Keycloak upgrade from 1.6.1-Final to 1.9.0-Final clustering does not work
by Thomas Barcia
I've upgraded from 1.6.1-Final to 1.9.0-Final per the documentation and no matter what I try, the two instances will not connect via infinispan. I noticed the following discrepancy between the docs and the files created during the upgrade:
The documentation says:
    "connectionsInfinispan": {
        "default" : {
            "cacheContainer" : "java:jboss/infinispan/Keycloak"
        }
    }
However the keycloak-server.json created during install:
    "connectionsInfinispan": {
        "provider": "locking",
        "locking": {
            "cacheContainer" : "java:comp/env/infinispan/Keycloak"
        }
    }
I'm not sure which is the correct syntax for the file and I'm starting keycloak using the following:
{KeycloakHome}/bin/standalone.sh -server-config=standalone-ha.xml -b=<external facing IP address>
There are no firewalls between the servers. The internal addresses are on the same subnet and the external addresses are on the same subnet. Firewalld is disabled and iptables is disabled. If I start the 1.6.1-Final versions, they complain (presumably about the database schema changes) but infinispan connects.
Any help would be greatly appreciated.
8 years, 10 months
"Random" error when using https
by Kevin Hirschmann
Hello,
Sometimes I get the following error. I can't find a reason why this happens.
Do you have any idea what might be causing this?
Thank you.
2016-03-09 14:27:19,438 ERROR [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-43) failed to turn code into token: java.net.SocketException: Connection reset
    at java.net.SocketInputStream.read(SocketInputStream.java:209)
    at java.net.SocketInputStream.read(SocketInputStream.java:141)
    at sun.security.ssl.InputRecord.readFully(InputRecord.java:465)
    at sun.security.ssl.InputRecord.read(InputRecord.java:503)
    at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:961)
    at sun.security.ssl.SSLSocketImpl.readDataRecord(SSLSocketImpl.java:918)
    at sun.security.ssl.AppInputStream.read(AppInputStream.java:105)
    at org.apache.http.impl.io.AbstractSessionInputBuffer.fillBuffer(AbstractSessionInputBuffer.java:160)
    at org.apache.http.impl.io.SocketInputBuffer.fillBuffer(SocketInputBuffer.java:84)
    at org.apache.http.impl.io.AbstractSessionInputBuffer.readLine(AbstractSessionInputBuffer.java:273)
    at org.apache.http.impl.conn.DefaultHttpResponseParser.parseHead(DefaultHttpResponseParser.java:140)
    at org.apache.http.impl.conn.DefaultHttpResponseParser.parseHead(DefaultHttpResponseParser.java:57)
    at org.apache.http.impl.io.AbstractMessageParser.parse(AbstractMessageParser.java:260)
    at org.apache.http.impl.AbstractHttpClientConnection.receiveResponseHeader(AbstractHttpClientConnection.java:283)
    at org.apache.http.impl.conn.DefaultClientConnection.receiveResponseHeader(DefaultClientConnection.java:251)
    at org.apache.http.impl.conn.AbstractClientConnAdapter.receiveResponseHeader(AbstractClientConnAdapter.java:223)
    at org.apache.http.protocol.HttpRequestExecutor.doReceiveResponse(HttpRequestExecutor.java:271)
    at org.apache.http.protocol.HttpRequestExecutor.execute(HttpRequestExecutor.java:123)
    at org.apache.http.impl.client.DefaultRequestDirector.tryExecute(DefaultRequestDirector.java:685)
    at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:487)
    at org.apache.http.impl.client.AbstractHttpClient.doExecute(AbstractHttpClient.java:863)
    at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82)
    at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:106)
    at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:57)
    at org.keycloak.adapters.ServerRequest.invokeAccessCodeToToken(ServerRequest.java:90)
    at org.keycloak.adapters.OAuthRequestAuthenticator.resolveCode(OAuthRequestAuthenticator.java:320)
    at org.keycloak.adapters.OAuthRequestAuthenticator.authenticate(OAuthRequestAuthenticator.java:263)
    at org.keycloak.adapters.RequestAuthenticator.authenticate(RequestAuthenticator.java:95)
    at org.keycloak.adapters.undertow.AbstractUndertowKeycloakAuthMech.keycloakAuthenticate(AbstractUndertowKeycloakAuthMech.java:110)
    at org.keycloak.adapters.undertow.ServletKeycloakAuthMech.authenticate(ServletKeycloakAuthMech.java:92)
    at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(SecurityContextImpl.java:339)
    at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(SecurityContextImpl.java:356)
    at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.access$100(SecurityContextImpl.java:325)
    at io.undertow.security.impl.SecurityContextImpl.attemptAuthentication(SecurityContextImpl.java:138)
    at io.undertow.security.impl.SecurityContextImpl.authTransition(SecurityContextImpl.java:113)
    at io.undertow.security.impl.SecurityContextImpl.authenticate(SecurityContextImpl.java:106)
    at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:55)
    at io.undertow.server.handlers.DisableCacheHandler.handleRequest(DisableCacheHandler.java:33)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.security.handlers.AuthenticationConstraintHandler.handleRequest(AuthenticationConstraintHandler.java:51)
    at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
    at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
    at io.undertow.servlet.handlers.security.ServletSecurityConstraintHandler.handleRequest(ServletSecurityConstraintHandler.java:56)
    at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:58)
    at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:72)
    at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
    at io.undertow.security.handlers.SecurityInitialHandler.handleRequest(SecurityInitialHandler.java:76)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at org.keycloak.adapters.undertow.ServletPreAuthActionsHandler.handleRequest(ServletPreAuthActionsHandler.java:69)
Kind regards
Kevin Hirschmann
HUEBINET Informationsmanagement GmbH & Co. KG
8 years, 10 months
Design concerns on automated Keycloak Client addition to a realm
by Orestis Tsakiridis
Hello,
I'm trying to design a keycloak-based system that will have the following
characteristics:
* A single realm R will exist with a big set of users.
* Users will be able to install instances of software X that consists of
four (4) applications protected by keycloak.
* Each application in any instance of X will have a corresponding Keycloak
Client entity containing a set of application-level roles. Thus, having the
appropriate role, a user of R can selectively be granted access to any
application of any instance of X.
* The addition of a new instance of X to the keycloak realm (the creation
of the Clients, client roles etc.) is called 'registration' and will be
done using the Keycloak Admin REST API.
What's the best practice to achieve automatic registration of a new
instance to the realm?
I've considered the following:
a. Have the instance applications *directly* consume keycloak Admin REST
API and create Clients and Client roles. As far as I investigated users of
the instance will need to have a R:realm-management:manage-clients role in
order to do that (create-client didn't work). This seems a pretty
permissive role to give to any user in R.
b. Have a separate keycloak-protected application that won't be part of X
to do the important work of 'registration'. It will work as a proxy. The
application will act on behalf of an administrator user with a powerful
role like R:realm-management:realm-admin. The application will define its
own set of roles and HTTP API for instance registration. All users will
have to go through it to register their instance. It will work as a proxy.
But they won't need to be granted dangerous roles to do it.
Any suggestion will be more than welcome.
Thanks
Orestis
8 years, 10 months
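A sketch of option (b) from the post above, as an added example that is not from the original post or from Keycloak: the proxy authorizes the caller with its own role and derives every Admin REST call itself, so callers supply only an instance id and a base URL. The application names, role names, the `register-instance` role and the id pattern are assumptions; the code only builds the planned requests and sends nothing.

```python
"""Option (b) sketch: a registration proxy that derives every Admin REST call."""
import re
from urllib.parse import urlsplit

REALM = "R"                                  # realm name used in the post
APPS = ("app1", "app2", "app3", "app4")      # hypothetical names for X's four applications
APP_ROLES = ("user", "admin")                # hypothetical application-level roles
PROXY_ROLE = "register-instance"             # hypothetical role defined by the proxy
INSTANCE_ID = re.compile(r"[a-z0-9][a-z0-9-]{2,30}")  # assumed naming rule


class Denied(Exception):
    """The caller is not allowed to perform this registration."""


def validated_origin(base_url):
    """Accept only a bare https origin; reject wildcards, userinfo, paths."""
    parts = urlsplit(base_url)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError("base URL must be an https origin")
    if parts.username or "*" in parts.netloc:
        raise ValueError("userinfo and wildcards are not accepted")
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        raise ValueError("base URL must not carry a path, query or fragment")
    return f"https://{parts.netloc}"


def plan_registration(caller_roles, instance_id, base_url, registered=()):
    """Return the Admin REST calls the proxy would make with its own credentials.

    The caller supplies only an instance id and a base URL. Client ids, roles
    and redirect URIs are derived here, so a caller cannot request arbitrary
    client settings or touch clients outside its own instance prefix.
    """
    if PROXY_ROLE not in caller_roles:
        raise Denied(f"caller lacks the {PROXY_ROLE} role")
    if not INSTANCE_ID.fullmatch(instance_id):
        raise ValueError("invalid instance id")
    if instance_id in registered:
        raise Denied("instance already registered")
    origin = validated_origin(base_url)

    calls = []
    for app in APPS:
        client_id = f"{instance_id}-{app}"
        calls.append({
            "method": "POST",
            "path": f"/admin/realms/{REALM}/clients",
            "body": {
                "clientId": client_id,
                "enabled": True,
                "redirectUris": [f"{origin}/{app}/*"],
            },
        })
        for role in APP_ROLES:
            calls.append({
                "method": "POST",
                # {id} is the internal id Keycloak assigns when the client
                # is created; the proxy fills it in from the create response.
                "path": f"/admin/realms/{REALM}/clients/{{id}}/roles",
                "for_client": client_id,
                "body": {"name": role},
            })
    return calls


if __name__ == "__main__":
    # Constructed request: a user holding only the proxy's own role.
    for call in plan_registration({PROXY_ROLE}, "acme-01", "https://x.example.com"):
        print(call["method"], call["path"], call["body"])
```

With this shape the powerful realm-management role stays with the proxy's own account, and what a user of R can cause is bounded by the validation in `plan_registration`.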
Assign Role Fails Just After Creating the Role
by Malmi Samarasinghe
Hi Everyone,
In my application we create, retrieve and assign a role subsequently, and it
seems that even for a small load (2-3 threads) with the realm cache enabled
option, the assign realm role call fails due to a role does not exist error and a 404 is
returned from keycloak.
With the realm cache disabled option the load works fine.
Please get back to me if you have any information on any other option we
can follow to get this issue sorted or on what action the realm cache will
be persisted to DB.
Regards,
Malmi
8 years, 10 months
Custom User Info URL for an OpenID Connect endpoint
by Eugene Chow
Hi guys,
I need to make Keycloak authenticate against a custom-built OpenID endpoint that’s not under my control. Keycloak authenticates flawlessly. The “but” here is that the endpoint doesn’t implement a standard User Info endpoint, so Keycloak isn’t able to grab the user’s profile. Getting the user’s profile is a 2-step process.
1) Get the UID of the user from the standard User Info endpoint: https://custom.openid.io/openid/connect/v1/userinfo
2) Use the UID from Step 1 to obtain the real User Info from here: https://custom.openid.io/realuserinfo/v1/users
To make this happen, I have a feeling that I have to roll out my own identity provider and probably write a plugin using the Auth SPI. Could you please guide me in the right direction?
Thanks in advance!
8 years, 10 months
JSESSIONID is not set with the Secure nor HttpOnly flag
by Jason Axley
Bringing this discussion from an open JIRA to the mailing list to have an open discussion about the issue. Stian can join in to make sure his viewpoint is represented here. I’ll try to summarize the discussion.
The Keycloak admin and account client applications do not currently use the Keycloak adapters for authentication/authorization interception. They currently write their own set of Keycloak cookies to manage the user’s security session. These applications do not have any dependency on the J2EE session.
However, if applications make use of the Keycloak adapters as authentication/authorization interceptors, those are currently written to not write separate Keycloak security session cookies – they just repurpose the J2EE session (JSESSIONID). However, the adapters don’t do any security configuration or checking or warning that the underlying J2EE session has not been configured to be a Secure and HttpOnly cookie, meaning that Keycloak adapters are all insecure by default. A design decision was made to say that security of that cookie is out of scope for the adapters. There is a general concern about where the adapters should draw the line between Keycloak security checking responsibility and the application it is protecting.
I think there is a line that’s easy to draw – if Keycloak is using something for its needs that it depends on being secure, then it has a responsibility to ensure that facility is configured securely. If Keycloak was to write its own session ID cookie and not enforce Secure and HttpOnly cookies, it would be clear that Keycloak would be negligible in not securing the application to basic web application standards. I don’t think that a decision to use the J2EE session absolves Keycloak from its security responsibilities. There’s a saying that you can outsource the technology but you can’t outsource the risk.
I think especially as a security application, Keycloak has a duty to do the right thing from a web app security perspective and ensure it is implementing all of the typical OWASP top 10 and beyond security controls in the code it produces and depends on. Cookie security is a basic building block for a secure web application.
There was a proposal to try to rely on the Documentation to warn anyone using the adapters that they are essentially responsible for doing all of the web application security configuration of the J2EE session, HTTPS, etc. However, time and time again, it has shown that Documentation just doesn’t make up for the lack of secure defaults when you measure the rate of compliance in the real world. Security is one of those orthogonal things where the system can “work” but be completely insecure and operators and developers can be completely unaware of this until a pen tester or attacker shows them they have not changed the insecure default settings.
My proposal is that Keycloak application (including adapters) should have a secure design philosophy of being secure-by-default and require explicit overrides to disable the secure defaults. This will ensure that the system will be robust unless someone makes conscious choices to degrade the security.
Thoughts?
-Jason
Jason Axley
Sr. Security Engineer, Expedia Worldwide Engineering Team
8 years, 10 months
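One way to check a deployment for the gap discussed in the post above, as an added example that is not part of the original post or of Keycloak's code: it audits `Set-Cookie` response headers for a session cookie missing `Secure` or `HttpOnly`, and fails unless each gap is explicitly overridden. The sample headers are constructed, and the set of cookie names treated as session cookies is an assumption.

```python
"""Audit Set-Cookie headers for session cookies missing Secure / HttpOnly."""
from dataclasses import dataclass

REQUIRED_FLAGS = ("secure", "httponly")
# Assumption: cookie names treated as session identifiers in this audit.
SESSION_COOKIES = {"jsessionid"}


@dataclass(frozen=True)
class Finding:
    cookie: str
    missing: tuple  # required flags absent from the Set-Cookie header


class InsecureSessionCookie(Exception):
    """Raised when a session cookie lacks a required flag with no override."""


def parse_set_cookie(value):
    """Split one Set-Cookie header value into (name, attributes).

    Attribute names are case-insensitive (RFC 6265), so they are lowercased;
    flag attributes such as Secure map to True.
    """
    first, *rest = [part.strip() for part in value.split(";")]
    name, sep, _ = first.partition("=")
    if not sep or not name.strip():
        raise ValueError(f"not a cookie pair: {first!r}")
    attrs = {}
    for part in rest:
        if part:
            key, has_value, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip() if has_value else True
    return name.strip(), attrs


def audit_headers(headers):
    """Return a Finding for each session cookie set without a required flag.

    `headers` is a list of (name, value) pairs, since a response may carry
    several Set-Cookie headers.
    """
    findings = []
    for header, value in headers:
        if header.lower() != "set-cookie":
            continue
        name, attrs = parse_set_cookie(value)
        if name.lower() not in SESSION_COOKIES:
            continue
        missing = tuple(f for f in REQUIRED_FLAGS if f not in attrs)
        if missing:
            findings.append(Finding(name, missing))
    return findings


def enforce(headers, allow_missing=()):
    """Secure-by-default gate: fail unless each gap is explicitly allowed.

    `allow_missing` is the conscious override, e.g. ("secure",) for a
    plain-HTTP development setup.
    """
    allowed = {flag.lower() for flag in allow_missing}
    remaining = [
        Finding(f.cookie, tuple(m for m in f.missing if m not in allowed))
        for f in audit_headers(headers)
    ]
    remaining = [f for f in remaining if f.missing]
    if remaining:
        raise InsecureSessionCookie(remaining)
    return True


# Constructed sample responses (not captured from a real server).
DEFAULT_RESPONSE = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "JSESSIONID=abc123.node1; path=/app"),
]
HARDENED_RESPONSE = [
    ("set-cookie", "JSESSIONID=abc123.node1; Path=/app; Secure; HttpOnly"),
    ("Set-Cookie", "theme=dark; Path=/"),
]

if __name__ == "__main__":
    print(audit_headers(DEFAULT_RESPONSE))
    print(audit_headers(HARDENED_RESPONSE))
```

In a Servlet 3.0 or later container, the application-side setting that makes the audit pass is `<cookie-config>` with `<http-only>true</http-only>` and `<secure>true</secure>` under `<session-config>` in `web.xml`.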
db deadlock in concurrence environment
by alex orl
Hi,
I wrote my custom federation provider. All the synchronize operations (roles and user-roles) are done inside the getUserByUsername and the isValid method. This way every time a user or a new user logs in to my system, all the roles and role-mapping are kept up to date. All seems to work well with one user, but now I'm experiencing a lot of exceptions in a concurrent environment. These are the tests I'm launching:
1) 20 concurrent threads, each of which tries to login, to send a REST request (to backend) and finally to logout. All 20 threads login with the same test username.
2) 200 concurrent threads, doing the same as at the previous point, with 20 different usernames.
Every time each federation provider instance tries to synchronize all realm roles...adding or removing roles in concurrence, I catch this error:
16:10:08,228 ERROR [io.undertow.request] (default task-96) UT005023: Exception handling request to /auth/realms/MyRealm/protocol/openid-connect/token: java.lang.RuntimeException: request path: /auth/realms/MyRealm/protocol/openid-connect/token
    at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:75)
    at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
    at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:132)
    at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:85)
    at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
    at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
    at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
    at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
    at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
    at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:58)
    at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:72)
    at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
    at io.undertow.security.handlers.SecurityInitialHandler.handleRequest(SecurityInitialHandler.java:76)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:282)
    at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:261)
    at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:80)
    at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:172)
    at io.undertow.server.Connectors.executeRootHandler(Connectors.java:199)
    at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:774)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    at java.lang.Thread.run(Thread.java:745)
Caused by: org.jboss.resteasy.spi.UnhandledException: javax.persistence.PersistenceException: org.hibernate.exception.GenericJDBCException: Could not open connection
    at org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:76)
    at org.jboss.resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java:212)
    at org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:149)
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:372)
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:179)
    at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:220)
    at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
    at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
    at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:86)
    at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:130)
    at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:61)
    ... 29 more
Caused by: javax.persistence.PersistenceException: org.hibernate.exception.GenericJDBCException: Could not open connection
    at org.hibernate.jpa.spi.AbstractEntityManagerImpl.convert(AbstractEntityManagerImpl.java:1763)
    at org.hibernate.jpa.spi.AbstractEntityManagerImpl.convert(AbstractEntityManagerImpl.java:1677)
    at org.hibernate.jpa.spi.AbstractEntityManagerImpl.throwPersistenceException(AbstractEntityManagerImpl.java:1771)
    at org.hibernate.jpa.internal.TransactionImpl.begin(TransactionImpl.java:64)
    at org.keycloak.connections.jpa.JpaKeycloakTransaction.begin(JpaKeycloakTransaction.java:22)
    at org.keycloak.services.DefaultKeycloakTransactionManager.enlist(DefaultKeycloakTransactionManager.java:25)
    at org.keycloak.connections.jpa.DefaultJpaConnectionProviderFactory.create(DefaultJpaConnectionProviderFactory.java:46)
    at org.keycloak.connections.jpa.DefaultJpaConnectionProviderFactory.create(DefaultJpaConnectionProviderFactory.java:30)
    at org.keycloak.services.DefaultKeycloakSession.getProvider(DefaultKeycloakSession.java:103)
    at org.keycloak.models.jpa.JpaUserProviderFactory.create(JpaUserProviderFactory.java:34)
    at org.keycloak.models.jpa.JpaUserProviderFactory.create(JpaUserProviderFactory.java:16)
    at org.keycloak.services.DefaultKeycloakSession.getProvider(DefaultKeycloakSession.java:103)
    at org.keycloak.models.cache.infinispan.DefaultCacheUserProvider.getDelegate(DefaultCacheUserProvider.java:50)
    at org.keycloak.models.cache.infinispan.DefaultCacheUserProvider.getUserByUsername(DefaultCacheUserProvider.java:147)
    at org.keycloak.models.UserFederationManager.getUserByUsername(UserFederationManager.java:180)
    at org.keycloak.models.utils.KeycloakModelUtils.findUserByNameOrEmail(KeycloakModelUtils.java:246)
    at org.keycloak.authentication.authenticators.directgrant.ValidateUsername.authenticate(ValidateUsername.java:47)
    at org.keycloak.authentication.DefaultAuthenticationFlow.processFlow(DefaultAuthenticationFlow.java:155)
    at org.keycloak.authentication.AuthenticationProcessor.authenticateOnly(AuthenticationProcessor.java:776)
    at org.keycloak.protocol.oidc.endpoints.TokenEndpoint.buildResourceOwnerPasswordCredentialsGrant(TokenEndpoint.java:369)
    at org.keycloak.protocol.oidc.endpoints.TokenEndpoint.build(TokenEndpoint.java:110)
    at sun.reflect.GeneratedMethodAccessor279.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:497)
    at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:137)
    at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:296)
    at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:250)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:140)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:109)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:135)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:103)
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:356)
    ... 37 more
Caused by: org.hibernate.exception.GenericJDBCException: Could not open connection
    at org.hibernate.exception.internal.StandardSQLExceptionConverter.convert(StandardSQLExceptionConverter.java:54)
    at org.hibernate.engine.jdbc.spi.SqlExceptionHelper.convert(SqlExceptionHelper.java:126)
    at org.hibernate.engine.jdbc.spi.SqlExceptionHelper.convert(SqlExceptionHelper.java:112)
    at org.hibernate.engine.jdbc.internal.LogicalConnectionImpl.obtainConnection(LogicalConnectionImpl.java:235)
    at org.hibernate.engine.jdbc.internal.LogicalConnectionImpl.getConnection(LogicalConnectionImpl.java:171)
    at org.hibernate.engine.transaction.internal.jdbc.JdbcTransaction.doBegin(JdbcTransaction.java:67)
    at org.hibernate.engine.transaction.spi.AbstractTransactionImpl.begin(AbstractTransactionImpl.java:162)
    at org.hibernate.internal.SessionImpl.beginTransaction(SessionImpl.java:1471)
    at org.hibernate.jpa.internal.TransactionImpl.begin(TransactionImpl.java:61)
    ... 65 more
Caused by: java.sql.SQLException: javax.resource.ResourceException: IJ000453: Unable to get managed connection for java:jboss/datasources/KeycloakOracleDS
    at org.jboss.jca.adapters.jdbc.WrapperDataSource.getConnection(WrapperDataSource.java:146)
    at org.jboss.as.connector.subsystems.datasources.WildFlyDataSource.getConnection(WildFlyDataSource.java:67)
    at org.hibernate.engine.jdbc.connections.internal.DatasourceConnectionProviderImpl.getConnection(DatasourceConnectionProviderImpl.java:139)
    at org.hibernate.internal.AbstractSessionImpl$NonContextualJdbcConnectionAccess.obtainConnection(AbstractSessionImpl.java:380)
    at org.hibernate.engine.jdbc.internal.LogicalConnectionImpl.obtainConnection(LogicalConnectionImpl.java:228)
    ... 70 more
Caused by: javax.resource.ResourceException: IJ000453: Unable to get managed connection for java:jboss/datasources/KeycloakOracleDS
    at org.jboss.jca.core.connectionmanager.AbstractConnectionManager.getManagedConnection(AbstractConnectionManager.java:646)
    at org.jboss.jca.core.connectionmanager.tx.TxConnectionManagerImpl.getManagedConnection(TxConnectionManagerImpl.java:430)
    at org.jboss.jca.core.connectionmanager.AbstractConnectionManager.allocateConnection(AbstractConnectionManager.java:737)
    at org.jboss.jca.adapters.jdbc.WrapperDataSource.getConnection(WrapperDataSource.java:138)
    ... 74 more
Caused by: javax.resource.ResourceException: IJ000655: No managed connections available within configured blocking timeout (30000 [ms])
    at org.jboss.jca.core.connectionmanager.pool.mcp.SemaphoreArrayListManagedConnectionPool.getConnection(SemaphoreArrayListManagedConnectionPool.java:569)
    at org.jboss.jca.core.connectionmanager.pool.AbstractPool.getSimpleConnection(AbstractPool.java:627)
    at org.jboss.jca.core.connectionmanager.pool.AbstractPool.getConnection(AbstractPool.java:599)
    at org.jboss.jca.core.connectionmanager.AbstractConnectionManager.getManagedConnection(AbstractConnectionManager.java:579)
    ... 77 more
16:10:08,260 ERROR [stderr] (default task-41) javax.persistence.PersistenceException: org.hibernate.exception.GenericJDBCException: Could not open connection
16:10:08,333 ERROR [stderr] (default task-41) at org.hibernate.jpa.spi.AbstractEntityManagerImpl.convert(AbstractEntityManagerImpl.java:1763)
16:10:08,333 ERROR [stderr] (default task-41) at org.hibernate.jpa.spi.AbstractEntityManagerImpl.convert(AbstractEntityManagerImpl.java:1677)
What's the solution to correctly handle a concurrent environment? What am I doing wrong? Is there a way to make synchronized keycloak jpa transactions? Thanks
8 years, 10 months