[keycloak-user] Keycloak 3.4.0.Final - Can't secure an EAR (Nicolas DUMINIL)

Darrell Wu darrell at 1placeonline.com
Tue Dec 19 16:03:11 EST 2017


Hi Nicolas,

The secure deployment name attribute should match your module-name in the
web.xml in your WAR, with .war appended.

In your case it should be something like customer-management-rest.war,
assuming you have the following in your web.xml:

    <module-name>customer-management-rest</module-name>

Darrell

On 20 December 2017 at 07:34, <keycloak-user-request at lists.jboss.org> wrote:

> Today's Topics:
>
>    1. Re: Prevent federated users from setting a password (Rens Verhage)
>    2. Re: Failed to initialize in KC 3.4 (Bob McWhirter)
>    3. Keycloak 3.4.0.Final - Can't secure an EAR (Nicolas DUMINIL)
>    4. How to check permissions on lot of resources (Teddy CHAMBARD)
>    5. AdapterRsaTokenVerifier throws NullPointerException on
>       getPublicKey after processing expired token (Dmitry Korchemkin)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Tue, 19 Dec 2017 07:56:32 +0000
> From: Rens Verhage <Rens.Verhage at topicus.nl>
> Subject: Re: [keycloak-user] Prevent federated users from setting a
>         password
> To: "keycloak-user at lists.jboss.org" <keycloak-user at lists.jboss.org>
> Message-ID: <94BBDF41-9A45-4F30-B5C0-2AE3387BF63A at topicus.nl>
> Content-Type: text/plain; charset="utf-8"
>
> Sat down with a colleague and did some out of the box thinking. Came up
> with a solution that works best for us: set up 2 realms, A and B. A
> contains all users that log in with username and password and is an
> identity provider to realm B. This way we have levelled the playing field,
> in B all users log in through an IdP and we can treat them all the same.
>
>
>
> Rens
>
>
>
> On 18 Dec 2017, at 12:19, Rens Verhage <Rens.Verhage at topicus.nl<mailto:
> Rens.Verhage at topicus.nl>> wrote:
>
> Hi all,
>
> We're implementing Keycloak in an existing multi-tenant application and
> have to make a choice: 1 realm for all our tenants or each tenant its own
> realm?
>
> From an administrator's point of view, one single realm for all user
> accounts seems a good choice. However, there is one important requirement
> that until now, we haven't been able to fulfil this way:
>
> A tenant might choose to let their users log in through an external
> identity provider, ADFS will be fairly common. Users that will log in this
> way will be required to always do so and therefore are not allowed to set a
> password in Keycloak. Deleting a user will be as easy as removing the user
> from the Active Directory.
>
> However, not all tenants will have their own identity provider. For these
> tenants, users must be able to log in with a username and password. They
> also get a forgot password link, so they can reset their password once
> forgotten. Now that raises a problem. Users that log in through their
> identity provider can use this link to set a password and thus bypass their
> identity provider. Should such a user be removed from the AD, he or she can
> still log in using this password.
>
> Can we somehow prevent federated identities from ever setting a password?
> Or is this not possible and are we forced to setup multiple realms?
>
>
>
> Rens
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org<mailto:keycloak-user at lists.jboss.org>
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
> ------------------------------
>
> Message: 2
> Date: Tue, 19 Dec 2017 09:28:50 -0500
> From: Bob McWhirter <bmcwhirt at redhat.com>
> Subject: Re: [keycloak-user] Failed to initialize in KC 3.4
> To: Abhishek Koserwal <akoserwa at redhat.com>
> Cc: keycloak-user <keycloak-user at lists.jboss.org>
> Message-ID:
>         <CA+45JvEmMJ_=3LBWHNrWqoC5Huy1Dv+9mK42a38TJHxTPmxk_Q at mail.
> gmail.com>
> Content-Type: text/plain; charset="UTF-8"
>
> And you may wish to use a fully-qualified rooted path to keycloak.json, if
> you're doing a single-page-app with browser-based routing, as it seems to
> look for the argument relative to the current window location, which may
> not be / when doing SPAs.  Using an absolute path works in that case, such
> as '/keycloak.json'
>
> -Bob
>
> On Mon, Dec 18, 2017 at 1:55 AM, Abhishek Koserwal <akoserwa at redhat.com>
> wrote:
>
> > You need to instantiate like this, it will work.
> >
> >  var keycloak = Keycloak('keycloak.json');
> >
> > I tested with KC 3.4.1.
> >
> > Thanks
> >
> >
> > On Thu, Dec 14, 2017 at 6:08 PM, Marek Posolda <mposolda at redhat.com>
> > wrote:
> >
> > > The best is likely to look at Keycloak quickstart/examples for JS
> > > adapter and compare what is different.
> > >
> > > Marek
> > >
> > > On 12/12/17 10:45, Corentin Dupont wrote:
> > > > Hi guys,
> > > >
> > > > I use this code in my javascript application:
> > > >
> > > > > var keycloak = Keycloak();
> > > > > keycloak.init().success(function(authenticated) {
> > > > >     alert(authenticated ? 'authenticated' : 'not authenticated');
> > > > > }).error(function() {
> > > > >     alert('failed to initialize');
> > > > > });
> > > >
> > > > Since I updated Keycloak I get the message 'failed to initialize'.
> > > > It was working well with the previous version of KC 3.2.
> > > >
> > > > What could it be? How can I get a better error message?
> > > >
> > > >
> > > > Thanks!
> > >
> >
> >
> >
> > --
> > Regards,
> > Abhishek Koserwal
> > Software Application Engineer, ADS
> > Red Hat  (Pune, India)
> > IRC: akoserwa
> >
> > The capacity to learn is a gift; The ability to learn is a skill; The
> > willingness to learn is a choice -- Brian Herbert
> >
>
>
> ------------------------------
>
> Message: 3
> Date: Tue, 19 Dec 2017 17:26:22 +0100
> From: "Nicolas DUMINIL" <nicolas.duminil at simplex-software.fr>
> Subject: [keycloak-user] Keycloak 3.4.0.Final - Can't secure an EAR
> To: <keycloak-user at lists.jboss.org>
> Message-ID: <00c001d378e6$1c40db20$54c29160$@simplex-software.fr>
> Content-Type: text/plain;       charset="us-ascii"
>
> Hello,
>
> I'm using Keycloak 3.4.0.Final.
>
> I have an EAR containing a WAR. The WAR contains REST services that I need
> to secure. The Wildfly config is as follows:
>
> <subsystem xmlns="urn:jboss:domain:keycloak:1.1">
> <secure-deployment
> name="customer-management.ear.customer-management-rest.war">
> <realm>demo</realm>
> <auth-server-url>http://localhost:18080/auth</auth-server-url>
> <public-client>true</public-client>
> <ssl-required>EXTERNAL</ssl-required>
> <resource>customer-client</resource>
> </secure-deployment>
> </subsystem>
> The notation I used for the <secure-deployment> element is
> ear-name.ear.war-name.war. But it doesn't seem to work. It raises the
> following exception:
>
> Caused by: org.jboss.as.server.deployment.DeploymentUnitProcessingException:
> WarMetaData not found for customer-management.ear. Make sure you have
> specified a WAR as your secure-deployment in the Keycloak subsystem."},
>
> I found this syntax by googling for solutions but it's probably wrong.
> Please notice that I cannot use the JSON syntax.
>
> Kind regards,
>
> Nicolas DUMINIL
>
>
>
> ------------------------------
>
> Message: 4
> Date: Tue, 19 Dec 2017 17:50:33 +0000
> From: Teddy CHAMBARD <t.chambard at bee-buzziness.com>
> Subject: [keycloak-user] How to check permissions on lot of resources
> To: "keycloak-user at lists.jboss.org" <keycloak-user at lists.jboss.org>
> Cc: TeamScalabilite <TeamScalabilite at bee-buzziness.com>
> Message-ID: <1a4a5599db2c4bf69934aa23bf53e77c at BBUZ-EXCH01.bbuzg.net>
> Content-Type: text/plain; charset="us-ascii"
>
> Hello,
>
>
> I'm trying to protect resources with keycloak, but I wonder how to protect
> millions...
>
> I created successfully resources with the Protection API (UMA 2.0), and
> also created necessary permissions and policies with the Admin REST API.
>
>
> What I would like to do is simply get the list of resources I should be
> able to access.
>
>
> To simplify my needs, here is a simple example :
>
>
> Bob asks for resource1 and resource2 through entitlement API
>
> Regarding my policies and permissions Bob only has rights on resource 1
> but not on resource2.
>
>
> I was thinking making a POST request with the following payload :
>
>
> {
>     "permissions" : [
>         {
>             "resource_set_name" : "resource1"
>         }, {
>             "resource_set_name" : "resource2"
>         }
>     ]
> }
>
>
> would return a RPT with the list of permitted resources (resource1), but I
> got 403 forbidden without the list of granted resources.
>
>
>
> So, I know I could run two separated requests to get my authorizations,
> but when I have thousands of resources to check, I can't run thousands http
> requests on entitlement API.
>
>
> The question is how can I filter the data I retrieved from my database
> with keycloak in order to get only granted data ?
>
>
>
> Keycloak is wonderful, and I would really continue to use it despite this
> trouble that I encounter.
>
>
> Thank you very much in advance for your help.
>
>
>
>
> ------------------------------
>
> Message: 5
> Date: Tue, 19 Dec 2017 21:34:15 +0300
> From: Dmitry Korchemkin <moon3854 at gmail.com>
> Subject: [keycloak-user] AdapterRsaTokenVerifier throws
>         NullPointerException on getPublicKey after processing expired token
> To: keycloak-user <keycloak-user at lists.jboss.org>
> Message-ID:
>         <CAHpfDHM4=8fZu0niEhg2f4+MNjTDc2HEwixF-fNMnid3C-iF5A@
> mail.gmail.com>
> Content-Type: text/plain; charset="UTF-8"
>
> Hello,
>
> Just upgraded to 3.4.1.Final to check if my issues with
> NullPointerException (and resulting 500 status) when using keycloak
> spring-security-adapter and expired tokens would be gone. There's no more
> an unexpected NullPointer from an empty kid value (fixed in KEYCLOAK-5636
> <https://issues.jboss.org/browse/KEYCLOAK-5636>), but a problem still
> remains.
> This time it's publicKeyLocator being null in
> AdapterRSATokenVerifier::getPublicKey. Somehow, after token was already
> deemed inactive and TokenNotActiveException was already printed, there's a
> second call to this method, this time with an empty deployment, and I'm
> pretty sure it's not my code calling it. Since there's no null check on
> locator field, it produces NullPointer upon trying to call
> pkLocator.getPublicKey, even if kid is being checked for null.
>
> Here's the first exception, the one I'm expecting:
>
> 2017-12-19 14:55:54,341 DEBUG XNIO-2 task-24 no_request_id
> c.n.c.m.s.i.d.IdpConfigResolver - Error to validate token with public key
> org.keycloak.exceptions.TokenNotActiveException: Token is not active
>     at org.keycloak.TokenVerifier$2.test(TokenVerifier.java:84)
>     at org.keycloak.TokenVerifier.verify(TokenVerifier.java:370)
>     at org.keycloak.RSATokenVerifier.verify(RSATokenVerifier.java:89)
>     at
> org.keycloak.adapters.rotation.AdapterRSATokenVerifier.verifyToken(
> AdapterRSATokenVerifier.java:56)
>     at
> security.idp.deployment.IdpConfigResolver.checkPublicKey(
> IdpConfigResolver.java:149)
>     at
> security.idp.deployment.IdpConfigResolver.generateKeycloakDeploymentFrom
> AuthorizationHeader(IdpConfigResolver.java:80)
>     at
> security.idp.deployment.IdpConfigResolver.resolve(
> IdpConfigResolver.java:57)
>     at
> org.keycloak.adapters.AdapterDeploymentContext.resolveDeployment(
> AdapterDeploymentContext.java:88)
>     at
> org.keycloak.adapters.springsecurity.filter.KeycloakAuthenticationProcessi
> ngFilter.attemptAuthentication(KeycloakAuthenticationProcessi
> ngFilter.java:138)
>     at
> org.springframework.security.web.authentication.
> AbstractAuthenticationProcessingFilter.doFilter(
> AbstractAuthenticationProcessingFilter.java:212)
>     at
> org.springframework.security.web.FilterChainProxy$
> VirtualFilterChain.doFilter(FilterChainProxy.java:331)
>     at
> org.springframework.web.filter.OncePerRequestFilter.
> doFilter(OncePerRequestFilter.java:101)
>     at
> org.springframework.security.web.FilterChainProxy$
> VirtualFilterChain.doFilter(FilterChainProxy.java:331)
>     at
> org.springframework.security.web.authentication.logout.
> LogoutFilter.doFilter(LogoutFilter.java:116)
>     at
> org.springframework.security.web.FilterChainProxy$
> VirtualFilterChain.doFilter(FilterChainProxy.java:331)
>     at
> org.keycloak.adapters.springsecurity.filter.KeycloakPreAuthActionsFilter.
> doFilter(KeycloakPreAuthActionsFilter.java:84)
>     at
> org.springframework.security.web.FilterChainProxy$
> VirtualFilterChain.doFilter(FilterChainProxy.java:331)
>     at
> org.springframework.web.filter.OncePerRequestFilter.
> doFilter(OncePerRequestFilter.java:101)
>     at
> org.springframework.security.web.FilterChainProxy$
> VirtualFilterChain.doFilter(FilterChainProxy.java:331)
>     at
> org.springframework.web.filter.OncePerRequestFilter.
> doFilter(OncePerRequestFilter.java:101)
>     at
> org.springframework.security.web.FilterChainProxy$
> VirtualFilterChain.doFilter(FilterChainProxy.java:331)
>     at
> org.springframework.security.web.context.SecurityContextPersistenceFilt
> er.doFilter(SecurityContextPersistenceFilter.java:105)
>     at
> org.springframework.security.web.FilterChainProxy$
> VirtualFilterChain.doFilter(FilterChainProxy.java:331)
>     at
> org.springframework.web.filter.OncePerRequestFilter.
> doFilter(OncePerRequestFilter.java:101)
>     at
> org.springframework.security.web.FilterChainProxy$
> VirtualFilterChain.doFilter(FilterChainProxy.java:331)
>     at
> org.springframework.security.web.FilterChainProxy.doFilterInternal(
> FilterChainProxy.java:214)
>     at
> org.springframework.security.web.FilterChainProxy.doFilter(
> FilterChainProxy.java:177)
>     at
> org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(
> DelegatingFilterProxy.java:347)
>     at
> org.springframework.web.filter.DelegatingFilterProxy.doFilter(
> DelegatingFilterProxy.java:263)
>     at
> io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
>     at
> io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.
> doFilter(FilterHandler.java:131)
>     at
> org.springframework.web.filter.OncePerRequestFilter.
> doFilter(OncePerRequestFilter.java:101)
>     at
> io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
>     at
> io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.
> doFilter(FilterHandler.java:131)
>     at
> org.springframework.web.filter.RequestContextFilter.doFilterInternal(
> RequestContextFilter.java:99)
>     at
> org.springframework.web.filter.OncePerRequestFilter.
> doFilter(OncePerRequestFilter.java:107)
>     at
> io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
>     at
> io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.
> doFilter(FilterHandler.java:131)
>     at
> org.springframework.web.filter.OncePerRequestFilter.
> doFilter(OncePerRequestFilter.java:101)
>     at
> io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
>     at
> io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.
> doFilter(FilterHandler.java:131)
>     at
> org.springframework.web.filter.OncePerRequestFilter.
> doFilter(OncePerRequestFilter.java:101)
>     at
> io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
>     at
> io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.
> doFilter(FilterHandler.java:131)
>     at
> org.springframework.web.filter.OncePerRequestFilter.
> doFilter(OncePerRequestFilter.java:101)
>     at
> io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
>     at
> io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.
> doFilter(FilterHandler.java:131)
>     at
> org.springframework.web.filter.OncePerRequestFilter.
> doFilter(OncePerRequestFilter.java:101)
>     at
> io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
>     at
> io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.
> doFilter(FilterHandler.java:131)
>     at
> io.undertow.servlet.handlers.FilterHandler.handleRequest(
> FilterHandler.java:84)
>     at
> io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.
> handleRequest(ServletSecurityRoleHandler.java:62)
>     at
> io.undertow.servlet.handlers.ServletChain$1.handleRequest(
> ServletChain.java:64)
>     at
> io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(
> ServletDispatchingHandler.java:36)
>     at
> io.undertow.server.handlers.PredicateHandler.handleRequest(
> PredicateHandler.java:43)
>     at
> io.undertow.server.handlers.PredicateHandler.handleRequest(
> PredicateHandler.java:43)
>     at
> io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(
> ServletInitialHandler.java:274)
>     at
> io.undertow.servlet.handlers.ServletInitialHandler.dispatchToPath(
> ServletInitialHandler.java:209)
>     at
> io.undertow.servlet.spec.RequestDispatcherImpl.forwardImpl(
> RequestDispatcherImpl.java:221)
>     at
> io.undertow.servlet.spec.RequestDispatcherImpl.forwardImplSetup(
> RequestDispatcherImpl.java:147)
>     at
> io.undertow.servlet.spec.RequestDispatcherImpl.forward(
> RequestDispatcherImpl.java:111)
>     at
> org.springframework.web.servlet.view.InternalResourceView.
> renderMergedOutputModel(InternalResourceView.java:168)
>     at
> org.springframework.web.servlet.view.AbstractView.
> render(AbstractView.java:303)
>     at
> org.springframework.web.servlet.DispatcherServlet.
> render(DispatcherServlet.java:1286)
>     at
> org.springframework.web.servlet.DispatcherServlet.processDispatchResult(
> DispatcherServlet.java:1041)
>     at
> org.springframework.web.servlet.DispatcherServlet.
> doDispatch(DispatcherServlet.java:984)
>     at
> org.springframework.web.servlet.DispatcherServlet.
> doService(DispatcherServlet.java:901)
>     at
> org.springframework.web.servlet.FrameworkServlet.processRequest(
> FrameworkServlet.java:970)
>     at
> org.springframework.web.servlet.FrameworkServlet.
> doGet(FrameworkServlet.java:861)
>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:687)
>     at
> org.springframework.web.servlet.FrameworkServlet.
> service(FrameworkServlet.java:846)
>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
>     at
> io.undertow.servlet.handlers.ServletHandler.handleRequest(
> ServletHandler.java:85)
>     at
> io.undertow.servlet.handlers.FilterHandler.handleRequest(
> FilterHandler.java:81)
>     at
> io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.
> handleRequest(ServletSecurityRoleHandler.java:62)
>     at
> io.undertow.servlet.handlers.ServletChain$1.handleRequest(
> ServletChain.java:64)
>     at
> io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(
> ServletDispatchingHandler.java:36)
>     at
> io.undertow.server.handlers.PredicateHandler.handleRequest(
> PredicateHandler.java:43)
>     at
> io.undertow.server.handlers.PredicateHandler.handleRequest(
> PredicateHandler.java:43)
>     at
> io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(
> ServletInitialHandler.java:274)
>     at
> io.undertow.servlet.handlers.ServletInitialHandler.dispatchToPath(
> ServletInitialHandler.java:209)
>     at
> io.undertow.servlet.spec.RequestDispatcherImpl.error(
> RequestDispatcherImpl.java:479)
>     at
> io.undertow.servlet.spec.RequestDispatcherImpl.error(
> RequestDispatcherImpl.java:412)
>     at
> io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(
> ServletInitialHandler.java:319)
>     at
> io.undertow.servlet.handlers.ServletInitialHandler.access$
> 100(ServletInitialHandler.java:81)
>     at
> io.undertow.servlet.handlers.ServletInitialHandler$2.call(
> ServletInitialHandler.java:138)
>     at
> io.undertow.servlet.handlers.ServletInitialHandler$2.call(
> ServletInitialHandler.java:135)
>     at
> io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(
> ServletRequestContextThreadSetupAction.java:48)
>     at
> io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(
> ContextClassLoaderSetupAction.java:43)
>     at
> io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(
> ServletInitialHandler.java:272)
>     at
> io.undertow.servlet.handlers.ServletInitialHandler.access$
> 000(ServletInitialHandler.java:81)
>     at
> io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(
> ServletInitialHandler.java:104)
>     at io.undertow.server.Connectors.executeRootHandler(Connectors.
> java:332)
>     at
> io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:812)
>     at
> java.util.concurrent.ThreadPoolExecutor.runWorker(
> ThreadPoolExecutor.java:1149)
>     at
> java.util.concurrent.ThreadPoolExecutor$Worker.run(
> ThreadPoolExecutor.java:624)
>     at java.lang.Thread.run(Thread.java:748)
>
> However, it is immediately followed by this:
>
> 2017-12-19 14:55:54,343 ERROR XNIO-2 task-24 no_request_id i.u.request -
> UT005022: Exception generating error page /error
> org.springframework.web.util.NestedServletException: Request processing
> failed; nested exception is java.lang.RuntimeException:
> java.lang.NullPointerException
>     at
> org.springframework.web.servlet.FrameworkServlet.processRequest(
> FrameworkServlet.java:982)
>     at
> org.springframework.web.servlet.FrameworkServlet.
> doGet(FrameworkServlet.java:861)
>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:687)
>     at
> org.springframework.web.servlet.FrameworkServlet.
> service(FrameworkServlet.java:846)
>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
>     at
> io.undertow.servlet.handlers.ServletHandler.handleRequest(
> ServletHandler.java:85)
>     at
> io.undertow.servlet.handlers.FilterHandler.handleRequest(
> FilterHandler.java:81)
>     at
> io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.
> handleRequest(ServletSecurityRoleHandler.java:62)
>     at
> io.undertow.servlet.handlers.ServletChain$1.handleRequest(
> ServletChain.java:64)
>     at
> io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(
> ServletDispatchingHandler.java:36)
>     at
> io.undertow.server.handlers.PredicateHandler.handleRequest(
> PredicateHandler.java:43)
>     at
> io.undertow.server.handlers.PredicateHandler.handleRequest(
> PredicateHandler.java:43)
>     at
> io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(
> ServletInitialHandler.java:274)
>     at
> io.undertow.servlet.handlers.ServletInitialHandler.dispatchToPath(
> ServletInitialHandler.java:209)
>     at
> io.undertow.servlet.spec.RequestDispatcherImpl.error(
> RequestDispatcherImpl.java:479)
>     at
> io.undertow.servlet.spec.RequestDispatcherImpl.error(
> RequestDispatcherImpl.java:412)
>     at
> io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(
> ServletInitialHandler.java:319)
>     at
> io.undertow.servlet.handlers.ServletInitialHandler.access$
> 100(ServletInitialHandler.java:81)
>     at
> io.undertow.servlet.handlers.ServletInitialHandler$2.call(
> ServletInitialHandler.java:138)
>     at
> io.undertow.servlet.handlers.ServletInitialHandler$2.call(
> ServletInitialHandler.java:135)
>     at
> io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(
> ServletRequestContextThreadSetupAction.java:48)
>     at
> io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(
> ContextClassLoaderSetupAction.java:43)
>     at
> io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(
> ServletInitialHandler.java:272)
>     at
> io.undertow.servlet.handlers.ServletInitialHandler.access$
> 000(ServletInitialHandler.java:81)
>     at
> io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(
> ServletInitialHandler.java:104)
>     at io.undertow.server.Connectors.executeRootHandler(Connectors.
> java:332)
>     at
> io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:812)
>     at
> java.util.concurrent.ThreadPoolExecutor.runWorker(
> ThreadPoolExecutor.java:1149)
>     at
> java.util.concurrent.ThreadPoolExecutor$Worker.run(
> ThreadPoolExecutor.java:624)
>     at java.lang.Thread.run(Thread.java:748)
> Caused by: java.lang.RuntimeException: java.lang.NullPointerException
>     at
> io.undertow.servlet.spec.RequestDispatcherImpl.forwardImpl(
> RequestDispatcherImpl.java:245)
>     at
> io.undertow.servlet.spec.RequestDispatcherImpl.forwardImplSetup(
> RequestDispatcherImpl.java:147)
>     at
> io.undertow.servlet.spec.RequestDispatcherImpl.forward(
> RequestDispatcherImpl.java:111)
>     at
> org.springframework.web.servlet.view.InternalResourceView.
> renderMergedOutputModel(InternalResourceView.java:168)
>     at
> org.springframework.web.servlet.view.AbstractView.
> render(AbstractView.java:303)
>     at
> org.springframework.web.servlet.DispatcherServlet.
> render(DispatcherServlet.java:1286)
>     at
> org.springframework.web.servlet.DispatcherServlet.processDispatchResult(
> DispatcherServlet.java:1041)
>     at
> org.springframework.web.servlet.DispatcherServlet.
> doDispatch(DispatcherServlet.java:984)
>     at
> org.springframework.web.servlet.DispatcherServlet.
> doService(DispatcherServlet.java:901)
>     at
> org.springframework.web.servlet.FrameworkServlet.processRequest(
> FrameworkServlet.java:970)
>     ... 29 common frames omitted
> Caused by: java.lang.NullPointerException: null
>     at
> org.keycloak.adapters.rotation.AdapterRSATokenVerifier.getPublicKey(
> AdapterRSATokenVerifier.java:44)
>     at
> org.keycloak.adapters.rotation.AdapterRSATokenVerifier.verifyToken(
> AdapterRSATokenVerifier.java:55)
>     at
> org.keycloak.adapters.rotation.AdapterRSATokenVerifier.verifyToken(
> AdapterRSATokenVerifier.java:37)
>     at
> org.keycloak.adapters.BearerTokenRequestAuthenticator.authenticateToken(
> BearerTokenRequestAuthenticator.java:87)
>     at
> org.keycloak.adapters.BearerTokenRequestAuthenticator.authenticate(
> BearerTokenRequestAuthenticator.java:82)
>     at
> org.keycloak.adapters.RequestAuthenticator.authenticate(
> RequestAuthenticator.java:68)
>     at
> org.keycloak.adapters.springsecurity.filter.KeycloakAuthenticationProcessi
> ngFilter.attemptAuthentication(KeycloakAuthenticationProcessi
> ngFilter.java:147)
>     at
> org.springframework.security.web.authentication.
> AbstractAuthenticationProcessingFilter.doFilter(
> AbstractAuthenticationProcessingFilter.java:212)
>     at
> org.springframework.security.web.FilterChainProxy$
> VirtualFilterChain.doFilter(FilterChainProxy.java:331)
>     at
> org.springframework.web.filter.OncePerRequestFilter.
> doFilter(OncePerRequestFilter.java:101)
>     at
> org.springframework.security.web.FilterChainProxy$
> VirtualFilterChain.doFilter(FilterChainProxy.java:331)
>     at
> org.springframework.security.web.authentication.logout.
> LogoutFilter.doFilter(LogoutFilter.java:116)
>     at
> org.springframework.security.web.FilterChainProxy$
> VirtualFilterChain.doFilter(FilterChainProxy.java:331)
>     at
> org.keycloak.adapters.springsecurity.filter.KeycloakPreAuthActionsFilter.
> doFilter(KeycloakPreAuthActionsFilter.java:84)
>     at
> org.springframework.security.web.FilterChainProxy$
> VirtualFilterChain.doFilter(FilterChainProxy.java:331)
>     at
> org.springframework.web.filter.OncePerRequestFilter.
> doFilter(OncePerRequestFilter.java:101)
>     at
> org.springframework.security.web.FilterChainProxy$
> VirtualFilterChain.doFilter(FilterChainProxy.java:331)
>     at
> org.springframework.web.filter.OncePerRequestFilter.
> doFilter(OncePerRequestFilter.java:101)
>     at
> org.springframework.security.web.FilterChainProxy$
> VirtualFilterChain.doFilter(FilterChainProxy.java:331)
>     at
> org.springframework.security.web.context.SecurityContextPersistenceFilt
> er.doFilter(SecurityContextPersistenceFilter.java:105)
>     at
> org.springframework.security.web.FilterChainProxy$
> VirtualFilterChain.doFilter(FilterChainProxy.java:331)
>     at
> org.springframework.web.filter.OncePerRequestFilter.
> doFilter(OncePerRequestFilter.java:101)
>     at
> org.springframework.security.web.FilterChainProxy$
> VirtualFilterChain.doFilter(FilterChainProxy.java:331)
>     at
> org.springframework.security.web.FilterChainProxy.doFilterInternal(
> FilterChainProxy.java:214)
>     at
> org.springframework.security.web.FilterChainProxy.doFilter(
> FilterChainProxy.java:177)
>     at
> org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(
> DelegatingFilterProxy.java:347)
>     at
> org.springframework.web.filter.DelegatingFilterProxy.doFilter(
> DelegatingFilterProxy.java:263)
>     at
> io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
>     at
> io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.
> doFilter(FilterHandler.java:131)
>     at
> org.springframework.web.filter.OncePerRequestFilter.
> doFilter(OncePerRequestFilter.java:101)
>     at
> io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
>     at
> io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.
> doFilter(FilterHandler.java:131)
>     at
> org.springframework.web.filter.RequestContextFilter.doFilterInternal(
> RequestContextFilter.java:99)
>     at
> org.springframework.web.filter.OncePerRequestFilter.
> doFilter(OncePerRequestFilter.java:107)
>     at
> io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
>     at
> io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.
> doFilter(FilterHandler.java:131)
>     at
> org.springframework.web.filter.OncePerRequestFilter.
> doFilter(OncePerRequestFilter.java:101)
>     at
> io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
>     at
> io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.
> doFilter(FilterHandler.java:131)
>     at
> org.springframework.web.filter.OncePerRequestFilter.
> doFilter(OncePerRequestFilter.java:101)
>     at
> io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
>     at
> io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.
> doFilter(FilterHandler.java:131)
>     at
> org.springframework.web.filter.OncePerRequestFilter.
> doFilter(OncePerRequestFilter.java:101)
>     at
> io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
>     at
> io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.
> doFilter(FilterHandler.java:131)
>     at
> org.springframework.web.filter.OncePerRequestFilter.
> doFilter(OncePerRequestFilter.java:101)
>     at
> io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
>     at
> io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.
> doFilter(FilterHandler.java:131)
>     at
> io.undertow.servlet.handlers.FilterHandler.handleRequest(
> FilterHandler.java:84)
>     at
> io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.
> handleRequest(ServletSecurityRoleHandler.java:62)
>     at
> io.undertow.servlet.handlers.ServletChain$1.handleRequest(
> ServletChain.java:64)
>     at
> io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(
> ServletDispatchingHandler.java:36)
>     at
> io.undertow.server.handlers.PredicateHandler.handleRequest(
> PredicateHandler.java:43)
>     at
> io.undertow.server.handlers.PredicateHandler.handleRequest(
> PredicateHandler.java:43)
>     at
> io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(
> ServletInitialHandler.java:274)
>     at
> io.undertow.servlet.handlers.ServletInitialHandler.dispatchToPath(
> ServletInitialHandler.java:209)
>     at
> io.undertow.servlet.spec.RequestDispatcherImpl.forwardImpl(
> RequestDispatcherImpl.java:221)
>     ... 38 common frames omitted
>
> Needless to say, I'm not expecting any error pages to be shown and I have
> no idea where would keycloak get such a deployment that does not even have
> keyLocator.
> One place where I call AdapterRSATokenVerifier.verifyToken has a
> deployment with explicitly set HardcodedPublicKeyLocator, which works in
> every other instance of token validation I've encountered so far.
>
> I'd report this as a bug right away and make a request with a null check on
> pkLocator, but somehow it seems the issue is not that simple, empty
> deployment shouldn't be there in the first place. In the meantime, any
> idea how can I get around this second verify() call or maybe disable the
> /error page behaviour?
>
> Best regards,
> Dmitry
>
>
> ------------------------------
>
> End of keycloak-user Digest, Vol 48, Issue 29
> *********************************************
>
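
The naming rule from the reply at the top of this message, as an added example that is not part of the original thread or of Keycloak: a Python check that reads each WAR's module-name out of an EAR and compares the expected name (module-name plus .war) with the secure-deployment names in the subsystem XML. The sample EAR is constructed, the function names are hypothetical, and falling back to the WAR file name when web.xml declares no module-name is an assumption.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Constructed sample web.xml, using the module-name given in the reply.
WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <module-name>customer-management-rest</module-name>
</web-app>"""

# Subsystem configuration as posted in the question (EAR-prefixed name).
SUBSYSTEM_AS_POSTED = """<subsystem xmlns="urn:jboss:domain:keycloak:1.1">
  <secure-deployment name="customer-management.ear.customer-management-rest.war">
    <realm>demo</realm>
    <auth-server-url>http://localhost:18080/auth</auth-server-url>
    <public-client>true</public-client>
    <ssl-required>EXTERNAL</ssl-required>
    <resource>customer-client</resource>
  </secure-deployment>
</subsystem>"""

# The same configuration with the name the reply suggests.
SUBSYSTEM_AS_SUGGESTED = SUBSYSTEM_AS_POSTED.replace(
    "customer-management.ear.customer-management-rest.war",
    "customer-management-rest.war")


def _local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]


def build_sample_ear():
    """Build a constructed EAR (bytes) holding one WAR with the web.xml above."""
    war = io.BytesIO()
    with zipfile.ZipFile(war, "w") as z:
        z.writestr("WEB-INF/web.xml", WEB_XML)
    ear = io.BytesIO()
    with zipfile.ZipFile(ear, "w") as z:
        z.writestr("customer-management-rest.war", war.getvalue())
    return ear.getvalue()


def war_deployment_names(ear_bytes):
    """Map each WAR inside the EAR to the secure-deployment name expected for it."""
    names = {}
    with zipfile.ZipFile(io.BytesIO(ear_bytes)) as ear:
        for entry in ear.namelist():
            if not entry.endswith(".war"):
                continue
            module = None
            with zipfile.ZipFile(io.BytesIO(ear.read(entry))) as war:
                if "WEB-INF/web.xml" in war.namelist():
                    # Parse only web.xml from your own build output here.
                    root = ET.fromstring(war.read("WEB-INF/web.xml"))
                    for child in root:
                        if _local(child.tag) == "module-name" and child.text:
                            module = child.text.strip()
            # Assumption: with no module-name, use the WAR file name itself.
            names[entry] = module + ".war" if module else entry.rsplit("/", 1)[-1]
    return names


def secure_deployment_names(subsystem_xml):
    """Return the name attribute of every secure-deployment element."""
    root = ET.fromstring(subsystem_xml)
    return [el.get("name") for el in root.iter()
            if _local(el.tag) == "secure-deployment"]


def check(ear_file_name, ear_bytes, subsystem_xml):
    """Return (findings, unsecured).

    findings:  (configured name, status, suggested name) per secure-deployment.
    unsecured: expected WAR names with no matching secure-deployment entry.
    """
    expected = set(war_deployment_names(ear_bytes).values())
    configured = secure_deployment_names(subsystem_xml)
    findings = []
    for name in configured:
        prefix = ear_file_name + "."
        if name in expected:
            findings.append((name, "ok", name))
        elif name.startswith(prefix) and name[len(prefix):] in expected:
            # The ear-name.ear.war-name.war form from the question.
            findings.append((name, "ear-prefixed", name[len(prefix):]))
        else:
            findings.append((name, "no-matching-war", None))
    return findings, sorted(expected - set(configured))


if __name__ == "__main__":
    ear = build_sample_ear()
    for label, xml in (("as posted", SUBSYSTEM_AS_POSTED),
                       ("as suggested", SUBSYSTEM_AS_SUGGESTED)):
        findings, unsecured = check("customer-management.ear", ear, xml)
        print(label, findings, "WARs without an entry:", unsecured)
```

The second return value lists WARs that have no matching secure-deployment entry, which is the condition to review before relying on the adapter to protect the REST services.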

