[keycloak-user] Authentication failed: org.jvnet.libpam.PAMException

mizuki mizuki0621 at gmail.com
Thu Mar 14 16:42:34 EDT 2019


Thanks for the response, Bruno.

I certainly went through the documents and examined configurations carefully.
I attached KRB log from IPA server as well as /var/log/secure from Keycloak
server as supporting evidence (highlighted with blue for important
portions).

In the case when both 'password' and 'otp' are enabled for the user in IPA,
Keycloak failed to authenticate the user with either the password or otp.

[root at idm01 ~]# ipa user-show mmstestu
  User login: mmstestu
  First name: Test
  Last name: 55555
  Home directory: /u0b/mmstestu
  Login shell: /bin/bash
  Principal name: mmstestu at SDCC.BNL.GOV
  Principal alias: mmstestu at SDCC.BNL.GOV
  Kerberos principal expiration: 20690301145828Z
  Email address: smithj4 at example.com
  UID: 7041
  GID: 9965
  SSH public key fingerprint: SHA256:/JlIpowM8fnzu+eVyeDj0Nb08+L3KWn7gG3lmS2YRFk (ssh-rsa)
  User authentication types: otp, password
  Account disabled: False
  Password: True
  Member of groups: ipausers, rhloi13, ravendor, webstaff, eic
  Member of HBAC rule: mktst1
  Kerberos keys available: True

Krb log on IPA server shows following:
Mar 14 16:24:36 idm01.sdcc.bnl.gov krb5kdc[9534](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 130.199.148.235: NEEDED_PREAUTH: mmstestu at SDCC.BNL.GOV for krbtgt/SDCC.BNL.GOV at SDCC.BNL.GOV, Additional pre-authentication required
Mar 14 16:24:36 idm01.sdcc.bnl.gov krb5kdc[9534](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 130.199.148.235: PREAUTH_FAILED: mmstestu at SDCC.BNL.GOV for krbtgt/SDCC.BNL.GOV at SDCC.BNL.GOV, Incorrect password in encrypted challenge

/var/log/secure log on KeyCloak server:
Mar 14 16:24:36 mktst1 journal: IBM Java[8421]: pam_sss(keycloak:auth): authentication failure; logname=root uid=0 euid=0 tty= ruser= rhost= user=mmstestu
Mar 14 16:24:36 mktst1 journal: IBM Java[8421]: pam_sss(keycloak:auth): received for user mmstestu: 17 (Failure setting user credentials)

In ../log/server.log on KeyCloak server:
2019-03-14 16:24:36,844 ERROR [org.keycloak.federation.sssd.impl.PAMAuthenticator] (default task-2) Authentication failed: org.jvnet.libpam.PAMException: pam_authenticate failed : Permission denied
    at org.jvnet.libpam.PAM.check(PAM.java:113)
    at org.jvnet.libpam.PAM.authenticate(PAM.java:129)
    at org.keycloak.federation.sssd.impl.PAMAuthenticator.authenticate(PAMAuthenticator.java:53)
    at org.keycloak.federation.sssd.SSSDFederationProvider.isValid(SSSDFederationProvider.java:180)
    at org.keycloak.credential.UserCredentialStoreManager.validate(UserCredentialStoreManager.java:143)
    at org.keycloak.credential.UserCredentialStoreManager.isValid(UserCredentialStoreManager.java:124)
    at org.keycloak.authentication.authenticators.browser.AbstractUsernameFormAuthenticator.validatePassword(AbstractUsernameFormAuthenticator.java:193)
    at org.keycloak.authentication.authenticators.browser.AbstractUsernameFormAuthenticator.validateUserAndPassword(AbstractUsernameFormAuthenticator.java:166)
    at org.keycloak.authentication.authenticators.browser.UsernamePasswordForm.validateForm(UsernamePasswordForm.java:55)
    at org.keycloak.authentication.authenticators.browser.UsernamePasswordForm.action(UsernamePasswordForm.java:48)
    at org.keycloak.authentication.DefaultAuthenticationFlow.processAction(DefaultAuthenticationFlow.java:113)
    at org.keycloak.authentication.DefaultAuthenticationFlow.processAction(DefaultAuthenticationFlow.java:97)
    at org.keycloak.authentication.AuthenticationProcessor.authenticationAction(AuthenticationProcessor.java:873)
    at org.keycloak.services.resources.LoginActionsService.processFlow(LoginActionsService.java:292)
    at org.keycloak.services.resources.LoginActionsService.processAuthentication(LoginActionsService.java:263)
    at org.keycloak.services.resources.LoginActionsService.authenticate(LoginActionsService.java:259)
    at org.keycloak.services.resources.LoginActionsService.authenticateForm(LoginActionsService.java:320)

Then if I remove the 'password' option and leave 'otp' only for the user,
KeyCloak does actually authenticate fine (password + QRCode combined with
no space). Following are the logs when it succeeds:

[root at idm01 ~]# ipa user-mod mmstestu --user-auth-type=otp
------------------------
Modified user "mmstestu"
------------------------
  User login: mmstestu
  First name: Test
  Last name: 55555
  Home directory: /u0b/mmstestu
  Login shell: /bin/bash
  Principal name: mmstestu at SDCC.BNL.GOV
  Principal alias: mmstestu at SDCC.BNL.GOV
  Kerberos principal expiration: 20690301145828Z
  Email address: smithj4 at example.com
  UID: 7041
  GID: 9965
  SSH public key fingerprint: SHA256:/JlIpowM8fnzu+eVyeDj0Nb08+L3KWn7gG3lmS2YRFk (ssh-rsa)
  User authentication types: otp
  Account disabled: False
  Password: True
  Member of groups: ipausers, rhloi13, ravendor, webstaff, eic
  Member of HBAC rule: mktst1
  Kerberos keys available: True

In KRB log on IPA server:
Mar 14 16:28:57 idm01.sdcc.bnl.gov krb5kdc[9535](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 130.199.148.235: ISSUE: authtime 1552595337, etypes {rep=18 tkt=18 ses=18}, mmstestu at SDCC.BNL.GOV for krbtgt/SDCC.BNL.GOV at SDCC.BNL.GOV
Mar 14 16:28:57 idm01.sdcc.bnl.gov krb5kdc[9535](info): TGS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 130.199.148.235: ISSUE: authtime 1552595337, etypes {rep=18 tkt=18 ses=18}, mmstestu at SDCC.BNL.GOV for host/mktst1.sdcc.bnl.gov at SDCC.BNL.GOV

In /var/log/secure on KeyCloak server:
Mar 14 16:28:57 mktst1 journal: IBM Java[8421]: pam_sss(keycloak:auth): authentication success; logname=root uid=0 euid=0 tty= ruser= rhost= user=mmstestu

Please advise.
Thanks.
Mizuki


On Tue, Mar 12, 2019 at 11:35 AM Bruno Oliveira <bruno at abstractj.org> wrote:

> Hi Mizuki,
>
> In the scenario you described Keycloak just relies on PAM to
> authenticate the user.  What I'd do before configuring Keycloak is to try
> dbus-send and pamtester, just to make sure that my setup works.
>
> So here's my suggestion, try to run pamtester -v keycloak youruser.  If
> pamtester does not authenticate your user, there's a chance that
> something is wrong with your setup. Certainly worth reviewing our
> docs[1].
>
> [1] - https://www.keycloak.org/docs/latest/server_admin/index.html#_sssd
>
> On 2019-03-05, mizuki wrote:
> > Hi,
> >
> > We are currently evaluating keycloak as a possible authentication mechanism
> > deployed to our facility.
> > We use kerberos for user authentication with FreeIPA and configured sssd
> > for user federation in keycloak (following the official documents both from
> > keycloak and freeipa.org)
> > One of the requirements we desire is to enable kerberos password for SSH
> > login and enable 'otp' for HTTP based applications.
> >
> > To do so,
> > 1. We enabled both user-auth-types for the user:
> > - password
> > - password + otp
> >
> > 2. Created HBAC rules in IPA, allowing keycloak server access for following
> > services: (I purposely did not enable 'otp' at this point as I want to
> > verify both 'password' and 'otp' shall work)
> > - keycloak
> > - sshd
> >
> > 3. Confirmed sshd worked with both 'password' and 'otp' types via PAM/SSSD,
> > then I went ahead and accessed URL that is protected by keycloak,
> > 'password' works but 'otp' won't, the following ERRORs were seen in
> > keycloak's server.log:
> > -----------
> > 019-03-04 17:01:20,246 WARN  [org.keycloak.events] (default task-22) type=LOGIN_ERROR, realmId=SDCC, clientId=vproxytest03, userId=9900928d-efee-4192-bbc8-7e29cf512d2b, ipAddress=130.199.6.120, error=invalid_user_credentials, auth_method=openid-connect, auth_type=code, redirect_uri=https://www.example.com/secure/*, code_id=d6c83411-4ca8-4d2b-b942-afd0006e98d2, username=mmstestu
> > 2019-03-04 17:01:43,033 ERROR [org.keycloak.federation.sssd.impl.PAMAuthenticator] (default task-22) Authentication failed: org.jvnet.libpam.PAMException: pam_authenticate failed : Permission denied
> >     at org.jvnet.libpam.PAM.check(PAM.java:113)
> >     at org.jvnet.libpam.PAM.authenticate(PAM.java:129)
> >     at org.keycloak.federation.sssd.impl.PAMAuthenticator.authenticate(PAMAuthenticator.java:53)
> >     at org.keycloak.federation.sssd.SSSDFederationProvider.isValid(SSSDFederationProvider.java:180)
> >     at org.keycloak.credential.UserCredentialStoreManager.validate(UserCredentialStoreManager.java:143)
> >     at org.keycloak.credential.UserCredentialStoreManager.isValid(UserCredentialStoreManager.java:124)
> >     at org.keycloak.authentication.authenticators.browser.AbstractUsernameFormAuthenticator.validatePassword(AbstractUsernameFormAuthenticator.java:193)
> >     at org.keycloak.authentication.authenticators.browser.AbstractUsernameFormAuthenticator.validateUserAndPassword(AbstractUsernameFormAuthenticator.java:166)
> >     at org.keycloak.authentication.authenticators.browser.UsernamePasswordForm.validateForm(UsernamePasswordForm.java:55)
> >     at org.keycloak.authentication.authenticators.browser.UsernamePasswordForm.action(UsernamePasswordForm.java:48)
> >     at org.keycloak.authentication.DefaultAuthenticationFlow.processAction(DefaultAuthenticationFlow.java:113)
> >     at org.keycloak.authentication.DefaultAuthenticationFlow.processAction(DefaultAuthenticationFlow.java:97)
> >     at org.keycloak.authentication.AuthenticationProcessor.authenticationAction(AuthenticationProcessor.java:873)
> >     at org.keycloak.services.resources.LoginActionsService.processFlow(LoginActionsService.java:292)
> >     at org.keycloak.services.resources.LoginActionsService.processAuthentication(LoginActionsService.java:263)
> >     at org.keycloak.services.resources.LoginActionsService.authenticate(LoginActionsService.java:259)
> >     at org.keycloak.services.resources.LoginActionsService.authenticateForm(LoginActionsService.java:320)
> > ------------------
> >
> > Interesting thing is keycloak handles OTP just fine if I have
> > 'password+otp' only checked on,  then we won't be able to log onto the
> > machines via SSH using password, that defeats our purposes.
> >
> > I tested different versions of JAVA and the latest keycloak (4.8.3) version
> > (on RHEL 7), all got the same results.
> > I'm wondering if this is more likely a bug or I missed something.
> > I'd appreciate if someone can advise what the approach is.
> >
> > Thank you very much.
> >
> > Mizuki
>
> --
>
> abstractj
>
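
An added example, not part of the thread and not Keycloak or FreeIPA code: the failing and succeeding logins above read side by side by matching each `pam_sss(keycloak:auth)` result in /var/log/secure to the KDC's AS_REQ outcome for the same user and second. The function names, verdict labels, 2-second window and year default are assumptions; the sample lines are the ones posted above with e-mail wrapping undone.

```python
import re
from datetime import datetime, timedelta

# Sample input: log lines from the post with e-mail line wrapping undone.
# The list archive's " at " address obfuscation is kept; real logs use "@".
KDC_LOG = """\
Mar 14 16:24:36 idm01.sdcc.bnl.gov krb5kdc[9534](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 130.199.148.235: NEEDED_PREAUTH: mmstestu at SDCC.BNL.GOV for krbtgt/SDCC.BNL.GOV at SDCC.BNL.GOV, Additional pre-authentication required
Mar 14 16:24:36 idm01.sdcc.bnl.gov krb5kdc[9534](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 130.199.148.235: PREAUTH_FAILED: mmstestu at SDCC.BNL.GOV for krbtgt/SDCC.BNL.GOV at SDCC.BNL.GOV, Incorrect password in encrypted challenge
Mar 14 16:28:57 idm01.sdcc.bnl.gov krb5kdc[9535](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 130.199.148.235: ISSUE: authtime 1552595337, etypes {rep=18 tkt=18 ses=18}, mmstestu at SDCC.BNL.GOV for krbtgt/SDCC.BNL.GOV at SDCC.BNL.GOV
Mar 14 16:28:57 idm01.sdcc.bnl.gov krb5kdc[9535](info): TGS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 130.199.148.235: ISSUE: authtime 1552595337, etypes {rep=18 tkt=18 ses=18}, mmstestu at SDCC.BNL.GOV for host/mktst1.sdcc.bnl.gov at SDCC.BNL.GOV
"""
PAM_LOG = """\
Mar 14 16:24:36 mktst1 journal: IBM Java[8421]: pam_sss(keycloak:auth): authentication failure; logname=root uid=0 euid=0 tty= ruser= rhost= user=mmstestu
Mar 14 16:24:36 mktst1 journal: IBM Java[8421]: pam_sss(keycloak:auth): received for user mmstestu: 17 (Failure setting user credentials)
Mar 14 16:28:57 mktst1 journal: IBM Java[8421]: pam_sss(keycloak:auth): authentication success; logname=root uid=0 euid=0 tty= ruser= rhost= user=mmstestu
"""

STAMP = r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ "
KDC_RE = re.compile(
    STAMP + r"krb5kdc\[\d+\]\(info\): (?P<req>AS_REQ|TGS_REQ) \(.*?\) "
    r"(?P<client>\S+): (?P<status>[A-Z_]+): "
    r"(?:authtime \d+, etypes \{[^}]*\}, )?"            # present only on ISSUE
    r"(?P<user>[^@\s]+)(?:@| at )\S+ for (?P<service>\S+?)(?:@| at )")
PAM_RE = re.compile(
    STAMP + r".*?pam_sss\((?P<service>[^:)]+):auth\): "
    r"authentication (?P<result>failure|success);.*\buser=(?P<user>\S+)")
PAM_STATUS_RE = re.compile(
    STAMP + r".*?pam_sss\([^)]*\): received for user (?P<user>\S+): "
    r"(?P<code>\d+) \((?P<text>[^)]*)\)")


def parse_ts(text, year):
    # Syslog timestamps carry no year, so the caller supplies one.
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")


def classify(pam_result, kdc):
    """Hypothetical triage labels for one PAM result and nearby KDC events."""
    if pam_result == "failure" and "AS_REQ:PREAUTH_FAILED" in kdc:
        return "kdc-rejected-preauth"   # credential string failed at the KDC
    if pam_result == "success" and "AS_REQ:ISSUE" in kdc:
        return "kdc-issued-tgt"
    if not kdc:
        return "no-kdc-request-seen"    # look at SSSD/PAM/HBAC on the client
    return "inconclusive"


def correlate(kdc_log, pam_log, year=2019, window_s=2):
    """Pair each pam_sss auth result with KDC events for that user in time."""
    kdc = []
    for line in kdc_log.splitlines():
        m = KDC_RE.match(line)
        if m:
            kdc.append((parse_ts(m["ts"], year), m["user"],
                        f'{m["req"]}:{m["status"]}'))
    events = []
    for line in pam_log.splitlines():
        m = PAM_RE.match(line)
        if m:
            events.append({"time": parse_ts(m["ts"], year), "user": m["user"],
                           "service": m["service"], "result": m["result"],
                           "pam_status": None})
            continue
        s = PAM_STATUS_RE.match(line)
        # The "received for user" line follows the failure it explains.
        if (s and events and events[-1]["user"] == s["user"]
                and events[-1]["time"] == parse_ts(s["ts"], year)):
            events[-1]["pam_status"] = (int(s["code"]), s["text"])
    window = timedelta(seconds=window_s)
    for ev in events:
        ev["kdc"] = [tag for t, user, tag in kdc
                     if user == ev["user"] and abs(t - ev["time"]) <= window]
        ev["verdict"] = classify(ev["result"], ev["kdc"])
    return events


if __name__ == "__main__":
    for ev in correlate(KDC_LOG, PAM_LOG):
        print(ev["time"], ev["user"], ev["service"], ev["result"],
              ev["pam_status"], ev["kdc"], ev["verdict"])
```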

