JBoss EAP 7.0 - keycloak-wildfly-adapter-dist-4.3.0.Final - KeycloakConfigResolver called on unprotected Resources
5:16 p.m.
Hello,
we deployed a jsf primfaces application on a JBoss EAP 7.0 System. We have to support
multiple clients using multi tenancy. We followed the instructions of the documentation
[1] to build up a CustomKeycloakConfigResolver.
We configured the web.xml like this:
[web.xml]
<web-app>
...
<security-constraint>
<web-resource-collection>
<web-resource-name>portal</web-resource-name>
<url-pattern>/portal/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>user</role-name>
</auth-constraint>
</security-constraint>
<security-constraint>
<web-resource-collection>
<web-resource-name>public</web-resource-name>
<url-pattern>/portal/pages/willkommen.jsf</url-pattern>
<url-pattern>/portal/pages/logout.jsf</url-pattern>
</web-resource-collection>
</security-constraint>
<login-config>
<auth-method>KEYCLOAK</auth-method>
</login-config>
<security-role>
<role-name>user</role-name>
</security-role>
...
<context-param>
<param-name>keycloak.config.resolver</param-name>
<param-value>de.sample.security.MandantBasedKeycloakConfigResolver</param-value>
</context-param>
...
</web-app>
As you can see everything under portal is restricted with two exceptions. The code of
MandantBasedKeycloakConfigResolver is straight forward and adapted to the example code
[2]. In our example we consider that the url has a query parameter that provides an id
which we can map to a corresponding keycloak.json file. A sample would be
"https://localhost:8443/SampleApp/portal/pages/willkommen.jsf?kId=1".
After deployment I realized, that the KeycloakConfigResolver is called 44 times (see log
entries [3]). As it turns out the KeycloakConfigResolver.resolve() methode is called for
every resource that is loaded through get requests to display the site. I did not expect
that many invocation, since the resources are not protected.
Can you please tell me if this behaviour is correct? What is my error in adopting the
mulity tenancy sample? How can we prevent/workaround that many calls?
While researching I found a jira https://issues.jboss.org/browse/KEYCLOAK-8616 with a
potentially similar problem. Here they use keycloak to secure a spring boot application
and have troubles when a sso redirection occurs.
Regards,
Andreas
[1] https://www.keycloak.org/docs/latest/securing_apps/index.html#_multi_tenancy
[2] public KeycloakDeployment resolve(HttpFacade.Request request) {
LOGGER.debug("MandantBasedKeycloakConfigResolver.resolve() - counter:" +
counter++);
final String mandantId = request.getFirstParam("kId");
LOGGER.debug("MandantBasedKeycloakConfigResolver.resolve() -
requestFirstParam(kId):" + mandantId);
LOGGER.debug("MandantBasedKeycloakConfigResolver.resolve() - uri:" +
request.getURI());
if (mandantId == null || mandantId.isEmpty()) {
// throw new IllegalStateException("Not able to resolve realm for
parameter kId - Parameter not found!");
return null;
}
KeycloakDeployment deployment = cache.get(mandantId);
if (deployment == null) {
String keycloakConfigFilename = resolveKeycloakConfigFilename(mandantId);
InputStream is = getClass().getResourceAsStream("/" +
keycloakConfigFilename);
if (is == null) {
// throw new IllegalStateException("Not able to find the file /"
+ keycloakConfigFilename);
return null;
}
LOGGER.debug("MandantBasedKeycloakConfigResolver.resolve() - is
IS==null?:" + (is == null));
deployment = KeycloakDeploymentBuilder.build(is);
cache.put(mandantId, deployment);
}
return deployment;
}
[3]
17:28:43,281 DEBUG [de.sample.security.MandantBasedKeycloakConfigResolver] (default
task-4) MandantBasedKeycloakConfigResolver.resolve() - counter:0
17:28:50,215 DEBUG [de.sample.security.MandantBasedKeycloakConfigResolver] (default
task-4) MandantBasedKeycloakConfigResolver.resolve() - requestFirstParam(kId):3
17:28:50,228 DEBUG [de.sample.security.MandantBasedKeycloakConfigResolver] (default
task-4) MandantBasedKeycloakConfigResolver.resolve() -
uri:https://localhost:8443/SampleApp/portal/pages/willkommen.jsf?kId=3
