javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
by KASALA Štefan
Hello all,
We have the keycloak-2.1.0.Final server and the keycloak-as7-adapter-2.1.0 adapter installed. We are trying to configure an https proxy / lb for the keycloak server. I am getting the following error from the keycloak adapter after a successful sign-in to the keycloak server. Here is the keycloak adapter log part:
2016-09-22 10:45:50,643 DEBUG [org.keycloak.adapters.PreAuthActionsHandler] (http-/0.0.0.0:8080-1) adminRequest https://lbbams.intra.dcom.sk/rtgov-ui/
2016-09-22 10:45:50,643 TRACE [org.keycloak.adapters.RequestAuthenticator] (http-/0.0.0.0:8080-1) --> authenticate()
2016-09-22 10:45:50,644 TRACE [org.keycloak.adapters.RequestAuthenticator] (http-/0.0.0.0:8080-1) try bearer
2016-09-22 10:45:50,644 TRACE [org.keycloak.adapters.RequestAuthenticator] (http-/0.0.0.0:8080-1) try query paramter auth
2016-09-22 10:45:50,644 TRACE [org.keycloak.adapters.RequestAuthenticator] (http-/0.0.0.0:8080-1) try oauth
2016-09-22 10:45:50,644 DEBUG [org.keycloak.adapters.OAuthRequestAuthenticator] (http-/0.0.0.0:8080-1) there was no code
2016-09-22 10:45:50,644 DEBUG [org.keycloak.adapters.OAuthRequestAuthenticator] (http-/0.0.0.0:8080-1) redirecting to auth server
2016-09-22 10:45:50,644 DEBUG [org.keycloak.adapters.OAuthRequestAuthenticator] (http-/0.0.0.0:8080-1) callback uri: https://lbbams.intra.dcom.sk/rtgov-ui/
2016-09-22 10:45:50,645 DEBUG [org.keycloak.adapters.OAuthRequestAuthenticator] (http-/0.0.0.0:8080-1) Sending redirect to login page: https://lbbams.intra.dcom.sk/auth/realms/governance/protocol/openid-conne...
ient_id=rtgov-ui&redirect_uri=https%3A%2F%2Flbbams.intra.dcom.sk%2Frtgov-ui%2F&state=2%2F0e9cc85b-42eb-42c5-812b-0e47e9ce8cb5&login=true&scope=openid
2016-09-22 10:45:50,663 DEBUG [org.keycloak.adapters.PreAuthActionsHandler] (http-/0.0.0.0:8080-1) adminRequest https://lbbams.intra.dcom.sk/rtgov-ui/?state=2%2F0e9cc85b-42eb-42c5-812b-...
UprOc-2L8.eece03c6-f354-49b6-9742-8a41b40ad19a
2016-09-22 10:45:50,663 TRACE [org.keycloak.adapters.RequestAuthenticator] (http-/0.0.0.0:8080-1) --> authenticate()
2016-09-22 10:45:50,664 TRACE [org.keycloak.adapters.RequestAuthenticator] (http-/0.0.0.0:8080-1) try bearer
2016-09-22 10:45:50,664 TRACE [org.keycloak.adapters.RequestAuthenticator] (http-/0.0.0.0:8080-1) try query paramter auth
2016-09-22 10:45:50,664 TRACE [org.keycloak.adapters.RequestAuthenticator] (http-/0.0.0.0:8080-1) try oauth
2016-09-22 10:45:50,664 DEBUG [org.keycloak.adapters.OAuthRequestAuthenticator] (http-/0.0.0.0:8080-1) there was a code, resolving
2016-09-22 10:45:50,664 DEBUG [org.keycloak.adapters.OAuthRequestAuthenticator] (http-/0.0.0.0:8080-1) checking state cookie for after code
2016-09-22 10:45:50,664 DEBUG [org.keycloak.adapters.OAuthRequestAuthenticator] (http-/0.0.0.0:8080-1) ** reseting application state cookie
2016-09-22 10:45:50,668 ERROR [org.keycloak.adapters.OAuthRequestAuthenticator] (http-/0.0.0.0:8080-1) failed to turn code into token: javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
at sun.security.ssl.SSLSessionImpl.getPeerCertificates(SSLSessionImpl.java:397) [jsse.jar:1.7.0_67]
at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:128) [httpclient-4.2.1-redhat-1.jar:4.2.1-redhat-1]
at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:572) [httpclient-4.2.1-redhat-1.jar:4.2.1-redhat-1]
at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:180) [httpclient-4.2.1-redhat-1.jar:4.2.1-redhat-1]
at org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:151) [httpclient-4.2.1-redhat-1.jar:4.2.1-redhat-1]
at org.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:125) [httpclient-4.2.1-redhat-1.jar:4.2.1-redhat-1]
at org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:640) [httpclient-4.2.1-redhat-1.jar:4.2.1-redhat-1]
at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:479) [httpclient-4.2.1-redhat-1.jar:4.2.1-redhat-1]
at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:906) [httpclient-4.2.1-redhat-1.jar:4.2.1-redhat-1]
at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:805) [httpclient-4.2.1-redhat-1.jar:4.2.1-redhat-1]
at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:784) [httpclient-4.2.1-redhat-1.jar:4.2.1-redhat-1]
at org.keycloak.adapters.ServerRequest.invokeAccessCodeToToken(ServerRequest.java:107) [keycloak-adapter-core-2.1.0.Final.jar:2.1.0.Final]
at org.keycloak.adapters.OAuthRequestAuthenticator.resolveCode(OAuthRequestAuthenticator.java:327) [keycloak-adapter-core-2.1.0.Final.jar:2.1.0.Final]
at org.keycloak.adapters.OAuthRequestAuthenticator.authenticate(OAuthRequestAuthenticator.java:273) [keycloak-adapter-core-2.1.0.Final.jar:2.1.0.Final]
at org.keycloak.adapters.RequestAuthenticator.authenticate(RequestAuthenticator.java:130) [keycloak-adapter-core-2.1.0.Final.jar:2.1.0.Final]
at org.keycloak.adapters.tomcat.AbstractKeycloakAuthenticatorValve.authenticateInternal(AbstractKeycloakAuthenticatorValve.java:206) [keycloak-tomcat-core-adapter-2.1.0.Final.jar:2.1.0.Final]
at org.keycloak.adapters.jbossweb.KeycloakAuthenticatorValve.authenticate(KeycloakAuthenticatorValve.java:43) [keycloak-as7-adapter-2.1.0.Final.jar:2.1.0.Final]
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:478) [jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4]
at org.keycloak.adapters.tomcat.AbstractKeycloakAuthenticatorValve.invoke(AbstractKeycloakAuthenticatorValve.java:187) [keycloak-tomcat-core-adapter-2.1.0.Final.jar:2.1.0.Final]
at org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:169) [jboss-as-web-7.4.0.Final-redhat-19.jar:7.4.0.Final-redhat-19]
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:145) [jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4]
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:97) [jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4]
at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:559) [jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4]
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:102) [jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4]
at org.apache.catalina.valves.RemoteIpValve.invoke(RemoteIpValve.java:621) [jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4]
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:344) [jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4]
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:856) [jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4]
at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:653) [jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4]
at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:926) [jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4]
at java.lang.Thread.run(Thread.java:745) [rt.jar:1.7.0_67]
Our keycloak adapter config:
<subsystem xmlns="urn:jboss:domain:keycloak:1.1">
    <realm name="governance">
        <realm-public-key>public key string...</realm-public-key>
        <auth-server-url>${keycloak.auth.url:/auth}</auth-server-url>
        <principal-attribute>preferred_username</principal-attribute>
        <disable-trust-manager>true</disable-trust-manager>
        <allow-any-hostname>true</allow-any-hostname>
    </realm>
    <secure-deployment name="overlord-rtgov-ui.war">
        <realm>governance</realm>
        <resource>rtgov-ui</resource>
        <credential name="secret">password</credential>
    </secure-deployment>
    <secure-deployment name="overlord-rtgov.war">
        <realm>governance</realm>
        <resource>overlord-rtgov</resource>
        <enable-basic-auth>true</enable-basic-auth>
        <credential name="secret">password</credential>
    </secure-deployment>
</subsystem>
Could you please help us with how we can fix this? Thanks a lot.
Stefan Kasala.
8 years, 2 months
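As an added example for the configuration above (not the poster's code and not part of Keycloak), this script audits an adapter subsystem XML for the two switches that turn off TLS verification of the auth server, `disable-trust-manager` and `allow-any-hostname`, and contrasts the posted realm with one that points the adapter at a truststore instead; the truststore path and the `${truststore.password}` property are placeholders.

```python
"""Audit a Keycloak adapter subsystem configuration for settings that switch
off TLS verification of the auth server.

Added example for the thread above; it is neither the poster's code nor part
of Keycloak.  The first sample reproduces the <realm> block quoted in the
post (public key and secret elided as in the post); the second shows the
same realm with a truststore instead of the two disabling switches.
"""
import xml.etree.ElementTree as ET

# Constructed sample 1: the configuration from the post.
POSTED_SUBSYSTEM = """<subsystem xmlns="urn:jboss:domain:keycloak:1.1">
    <realm name="governance">
        <realm-public-key>public key string...</realm-public-key>
        <auth-server-url>${keycloak.auth.url:/auth}</auth-server-url>
        <principal-attribute>preferred_username</principal-attribute>
        <disable-trust-manager>true</disable-trust-manager>
        <allow-any-hostname>true</allow-any-hostname>
    </realm>
    <secure-deployment name="overlord-rtgov-ui.war">
        <realm>governance</realm>
        <resource>rtgov-ui</resource>
        <credential name="secret">password</credential>
    </secure-deployment>
</subsystem>"""

# Constructed sample 2: same realm, but the adapter validates the auth
# server's certificate against a truststore.  The truststore path and the
# ${truststore.password} property are placeholders, not values from the post.
HARDENED_SUBSYSTEM = """<subsystem xmlns="urn:jboss:domain:keycloak:1.1">
    <realm name="governance">
        <realm-public-key>public key string...</realm-public-key>
        <auth-server-url>${keycloak.auth.url:/auth}</auth-server-url>
        <principal-attribute>preferred_username</principal-attribute>
        <truststore>${jboss.server.config.dir}/keycloak-truststore.jks</truststore>
        <truststore-password>${truststore.password}</truststore-password>
    </realm>
    <secure-deployment name="overlord-rtgov-ui.war">
        <realm>governance</realm>
        <resource>rtgov-ui</resource>
        <credential name="secret">password</credential>
    </secure-deployment>
</subsystem>"""


def _local(tag):
    """Strip the XML namespace: '{urn:...}realm' -> 'realm'."""
    return tag.rsplit("}", 1)[-1]


def _child(el, name):
    """First direct child of `el` whose local name is `name`, else None."""
    for c in el:
        if _local(c.tag) == name:
            return c
    return None


def _is_true(el, name):
    c = _child(el, name)
    return c is not None and (c.text or "").strip().lower() == "true"


def audit_adapter_config(xml_text):
    """Return {element name: [findings]} for every <realm> or
    <secure-deployment> that weakens TLS verification.  An empty dict means
    no weakening switch was found and each realm names a truststore."""
    root = ET.fromstring(xml_text)
    findings = {}
    for el in root:
        name = el.get("name")
        if name is None:  # only named realms / deployments carry settings
            continue
        issues = []
        trust_disabled = _is_true(el, "disable-trust-manager")
        if trust_disabled:
            issues.append("disable-trust-manager=true: the auth server certificate "
                          "is accepted without validation (man-in-the-middle risk)")
        if _is_true(el, "allow-any-hostname"):
            issues.append("allow-any-hostname=true: the certificate is not matched "
                          "against the auth server hostname")
        if _local(el.tag) == "realm" and not trust_disabled:
            if _child(el, "truststore") is None:
                issues.append("no <truststore>: no explicit CA truststore for "
                              "validating the auth server certificate")
            elif _child(el, "truststore-password") is None:
                issues.append("<truststore> without <truststore-password>")
        if issues:
            findings[name] = issues
    return findings


if __name__ == "__main__":
    for label, cfg in (("posted", POSTED_SUBSYSTEM), ("hardened", HARDENED_SUBSYSTEM)):
        result = audit_adapter_config(cfg)
        print(f"{label}: {'findings' if result else 'no findings'}")
        for name, issues in result.items():
            for issue in issues:
                print(f"  {name}: {issue}")
```

Both switches together make the code-to-token call shown in the log accept any certificate presented to it, so the truststore form is the one to end up with once the proxy handshake problem itself is sorted out.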
Custom Adapter Logout logic
by Jared Blashka
Is it currently possible to hook into the adapter's logout logic to trigger some custom behavior without interrupting the logout flow?
For example, if I want to audit logout activity on a particular SP or delete some cookies (if it was a front-channel logout request) without stopping the normal federated logout process.
Jared
8 years, 3 months
Prevent JS Adapter from redirecting if already logged in
by Gregor Jarisch
Hi there,
we have a single page application using the JS adapter. Once the user is logged in and a page redirect occurs, the SPA loads, but immediately reloads once again when the keycloak adapter authenticates.
Since the user was logged in before already, we would have assumed that no further page refresh has to be made.
Interestingly, when we manually pass on all the token values in the init method (for testing purposes), the page doesn't refresh a second time and the user is authenticated, as we would have expected.
This might be just a misunderstanding of how this adapter is supposed to work, but from our understanding the purpose of the iframe and the set cookie is to make sure the user stays authenticated.
Thus, shouldn't the keycloak adapter "store" the tokens and use them on a page refresh if they are valid in order to authenticate without the need for an additional page refresh?
It would be nice if somebody could explain this mechanism a bit further and maybe even give a hint on what we are doing wrong here. We are puzzled at the moment.
Thanks
Gregor
8 years, 3 months
SAML attribute importer with multiple values
by Manuel Palacio
Hello,
I am trying to process a SAML attribute with multiple values.
To that end I have created a client mapper of type User Attribute with "Multivalued" on.
I also have an "attribute importer" mapper in the SAML v2.0 identity provider. It points to the user attribute name defined in the client mapper mentioned above.
Unfortunately, it is only mapping the first value into the access token.
The attribute in the SAML response looks like this:
<Attribute Name="http://cambio.se/2016-09/cds/profile">
    <AttributeValue>value1</AttributeValue>
    <AttributeValue>value2</AttributeValue>
    <AttributeValue>value3</AttributeValue>
</Attribute>
In the access token only the first value appears as part of the "otherClaims" map.
What do I need to do in order to get all the values in the access token?
Thanks
/Manuel
8 years, 3 months
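As an added example for the thread above (not the poster's code and not Keycloak's mapper implementation), this parser collects every AttributeValue of a SAML attribute and shows what the single-valued versus multivalued mapping produces in the resulting claims; the AttributeStatement is constructed around the attribute quoted in the post, and the "mail" attribute and the claim names are invented.

```python
"""Collect every <AttributeValue> of a SAML attribute and map it into a
token claim as a list (multivalued) or as a single value.

Added example for the thread above; not the poster's code and not Keycloak's
mapper implementation.  The AttributeStatement is constructed around the
<Attribute> quoted in the post plus an invented single-valued "mail" attribute.
"""
import xml.etree.ElementTree as ET

SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample; in a real response this sits inside a signed Assertion.
SAMPLE_STATEMENT = f"""<AttributeStatement xmlns="{SAML2}">
    <Attribute Name="http://cambio.se/2016-09/cds/profile">
        <AttributeValue>value1</AttributeValue>
        <AttributeValue>value2</AttributeValue>
        <AttributeValue>value3</AttributeValue>
    </Attribute>
    <Attribute Name="mail">
        <AttributeValue>user@example.com</AttributeValue>
    </Attribute>
</AttributeStatement>"""


def parse_attributes(xml_text):
    """Return {Attribute Name: [values in document order]}.

    Every AttributeValue is kept; repeated <Attribute> elements with the same
    Name are merged.  Signature validation of the enclosing Assertion must
    happen before anything here is trusted; it is out of scope for this snippet.
    """
    root = ET.fromstring(xml_text)
    attrs = {}
    for attr in root.iter(f"{{{SAML2}}}Attribute"):
        values = [(v.text or "").strip()
                  for v in attr.findall(f"{{{SAML2}}}AttributeValue")]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return attrs


def build_claims(attrs, mapping):
    """Turn parsed attributes into token claims.

    `mapping` is {SAML attribute Name: (claim name, multivalued)}.  This mirrors
    the mapper toggle from the thread: with multivalued=False only the first
    value survives, with multivalued=True the claim carries the whole list.
    """
    claims = {}
    for saml_name, (claim, multivalued) in mapping.items():
        values = attrs.get(saml_name)
        if not values:
            continue
        claims[claim] = list(values) if multivalued else values[0]
    return claims


PROFILE = "http://cambio.se/2016-09/cds/profile"

if __name__ == "__main__":
    attrs = parse_attributes(SAMPLE_STATEMENT)
    single = build_claims(attrs, {PROFILE: ("profile", False)})
    multi = build_claims(attrs, {PROFILE: ("profile", True), "mail": ("email", False)})
    print("single-valued mapping:", single)  # {'profile': 'value1'}
    print("multivalued mapping:  ", multi)   # {'profile': ['value1', 'value2', 'value3'], 'email': 'user@example.com'}
```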
With Keycloak 2.2.1 the DB migration fails
by Padmaka Wijaygoonawardena
Hi,
With the Keycloak 2.2.1 release the DB migration from a fresh DB fails; this also occurred in 2.1.0. I use a MySQL DB as the database. Attached herewith is the stack trace.
[2016-09-28 10:35:18.0609], WARN ,
org.jboss.jca.core.connectionmanager.pool.mcp.SemaphoreConcurrentLinkedDequeManagedConnectionPool
ServerService Thread Pool -- 62 - IJ000615: Destroying active connection in
pool: mysql_keycloak
(org.jboss.jca.adapters.jdbc.local.LocalManagedConnection@2899b74f)
[2016-09-28 10:35:18.0618], WARN ,
org.jboss.jca.adapters.jdbc.BaseWrapperManagedConnection ServerService
Thread Pool -- 62 - IJ030022: Lock owned during cleanup: ServerService
Thread Pool -- 56: java.lang.Throwable: Lock owned during cleanup:
ServerService Thread Pool -- 56
at java.net.SocketInputStream.socketRead0(Native Method)
at java.net.SocketInputStream.socketRead(SocketInputStream.java:116)
at java.net.SocketInputStream.read(SocketInputStream.java:170)
at java.net.SocketInputStream.read(SocketInputStream.java:141)
at
com.mysql.jdbc.util.ReadAheadInputStream.fill(ReadAheadInputStream.java:100)
at
com.mysql.jdbc.util.ReadAheadInputStream.readFromUnderlyingStreamIfNecessary(ReadAheadInputStream.java:143)
at
com.mysql.jdbc.util.ReadAheadInputStream.read(ReadAheadInputStream.java:173)
at com.mysql.jdbc.MysqlIO.readFully(MysqlIO.java:2911)
at com.mysql.jdbc.MysqlIO.reuseAndReadPacket(MysqlIO.java:3337)
at com.mysql.jdbc.MysqlIO.reuseAndReadPacket(MysqlIO.java:3327)
at com.mysql.jdbc.MysqlIO.checkErrorPacket(MysqlIO.java:3814)
at com.mysql.jdbc.MysqlIO.sendCommand(MysqlIO.java:2435)
at com.mysql.jdbc.MysqlIO.sqlQueryDirect(MysqlIO.java:2582)
at com.mysql.jdbc.ConnectionImpl.execSQL(ConnectionImpl.java:2526)
at com.mysql.jdbc.ConnectionImpl.execSQL(ConnectionImpl.java:2484)
at com.mysql.jdbc.StatementImpl.execute(StatementImpl.java:848)
at com.mysql.jdbc.StatementImpl.execute(StatementImpl.java:742)
at
org.jboss.jca.adapters.jdbc.WrappedStatement.execute(WrappedStatement.java:198)
at
liquibase.executor.jvm.JdbcExecutor$ExecuteStatementCallback.doInStatement(JdbcExecutor.java:314)
at liquibase.executor.jvm.JdbcExecutor.execute(JdbcExecutor.java:55)
at liquibase.executor.jvm.JdbcExecutor.execute(JdbcExecutor.java:122)
at
liquibase.database.AbstractJdbcDatabase.execute(AbstractJdbcDatabase.java:1247)
at
liquibase.database.AbstractJdbcDatabase.executeStatements(AbstractJdbcDatabase.java:1230)
at liquibase.changelog.ChangeSet.execute(ChangeSet.java:548)
at liquibase.changelog.visitor.UpdateVisitor.visit(UpdateVisitor.java:51)
at liquibase.changelog.ChangeLogIterator.run(ChangeLogIterator.java:73)
at liquibase.Liquibase.update(Liquibase.java:210)
at liquibase.Liquibase.update(Liquibase.java:190)
at liquibase.Liquibase.update(Liquibase.java:186)
at
org.keycloak.connections.jpa.updater.liquibase.LiquibaseJpaUpdaterProvider.updateChangeSet(LiquibaseJpaUpdaterProvider.java:114)
at
org.keycloak.connections.jpa.updater.liquibase.LiquibaseJpaUpdaterProvider.update(LiquibaseJpaUpdaterProvider.java:76)
at
org.keycloak.connections.jpa.updater.liquibase.LiquibaseJpaUpdaterProvider.update(LiquibaseJpaUpdaterProvider.java:59)
at
org.keycloak.connections.jpa.DefaultJpaConnectionProviderFactory.update(DefaultJpaConnectionProviderFactory.java:329)
at
org.keycloak.connections.jpa.DefaultJpaConnectionProviderFactory.migration(DefaultJpaConnectionProviderFactory.java:299)
at
org.keycloak.connections.jpa.DefaultJpaConnectionProviderFactory.lambda$lazyInit$0(DefaultJpaConnectionProviderFactory.java:186)
at
org.keycloak.connections.jpa.DefaultJpaConnectionProviderFactory$$Lambda$105/1378148237.run(Unknown
Source)
at
org.keycloak.models.utils.KeycloakModelUtils.suspendJtaTransaction(KeycloakModelUtils.java:677)
at
org.keycloak.connections.jpa.DefaultJpaConnectionProviderFactory.lazyInit(DefaultJpaConnectionProviderFactory.java:137)
at
org.keycloak.connections.jpa.DefaultJpaConnectionProviderFactory.create(DefaultJpaConnectionProviderFactory.java:85)
at
org.keycloak.connections.jpa.DefaultJpaConnectionProviderFactory.create(DefaultJpaConnectionProviderFactory.java:63)
at
org.keycloak.services.DefaultKeycloakSession.getProvider(DefaultKeycloakSession.java:158)
at
org.keycloak.models.jpa.JpaRealmProviderFactory.create(JpaRealmProviderFactory.java:51)
at
org.keycloak.models.jpa.JpaRealmProviderFactory.create(JpaRealmProviderFactory.java:33)
at
org.keycloak.services.DefaultKeycloakSession.getProvider(DefaultKeycloakSession.java:158)
at
org.keycloak.models.cache.infinispan.RealmCacheSession.getDelegate(RealmCacheSession.java:161)
at
org.keycloak.models.cache.infinispan.RealmCacheSession.getMigrationModel(RealmCacheSession.java:154)
at
org.keycloak.migration.MigrationModelManager.migrate(MigrationModelManager.java:60)
at
org.keycloak.services.resources.KeycloakApplication.migrateModel(KeycloakApplication.java:221)
at
org.keycloak.services.resources.KeycloakApplication.migrateAndBootstrap(KeycloakApplication.java:162)
at
org.keycloak.services.resources.KeycloakApplication$1.run(KeycloakApplication.java:121)
at
org.keycloak.models.utils.KeycloakModelUtils.runJobInTransaction(KeycloakModelUtils.java:295)
at
org.keycloak.services.resources.KeycloakApplication.<init>(KeycloakApplication.java:112)
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at
sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
at
sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
at
org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:150)
at
org.jboss.resteasy.spi.ResteasyProviderFactory.createProviderInstance(ResteasyProviderFactory.java:2209)
at
org.jboss.resteasy.spi.ResteasyDeployment.createApplication(ResteasyDeployment.java:299)
at
org.jboss.resteasy.spi.ResteasyDeployment.start(ResteasyDeployment.java:240)
at
org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.init(ServletContainerDispatcher.java:113)
at
org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.init(HttpServletDispatcher.java:36)
at
io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:117)
at
org.wildfly.extension.undertow.security.RunAsLifecycleInterceptor.init(RunAsLifecycleInterceptor.java:78)
at
io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:103)
at
io.undertow.servlet.core.ManagedServlet$DefaultInstanceStrategy.start(ManagedServlet.java:231)
at
io.undertow.servlet.core.ManagedServlet.createServlet(ManagedServlet.java:132)
at
io.undertow.servlet.core.DeploymentManagerImpl.start(DeploymentManagerImpl.java:526)
at
org.wildfly.extension.undertow.deployment.UndertowDeploymentService.startContext(UndertowDeploymentService.java:101)
at
org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:82)
at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
at java.util.concurrent.FutureTask.run(FutureTask.java:266)
at
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:745)
at org.jboss.threads.JBossThread.run(JBossThread.java:320)
[2016-09-28 10:35:18.0634], INFO ,
org.jboss.as.connector.services.driver.DriverService MSC service thread 1-6
- WFLYJCA0019: Stopped Driver service with driver-name =
mysql-connector-java-5.1.33-bin.jar_com.mysql.jdbc.Driver_5_1
[2016-09-28 10:35:19.0107], INFO ,
org.hibernate.validator.internal.util.Version MSC service thread 1-5 -
HV000001: Hibernate Validator 5.2.3.Final
[2016-09-28 10:35:19.0592], DEBUG,
org.keycloak.connections.jpa.updater.liquibase.conn.DefaultLiquibaseConnectionProvider$LogWrapper$1
ServerService Thread Pool -- 56 - Foreign key constraint added to
RESOURCE_POLICY (RESOURCE_ID)
[2016-09-28 10:35:19.0593], DEBUG,
org.keycloak.transaction.JtaTransactionWrapper ServerService Thread Pool --
56 - JtaTransactionWrapper rollback
[2016-09-28 10:35:19.0593], DEBUG,
org.keycloak.transaction.JtaTransactionWrapper ServerService Thread Pool --
56 - JtaTransactionWrapper end
[2016-09-28 10:35:19.0594], DEBUG,
org.keycloak.transaction.JtaTransactionWrapper ServerService Thread Pool --
56 - JtaTransactionWrapper resuming suspended
[2016-09-28 10:35:19.0595], DEBUG,
org.keycloak.connections.jpa.updater.liquibase.lock.CustomLockService
ServerService Thread Pool -- 56 - Going to release database lock
[2016-09-28 10:35:19.0595], ERROR,
org.keycloak.connections.jpa.updater.liquibase.lock.CustomLockService
ServerService Thread Pool -- 56 - Database error during release lock:
liquibase.exception.DatabaseException:
liquibase.exception.DatabaseException: java.sql.SQLException: IJ031040:
Connection is not associated with a managed connection:
org.jboss.jca.adapters.jdbc.jdk7.WrappedConnectionJDK7@88d58a5
at
liquibase.database.AbstractJdbcDatabase.commit(AbstractJdbcDatabase.java:1130)
at
org.keycloak.connections.jpa.updater.liquibase.lock.CustomLockService.releaseLock(CustomLockService.java:184)
at
org.keycloak.connections.jpa.updater.liquibase.lock.LiquibaseDBLockProvider.lambda$releaseLock$1(LiquibaseDBLockProvider.java:126)
at
org.keycloak.models.utils.KeycloakModelUtils.suspendJtaTransaction(KeycloakModelUtils.java:677)
at
org.keycloak.connections.jpa.updater.liquibase.lock.LiquibaseDBLockProvider.releaseLock(LiquibaseDBLockProvider.java:123)
at
org.keycloak.services.resources.KeycloakApplication$1.run(KeycloakApplication.java:123)
at
org.keycloak.models.utils.KeycloakModelUtils.runJobInTransaction(KeycloakModelUtils.java:295)
at
org.keycloak.services.resources.KeycloakApplication.<init>(KeycloakApplication.java:112)
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at
sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
at
sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
at
org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:150)
at
org.jboss.resteasy.spi.ResteasyProviderFactory.createProviderInstance(ResteasyProviderFactory.java:2209)
at
org.jboss.resteasy.spi.ResteasyDeployment.createApplication(ResteasyDeployment.java:299)
at
org.jboss.resteasy.spi.ResteasyDeployment.start(ResteasyDeployment.java:240)
at
org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.init(ServletContainerDispatcher.java:113)
at
org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.init(HttpServletDispatcher.java:36)
at
io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:117)
at
org.wildfly.extension.undertow.security.RunAsLifecycleInterceptor.init(RunAsLifecycleInterceptor.java:78)
at
io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:103)
at
io.undertow.servlet.core.ManagedServlet$DefaultInstanceStrategy.start(ManagedServlet.java:231)
at
io.undertow.servlet.core.ManagedServlet.createServlet(ManagedServlet.java:132)
at
io.undertow.servlet.core.DeploymentManagerImpl.start(DeploymentManagerImpl.java:526)
at
org.wildfly.extension.undertow.deployment.UndertowDeploymentService.startContext(UndertowDeploymentService.java:101)
at
org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:82)
at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
at java.util.concurrent.FutureTask.run(FutureTask.java:266)
at
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:745)
at org.jboss.threads.JBossThread.run(JBossThread.java:320)
Caused by: liquibase.exception.DatabaseException: java.sql.SQLException:
IJ031040: Connection is not associated with a managed connection:
org.jboss.jca.adapters.jdbc.jdk7.WrappedConnectionJDK7@88d58a5
at liquibase.database.jvm.JdbcConnection.commit(JdbcConnection.java:126)
at
liquibase.database.AbstractJdbcDatabase.commit(AbstractJdbcDatabase.java:1128)
... 31 more
Caused by: java.sql.SQLException: IJ031040: Connection is not associated
with a managed connection:
org.jboss.jca.adapters.jdbc.jdk7.WrappedConnectionJDK7@88d58a5
at
org.jboss.jca.adapters.jdbc.WrappedConnection.lock(WrappedConnection.java:164)
at
org.jboss.jca.adapters.jdbc.WrappedConnection.getAutoCommit(WrappedConnection.java:802)
at liquibase.database.jvm.JdbcConnection.commit(JdbcConnection.java:122)
... 32 more
[2016-09-28 10:35:19.0596], DEBUG,
org.keycloak.transaction.JtaTransactionWrapper ServerService Thread Pool --
56 - JtaTransactionWrapper rollback
[2016-09-28 10:35:19.0596], DEBUG,
org.keycloak.transaction.JtaTransactionWrapper ServerService Thread Pool --
56 - JtaTransactionWrapper end
[2016-09-28 10:35:19.0598], INFO ,
org.jboss.as.server.BootstrapImpl$ShutdownHook Thread-2 - WFLYSRV0220:
Server shutdown has been requested.
[2016-09-28 10:35:19.0601], DEBUG,
org.jboss.as.security.service.SecurityDomainService MSC service thread 1-8
- Stopping security domain service jboss-ejb-policy
[2016-09-28 10:35:19.0601], DEBUG,
org.jboss.as.mail.extension.MailSessionAdd$1 MSC service thread 1-2 -
WFLYMAIL0003: Removed mail session [java:jboss/mail/Default]
[2016-09-28 10:35:19.0602], DEBUG,
org.infinispan.manager.DefaultCacheManager MSC service thread 1-7 -
Stopping cache manager server on padmaka
[2016-09-28 10:35:19.0602], DEBUG,
org.wildfly.extension.undertow.ConsoleRedirectService MSC service thread
1-2 - Stopping console redirect for default-host
[2016-09-28 10:35:19.0606], DEBUG,
org.jboss.as.connector.subsystems.datasources.CommonDeploymentService MSC
service thread 1-3 - Stopped CommonDeployment %s
[2016-09-28 10:35:19.0606], INFO ,
org.jboss.as.connector.subsystems.datasources.AbstractDataSourceAdd$2 MSC
service thread 1-6 - WFLYJCA0010: Unbound data source
[java:jboss/datasources/KeycloakDS]
[2016-09-28 10:35:19.0607], DEBUG,
org.jboss.as.connector.subsystems.datasources.CommonDeploymentService MSC
service thread 1-6 - Stopped CommonDeployment %s
[2016-09-28 10:35:19.0612], DEBUG,
org.jboss.as.security.service.SecurityDomainService MSC service thread 1-3
- Stopping security domain service jboss-web-policy
[2016-09-28 10:35:19.0624], DEBUG,
org.jboss.as.security.service.SecurityDomainService MSC service thread 1-4
- Stopping security domain service jaspitest
[2016-09-28 10:35:19.0628], DEBUG,
org.jboss.as.connector.services.resourceadapters.deployment.registry.ResourceAdapterDeploymentRegistryService
MSC service thread 1-1 - Stopping service service jboss.raregistry
[2016-09-28 10:35:19.0628], DEBUG,
org.infinispan.manager.DefaultCacheManager MSC service thread 1-8 -
Stopping cache manager web on padmaka
[2016-09-28 10:35:19.0630], DEBUG,
org.infinispan.manager.DefaultCacheManager MSC service thread 1-6 -
Stopping cache manager ejb on padmaka
[2016-09-28 10:35:19.0630], INFO ,
org.infinispan.remoting.transport.jgroups.JGroupsTransport MSC service
thread 1-7 - ISPN000080: Disconnecting JGroups channel server
[2016-09-28 10:35:19.0631], DEBUG,
org.jboss.as.ejb3.remote.EJBTransactionRecoveryService$1 ServerService
Thread Pool -- 62 - Un-registered
org.jboss.as.ejb3.remote.EJBTransactionRecoveryService$1@5bc6f06a from the
transaction recovery manager
[2016-09-28 10:35:19.0632], INFO ,
org.infinispan.remoting.transport.jgroups.JGroupsTransport MSC service
thread 1-7 - ISPN000082: Stopping the RpcDispatcher for channel server
[2016-09-28 10:35:19.0638], INFO ,
org.infinispan.remoting.transport.jgroups.JGroupsTransport MSC service
thread 1-8 - ISPN000080: Disconnecting JGroups channel web
[2016-09-28 10:35:19.0638], INFO ,
org.infinispan.remoting.transport.jgroups.JGroupsTransport MSC service
thread 1-8 - ISPN000082: Stopping the RpcDispatcher for channel web
[2016-09-28 10:35:19.0636], INFO ,
org.infinispan.remoting.transport.jgroups.JGroupsTransport MSC service
thread 1-6 - ISPN000080: Disconnecting JGroups channel ejb
[2016-09-28 10:35:19.0640], INFO ,
org.infinispan.remoting.transport.jgroups.JGroupsTransport MSC service
thread 1-6 - ISPN000082: Stopping the RpcDispatcher for channel ejb
[2016-09-28 10:35:19.0637], DEBUG,
org.infinispan.manager.DefaultCacheManager MSC service thread 1-1 -
Stopping cache manager hibernate on padmaka
[2016-09-28 10:35:19.0642], DEBUG,
org.jboss.tm.usertx.UserTransactionRegistry MSC service thread 1-2 -
org.jboss.tm.usertx.UserTransactionRegistry@daa6d39 removeListener
org.jboss.as.jpa.container.JPAUserTransactionListener@47424e73
[2016-09-28 10:35:19.0642], DEBUG,
org.jboss.as.connector.subsystems.datasources.AbstractDataSourceAdd$2 MSC
service thread 1-3 - Removed JDBC Data-source
[java:jboss/datasources/KeycloakDS]
[2016-09-28 10:35:19.0641], DEBUG,
org.jboss.as.clustering.infinispan.subsystem.CacheContainerBuilder MSC
service thread 1-7 - server cache container stopped
[2016-09-28 10:35:19.0641], DEBUG,
org.jboss.as.clustering.infinispan.subsystem.CacheContainerBuilder MSC
service thread 1-6 - ejb cache container stopped
[2016-09-28 10:35:19.0640], INFO ,
org.wildfly.extension.undertow.HttpsListenerService MSC service thread 1-4
- WFLYUT0008: Undertow HTTPS listener https suspending
[2016-09-28 10:35:19.0639], DEBUG,
org.jboss.as.clustering.infinispan.subsystem.CacheContainerBuilder MSC
service thread 1-8 - web cache container stopped
[2016-09-28 10:35:19.0654], INFO ,
org.wildfly.extension.undertow.HttpsListenerService MSC service thread 1-4
- WFLYUT0007: Undertow HTTPS listener https stopped, was bound to
10.1.11.48:8101
[2016-09-28 10:35:19.0651], ERROR,
org.jboss.msc.service.ServiceControllerImpl$StartContextImpl ServerService
Thread Pool -- 56 - MSC000001: Failed to start service
jboss.undertow.deployment.default-server.default-host./auth:
org.jboss.msc.service.StartException in service
jboss.undertow.deployment.default-server.default-host./auth:
java.lang.RuntimeException: RESTEASY003325: Failed to construct public
org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher)
at
org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:85)
at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
at java.util.concurrent.FutureTask.run(FutureTask.java:266)
at
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    at java.lang.Thread.run(Thread.java:745)
    at org.jboss.threads.JBossThread.run(JBossThread.java:320)
Caused by: java.lang.RuntimeException: RESTEASY003325: Failed to construct public org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher)
    at org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:162)
    at org.jboss.resteasy.spi.ResteasyProviderFactory.createProviderInstance(ResteasyProviderFactory.java:2209)
    at org.jboss.resteasy.spi.ResteasyDeployment.createApplication(ResteasyDeployment.java:299)
    at org.jboss.resteasy.spi.ResteasyDeployment.start(ResteasyDeployment.java:240)
    at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.init(ServletContainerDispatcher.java:113)
    at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.init(HttpServletDispatcher.java:36)
    at io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:117)
    at org.wildfly.extension.undertow.security.RunAsLifecycleInterceptor.init(RunAsLifecycleInterceptor.java:78)
    at io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:103)
    at io.undertow.servlet.core.ManagedServlet$DefaultInstanceStrategy.start(ManagedServlet.java:231)
    at io.undertow.servlet.core.ManagedServlet.createServlet(ManagedServlet.java:132)
    at io.undertow.servlet.core.DeploymentManagerImpl.start(DeploymentManagerImpl.java:526)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentService.startContext(UndertowDeploymentService.java:101)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:82)
    ... 6 more
Caused by: java.lang.RuntimeException: Failed to update database
    at org.keycloak.connections.jpa.updater.liquibase.LiquibaseJpaUpdaterProvider.update(LiquibaseJpaUpdaterProvider.java:90)
    at org.keycloak.connections.jpa.updater.liquibase.LiquibaseJpaUpdaterProvider.update(LiquibaseJpaUpdaterProvider.java:59)
    at org.keycloak.connections.jpa.DefaultJpaConnectionProviderFactory.update(DefaultJpaConnectionProviderFactory.java:329)
    at org.keycloak.connections.jpa.DefaultJpaConnectionProviderFactory.migration(DefaultJpaConnectionProviderFactory.java:299)
    at org.keycloak.connections.jpa.DefaultJpaConnectionProviderFactory.lambda$lazyInit$0(DefaultJpaConnectionProviderFactory.java:186)
    at org.keycloak.models.utils.KeycloakModelUtils.suspendJtaTransaction(KeycloakModelUtils.java:677)
    at org.keycloak.connections.jpa.DefaultJpaConnectionProviderFactory.lazyInit(DefaultJpaConnectionProviderFactory.java:137)
    at org.keycloak.connections.jpa.DefaultJpaConnectionProviderFactory.create(DefaultJpaConnectionProviderFactory.java:85)
    at org.keycloak.connections.jpa.DefaultJpaConnectionProviderFactory.create(DefaultJpaConnectionProviderFactory.java:63)
    at org.keycloak.services.DefaultKeycloakSession.getProvider(DefaultKeycloakSession.java:158)
    at org.keycloak.models.jpa.JpaRealmProviderFactory.create(JpaRealmProviderFactory.java:51)
    at org.keycloak.models.jpa.JpaRealmProviderFactory.create(JpaRealmProviderFactory.java:33)
    at org.keycloak.services.DefaultKeycloakSession.getProvider(DefaultKeycloakSession.java:158)
    at org.keycloak.models.cache.infinispan.RealmCacheSession.getDelegate(RealmCacheSession.java:161)
    at org.keycloak.models.cache.infinispan.RealmCacheSession.getMigrationModel(RealmCacheSession.java:154)
    at org.keycloak.migration.MigrationModelManager.migrate(MigrationModelManager.java:60)
    at org.keycloak.services.resources.KeycloakApplication.migrateModel(KeycloakApplication.java:221)
    at org.keycloak.services.resources.KeycloakApplication.migrateAndBootstrap(KeycloakApplication.java:162)
    at org.keycloak.services.resources.KeycloakApplication$1.run(KeycloakApplication.java:121)
    at org.keycloak.models.utils.KeycloakModelUtils.runJobInTransaction(KeycloakModelUtils.java:295)
    at org.keycloak.services.resources.KeycloakApplication.<init>(KeycloakApplication.java:112)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
    at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
    at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
    at org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:150)
    ... 19 more
Caused by: liquibase.exception.MigrationFailedException: Migration failed for change set META-INF/jpa-changelog-authz-2.0.0.xml::authz-2.0.0::psilva@redhat.com:
    Reason: liquibase.exception.UnexpectedLiquibaseException: java.sql.SQLException: IJ031040: Connection is not associated with a managed connection: org.jboss.jca.adapters.jdbc.jdk7.WrappedConnectionJDK7@503aa43a
    at liquibase.changelog.ChangeSet.execute(ChangeSet.java:573)
    at liquibase.changelog.visitor.UpdateVisitor.visit(UpdateVisitor.java:51)
    at liquibase.changelog.ChangeLogIterator.run(ChangeLogIterator.java:73)
    at liquibase.Liquibase.update(Liquibase.java:210)
    at liquibase.Liquibase.update(Liquibase.java:190)
    at liquibase.Liquibase.update(Liquibase.java:186)
    at org.keycloak.connections.jpa.updater.liquibase.LiquibaseJpaUpdaterProvider.updateChangeSet(LiquibaseJpaUpdaterProvider.java:114)
    at org.keycloak.connections.jpa.updater.liquibase.LiquibaseJpaUpdaterProvider.update(LiquibaseJpaUpdaterProvider.java:76)
    ... 44 more
Caused by: liquibase.exception.UnexpectedLiquibaseException: java.sql.SQLException: IJ031040: Connection is not associated with a managed connection: org.jboss.jca.adapters.jdbc.jdk7.WrappedConnectionJDK7@503aa43a
    at liquibase.database.jvm.JdbcConnection.getURL(JdbcConnection.java:79)
    at liquibase.executor.jvm.JdbcExecutor.execute(JdbcExecutor.java:62)
    at liquibase.executor.jvm.JdbcExecutor.execute(JdbcExecutor.java:122)
    at liquibase.database.AbstractJdbcDatabase.execute(AbstractJdbcDatabase.java:1247)
    at liquibase.database.AbstractJdbcDatabase.executeStatements(AbstractJdbcDatabase.java:1230)
    at liquibase.changelog.ChangeSet.execute(ChangeSet.java:548)
    ... 51 more
Caused by: java.sql.SQLException: IJ031040: Connection is not associated with a managed connection: org.jboss.jca.adapters.jdbc.jdk7.WrappedConnectionJDK7@503aa43a
    at org.jboss.jca.adapters.jdbc.WrappedConnection.lock(WrappedConnection.java:164)
    at org.jboss.jca.adapters.jdbc.WrappedConnection.getMetaData(WrappedConnection.java:913)
    at liquibase.database.jvm.JdbcConnection.getURL(JdbcConnection.java:77)
    ... 56 more
Is there any solution for this?
Thanks in advance.
Padmaka
8 years, 3 months
migrate-json operation produces WFLYCTL0212: Duplicate resource
by Patrick Boe
Hello,
I'm not sure if I'm invoking this incorrectly, but I could use some help diagnosing an error I get when attempting to upgrade my Keycloak installation from 2.0.0 to 2.2.1.
When, from the root of my new keycloak installation, I do:
> .\bin\jboss-cli.bat
[disconnected /] embed-server --server-config=standalone.xml
[standalone@embedded /] /subsystem=keycloak-server:migrate-json
I get the following error:
{
"outcome" => "failed",
"failure-description" => "WFLYCTL0212: Duplicate resource [
(\"subsystem\" => \"keycloak-server\"),
(\"theme\" => \"defaults\")
]",
"rolled-back" => true
}
Does anyone have some advice on how to resolve this, or suggestions as to what I may have misconfigured?
Best,
Patrick Boe
8 years, 3 months
iOS App login with Keycloak
by Joey
Hi Guys,
We are building a system consisting of 3 subsystems for a big website, plus iOS and Android apps. We use KeyCloak as the SSO server for all subsystems, and we also want to use KeyCloak as the login server for iOS and Android. But for iOS and Android we want to use a native login page, not the HTML page provided by the KeyCloak adapter. I read all the documents and discussions, but I didn't find a way to implement this.
Can anybody help me? Thanks.
Joey
8 years, 3 months
IP access control for /auth/admin/master/console/
by Jan Nabbefeld
Hi,
I’m currently struggling with setting up an IP based access control filter to protect the path /auth/admin/master/console/. My Kc cluster runs in AWS with EC2 instances managed in an autoscaling group (subnet 172.31.0.0/16). The relevant part of the standalone-ha.xml looks like this:
<subsystem xmlns="urn:jboss:domain:undertow:3.0">
    <buffer-cache name="default"/>
    <server name="default-server">
        <ajp-listener name="ajp" socket-binding="ajp"/>
        <http-listener name="default" socket-binding="http" redirect-socket="https" proxy-address-forwarding="true"/>
        <host name="default-host" alias="localhost">
            <location name="/" handler="welcome-content"/>
            <filter-ref name="proxy-peer"/>
            <filter-ref name="restrict-admin-console-access"/>
            <access-log pattern="%h %l %u [%t] &quot;%r&quot; %s %b &quot;%{i,Referer}&quot; &quot;%{i,User-Agent}&quot;"/>
            <!--
            <filter-ref name="request-dumper"/>
            -->
        </host>
    </server>
    <servlet-container name="default">
        <jsp-config/>
        <websockets/>
    </servlet-container>
    <handlers>
        <file name="welcome-content" path="${jboss.home.dir}/welcome-content"/>
    </handlers>
    <filters>
        <filter name="request-dumper" class-name="io.undertow.server.handlers.RequestDumpingHandler" module="io.undertow.core"/>
        <request-limit name="limit-connections" queue-size="100" max-concurrent-requests="1200"/>
        <filter name="proxy-peer" module="io.undertow.core" class-name="io.undertow.server.handlers.ProxyPeerAddressHandler"/>
        <expression-filter module="io.undertow.core" name="restrict-admin-console-access"
            expression="path-prefix(/auth/admin/master/console/) -> ip-access-control(default-allow=false, acl={'127.0.0.1 allow', '172.31.0.0/16 allow', '62.96.159.233 allow'})"/>
    </filters>
</subsystem>
With this configuration I can access the admin console only if I connect to the instance itself, bypassing the load-balancer. Requests hitting the endpoint via the load-balancer have all X-Forwarded-* headers set. Here is an example for GET /auth/admin, which responds with a 302 to /auth/admin/master/console/. That finally results in a 403 (the request isn’t logged by the RequestDumpingHandler):
----------------------------REQUEST---------------------------
URI=/auth/admin
characterEncoding=null
contentLength=-1
contentType=null
header=Accept=*/*
header=Connection=keep-alive
header=X-Forwarded-Proto=http
header=X-Forwarded-Port=80
header=X-Forwarded-For=62.96.159.233
header=User-Agent=curl/7.43.0
header=host=login.dev.scoober.com
locale=[]
method=GET
protocol=HTTP/1.1
queryString=
remoteAddr=62.96.159.233:0
remoteHost=62.96.159.233
scheme=http
host=login.dev.scoober.com
serverPort=8080
--------------------------RESPONSE--------------------------
contentLength=0
contentType=null
header=Connection=keep-alive
header=Location=http://login.dev.scoober.com/auth/admin/master/console/
header=Content-Length=0
header=Date=Fri, 30 Sep 2016 13:07:16 GMT
status=302
I assume that undertow is somehow blocking the X-Forwarded-* requests and doesn’t accept the remoteAddr as part of the ip-access-control ACL (as this works with direct requests).
$ curl -LIv localhost:8080/auth/admin/master/console/
* Trying 127.0.0.1...
* Connected to localhost (127.0.0.1) port 8080 (#0)
> HEAD /auth/admin/master/console/ HTTP/1.1
> User-Agent: curl/7.40.0
> Host: localhost:8080
> Accept: */*
>
< HTTP/1.1 200 OK
HTTP/1.1 200 OK
< Cache-Control: no-cache
Cache-Control: no-cache
< X-Frame-Options: SAMEORIGIN
X-Frame-Options: SAMEORIGIN
< Content-Security-Policy: frame-src 'self'
Content-Security-Policy: frame-src 'self'
< Date: Fri, 30 Sep 2016 13:19:15 GMT
Date: Fri, 30 Sep 2016 13:19:15 GMT
< Connection: keep-alive
Connection: keep-alive
< X-Content-Type-Options: nosniff
X-Content-Type-Options: nosniff
< Content-Type: text/html;charset=utf-8
Content-Type: text/html;charset=utf-8
< Content-Length: 0
Content-Length: 0
< Content-Language: en
Content-Language: en
<
* Connection #0 to host localhost left intact
Setting the header:
$ curl -LIv -H "X-Forwarded-For: 172.31.19.199" localhost:8080/auth/admin/master/console/
* Trying 127.0.0.1...
* Connected to localhost (127.0.0.1) port 8080 (#0)
> HEAD /auth/admin/master/console/ HTTP/1.1
> User-Agent: curl/7.40.0
> Host: localhost:8080
> Accept: */*
> X-Forwarded-For: 172.31.19.199
>
< HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
< Connection: keep-alive
Connection: keep-alive
< Content-Length: 74
Content-Length: 74
< Content-Type: text/html
Content-Type: text/html
< Date: Fri, 30 Sep 2016 13:19:10 GMT
Date: Fri, 30 Sep 2016 13:19:10 GMT
<
* Connection #0 to host localhost left intact
Any idea how to solve this? Is there any other/better way to prevent the master realm console from being publicly available?
Thanks in advance,
Jan
8 years, 3 months
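A worked version of the ACL decision from the thread above, as an added example in Python (not Undertow or Keycloak code): the forwarded address is honoured only when the TCP peer is a trusted proxy, which is the trust boundary the curl experiment with a hand-set X-Forwarded-For exposes. The trusted-proxy range and every sample address other than those in the post are assumptions.

```python
"""Admin-console ACL check modelled on the post's
path-prefix(...) -> ip-access-control(default-allow=false, acl={...}) rule.
Added example, not Undertow or Keycloak code."""
import ipaddress

# ACL exactly as in the post: only these sources may reach the master console.
ADMIN_ACL = ["127.0.0.1", "172.31.0.0/16", "62.96.159.233"]
# Assumed: the load balancer(s) whose X-Forwarded-For we are willing to believe.
TRUSTED_PROXIES = ["172.31.0.0/16"]


def _in_any(addr, nets):
    """True if addr falls inside any of the CIDR/host entries in nets."""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(n, strict=False) for n in nets)


def effective_client_ip(remote_addr, xff=None, trusted_proxies=TRUSTED_PROXIES):
    """Address the ACL must be evaluated against.

    Walk the chain from the right: the socket peer first, then the
    X-Forwarded-For entries from last to first. The first hop that is not a
    trusted proxy is the real client; anything to its left was written by
    parties we do not control and must not influence the decision."""
    chain = [remote_addr]
    if xff:
        chain = [e.strip() for e in xff.split(",") if e.strip()] + chain
    for addr in reversed(chain):
        try:
            if not _in_any(addr, trusted_proxies):
                return addr
        except ValueError:
            return remote_addr  # malformed entry: fall back to the socket peer
    return chain[0]  # every hop was a trusted proxy (e.g. an LB health check)


def admin_console_allowed(path, remote_addr, xff=None):
    """Mirror of the expression filter: default-deny under the console prefix."""
    if not path.startswith("/auth/admin/master/console/"):
        return True  # the filter does not apply to other paths
    return _in_any(effective_client_ip(remote_addr, xff), ADMIN_ACL)


if __name__ == "__main__":
    # Constructed scenarios: via the LB, spoofed header from an untrusted peer.
    print(admin_console_allowed("/auth/admin/master/console/", "172.31.19.199", "62.96.159.233"))
    print(admin_console_allowed("/auth/admin/master/console/", "198.51.100.7", "62.96.159.233"))
```

The second scenario is denied because the header came from an untrusted peer; with the post's config, proxy-address-forwarding on the listener and ProxyPeerAddressHandler both rewrite the peer address from any client-supplied header, so the ACL alone does not give that guarantee.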
Updating lastLogon in LDAP/AD from Keycloak when user is authenticated
by Edgar Vonk - Info.nl
Hi,
We would like to have Keycloak update the lastLogon user attribute in our Active Directory server whenever a user logs in to our customer portal.
Is it possible to do this from Keycloak?
The portal is secured using Keycloak, so behind the scenes the Keycloak bind user is the one that authenticates the user in AD.
The only thing we have now is the user session information in Keycloak, but that is not of much value to us because:
- in our situation AD is leading for all user data
- whenever we redeploy Keycloak (quite often) we empty out the Keycloak database and start anew by syncing users from AD
- if I am not mistaken, user session data is currently not stored in the Keycloak database anyway?
cheers
Edgar
8 years, 3 months
Keycloak Filters and Roles
by Rui Neves
Hello,
I am using a Java servlet with keycloak filters, so no security constraints can be applied. I would like to know how I can block some HttpMethods for users of a certain role. I created roles in keycloak and tried to define the auth-constraints within the security-constraints, but it always returns error 403 Unauthorized.
If I remove the auth constraint and security roles I am able to access the method. It seems that it is not recognizing keycloak roles, or not mapping them between the servlet and keycloak.
I am blocking the method as shown below in the class:
import javax.annotation.security.RolesAllowed;
import javax.ws.rs.GET;
import javax.ws.rs.HeaderParam;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.MediaType;

@GET
@Path("/get")
@RolesAllowed("admin")
@Produces(MediaType.TEXT_PLAIN)
public String delU(@HeaderParam("user_id") String userId) {
    ...
}
And I have the filters configured in web.xml as described in the link below:
https://keycloak.gitbooks.io/securing-client-applications-guide/content/v...
Best Regards
8 years, 3 months