It seems that for view/update UserFederation, we currently require permissions to "view-users" or "manage-users". This looks like a bug, as an admin who is able just to manage users shouldn't be allowed to manage user federation providers. It seems this should either be "view-realm" or "manage-realm", or separate dedicated roles for user federation providers.
Could you please create JIRA?
Thanks,
Marek
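The permission gap Marek describes, as an added illustration that is not Keycloak code and not part of the thread: the four role names are Keycloak's realm-management client roles as named above, while the two policy tables (the reported behaviour and the proposed one), the audit function and the sample accounts are constructed here. The split between "view" and "update" in each table is an assumption of the model; the thread only says that view/update currently require the user-management roles.

```python
"""Least-privilege check for Keycloak realm-management roles.

Added illustration, not Keycloak code. It contrasts the behaviour reported
in the thread (user-management roles unlock User Federation) with the
proposed behaviour (federation follows the realm-level roles) and lists the
accounts that gain access only under the reported behaviour.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

# Realm-management client roles named in the thread.
VIEW_USERS = "view-users"
MANAGE_USERS = "manage-users"
VIEW_REALM = "view-realm"
MANAGE_REALM = "manage-realm"

# A policy maps an admin action to the roles any one of which is sufficient.
Policy = Dict[str, FrozenSet[str]]

# Reported behaviour (constructed model): viewing needs either user role,
# updating needs manage-users. The view/update split is an assumption.
REPORTED_POLICY: Policy = {
    "view-federation": frozenset({VIEW_USERS, MANAGE_USERS}),
    "update-federation": frozenset({MANAGE_USERS}),
}

# Proposed behaviour (constructed model): federation follows the realm roles,
# view with either realm role, update only with manage-realm (assumption).
PROPOSED_POLICY: Policy = {
    "view-federation": frozenset({VIEW_REALM, MANAGE_REALM}),
    "update-federation": frozenset({MANAGE_REALM}),
}


@dataclass(frozen=True)
class AdminAccount:
    username: str
    roles: FrozenSet[str]


def is_allowed(policy: Policy, action: str, roles: FrozenSet[str]) -> bool:
    """True when the account holds at least one role sufficient for the action.

    Unknown actions are denied rather than raising, so a typo in a caller
    fails closed instead of granting access.
    """
    sufficient = policy.get(action, frozenset())
    return not sufficient.isdisjoint(roles)


def excess_grants(policy: Policy, baseline: Policy,
                  accounts: List[AdminAccount]) -> List[Tuple[str, str]]:
    """Return (username, action) pairs allowed under `policy` but not `baseline`.

    Run with the reported policy against the proposed one, this lists the
    accounts whose access depends only on the user-management roles, which
    is what a realm owner needs to review before the check is tightened.
    """
    findings = []
    for account in accounts:
        for action in policy:
            if is_allowed(policy, action, account.roles) and \
                    not is_allowed(baseline, action, account.roles):
                findings.append((account.username, action))
    return findings


# Constructed sample accounts modelled on the thread: a user admin holding only
# manage-users, a read-only helpdesk account, and a full realm admin.
SAMPLE_ACCOUNTS = [
    AdminAccount("user-admin", frozenset({MANAGE_USERS})),
    AdminAccount("helpdesk", frozenset({VIEW_USERS})),
    AdminAccount("realm-admin", frozenset({MANAGE_REALM, MANAGE_USERS})),
]


def audit_sample() -> List[Tuple[str, str]]:
    """Findings for the constructed accounts under the two policies."""
    return excess_grants(REPORTED_POLICY, PROPOSED_POLICY, SAMPLE_ACCOUNTS)


if __name__ == "__main__":
    for username, action in audit_sample():
        print(f"{username}: gains '{action}' only through user-management roles")
```

The realm admin produces no finding because it holds manage-realm, which is sufficient under both tables; the two accounts that only carry user-management roles are exactly the ones Edgar observed seeing and editing User Federation.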
On 14/09/16 09:41, Edgar Vonk - Info.nl wrote:
Hi Marek,
Very sorry, this was our fault. We were using an outdated and customized version of the
users.js file from Keycloak in our theme and this was causing the issue.
We do now see a somewhat related issue in that our user admin accounts (with the
manage-users realm-management role) now also see the ‘Configure - User Federation’ menu
item and are actually able to change some (but not all) settings in our user federation
(and can even delete them I think). Maybe any ideas on how to make sure these users no
longer get access to Configure - User Federation?
cheers
Edgar
> On 08 Sep 2016, at 14:04, Marek Posolda <mposolda(a)redhat.com> wrote:
>
> Hi Edgar,
>
> I was trying to reproduce, but wasn't able. The expected format to invoke this endpoint should be /auth/admin/realms/our-custom-realm/attack-detection/brute-force/users/{userId} so I understand why it fails. But I am not seeing anything in admin console UI, which invokes it from this format.
>
> Feel free to create JIRA if you find steps to reproduce it from clean KC.
>
> Marek
>
> On 07/09/16 13:33, Edgar Vonk - Info.nl wrote:
>> Hi Marek,
>>
>> It’s the brute force detection REST endpoint that is causing the issue.
>>
>>
>> /auth/admin/realms/our-custom-realm/attack-detection/brute-force/users?username=edgar(a)info.nl
>>
>> gives a: "Failed to load resource: the server responded with a status of 405 (Method Not Allowed)"
>>
>>
>>> On 07 Sep 2016, at 12:27, Edgar Vonk - Info.nl <Edgar(a)info.nl> wrote:
>>>
>>> Hi Marek,
>>>
>>> Thanks for the quick reply. Sorry, forgot to mention that: I did also add the view-users role. However the issue remains unfortunately.
>>>
>>> Will try to find the endpoint in question and report back!
>>>
>>> cheers
>>>
>>>> On 07 Sep 2016, at 11:24, Marek Posolda <mposolda(a)redhat.com> wrote:
>>>>
>>>> I guess you need to add "view-users" role as well?
>>>>
>>>> For tracking, you can try to enable FF plugin like Firebug (or similar in Chrome) and see what REST endpoint exactly returns 405 and what role it requires.
>>>>
>>>> Marek
>>>>
>>>> On 07/09/16 10:55, Edgar Vonk - Info.nl wrote:
>>>>> Using a specific user admin account that is part of our Keycloak customers realm (not the master realm) with permissions to edit users only (manage-users realm-management role), whenever I click on a user in the Keycloak admin interface (Manage - Users) I get an "Error! An unexpected server error has occurred" with the stacktrace below in the logs. All actions do seem to work properly however. It also happens when I create a user, but also there the user is created just fine it seems.
>>>>>
>>>>> I am guessing it is a permission issue on some REST endpoint in the admin interface or something?
>>>>>
>>>>>
>>>>> 08:14:06,715 ERROR [org.jboss.resteasy.resteasy_jaxrs.i18n] (default task-40) RESTEASY002010: Failed to execute: javax.ws.rs.NotAllowedException: RESTEASY003650: No resource method found for GET, return 405 with Allow header
>>>>> at org.jboss.resteasy.core.registry.SegmentNode.match(SegmentNode.java:377)
>>>>> at org.jboss.resteasy.core.registry.SegmentNode.match(SegmentNode.java:116)
>>>>> at org.jboss.resteasy.core.registry.RootNode.match(RootNode.java:43)
>>>>> at org.jboss.resteasy.core.LocatorRegistry.getResourceInvoker(LocatorRegistry.java:79)
>>>>> at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:129)
>>>>> at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107)
>>>>> at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133)
>>>>> at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107)
>>>>> at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133)
>>>>> at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101)
>>>>> at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:395)
>>>>> at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:202)
>>>>> at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221)
>>>>> at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
>>>>> at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
>>>>> at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
>>>>> at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
>>>>> at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
>>>>> at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90)
>>>>> at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
>>>>> at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
>>>>> at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
>>>>> at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
>>>>> at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
>>>>> at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
>>>>> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>>>>> at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
>>>>> at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
>>>>> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>>>>> at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
>>>>> at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
>>>>> at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
>>>>> at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
>>>>> at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
>>>>> at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
>>>>> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>>>>> at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
>>>>> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>>>>> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>>>>> at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284)
>>>>> at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263)
>>>>> at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
>>>>> at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174)
>>>>> at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
>>>>> at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793)
>>>>> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>>>>> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>>>>> at java.lang.Thread.run(Thread.java:745)
>>>>>
>>>>> _______________________________________________
>>>>> keycloak-user mailing list
>>>>> keycloak-user(a)lists.jboss.org
>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user