17:28:50,229 DEBUG [de.sample.security.MandantBasedKeycloakConfigResolver] (default
task-4) MandantBasedKeycloakConfigResolver.resolve() - is IS==null?:false
17:28:50,496 DEBUG [de.sample.security.MandantBasedKeycloakConfigResolver] (default
task-4) MandantBasedKeycloakConfigResolver.resolve() - counter:1
17:28:50,496 DEBUG [de.sample.security.MandantBasedKeycloakConfigResolver] (default
task-4) MandantBasedKeycloakConfigResolver.resolve() - requestFirstParam(kId):3
17:28:50,496 DEBUG [de.sample.security.MandantBasedKeycloakConfigResolver] (default
task-4) MandantBasedKeycloakConfigResolver.resolve() -
uri:https://localhost:8443/SampleApp/portal/pages/willkommen.jsf?kId=3
17:28:50,496 DEBUG [de.sample.security.MandantBasedKeycloakConfigResolver] (default
task-4) MandantBasedKeycloakConfigResolver.resolve() - counter:2
17:28:50,496 DEBUG [de.sample.security.MandantBasedKeycloakConfigResolver] (default
task-4) MandantBasedKeycloakConfigResolver.resolve() - requestFirstParam(kId):3
17:28:50,496 DEBUG [de.sample.security.MandantBasedKeycloakConfigResolver] (default
task-4) MandantBasedKeycloakConfigResolver.resolve() -
uri:https://localhost:8443/SampleApp/portal/pages/willkommen.jsf?kId=3
17:28:50,933 INFO [stdout] (default task-4) INIT Willkommen
17:28:50,933 INFO [stdout] (default task-4) initialized mandant
<<<<<<<<<<<<<
17:28:51,168 DEBUG [de.sample.security.MandantBasedKeycloakConfigResolver] (default
task-5) MandantBasedKeycloakConfigResolver.resolve() - counter:3
17:28:51,168 DEBUG [de.sample.security.MandantBasedKeycloakConfigResolver] (default
task-5) MandantBasedKeycloakConfigResolver.resolve() - requestFirstParam(kId):null
17:28:51,168 DEBUG [de.sample.security.MandantBasedKeycloakConfigResolver] (default
task-5) MandantBasedKeycloakConfigResolver.resolve() -
uri:https://localhost:8443/SampleApp/javax.faces.resource/components.css.jsf;jsessionid=6YidBEhtdxxI3NAASHOPab5bdBN_JAOjgqf8qHeh.localhost?ln=primefaces&v=6.1
17:28:51,168 ERROR [io.undertow.request] (default task-5) UT005023: Exception handling
request to
/SampleApp/javax.faces.resource/components.css.jsf;jsessionid=6YidBEhtdxxI3NAASHOPab5bdBN_JAOjgqf8qHeh.localhost:
java.lang.IllegalStateException: Not able to resolve realm for parameter kId - Parameter
not found!
at
de.sample.security.MandantBasedKeycloakConfigResolver.resolve(MandantBasedKeycloakConfigResolver.java:46)
[classes:]
at
org.keycloak.adapters.AdapterDeploymentContext.resolveDeployment(AdapterDeploymentContext.java:88)
[keycloak-adapter-core-4.0.0.Final.jar:4.0.0.Final]
at
org.keycloak.adapters.PreAuthActionsHandler.preflightCors(PreAuthActionsHandler.java:107)
[keycloak-adapter-core-4.0.0.Final.jar:4.0.0.Final]
at
org.keycloak.adapters.PreAuthActionsHandler.handleRequest(PreAuthActionsHandler.java:79)
[keycloak-adapter-core-4.0.0.Final.jar:4.0.0.Final]
at
org.keycloak.adapters.undertow.ServletPreAuthActionsHandler.handleRequest(ServletPreAuthActionsHandler.java:68)
[keycloak-undertow-adapter-4.0.0.Final.jar:4.0.0.Final]
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
[undertow-core-1.3.31.Final-redhat-3.jar:1.3.31.Final-redhat-3]
at
io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:285)
[undertow-servlet-1.3.31.Final-redhat-3.jar:1.3.31.Final-redhat-3]
at
io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:264)
[undertow-servlet-1.3.31.Final-redhat-3.jar:1.3.31.Final-redhat-3]
at
io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
[undertow-servlet-1.3.31.Final-redhat-3.jar:1.3.31.Final-redhat-3]
at
io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:175)
[undertow-servlet-1.3.31.Final-redhat-3.jar:1.3.31.Final-redhat-3]
at io.undertow.server.Connectors.executeRootHandler(Connectors.java:324)
[undertow-core-1.3.31.Final-redhat-3.jar:1.3.31.Final-redhat-3]
at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:803)
[undertow-core-1.3.31.Final-redhat-3.jar:1.3.31.Final-redhat-3]
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
[rt.jar:1.8.0_112]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
[rt.jar:1.8.0_112]
at java.lang.Thread.run(Thread.java:745) [rt.jar:1.8.0_112]
.......
