<p dir="ltr">How is the EJB being called? From a JAX-RS service or a server-side web app? For there to be a user, you need to be authenticated as a user, so either the server-side webapp has redirected to the login page or there is a bearer token included in the authorisation header of the HTTP request.</p>
<div class="gmail_quote">On 15 Mar 2016 17:58, "Firdos Ali" &lt;<a href="mailto:ali@affordabletours.com">ali@affordabletours.com</a>&gt; wrote:<br type="attribution"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div lang="EN-US" link="blue" vlink="purple"><div><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d">Thank you for the prompt response.<u></u><u></u></span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"><u></u> <u></u></span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d">I moved to Keycloak 1.9.1 both on the server and updated the adapter; however, it is still not working. Let me clarify a few other things, and hopefully that will provide some additional context.<u></u><u></u></span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"><u></u> <u></u></span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d">We put our project in an EAR file which contains one JAR file inclusive of the stateless EJBs, one WAR file, and a few other supporting JAR files. 
<u></u><u></u></span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"><u></u> <u></u></span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d">The war file has the keycloak.json with the following:<u></u><u></u></span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d">{<u></u><u></u></span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"> "realm": "affordabletours",<u></u><u></u></span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"> "realm-public-key": "some key",<u></u><u></u></span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"> "auth-server-url": "<a href="http://10.0.0.1:8080/auth" target="_blank">http://10.0.0.1:8080/auth</a>",<u></u><u></u></span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"> "ssl-required": "external",<u></u><u></u></span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"> "resource": "keycloaktest",<u></u><u></u></span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"> "credentials": {<u></u><u></u></span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"> "secret": "some secret"<u></u><u></u></span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"> }<u></u><u></u></span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d">}<u></u><u></u></span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"><u></u> <u></u></span></p><p class="MsoNormal"><span 
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d">Are you suggesting that I change the resource “keycloaktest” access type from ‘confidential’ to ‘bearer-only’? If so, I tried that and unfortunately that did not work. I guess my confusion is how would the JAR file with the EJBs be aware of the security context when it is only at the WAR level? Thanks<u></u><u></u></span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"><u></u> <u></u></span></p><p class="MsoNormal"><a name="-279217427159260115__MailEndCompose"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"><u></u> <u></u></span></a></p><p class="MsoNormal"><b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">From:</span></b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"> Stian Thorgersen [mailto:<a href="mailto:sthorger@redhat.com" target="_blank">sthorger@redhat.com</a>] <br><b>Sent:</b> Friday, March 11, 2016 12:29 AM<br><b>To:</b> Firdos Ali &lt;<a href="mailto:ali@affordabletours.com" target="_blank">ali@affordabletours.com</a>&gt;<br><b>Cc:</b> keycloak-user &lt;<a href="mailto:keycloak-user@lists.jboss.org" target="_blank">keycloak-user@lists.jboss.org</a>&gt;<br><b>Subject:</b> Re: [keycloak-user] EJB Invalid User + Log Out not working<u></u><u></u></span></p><p class="MsoNormal"><u></u> <u></u></p><p class="MsoNormal"><u></u> <u></u></p><p class="MsoNormal"><u></u> <u></u></p><div><p class="MsoNormal">On 10 March 2016 at 20:19, Firdos Ali &lt;<a href="mailto:ali@affordabletours.com" target="_blank">ali@affordabletours.com</a>&gt; wrote:<u></u><u></u></p><blockquote style="border:none;border-left:solid #cccccc 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in"><div><div><p class="MsoNormal">Hello,<u></u><u></u></p><p class="MsoNormal"> <u></u><u></u></p><p class="MsoNormal">I am having a few problems with Keycloak. 
Let me first start with the environment information:<u></u><u></u></p><p class="MsoNormal"> <u></u><u></u></p><p class="MsoNormal">Keycloak version: 1.9.0<u></u><u></u></p><p class="MsoNormal">Keycloak WildFly version: 10.0.0<u></u><u></u></p><p class="MsoNormal"> <u></u><u></u></p><p class="MsoNormal">Application WildFly version: 8.0.0<u></u><u></u></p><p class="MsoNormal"> <u></u><u></u></p><p class="MsoNormal"><b>Problem 1: EJB error - javax.ejb.EJBAccessException: JBAS013323: Invalid User</b><u></u><u></u></p><p class="MsoNormal">I have followed the documentation by adding the Keycloak adapter to the application WildFly 8.0, and my server.xml has the following:<u></u><u></u></p><p class="MsoNormal"> <u></u><u></u></p><p class="MsoNormal">&lt;extensions&gt;<br> ….<br> &lt;extension module="org.keycloak.keycloak-adapter-subsystem"/&gt;<br>&lt;/extensions&gt;<u></u><u></u></p><p class="MsoNormal">&lt;profile&gt;<br> &lt;subsystem xmlns="urn:jboss:domain:security:1.2"&gt;<br> ….<br> &lt;security-domain name="keycloak"&gt;<br> &lt;authentication&gt;<br> &lt;login-module code="org.keycloak.adapters.jboss.KeycloakLoginModule" flag="required"/&gt;<br> &lt;/authentication&gt;<br> &lt;/security-domain&gt;<br> &lt;/security-domains&gt;<br> &lt;/subsystem&gt;<br> …<br> &lt;subsystem xmlns="urn:jboss:domain:keycloak:1.1"/&gt;<br>&lt;/profile&gt;<u></u><u></u></p><p class="MsoNormal" style="text-autospace:none">MyEJB:<br><span style="font-size:10.0pt;font-family:Consolas;color:#646464">@Stateless</span><u></u><u></u></p><p class="MsoNormal" style="text-autospace:none"><span style="font-size:10.0pt;font-family:Consolas;color:#646464">@Local</span><span style="font-size:10.0pt;font-family:Consolas;color:black">(MyInt.</span><b><span style="font-size:10.0pt;font-family:Consolas;color:#7f0055">class</span></b><span style="font-size:10.0pt;font-family:Consolas;color:black">)</span><u></u><u></u></p><p class="MsoNormal" style="text-autospace:none"><span style="font-size:10.0pt;font-family:Consolas;color:#646464">@SecurityDomain</span><span 
style="font-size:10.0pt;font-family:Consolas;color:black">(</span><span style="font-size:10.0pt;font-family:Consolas;color:#2a00ff">"keycloak"</span><span style="font-size:10.0pt;font-family:Consolas;color:black">)<br></span><b><span style="font-size:10.0pt;font-family:Consolas;color:#7f0055">public</span></b><span style="font-size:10.0pt;font-family:Consolas;color:black"> </span><b><span style="font-size:10.0pt;font-family:Consolas;color:#7f0055">class</span></b><span style="font-size:10.0pt;font-family:Consolas;color:black"> MyBean </span><b><span style="font-size:10.0pt;font-family:Consolas;color:#7f0055">implements</span></b><span style="font-size:10.0pt;font-family:Consolas;color:black"> MyInt </span><u></u><u></u></p><p class="MsoNormal" style="text-autospace:none"><span style="font-size:10.0pt;font-family:Consolas;color:black"> ...</span><u></u><u></u></p><p class="MsoNormal" style="text-autospace:none"><span style="font-size:10.0pt;font-family:Consolas;color:#646464"> @PermitAll</span><u></u><u></u></p><p class="MsoNormal" style="text-autospace:none"><span style="font-size:10.0pt;font-family:Consolas;color:black"> </span><span style="font-size:10.0pt;font-family:Consolas;color:#646464">@TransactionAttribute</span><span style="font-size:10.0pt;font-family:Consolas;color:black">(TransactionAttributeType.</span><b><i><span style="font-size:10.0pt;font-family:Consolas;color:#0000c0">REQUIRES_NEW</span></i></b><span style="font-size:10.0pt;font-family:Consolas;color:black">)</span><u></u><u></u></p><p class="MsoNormal" style="text-autospace:none"><span style="font-size:10.0pt;font-family:Consolas;color:black"> </span><b><span style="font-size:10.0pt;font-family:Consolas;color:#7f0055">public</span></b><span style="font-size:10.0pt;font-family:Consolas;color:black"> boolean myMethod(...) 
</span><b><span style="font-size:10.0pt;font-family:Consolas;color:#7f0055">throws</span></b><span style="font-size:10.0pt;font-family:Consolas;color:black"> Exception {</span><u></u><u></u></p><p class="MsoNormal" style="text-autospace:none"><span style="font-size:10.0pt;font-family:Consolas;color:black"> }</span><u></u><u></u></p><p class="MsoNormal" style="text-autospace:none"><span style="font-size:10.0pt;font-family:Consolas;color:black"> </span><u></u><u></u></p><p class="MsoNormal" style="text-autospace:none"><span style="font-size:10.0pt;font-family:Consolas;color:black">At the moment I am not using jboss-ejb3.xml, as I reference the security domain in my EJB class. I added it and it did not help out.</span><u></u><u></u></p><p class="MsoNormal" style="text-autospace:none"><span style="font-size:10.0pt;font-family:Consolas;color:black"> </span><u></u><u></u></p><p class="MsoNormal" style="text-autospace:none"><span style="font-size:10.0pt;font-family:Consolas;color:black">Stacktrace:</span><u></u><u></u></p><p class="MsoNormal" style="text-autospace:none">ERROR [org.jboss.as.ejb3.invocation] (default task-13) JBAS014134: EJB Invocation failed on component MyBean for method public abstract boolean com.at.ejb.MyInt.myMethod(…) throws java.lang.Exception: javax.ejb.EJBAccessException: JBAS013323: Invalid User<u></u><u></u></p><p class="MsoNormal" style="text-autospace:none"> at org.jboss.as.ejb3.security.SecurityContextInterceptor$1.run(SecurityContextInterceptor.java:66) [wildfly-ejb3-8.0.0.Final.jar:8.0.0.Final]<u></u><u></u></p><p class="MsoNormal" style="text-autospace:none"> at org.jboss.as.ejb3.security.SecurityContextInterceptor$1.run(SecurityContextInterceptor.java:46) [wildfly-ejb3-8.0.0.Final.jar:8.0.0.Final]<u></u><u></u></p><p class="MsoNormal" style="text-autospace:none"> at org.jboss.as.ejb3.security.SecurityContextInterceptor.processInvocation(SecurityContextInterceptor.java:92) [wildfly-ejb3-8.0.0.Final.jar:8.0.0.Final]<u></u><u></u></p><p 
class="MsoNormal" style="text-autospace:none"> at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:309)<u></u><u></u></p><p class="MsoNormal" style="text-autospace:none"> at org.jboss.as.ejb3.component.interceptors.ShutDownInterceptorFactory$1.processInvocation(ShutDownInterceptorFactory.java:64) [wildfly-ejb3-8.0.0.Final.jar:8.0.0.Final]<u></u><u></u></p><p class="MsoNormal" style="text-autospace:none"> at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:309)<u></u><u></u></p><p class="MsoNormal" style="text-autospace:none"> at org.jboss.as.ejb3.component.interceptors.LoggingInterceptor.processInvocation(LoggingInterceptor.java:59) [wildfly-ejb3-8.0.0.Final.jar:8.0.0.Final]<u></u><u></u></p><p class="MsoNormal" style="text-autospace:none"> at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:309)<u></u><u></u></p><p class="MsoNormal" style="text-autospace:none"> at org.jboss.as.ee.component.NamespaceContextInterceptor.processInvocation(NamespaceContextInterceptor.java:50)<u></u><u></u></p><p class="MsoNormal" style="text-autospace:none"> at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:309)<u></u><u></u></p><p class="MsoNormal" style="text-autospace:none"> at org.jboss.as.ejb3.component.interceptors.AdditionalSetupInterceptor.processInvocation(AdditionalSetupInterceptor.java:55) [wildfly-ejb3-8.0.0.Final.jar:8.0.0.Final]<u></u><u></u></p><p class="MsoNormal" style="text-autospace:none"> at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:309)<u></u><u></u></p><p class="MsoNormal" style="text-autospace:none"> at org.jboss.invocation.ContextClassLoaderInterceptor.processInvocation(ContextClassLoaderInterceptor.java:64)<u></u><u></u></p><p class="MsoNormal" style="text-autospace:none"> at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:309)<u></u><u></u></p><p class="MsoNormal" style="text-autospace:none"> at 
org.jboss.invocation.InterceptorContext.run(InterceptorContext.java:326)<u></u><u></u></p><p class="MsoNormal" style="text-autospace:none"> at org.wildfly.security.manager.WildFlySecurityManager.doChecked(WildFlySecurityManager.java:448)<u></u><u></u></p><p class="MsoNormal" style="text-autospace:none"> at org.jboss.invocation.AccessCheckingInterceptor.processInvocation(AccessCheckingInterceptor.java:61)<u></u><u></u></p><p class="MsoNormal" style="text-autospace:none"> at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:309)<u></u><u></u></p><p class="MsoNormal" style="text-autospace:none"> at org.jboss.invocation.InterceptorContext.run(InterceptorContext.java:326)<u></u><u></u></p><p class="MsoNormal" style="text-autospace:none"> at org.jboss.invocation.PrivilegedWithCombinerInterceptor.processInvocation(PrivilegedWithCombinerInterceptor.java:80)<u></u><u></u></p><p class="MsoNormal" style="text-autospace:none"> at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:309)<u></u><u></u></p><p class="MsoNormal" style="text-autospace:none"> at org.jboss.invocation.ChainedInterceptor.processInvocation(ChainedInterceptor.java:61)<u></u><u></u></p><p class="MsoNormal" style="text-autospace:none"> at org.jboss.as.ee.component.ViewService$View.invoke(ViewService.java:185)<u></u><u></u></p><p class="MsoNormal" style="text-autospace:none"> at org.jboss.as.ee.component.ViewDescription$1.processInvocation(ViewDescription.java:182)<u></u><u></u></p><p class="MsoNormal" style="text-autospace:none"> at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:309)<u></u><u></u></p><p class="MsoNormal">Is there something I am missing from the documentation? Any thoughts how to resolve this issue?<u></u><u></u></p></div></div></blockquote><div><p class="MsoNormal"><u></u> <u></u></p></div><div><p class="MsoNormal">Is there a bearer token sent with the request that invokes the EJB? If so try with 1.9.1. 
Could be <a href="https://issues.jboss.org/browse/KEYCLOAK-2518" target="_blank">https://issues.jboss.org/browse/KEYCLOAK-2518</a> fixes this.<u></u><u></u></p></div><div><p class="MsoNormal"> <u></u><u></u></p></div><blockquote style="border:none;border-left:solid #cccccc 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in"><div><div><p class="MsoNormal"><b>Problem 2: Unable to log out a user from keycloak administration console:</b><u></u><u></u></p><p class="MsoNormal">After I click “Logout” on the administration console in Keycloak, I see the following error on the keycloak server:<u></u><u></u></p><p class="MsoNormal">ERROR [io.undertow.request] (default task-26) UT005023: Exception handling request to /auth/admin/realms/affordabletours/sessions/f1e69f90-03fc-453d-a495-225bb0c429ab: org.jboss.resteasy.spi.UnhandledException: java.lang.NoSuchMethodError: org.apache.http.impl.client.HttpClientBuilder.setConnectionTimeToLive(JLjava/util/concurrent/TimeUnit;)Lorg/apache/http/impl/client/HttpClientBuilder;<br> at org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:76)<u></u><u></u></p></div></div></blockquote><div><p class="MsoNormal"><u></u> <u></u></p></div><div><p class="MsoNormal">Are you using the standalone Keycloak server? Looking at javadocs for httpclient setConnectionTimeToLive was added in 4.4. 
WildFly 10 uses httpclient 4.5, so looks like for some reason you have an old version of httpclient.<u></u><u></u></p></div><div><p class="MsoNormal"> <u></u><u></u></p></div><blockquote style="border:none;border-left:solid #cccccc 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in"><p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Verdana",sans-serif"><br>Best regards,<br><br></span><br>_______________________________________________<br>keycloak-user mailing list<br><a href="mailto:keycloak-user@lists.jboss.org" target="_blank">keycloak-user@lists.jboss.org</a><br><a href="https://lists.jboss.org/mailman/listinfo/keycloak-user" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-user</a><u></u><u></u></p></blockquote></div><div><div><p class="MsoNormal"><u></u> <u></u></p></div></div></div></div></blockquote></div>
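<p>As an added example (not part of the thread), this shell function lists every httpclient jar under a directory and marks those older than 4.4, the version the reply to Problem 2 says introduced <code>setConnectionTimeToLive</code>. It assumes jars keep the usual <code>httpclient-&lt;version&gt;.jar</code> file name; the function names and the sample directory layout are constructed for illustration.</p>

```sh
#!/bin/sh
# Added example, not from the thread: flag httpclient jars older than 4.4,
# the release in which (per the reply above) setConnectionTimeToLive appeared.
# Assumption: jars keep the usual name httpclient-<major>.<minor>[...].jar;
# the file name is only a hint about the version actually packaged inside.
MIN_MAJOR=4
MIN_MINOR=4

# Print "OLD <version> <path>" or "OK <version> <path>" for each jar under $1.
scan_httpclient() {
    find "$1" -type f -name 'httpclient-[0-9]*.jar' | sort |
    while IFS= read -r jar; do
        ver=${jar##*/}; ver=${ver#httpclient-}; ver=${ver%.jar}
        major=${ver%%.*}
        case $ver in
            *.*) minor=${ver#*.}; minor=${minor%%[!0-9]*} ;;
            *)   minor=0 ;;
        esac
        case $major in ''|*[!0-9]*) continue ;; esac   # unparsable name
        [ -n "$minor" ] || minor=0
        if [ "$major" -lt "$MIN_MAJOR" ] ||
           { [ "$major" -eq "$MIN_MAJOR" ] && [ "$minor" -lt "$MIN_MINOR" ]; }; then
            echo "OLD $ver $jar"
        else
            echo "OK $ver $jar"
        fi
    done
}

# Constructed sample layout: empty files, only the names matter.
make_sample_tree() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/modules/org/apache/httpcomponents/main" "$d/app.ear/lib"
    : > "$d/modules/org/apache/httpcomponents/main/httpclient-4.5.jar"
    : > "$d/app.ear/lib/httpclient-4.3.6.jar"
    : > "$d/app.ear/lib/httpclient-cache-4.3.6.jar"   # other artifact, skipped
    echo "$d"
}

# Scan the directory given as $1, or the constructed sample when run bare.
if [ "$#" -gt 0 ]; then
    scan_httpclient "$1"
else
    sample=$(make_sample_tree) || exit 1
    scan_httpclient "$sample"
    rm -rf "$sample"
fi
```

<p>Point it at the server's module directory and at any unpacked deployment; an <code>OLD</code> line is a candidate for the stale copy the reply suspects.</p>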