keycloak not starting up and timing out on HHH000397: Using ASTQueryTranslatorFactory
by Madhu
Any idea what's going wrong here?
I have recently set up keycloak in HA and was able to bring up 2 nodes and things were working fine.
After a day or two, I stopped one node and was never able to bring Keycloak back up.
The startup of Keycloak times out here: [org.hibernate.hql.internal.QueryTranslatorFactoryInitiator] (ServerService Thread Pool -- 57) HHH000397: Using ASTQueryTranslatorFactory
Steps tried:
* stopped the second node in the cluster and tried bringing up both nodes again -> did not succeed (same error)
* tried bringing up Keycloak in standalone mode (not HA) -> did not succeed (same error)
* tried increasing the timeout to -Djboss.as.management.blocking.timeout=600 (same error)
I have some 350-odd realms in my db (could that be the reason??). Will Keycloak try to validate/migrate data etc. on startup?? I am asking this as I see these lines prior to the timeouts:
08:17:25,264 INFO [org.hibernate.Version] (ServerService Thread Pool -- 58) HHH000412: Hibernate Core {5.1.10.Final}
08:17:25,266 INFO [org.hibernate.cfg.Environment] (ServerService Thread Pool -- 58) HHH000206: hibernate.properties not found
08:17:25,268 INFO [org.hibernate.cfg.Environment] (ServerService Thread Pool -- 58) HHH000021: Bytecode provider name : javassist
08:17:25,302 INFO [org.hibernate.annotations.common.Version] (ServerService Thread Pool -- 58) HCANN000001: Hibernate Commons Annotations {5.0.1.Final}
08:17:25,438 INFO [org.hibernate.dialect.Dialect] (ServerService Thread Pool -- 58) HHH000400: Using dialect: org.hibernate.dialect.MySQL5Dialect
08:17:25,485 INFO [org.hibernate.envers.boot.internal.EnversServiceImpl] (ServerService Thread Pool -- 58) Envers integration enabled? : true
08:17:26,026 INFO [org.hibernate.validator.internal.util.Version] (ServerService Thread Pool -- 58) HV000001: Hibernate Validator 5.3.5.Final
08:17:26,628 INFO [org.hibernate.hql.internal.QueryTranslatorFactoryInitiator] (ServerService Thread Pool -- 58) HHH000397: Using ASTQueryTranslatorFactory
The actual exception is a
Caused by: java.lang.RuntimeException: RESTEASY003325: Failed to construct public org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher)
with a different cause each time (possibly based on what the thread is doing at
---------------------------- Exception ----------------------------
08:01:19,392 INFO [org.hibernate.jpa.internal.util.LogHelper] (ServerService Thread Pool -- 57) HHH000204: Processing PersistenceUnitInfo [ name: keycloak-default ...]
08:01:19,440 INFO [org.hibernate.Version] (ServerService Thread Pool -- 57) HHH000412: Hibernate Core {5.1.10.Final}
08:01:19,442 INFO [org.hibernate.cfg.Environment] (ServerService Thread Pool -- 57) HHH000206: hibernate.properties not found
08:01:19,443 INFO [org.hibernate.cfg.Environment] (ServerService Thread Pool -- 57) HHH000021: Bytecode provider name : javassist
08:01:19,472 INFO [org.hibernate.annotations.common.Version] (ServerService Thread Pool -- 57) HCANN000001: Hibernate Commons Annotations {5.0.1.Final}
08:01:19,889 INFO [org.hibernate.dialect.Dialect] (ServerService Thread Pool -- 57) HHH000400: Using dialect: org.hibernate.dialect.MySQL5Dialect
08:01:19,936 INFO [org.hibernate.envers.boot.internal.EnversServiceImpl] (ServerService Thread Pool -- 57) Envers integration enabled? : true
08:01:20,425 INFO [org.hibernate.validator.internal.util.Version] (ServerService Thread Pool -- 57) HV000001: Hibernate Validator 5.3.5.Final
08:01:21,242 INFO [org.hibernate.hql.internal.QueryTranslatorFactoryInitiator] (ServerService Thread Pool -- 57) HHH000397: Using ASTQueryTranslatorFactory
08:06:16,695 WARN [com.arjuna.ats.arjuna] (Transaction Reaper) ARJUNA012117: TransactionReaper::check timeout for TX 0:ffffac1f12aa:-1fdf5642:5bd9614a:e in state RUN
08:06:16,702 WARN [org.hibernate.resource.transaction.backend.jta.internal.synchronization.SynchronizationCallbackCoordinatorTrackingImpl] (Transaction Reaper Worker 0) HHH000451: Transaction afterCompletion called by a background thread; delaying afterCompletion processing until the original thread can handle it. [status=4]
08:06:16,703 WARN [com.arjuna.ats.arjuna] (Transaction Reaper Worker 0) ARJUNA012121: TransactionReaper::doCancellations worker Thread[Transaction Reaper Worker 0,5,main] successfully canceled TX 0:ffffac1f12aa:-1fdf5642:5bd9614a:e
08:06:22,093 WARN [com.arjuna.ats.arjuna] (Transaction Reaper) ARJUNA012117: TransactionReaper::check timeout for TX 0:ffffac1f12aa:-1fdf5642:5bd9614a:19 in state RUN
08:06:22,094 WARN [com.arjuna.ats.arjuna] (Transaction Reaper Worker 0) ARJUNA012095: Abort of action id 0:ffffac1f12aa:-1fdf5642:5bd9614a:19 invoked while multiple threads active within it.
08:06:22,095 WARN [com.arjuna.ats.arjuna] (Transaction Reaper Worker 0) ARJUNA012381: Action id 0:ffffac1f12aa:-1fdf5642:5bd9614a:19 completed with multiple threads - thread ServerService Thread Pool -- 57 was in progress with
java.net.SocketInputStream.socketRead0(Native Method)
java.net.SocketInputStream.socketRead(SocketInputStream.java:116)
java.net.SocketInputStream.read(SocketInputStream.java:171)
java.net.SocketInputStream.read(SocketInputStream.java:141)
com.mysql.cj.protocol.ReadAheadInputStream.fill(ReadAheadInputStream.java:107)
com.mysql.cj.protocol.ReadAheadInputStream.readFromUnderlyingStreamIfNecessary(ReadAheadInputStream.java:150)
com.mysql.cj.protocol.ReadAheadInputStream.read(ReadAheadInputStream.java:180)
java.io.FilterInputStream.read(FilterInputStream.java:133)
com.mysql.cj.protocol.FullReadInputStream.readFully(FullReadInputStream.java:64)
com.mysql.cj.protocol.a.SimplePacketReader.readHeader(SimplePacketReader.java:63)
com.mysql.cj.protocol.a.SimplePacketReader.readHeader(SimplePacketReader.java:45)
com.mysql.cj.protocol.a.TimeTrackingPacketReader.readHeader(TimeTrackingPacketReader.java:52)
com.mysql.cj.protocol.a.TimeTrackingPacketReader.readHeader(TimeTrackingPacketReader.java:41)
com.mysql.cj.protocol.a.MultiPacketReader.readHeader(MultiPacketReader.java:54)
com.mysql.cj.protocol.a.MultiPacketReader.readHeader(MultiPacketReader.java:44)
com.mysql.cj.protocol.a.NativeProtocol.readMessage(NativeProtocol.java:557)
com.mysql.cj.protocol.a.NativeProtocol.checkErrorMessage(NativeProtocol.java:735)
com.mysql.cj.protocol.a.NativeProtocol.sendCommand(NativeProtocol.java:674)
com.mysql.cj.protocol.a.NativeProtocol.sendQueryPacket(NativeProtocol.java:966)
com.mysql.cj.NativeSession.execSQL(NativeSession.java:1165)
com.mysql.cj.jdbc.ClientPreparedStatement.executeInternal(ClientPreparedStatement.java:937)
com.mysql.cj.jdbc.ClientPreparedStatement.executeQuery(ClientPreparedStatement.java:1019)
org.jboss.jca.adapters.jdbc.WrappedPreparedStatement.executeQuery(WrappedPreparedStatement.java:504)
org.hibernate.engine.jdbc.internal.ResultSetReturnImpl.extract(ResultSetReturnImpl.java:70)
org.hibernate.loader.plan.exec.internal.AbstractLoadPlanBasedLoader.getResultSet(AbstractLoadPlanBasedLoader.java:434)
org.hibernate.loader.plan.exec.internal.AbstractLoadPlanBasedLoader.executeQueryStatement(AbstractLoadPlanBasedLoader.java:186)
org.hibernate.loader.plan.exec.internal.AbstractLoadPlanBasedLoader.executeLoad(AbstractLoadPlanBasedLoader.java:121)
org.hibernate.loader.plan.exec.internal.AbstractLoadPlanBasedLoader.executeLoad(AbstractLoadPlanBasedLoader.java:86)
org.hibernate.loader.collection.plan.AbstractLoadPlanBasedCollectionInitializer.initialize(AbstractLoadPlanBasedCollectionInitializer.java:88)
org.hibernate.persister.collection.AbstractCollectionPersister.initialize(AbstractCollectionPersister.java:688)
org.hibernate.event.internal.DefaultInitializeCollectionEventListener.onInitializeCollection(DefaultInitializeCollectionEventListener.java:75)
org.hibernate.internal.SessionImpl.initializeCollection(SessionImpl.java:2004)
org.hibernate.collection.internal.AbstractPersistentCollection$4.doWork(AbstractPersistentCollection.java:567)
org.hibernate.collection.internal.AbstractPersistentCollection.withTemporarySessionIfNeeded(AbstractPersistentCollection.java:249)
org.hibernate.collection.internal.AbstractPersistentCollection.initialize(AbstractPersistentCollection.java:563)
org.hibernate.collection.internal.AbstractPersistentCollection.read(AbstractPersistentCollection.java:132)
org.hibernate.collection.internal.AbstractPersistentCollection$1.doWork(AbstractPersistentCollection.java:161)
org.hibernate.collection.internal.AbstractPersistentCollection$1.doWork(AbstractPersistentCollection.java:146)
org.hibernate.collection.internal.AbstractPersistentCollection.withTemporarySessionIfNeeded(AbstractPersistentCollection.java:249)
org.hibernate.collection.internal.AbstractPersistentCollection.readSize(AbstractPersistentCollection.java:145)
org.hibernate.collection.internal.PersistentMap.size(PersistentMap.java:123)
java.util.HashMap.putMapEntries(HashMap.java:501)
java.util.HashMap.putAll(HashMap.java:785)
org.keycloak.models.jpa.ClientScopeAdapter.getAttributes(ClientScopeAdapter.java:309)
org.keycloak.models.cache.infinispan.entities.CachedClientScope.<init>(CachedClientScope.java:56)
org.keycloak.models.cache.infinispan.RealmCacheSession.getClientScopeById(RealmCacheSession.java:1147)
org.keycloak.models.jpa.RealmAdapter.getClientScopes(RealmAdapter.java:1779)
org.keycloak.models.cache.infinispan.entities.CachedRealm.cacheClientScopes(CachedRealm.java:285)
org.keycloak.models.cache.infinispan.entities.CachedRealm.<init>(CachedRealm.java:232)
org.keycloak.models.cache.infinispan.RealmCacheSession.getRealm(RealmCacheSession.java:399)
org.keycloak.models.jpa.JpaRealmProvider.getRealms(JpaRealmProvider.java:102)
org.keycloak.models.cache.infinispan.RealmCacheSession.getRealms(RealmCacheSession.java:459)
org.keycloak.services.managers.ApplianceBootstrap.isNewInstall(ApplianceBootstrap.java:46)
org.keycloak.services.resources.KeycloakApplication.migrateAndBootstrap(KeycloakApplication.java:211)
org.keycloak.services.resources.KeycloakApplication$1.run(KeycloakApplication.java:145)
org.keycloak.models.utils.KeycloakModelUtils.runJobInTransaction(KeycloakModelUtils.java:227)
org.keycloak.services.resources.KeycloakApplication.<init>(KeycloakApplication.java:136)
sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
java.lang.reflect.Constructor.newInstance(Constructor.java:423)
org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:150)
org.jboss.resteasy.spi.ResteasyProviderFactory.createProviderInstance(ResteasyProviderFactory.java:2298)
org.jboss.resteasy.spi.ResteasyDeployment.createApplication(ResteasyDeployment.java:340)
org.jboss.resteasy.spi.ResteasyDeployment.start(ResteasyDeployment.java:253)
org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.init(ServletContainerDispatcher.java:120)
org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.init(HttpServletDispatcher.java:36)
io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:117)
org.wildfly.extension.undertow.security.RunAsLifecycleInterceptor.init(RunAsLifecycleInterceptor.java:78)
io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:103)
io.undertow.servlet.core.ManagedServlet$DefaultInstanceStrategy.start(ManagedServlet.java:250)
io.undertow.servlet.core.ManagedServlet.createServlet(ManagedServlet.java:133)
io.undertow.servlet.core.DeploymentManagerImpl$2.call(DeploymentManagerImpl.java:565)
io.undertow.servlet.core.DeploymentManagerImpl$2.call(DeploymentManagerImpl.java:536)
io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:42)
io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105)
org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction$$Lambda$807/210507936.call(Unknown Source)
org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction$$Lambda$808/1397988528.call(Unknown Source)
org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction$$Lambda$808/1397988528.call(Unknown Source)
org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction$$Lambda$808/1397988528.call(Unknown Source)
org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction$$Lambda$808/1397988528.call(Unknown Source)
io.undertow.servlet.core.DeploymentManagerImpl.start(DeploymentManagerImpl.java:578)
org.wildfly.extension.undertow.deployment.UndertowDeploymentService.startContext(UndertowDeploymentService.java:100)
org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:81)
java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
java.util.concurrent.FutureTask.run(FutureTask.java:266)
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
java.lang.Thread.run(Thread.java:748)
org.jboss.threads.JBossThread.run(JBossThread.java:320)
08:06:22,096 WARN [com.arjuna.ats.arjuna] (Transaction Reaper Worker 0) ARJUNA012108: CheckedAction::check - atomic action 0:ffffac1f12aa:-1fdf5642:5bd9614a:19 aborting with 1 threads active!
08:06:22,098 WARN [org.hibernate.resource.transaction.backend.jta.internal.synchronization.SynchronizationCallbackCoordinatorTrackingImpl] (Transaction Reaper Worker 0) HHH000451: Transaction afterCompletion called by a background thread; delaying afterCompletion processing until the original thread can handle it. [status=4]
08:06:22,099 WARN [com.arjuna.ats.arjuna] (Transaction Reaper Worker 0) ARJUNA012121: TransactionReaper::doCancellations worker Thread[Transaction Reaper Worker 0,5,main] successfully canceled TX 0:ffffac1f12aa:-1fdf5642:5bd9614a:19
08:06:22,101 WARN [org.hibernate.engine.jdbc.spi.SqlExceptionHelper] (ServerService Thread Pool -- 57) SQL Error: 0, SQLState: null
08:06:22,101 ERROR [org.hibernate.engine.jdbc.spi.SqlExceptionHelper] (ServerService Thread Pool -- 57) IJ031070: Transaction cannot proceed: STATUS_ROLLEDBACK
08:06:22,103 WARN [com.arjuna.ats.arjuna] (ServerService Thread Pool -- 57) ARJUNA012077: Abort called on already aborted atomic action 0:ffffac1f12aa:-1fdf5642:5bd9614a:19
08:06:22,129 WARN [com.arjuna.ats.arjuna] (ServerService Thread Pool -- 57) ARJUNA012077: Abort called on already aborted atomic action 0:ffffac1f12aa:-1fdf5642:5bd9614a:e
08:06:22,135 ERROR [org.jboss.msc.service.fail] (ServerService Thread Pool -- 57) MSC000001: Failed to start service jboss.undertow.deployment.default-server.default-host./auth: org.jboss.msc.service.StartException in service jboss.undertow.deployment.default-server.default-host./auth: java.lang.RuntimeException: RESTEASY003325: Failed to construct public org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:84)
    at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
    at java.util.concurrent.FutureTask.run(FutureTask.java:266)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    at java.lang.Thread.run(Thread.java:748)
    at org.jboss.threads.JBossThread.run(JBossThread.java:320)
Caused by: java.lang.RuntimeException: RESTEASY003325: Failed to construct public org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher)
    at org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:162)
    at org.jboss.resteasy.spi.ResteasyProviderFactory.createProviderInstance(ResteasyProviderFactory.java:2298)
    at org.jboss.resteasy.spi.ResteasyDeployment.createApplication(ResteasyDeployment.java:340)
    at org.jboss.resteasy.spi.ResteasyDeployment.start(ResteasyDeployment.java:253)
    at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.init(ServletContainerDispatcher.java:120)
    at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.init(HttpServletDispatcher.java:36)
    at io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:117)
    at org.wildfly.extension.undertow.security.RunAsLifecycleInterceptor.init(RunAsLifecycleInterceptor.java:78)
    at io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:103)
    at io.undertow.servlet.core.ManagedServlet$DefaultInstanceStrategy.start(ManagedServlet.java:250)
    at io.undertow.servlet.core.ManagedServlet.createServlet(ManagedServlet.java:133)
    at io.undertow.servlet.core.DeploymentManagerImpl$2.call(DeploymentManagerImpl.java:565)
    at io.undertow.servlet.core.DeploymentManagerImpl$2.call(DeploymentManagerImpl.java:536)
    at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:42)
    at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
    at org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
    at io.undertow.servlet.core.DeploymentManagerImpl.start(DeploymentManagerImpl.java:578)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentService.startContext(UndertowDeploymentService.java:100)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:81)
    ... 6 more
Caused by: org.hibernate.exception.GenericJDBCException: could not prepare statement
    at org.hibernate.exception.internal.StandardSQLExceptionConverter.convert(StandardSQLExceptionConverter.java:47)
    at org.hibernate.engine.jdbc.spi.SqlExceptionHelper.convert(SqlExceptionHelper.java:111)
    at org.hibernate.engine.jdbc.internal.StatementPreparerImpl$StatementPreparationTemplate.prepareStatement(StatementPreparerImpl.java:182)
    at org.hibernate.engine.jdbc.internal.StatementPreparerImpl.prepareQueryStatement(StatementPreparerImpl.java:148)
    at org.hibernate.loader.plan.exec.internal.AbstractLoadPlanBasedLoader.prepareQueryStatement(AbstractLoadPlanBasedLoader.java:241)
    at org.hibernate.loader.plan.exec.internal.AbstractLoadPlanBasedLoader.executeQueryStatement(AbstractLoadPlanBasedLoader.java:185)
    at org.hibernate.loader.plan.exec.internal.AbstractLoadPlanBasedLoader.executeLoad(AbstractLoadPlanBasedLoader.java:121)
    at org.hibernate.loader.plan.exec.internal.AbstractLoadPlanBasedLoader.executeLoad(AbstractLoadPlanBasedLoader.java:86)
    at org.hibernate.loader.collection.plan.AbstractLoadPlanBasedCollectionInitializer.initialize(AbstractLoadPlanBasedCollectionInitializer.java:88)
    at org.hibernate.persister.collection.AbstractCollectionPersister.initialize(AbstractCollectionPersister.java:688)
    at org.hibernate.event.internal.DefaultInitializeCollectionEventListener.onInitializeCollection(DefaultInitializeCollectionEventListener.java:75)
    at org.hibernate.internal.SessionImpl.initializeCollection(SessionImpl.java:2004)
    at org.hibernate.collection.internal.AbstractPersistentCollection$4.doWork(AbstractPersistentCollection.java:567)
    at org.hibernate.collection.internal.AbstractPersistentCollection.withTemporarySessionIfNeeded(AbstractPersistentCollection.java:249)
    at org.hibernate.collection.internal.AbstractPersistentCollection.initialize(AbstractPersistentCollection.java:563)
    at org.hibernate.collection.internal.AbstractPersistentCollection.read(AbstractPersistentCollection.java:132)
    at org.hibernate.collection.internal.PersistentBag.iterator(PersistentBag.java:277)
    at org.keycloak.models.jpa.ClientScopeAdapter.getProtocolMappers(ClientScopeAdapter.java:104)
    at org.keycloak.models.cache.infinispan.entities.CachedClientScope.<init>(CachedClientScope.java:50)
    at org.keycloak.models.cache.infinispan.RealmCacheSession.getClientScopeById(RealmCacheSession.java:1147)
    at org.keycloak.models.jpa.RealmAdapter.getClientScopes(RealmAdapter.java:1779)
    at org.keycloak.models.cache.infinispan.entities.CachedRealm.cacheClientScopes(CachedRealm.java:285)
    at org.keycloak.models.cache.infinispan.entities.CachedRealm.<init>(CachedRealm.java:232)
    at org.keycloak.models.cache.infinispan.RealmCacheSession.getRealm(RealmCacheSession.java:399)
    at org.keycloak.models.jpa.JpaRealmProvider.getRealms(JpaRealmProvider.java:102)
    at org.keycloak.models.cache.infinispan.RealmCacheSession.getRealms(RealmCacheSession.java:459)
    at org.keycloak.services.managers.ApplianceBootstrap.isNewInstall(ApplianceBootstrap.java:46)
    at org.keycloak.services.resources.KeycloakApplication.migrateAndBootstrap(KeycloakApplication.java:211)
    at org.keycloak.services.resources.KeycloakApplication$1.run(KeycloakApplication.java:145)
    at org.keycloak.models.utils.KeycloakModelUtils.runJobInTransaction(KeycloakModelUtils.java:227)
    at org.keycloak.services.resources.KeycloakApplication.<init>(KeycloakApplication.java:136)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
    at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
    at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
    at org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:150)
    ... 28 more
Caused by: java.sql.SQLException: IJ031070: Transaction cannot proceed: STATUS_ROLLEDBACK
    at org.jboss.jca.adapters.jdbc.WrapperDataSource.checkTransactionActive(WrapperDataSource.java:245)
    at org.jboss.jca.adapters.jdbc.WrappedConnection.checkTransactionActive(WrappedConnection.java:1928)
    at org.jboss.jca.adapters.jdbc.WrappedConnection.checkStatus(WrappedConnection.java:1943)
    at org.jboss.jca.adapters.jdbc.WrappedConnection.checkTransaction(WrappedConnection.java:1917)
    at org.jboss.jca.adapters.jdbc.WrappedConnection.prepareStatement(WrappedConnection.java:447)
    at org.hibernate.engine.jdbc.internal.StatementPreparerImpl$5.doPrepare(StatementPreparerImpl.java:146)
    at org.hibernate.engine.jdbc.internal.StatementPreparerImpl$StatementPreparationTemplate.prepareStatement(StatementPreparerImpl.java:172)
    ... 61 more
08:06:22,168 INFO [org.jboss.as.server] (Thread-2) WFLYSRV0220: Server shutdown has been requested via an OS signal
08:06:22,196 ERROR [org.jboss.as.controller.management-operation] (Controller Boot Thread) WFLYCTL0013: Operation ("add") failed - address: ([("deployment" => "keycloak-server.war")]) - failure description: {"WFLYCTL0080: Failed services" => {"jboss.undertow.deployment.default-server.default-host./auth" => "java.lang.RuntimeException: RESTEASY003325: Failed to construct public org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher) Caused by: java.lang.RuntimeException: RESTEASY003325: Failed to construct public org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher) Caused by: org.hibernate.exception.GenericJDBCException: could not prepare statement Caused by: java.sql.SQLException: IJ031070: Transaction cannot proceed: STATUS_ROLLEDBACK"}}
08:06:22,218 INFO [org.jboss.as.connector.subsystems.datasources] (MSC service thread 1-2) WFLYJCA0010: Unbound data source [java:/jboss/datasources/KeycloakDS]
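As an added diagnostic (not from the post), a small Python analysis of the log above: it measures how long the bootstrap transaction ran before the Arjuna reaper (ARJUNA012117) cancelled it, and pulls out the Keycloak frame that was in progress from the thread dump printed after ARJUNA012381. The sample is constructed from the quoted lines; the gap of about 300 s is the quantity to compare with the transactions subsystem timeout, which is a separate setting from jboss.as.management.blocking.timeout.

```python
import re
from datetime import datetime

# Constructed sample: the lines from the quoted startup log that the analysis
# needs (timestamps and frames exactly as in the post, other frames dropped).
SAMPLE_LOG = """\
08:01:21,242 INFO [org.hibernate.hql.internal.QueryTranslatorFactoryInitiator] (ServerService Thread Pool -- 57) HHH000397: Using ASTQueryTranslatorFactory
08:06:16,695 WARN [com.arjuna.ats.arjuna] (Transaction Reaper) ARJUNA012117: TransactionReaper::check timeout for TX 0:ffffac1f12aa:-1fdf5642:5bd9614a:e in state RUN
08:06:22,093 WARN [com.arjuna.ats.arjuna] (Transaction Reaper) ARJUNA012117: TransactionReaper::check timeout for TX 0:ffffac1f12aa:-1fdf5642:5bd9614a:19 in state RUN
08:06:22,095 WARN [com.arjuna.ats.arjuna] (Transaction Reaper Worker 0) ARJUNA012381: Action id 0:ffffac1f12aa:-1fdf5642:5bd9614a:19 completed with multiple threads - thread ServerService Thread Pool -- 57 was in progress with
java.net.SocketInputStream.socketRead0(Native Method)
com.mysql.cj.jdbc.ClientPreparedStatement.executeQuery(ClientPreparedStatement.java:1019)
org.keycloak.models.jpa.ClientScopeAdapter.getAttributes(ClientScopeAdapter.java:309)
org.keycloak.models.cache.infinispan.entities.CachedRealm.cacheClientScopes(CachedRealm.java:285)
org.keycloak.services.managers.ApplianceBootstrap.isNewInstall(ApplianceBootstrap.java:46)
org.keycloak.services.resources.KeycloakApplication.migrateAndBootstrap(KeycloakApplication.java:211)
08:06:22,101 ERROR [org.hibernate.engine.jdbc.spi.SqlExceptionHelper] (ServerService Thread Pool -- 57) IJ031070: Transaction cannot proceed: STATUS_ROLLEDBACK
"""

# WildFly console line: "HH:MM:SS,mmm LEVEL [logger] (thread) message"
LOG_LINE = re.compile(r"^(\d\d:\d\d:\d\d,\d{3}) (\w+) \[([^\]]+)\] \(([^)]+)\) (.*)$")
REAPER_TIMEOUT = re.compile(r"ARJUNA012117: TransactionReaper::check timeout for TX (\S+)")
# A bare stack frame as printed in the ARJUNA012381 thread dump.
FRAME = re.compile(r"^[\w$.]+\.[\w$<>]+\([^)]*\)$")


def parse_ts(text):
    """Parse the date-less WildFly timestamp HH:MM:SS,mmm."""
    return datetime.strptime(text, "%H:%M:%S,%f")


def analyze(log_text):
    last_progress = None   # time of the last INFO line, i.e. last visible progress
    reaped = []            # transactions the reaper timed out, in order
    frames = []            # frames of the thread dump after ARJUNA012381
    in_dump = False
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if m:
            ts, level, _logger, _thread, msg = m.groups()
            in_dump = "ARJUNA012381" in msg
            if level == "INFO":
                last_progress = parse_ts(ts)
            r = REAPER_TIMEOUT.search(msg)
            if r:
                waited = ((parse_ts(ts) - last_progress).total_seconds()
                          if last_progress else None)
                reaped.append({"tx": r.group(1), "seconds_since_progress": waited})
        elif in_dump and FRAME.match(line):
            frames.append(line)
    keycloak = [f for f in frames if f.startswith("org.keycloak.")]
    return {
        "reaped": reaped,
        # True when the cancelled thread was blocked reading from the JDBC socket.
        "waiting_on_db": any(f.startswith("java.net.SocketInputStream") for f in frames),
        # Innermost Keycloak code on the stack (first org.keycloak frame).
        "innermost_keycloak_frame": keycloak[0] if keycloak else None,
        # The bootstrap step that owned the transaction, if present.
        "bootstrap_frame": next((f for f in keycloak if "ApplianceBootstrap" in f), None),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(analyze(SAMPLE_LOG), indent=2))
```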
6 years, 2 months
Help Listing Users
by paolo lizarazu
Hi All,
I am having some issues trying to list Keycloak users from a Spring Boot
application (SBA).
I want the Spring Boot app to be secured by Keycloak, and if the user
has the proper privileges, to be able to perform the required actions; in my specific
case, list the users.
For my realm (Test) I have created a client System-Management which is
configured like this:
Settings
* client protocol: openid-connect
* access Type :confidential
* standard flow enabled :true
* implicit flow enabled :false
* direct access grants enabled :false
* service account enabled: true
* authorization enabled :true
* valid redirect uris : *
* web origins :*
Scope
* full scope allowed: true
The Spring Boot application has the Keycloak properties configured; it
redirects to login and after success is redirected back to the
application. With a second link in the application I want to list the
Keycloak users, but the request fails with a 403 response.
#Keycloak Configuration
keycloak.auth-server-url=http://localhost:9080/auth
keycloak.realm=test
keycloak.resource=system-management
keycloak.use-resource-role-mappings=false
keycloak.public-client=false
keycloak.credentials.secret=964ccde0-888e-4103-86a6-1f90961d6852
keycloak.principal-attribute=preferred_username
Here is my security config:
import org.keycloak.adapters.springboot.KeycloakSpringBootConfigResolver;
import org.keycloak.adapters.springsecurity.authentication.KeycloakAuthenticationProvider;
import org.keycloak.adapters.springsecurity.client.KeycloakClientRequestFactory;
import org.keycloak.adapters.springsecurity.client.KeycloakRestTemplate;
import org.keycloak.adapters.springsecurity.config.KeycloakWebSecurityConfigurerAdapter;
import org.keycloak.adapters.springsecurity.filter.KeycloakAuthenticationProcessingFilter;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.config.ConfigurableBeanFactory;
import org.springframework.boot.web.servlet.FilterRegistrationBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Scope;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.authority.mapping.SimpleAuthorityMapper;
import org.springframework.security.core.session.SessionRegistryImpl;
import org.springframework.security.web.authentication.session.RegisterSessionAuthenticationStrategy;
import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy;

@Configuration
@EnableWebSecurity
public class SecurityConfig extends KeycloakWebSecurityConfigurerAdapter {

    @Autowired
    public KeycloakClientRequestFactory keycloakClientRequestFactory;

    // Submits the KeycloakAuthenticationProvider to the AuthenticationManager
    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        KeycloakAuthenticationProvider keycloakAuthenticationProvider = keycloakAuthenticationProvider();
        // Maps Keycloak roles to Spring authorities with the ROLE_ prefix
        keycloakAuthenticationProvider.setGrantedAuthoritiesMapper(new SimpleAuthorityMapper());
        auth.authenticationProvider(keycloakAuthenticationProvider);
    }

    // Reads the keycloak.* properties from application.properties instead of keycloak.json
    @Bean
    public KeycloakSpringBootConfigResolver keycloakConfigResolver() {
        return new KeycloakSpringBootConfigResolver();
    }

    // Specifies the session authentication strategy
    @Bean
    @Override
    protected SessionAuthenticationStrategy sessionAuthenticationStrategy() {
        return new RegisterSessionAuthenticationStrategy(new SessionRegistryImpl());
    }

    // RestTemplate that forwards the logged-in user's bearer token
    @Bean
    @Scope(ConfigurableBeanFactory.SCOPE_PROTOTYPE)
    public KeycloakRestTemplate keycloakRestTemplate() {
        KeycloakRestTemplate restTemplate = new KeycloakRestTemplate(keycloakClientRequestFactory);
        // we should add here the interceptor on debug mode
        return restTemplate;
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        super.configure(http);
        http.authorizeRequests()
            .antMatchers("/customers*", "/users*")
            .authenticated();
    }

    // Stops Spring Boot from registering the Keycloak filter a second time at the servlet level
    @Bean
    public FilterRegistrationBean keycloakAuthenticationProcessingFilterRegistrationBean(
            KeycloakAuthenticationProcessingFilter filter) {
        FilterRegistrationBean registrationBean = new FilterRegistrationBean(filter);
        registrationBean.setEnabled(false);
        return registrationBean;
    }
}
And finally my service to get users:
import static org.keycloak.OAuth2Constants.CLIENT_CREDENTIALS;

import java.util.List;
import org.keycloak.admin.client.Keycloak;
import org.keycloak.admin.client.KeycloakBuilder;
import org.keycloak.representations.idm.UserRepresentation;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.stereotype.Service;

@Service
public class KeycloakService {

    @Value("${keycloak.auth-server-url}")
    private String serverUrl;
    @Value("${keycloak.realm}")
    private String realm;
    @Value("${keycloak.resource}")
    private String clientId;
    @Value("${keycloak.credentials.secret}")
    private String clientSecret;

    // Admin client authenticating as this client's service account
    // (client_credentials grant). The original also passed
    // accessToken.getAccessTokenHash() to authorization(); that value is the
    // at_hash claim, not a bearer token, so the server would reject it, and
    // authorization() bypasses the grant configured below anyway.
    private Keycloak getInstance() {
        return KeycloakBuilder.builder()
            .serverUrl(serverUrl)
            .grantType(CLIENT_CREDENTIALS)
            .clientId(clientId)
            .clientSecret(clientSecret)
            .realm(realm)
            .build();
    }

    // Lists the realm's users; the service account needs the realm-management
    // view-users role for this call to be authorized.
    public List<UserRepresentation> getUsers() {
        return getInstance().realm(realm).users().list();
    }
}
Any help would be appreciated.
Note: the idea is to have user administration outside of Keycloak.
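As an added diagnostic (not from the post), the check I would run on the token the admin client actually sends: a 403 from users().list() means the caller lacks one of the realm-management roles the users endpoint accepts, and with the client_credentials grant that caller is the client's service account, not the logged-in user. The tokens below are constructed fixtures; the role names are Keycloak's built-in realm-management roles.

```python
import base64
import json

# Roles of the built-in realm-management client that the admin REST API
# accepts for listing the users of a realm (GET /admin/realms/{realm}/users).
USER_LIST_ROLES = {"view-users", "manage-users", "query-users"}


def _b64url_decode(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_claims(token):
    """Payload claims of a compact JWT. No signature check: this inspects a
    token we obtained ourselves for diagnosis, it does not establish trust."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def client_roles(claims, client_id):
    """Roles granted for one client, read from the resource_access claim."""
    return set(claims.get("resource_access", {}).get(client_id, {}).get("roles", []))


def can_list_users(claims):
    return bool(client_roles(claims, "realm-management") & USER_LIST_ROLES)


def diagnose(token, expected_client_id):
    """Reasons the admin API would answer 403 to users().list() with this token."""
    claims = decode_claims(token)
    problems = []
    if claims.get("azp") != expected_client_id:
        problems.append(f"token was issued to client {claims.get('azp')!r}, not {expected_client_id!r}")
    if not can_list_users(claims):
        have = sorted(client_roles(claims, "realm-management")) or ["none"]
        problems.append("realm-management roles " + ", ".join(have)
                        + " include none of " + ", ".join(sorted(USER_LIST_ROLES)))
    return problems


def constructed_token(claims):
    """Constructed test fixture: unsigned token with an empty signature part."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url_encode(json.dumps(claims).encode())}."


# Constructed claims of two service-account tokens for the post's client:
# the first is what a freshly created service account typically carries,
# the second has view-users assigned on realm-management.
TOKEN_WITHOUT_ROLE = constructed_token({
    "azp": "system-management",
    "preferred_username": "service-account-system-management",
    "resource_access": {"account": {"roles": ["view-profile"]}},
})
TOKEN_WITH_ROLE = constructed_token({
    "azp": "system-management",
    "preferred_username": "service-account-system-management",
    "resource_access": {"realm-management": {"roles": ["view-users"]}},
})

if __name__ == "__main__":
    for label, tok in (("without role", TOKEN_WITHOUT_ROLE), ("with role", TOKEN_WITH_ROLE)):
        print(label, diagnose(tok, "system-management") or ["ok"])
```

Run it on a real token by pasting the access_token string returned by the token endpoint for the client_credentials grant in place of the fixtures.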
6 years, 2 months
keycloak-client-admin java examples & docs
by Wyllys Ingersoll
I'm trying to write a keystone client for a 3rd party java service that will
authenticate to Keycloak using the org.keycloak.admin.client.Keycloak
interfaces. There are a couple of snippets of code examples online, such
as here:
https://www.keycloak.org/docs/4.5/server_development/#example-using-java
and others such as
https://gist.github.com/thomasdarimont/43689aefb37540624e35 but none of
them actually work (at least not for me). I always get the following
exception when working with the 4.5.0.Final packages:
java.lang.IllegalArgumentException: interface
org.keycloak.admin.client.token.TokenService is not visible from class
loader
I've seen this same exception mentioned in several threads, but have not
seen a working solution/workaround or even a good explanation of why the
error is occurring.
The javadocs at https://www.keycloak.org/docs-api/4.5/javadocs/ do not
include the docs for the admin.client.Keycloak classes.
Can anyone point me to a *working* example of using the Keycloak
admin-client java API or some online java docs for those classes?
thanks,
Wyllys Ingersoll
6 years, 2 months
keycloak docker image clustering section is not working as expected
by Meissa M'baye Sakho
Hello everyone,
There is a confusing section in the clustering section [1] of the keycloak
docker image.
The documentation states that:
JGROUPS_DISCOVERY_PROPERTIES - an optional parameter with the discovery
protocol properties in the following format:
PROP1=FOO,PROP2=BAR
I can confirm that this parameter is not optional at all.
When I run the image with the JGROUPS_DISCOVERY_PROTOCOL environment
variable set and without JGROUPS_DISCOVERY_PROPERTIES set (since it's
said to be optional), the container fails to start with the error message
below:
10:50:11,999 ERROR [org.jboss.as.controller.management-operation] (Controller Boot Thread) WFLYCTL0013: Operation ("add") failed - address: ([
    ("subsystem" => "jgroups"),
    ("channel" => "ee")
]) - failure description: {"WFLYCTL0080: Failed services" => {"org.wildfly.clustering.jgroups.channel.ee" => "java.lang.IllegalArgumentException: dns_query can not be null or empty
    Caused by: java.lang.IllegalArgumentException: dns_query can not be null or empty"}}
Setting the JGROUPS_DISCOVERY_PROPERTIES environment variable fixes the
error. So this is not an optional parameter.
[1]=https://hub.docker.com/r/jboss/keycloak/
Regards,
Meissa
6 years, 2 months
kubernetes discovery protocol for JGroups
by Meissa M'baye Sakho
Hello everyone,
Can someone tell me the difference between the dns.DNS_PING and
kubernetes.KUBE_PING protocols that we could use to enable keycloak
clustering?
It seems like both of them could be used in a kubernetes environment, but I
can't see any documentation clearly explaining the
difference between them.
I would like to know which one is relevant in an OpenShift environment
and which one in a non-OpenShift environment.
The official github repo [1] does not say a lot about that.
[1]=https://github.com/jgroups-extras/jgroups-kubernetes/
Regards,
Meissa
6 years, 2 months
Re: [keycloak-user] R: Need to log in to all realms with unique admin users
by Dmitry Telegin
Ciao Mattia,
Let's assume your realm (non-master) is named "foo". Here are the steps:
1. In admin console, go to master realm -> clients -> broker -> Credentials, copy the secret;
2. go to foo realm -> Identity Providers, add Keycloak OpenID Connect provider, give it an alias (like "master");
3. set Client ID to "broker" (w/o quotes) and paste the Client Secret;
4. scroll down to "Import from URL", paste the following:
http://localhost:8180/auth/realms/master/.well-known/openid-configuration
and click Import. The necessary fields will be filled in automatically;
5. scroll up, copy Redirect URI (should be like http://localhost:8180/auth/realms/foo/broker/master/endpoint);
6. go to master realm -> clients -> broker, paste the URI to "Valid Redirect URIs", click save.
After that, your users will be able to authenticate on non-master realms via the master realm. Upon the first successful login, the user will be presented with the Update Account Information form. If you want to bypass that, you can enable identity auto-linking.
For Keycloak 4.5.0, it's out of the box - just use "Automatically Link Brokered Account" authenticator in your first broker login flow.
For Keycloak <4.5.0, you can use this: https://github.com/ohioit/keycloak-link-idp-with-user
Good luck!
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training
Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info(a)acutus.pro
On Mon, 2018-10-29 at 15:09 +0000, Mattia Bello wrote:
> Dmitry,
> I found that information in master realm settings -> OpenID Endpoint Configuration link:
>
> {"issuer":"http://localhost:8180/auth/realms/master",
> "authorization_endpoint":"http://localhost:8180/auth/realms/master/protocol/openid-connect/auth",
> "token_endpoint":"http://localhost:8180/auth/realms/master/protocol/openid-connect/token",
> "token_introspection_endpoint":"http://localhost:8180/auth/realms/master/protocol/openid-connect/token/introspect",
> "userinfo_endpoint":"http://localhost:8180/auth/realms/master/protocol/openid-connect/userinfo",
> "end_session_endpoint":"http://localhost:8180/auth/realms/master/protocol/openid-connect/logout",
> "jwks_uri":"http://localhost:8180/auth/realms/master/protocol/openid-connect/certs",
> "check_session_iframe":"http://localhost:8180/auth/realms/master/protocol/openid-connect/login-status-iframe.html",
> "grant_types_supported":["authorization_code","implicit","refresh_token","password","client_credentials"],
> "response_types_supported":["code","none","id_token","token","id_token token","code id_token","code token","code id_token token"],
> "subject_types_supported":["public","pairwise"],
> "id_token_signing_alg_values_supported":["RS256"],
> "userinfo_signing_alg_values_supported":["RS256"],
> "request_object_signing_alg_values_supported":["none","RS256"],
> "response_modes_supported":["query","fragment","form_post"],
> "registration_endpoint":"http://localhost:8180/auth/realms/master/clients-registrations/openid-connect",
> "token_endpoint_auth_methods_supported":["private_key_jwt","client_secret_basic","client_secret_post","client_secret_jwt"],
> "token_endpoint_auth_signing_alg_values_supported":["RS256"],
> "claims_supported":["sub","iss","auth_time","name","given_name","family_name","preferred_username","email"],
> "claim_types_supported":["normal"],
> "claims_parameter_supported":false,
> "scopes_supported":["openid","address","email","offline_access","phone","profile"],
> "request_parameter_supported":true,
> "request_uri_parameter_supported":true,
> "code_challenge_methods_supported":["plain","S256"],
> "tls_client_certificate_bound_access_tokens":true
> }
>
> I used it to compile the form, as you can see from the image attached.
>
> But, when I click on the TECNICO link in login form, the keycloak page returns this message:
>
> We're sorry...
> Invalid parameter: redirect_uri
>
> « Back to Application
>
> and server logs are:
>
> 15:57:09,193 WARN [org.keycloak.events] (default task-21) type=LOGIN_ERROR, realmId=master, clientId=risolvo-app, userId=null, ipAddress=127.0.0.1, error=invalid_redirect_uri, redirect_uri=http://localhost:8180/auth/realms/default/broker/master-oidc/endpoint
>
> What am I doing wrong?
>
> Thank you
>
> Sent from Mail for Windows 10
>
> From: Dmitry Telegin
> Sent: Friday, 26 October 2018 03:29
> To: Mattia Bello; keycloak-user(a)lists.jboss.org
> Subject: Re: [keycloak-user] Need to log in to all realms with unique admin users
>
> Mattia,
>
> Thanks for your explanation, the problem is clear now.
>
> I think you can solve it with the help of identity brokering [1]. For each non-master realm, you will have to configure brokering to master. After that, a badge will appear on the login screen, and after clicking it your users will be able to authenticate with their master realm credentials.
>
> If you're ok with this additional step, this could be an easy solution.
>
> [1] https://urlsand.esvalabs.com/?u=https%3A%2F%2Fwww.keycloak.org%2Fdocs%2Fl...
>
> Dmitry
>
> On Thu, 2018-10-25 at 21:01 +0000, Mattia Bello wrote:
> > Sorry,
> > I probably did not explain well.
> > I have a client application that is accessible from all realms.
> > I would like with a realm master user to be able to access the client application of each realm, without creating users on each realm.
> > I tried this but when I log in to the client application with the user created in the realm master the log in fails because it says that the user does not exist.
> > Reading the documentation it is explained that the users created in the realm master are used to manage the realm as admin, so you can create new realm and users and groups within the various realms, but it is not specified that with this user you can access a client application defined in realms.
> > Is it possible to access to clients of the various realms with the realm master users, without duplicating them in every realm, or not?
> > Thank you
> >
> > Get Outlook for Android
> >
> >
> >
> >
> > On Thu, Oct 25, 2018 at 10:07 PM +0200, "Dmitry Telegin" <dt(a)acutus.pro> wrote:
> >
> > > Hello Mattia, answers inline,
> > >
> > > On Thu, 2018-10-25 at 13:34 +0000, Mattia Bello wrote:
> > > > We have this situation:
> > > >
> > > > master realm -> used to manage other realms
> > > >
> > > > realm1, realm2, realm3, .. -> are retailers and contain companies
> > > >
> > > > for each realm we have group1, group2, group3, .. -> are companies and contain a group of users
> > > >
> > > > we have to see all the retailers (realms), the companies (groups) and the users
> > > >
> > > > How can I do it?
> > > >
> > > > Can i create a master realm user and use it to access all the other realms?
> > >
> > > Yes you can. In fact, there is already such a user - it's admin that
> > > you've created on the first run. If you want more users with such an
> > > access in master realm, grant them "admin" realm role. If you look into
> > > "admin" role details, you'll see that it automatically includes all the
> > > client roles of *-realm clients, that's how it works under the hood.
> > >
> > > If you don't want to grant that powerful admin role, go to user -> Role
> > > mappings and assign the necessary client roles from the *-realm
> > > clients. The user will get access to the admin functions for that realm(s).
> > >
> > > >
> > > > Or i have to replicate the admin user in master realm into all other realm to use it to log in in that realm?
> > >
> > > This is possible too. Create a user in the target realm, go to Role
> > > mappings and assign the necessary roles from the realm-management
> > > client.
> > >
> > > Good luck,
> > > Dmitry Telegin
> > > CTO, Acutus s.r.o.
> > > Keycloak Consulting and Training
> > >
> > > Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
> > > +42 (022) 888-30-71
> > > E-mail: info(a)acutus.pro
> > >
> > > >
> > > > Thank to all
> > > >
> > > >
> > > >
> > > > Mattia Bello
> > > > Developer
> > > >
> > > > Horsa S.p.A.
> > > > Via Cadorna, 67
> > > > Vimodrone (MI)
> > > > Mobile (+39) 340 36 07 937
> > > > https://urlsand.esvalabs.com/?u=http%3A%2F%2Fwww.horsa.it&e=ab6f9afd&h=772f26c6&f=n&p=y <https://urlsand.esvalabs.com/?u=http%3A%2F%2Fwww.horsa.it%2F&e=ab6f9afd&h...>;
> > > > _______________________________________________
> > > > keycloak-user mailing list
> > > > keycloak-user(a)lists.jboss.org
> > > > https://urlsand.esvalabs.com/?u=https%3A%2F%2Flists.jboss.org%2Fmailman%2Flistinfo%2Fkeycloak-user&e=ab6f9afd&h=a4102473&f=n&p=y
> > >
>
6 years, 2 months
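Dmitry's steps 4 to 6 and the invalid_redirect_uri line in Mattia's log are two sides of the same check: the broker endpoint of the non-master realm has to be registered as a Valid Redirect URI on the master realm's "broker" client before the brokered login can complete. The block below is an added example, written for this thread and not taken from Keycloak's code base or its admin API. It derives the provider fields that the Import in step 4 fills from the discovery document Mattia quoted (constructed here with only the fields read), computes the redirect URI of step 5, and applies a simplified version of the redirect-URI check, exact match or a trailing-asterisk prefix, to show why the request was rejected before step 6. The config key names (authorizationUrl, tokenUrl and so on), the realm name "foo" and alias "master" from the steps, and the simplified matching rule are assumptions.

```python
"""Added example; not code from the thread, from Keycloak or from its admin API.

Works through the brokering steps offline: derive the identity-provider
fields that step 4's Import fills from the master realm's discovery document,
compute the redirect URI that step 6 must register on the "broker" client,
and run the redirect-URI check that yields "Invalid parameter: redirect_uri"
while that registration is missing.
"""

# Constructed from the discovery document quoted in the thread; only the
# fields this example reads are included.
MASTER_DISCOVERY = {
    "issuer": "http://localhost:8180/auth/realms/master",
    "authorization_endpoint": "http://localhost:8180/auth/realms/master/protocol/openid-connect/auth",
    "token_endpoint": "http://localhost:8180/auth/realms/master/protocol/openid-connect/token",
    "userinfo_endpoint": "http://localhost:8180/auth/realms/master/protocol/openid-connect/userinfo",
    "end_session_endpoint": "http://localhost:8180/auth/realms/master/protocol/openid-connect/logout",
    "jwks_uri": "http://localhost:8180/auth/realms/master/protocol/openid-connect/certs",
}

# The redirect_uri rejected in the LOGIN_ERROR line quoted in the thread.
REJECTED_REDIRECT_URI = "http://localhost:8180/auth/realms/default/broker/master-oidc/endpoint"


def idp_config_from_discovery(discovery, client_id, client_secret):
    """Settings for a Keycloak OpenID Connect identity provider (steps 3 and 4).

    Key names follow the admin console's labels and are an assumption, not
    the exact representation the admin REST API uses.
    """
    return {
        "issuer": discovery["issuer"],
        "authorizationUrl": discovery["authorization_endpoint"],
        "tokenUrl": discovery["token_endpoint"],
        "userInfoUrl": discovery["userinfo_endpoint"],
        "logoutUrl": discovery["end_session_endpoint"],
        "jwksUrl": discovery["jwks_uri"],
        "clientId": client_id,
        "clientSecret": client_secret,
    }


def broker_redirect_uri(issuer, target_realm, alias):
    """Redirect URI of the broker endpoint in the target realm (step 5):
    <server>/realms/<target realm>/broker/<alias>/endpoint."""
    server_root = issuer.rsplit("/realms/", 1)[0]
    return f"{server_root}/realms/{target_realm}/broker/{alias}/endpoint"


def redirect_uri_allowed(redirect_uri, valid_redirect_uris):
    """Simplified Valid Redirect URIs check: a registered entry matches the
    request exactly, or as a prefix when the entry ends in '*'."""
    for valid in valid_redirect_uris:
        if valid.endswith("*"):
            if redirect_uri.startswith(valid[:-1]):
                return True
        elif redirect_uri == valid:
            return True
    return False


def login_error(redirect_uri, valid_redirect_uris):
    """Error code the server would log for the authorization request, or None."""
    if redirect_uri_allowed(redirect_uri, valid_redirect_uris):
        return None
    return "invalid_redirect_uri"


if __name__ == "__main__":
    # Placeholder secret: the real value is copied from master -> clients ->
    # broker -> Credentials (step 1).
    cfg = idp_config_from_discovery(MASTER_DISCOVERY, "broker", "<secret from step 1>")
    uri = broker_redirect_uri(cfg["issuer"], "foo", "master")
    print("register on master/clients/broker:", uri)
    print("before step 6:", login_error(REJECTED_REDIRECT_URI, []))
    print("after step 6:", login_error(uri, [uri]))
```

The LOGIN_ERROR line in the thread has realmId=master and clientId=risolvo-app, which is why the registration belongs on the master realm's client and not on the realm the user is logging in to: the master realm is acting as the OpenID provider and validates the redirect_uri against its own client's list.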
RV: How to force login (¿best practice?)
by Pablo Bravo
Hi all,
We are currently implementing keycloak and we are facing an issue, and we are not sure what's the best way to solve it.
We have different webapps making use of the sso and that's working fine. The problem we have is when we log in using the sso in one webapp and then we do the same in a different webapp.
Initially this second webapp does not know which user is coming (and it's not necessary to be logged in to make use of it). When clicking on "login", it automatically logs in the user (by making a redirection to keycloak and automatically logging in the user already logged in the other webapp). This second login happens "transparently" to the user, since the redirection to keycloak is very fast and it's not noticeable. This behaviour is not very user friendly.
The question is: Taking into account that this second webapp can't know upfront which user is accessing the site (unless actively redirecting to keycloak), is it possible to always force the users to log in for a specific keycloak client? By this I mean actually ask the visitor for user/pw even if keycloak already knows them from other keycloak clients.
What's the best practice for this use case?
Thanks in advance!
Pablo
6 years, 2 months
Keycloak as a Service - Beta testers wanted
by DevOps - Tromsso
Hi all,
After successfully using Keycloak for a while now, a small group of engineers would like to see if there is space for Authentication-as-a-Service powered by Keycloak. Our aim is to securely manage a Keycloak cluster where organisations can provision realms and be billed based on the number of active users per month. There are some limitations (we do not allow addition of SPIs for security reasons); however, we hope for most use cases this should be good enough.
We have our initial project and are slowly adding beta users to play with our interface and provide us with feedback as we develop.
**Production use is not recommended** but we will offer free unlimited usage during the Beta period and when moving to the production cluster provide the option to migrate users/realms as required.
If anybody on this mailing list is interested please get in touch or sign up to be a Beta tester at our website below - we are happy to hear all feedback and answer questions moving forward.
Many thanks,
Team Tromsso
https://tromsso.com/
6 years, 2 months