17:28:51,824 DEBUG [de.sample.security.MandantBasedKeycloakConfigResolver] (default
task-50) MandantBasedKeycloakConfigResolver.resolve() - counter:43
17:28:51,825 DEBUG [de.sample.security.MandantBasedKeycloakConfigResolver] (default
task-50) MandantBasedKeycloakConfigResolver.resolve() - requestFirstParam(kId):null
17:28:51,825 DEBUG [de.sample.security.MandantBasedKeycloakConfigResolver] (default
task-50) MandantBasedKeycloakConfigResolver.resolve() -
uri:https://localhost:8443/SampleApp/javax.faces.resource/customJs/customJavaScript.js.jsf;jsessionid=6YidBEhtdxxI3NAASHOPab5bdBN_JAOjgqf8qHeh.localhost?ln=ultima-layout
17:28:51,825 ERROR [io.undertow.request] (default task-50) UT005023: Exception handling
request to
/SampleApp/javax.faces.resource/customJs/customJavaScript.js.jsf;jsessionid=6YidBEhtdxxI3NAASHOPab5bdBN_JAOjgqf8qHeh.localhost:
java.lang.IllegalStateException: Not able to resolve realm for parameter kId - Parameter
not found!
at
de.sample.security.MandantBasedKeycloakConfigResolver.resolve(MandantBasedKeycloakConfigResolver.java:46)
[classes:]
at
org.keycloak.adapters.AdapterDeploymentContext.resolveDeployment(AdapterDeploymentContext.java:88)
[keycloak-adapter-core-4.0.0.Final.jar:4.0.0.Final]
at
org.keycloak.adapters.PreAuthActionsHandler.preflightCors(PreAuthActionsHandler.java:107)
[keycloak-adapter-core-4.0.0.Final.jar:4.0.0.Final]
at
org.keycloak.adapters.PreAuthActionsHandler.handleRequest(PreAuthActionsHandler.java:79)
[keycloak-adapter-core-4.0.0.Final.jar:4.0.0.Final]
at
org.keycloak.adapters.undertow.ServletPreAuthActionsHandler.handleRequest(ServletPreAuthActionsHandler.java:68)
[keycloak-undertow-adapter-4.0.0.Final.jar:4.0.0.Final]
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
[undertow-core-1.3.31.Final-redhat-3.jar:1.3.31.Final-redhat-3]
at
io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:285)
[undertow-servlet-1.3.31.Final-redhat-3.jar:1.3.31.Final-redhat-3]
at
io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:264)
[undertow-servlet-1.3.31.Final-redhat-3.jar:1.3.31.Final-redhat-3]
at
io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
[undertow-servlet-1.3.31.Final-redhat-3.jar:1.3.31.Final-redhat-3]
at
io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:175)
[undertow-servlet-1.3.31.Final-redhat-3.jar:1.3.31.Final-redhat-3]
at io.undertow.server.Connectors.executeRootHandler(Connectors.java:324)
[undertow-core-1.3.31.Final-redhat-3.jar:1.3.31.Final-redhat-3]
at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:803)
[undertow-core-1.3.31.Final-redhat-3.jar:1.3.31.Final-redhat-3]
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
[rt.jar:1.8.0_112]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
[rt.jar:1.8.0_112]
at java.lang.Thread.run(Thread.java:745) [rt.jar:1.8.0_112]
9:21 a.m.
Hey guys, sorry for bouncing that topic again, but this issue currently is a show stopper
for us. We need to have multi-tenancy for our application, but as it works now it is not
feasible.
So we desparatly ask for your help.
Am 24. Oktober 2018 17:16:23 MESZ schrieb Andreas Lau <andreas.lau(a)outlook.com>:
Hello,
we deployed a jsf primfaces application on a JBoss EAP 7.0 System. We have to support
multiple clients using multi tenancy. We followed the instructions of the documentation
[1] to build up a CustomKeycloakConfigResolver.
We configured the web.xml like this:
[web.xml]
<web-app>
...
<security-constraint>
<web-resource-collection>
<web-resource-name>portal</web-resource-name>
<url-pattern>/portal/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>user</role-name>
</auth-constraint>
</security-constraint>
<security-constraint>
<web-resource-collection>
<web-resource-name>public</web-resource-name>
<url-pattern>/portal/pages/willkommen.jsf</url-pattern>
<url-pattern>/portal/pages/logout.jsf</url-pattern>
</web-resource-collection>
</security-constraint>
<login-config>
<auth-method>KEYCLOAK</auth-method>
</login-config>
<security-role>
<role-name>user</role-name>
</security-role>
...
<context-param>
<param-name>keycloak.config.resolver</param-name>
<param-value>de.sample.security.MandantBasedKeycloakConfigResolver</param-value>
</context-param>
...
</web-app>
As you can see everything under portal is restricted with two exceptions. The code of
MandantBasedKeycloakConfigResolver is straight forward and adapted to the example code
[2]. In our example we consider that the url has a query parameter that provides an id
which we can map to a corresponding keycloak.json file. A sample would be
"https://localhost:8443/SampleApp/portal/pages/willkommen.jsf?kId=1".
After deployment I realized, that the KeycloakConfigResolver is called 44 times (see log
entries [3]). As it turns out the KeycloakConfigResolver.resolve() methode is called for
every resource that is loaded through get requests to display the site. I did not expect
that many invocation, since the resources are not protected.
Can you please tell me if this behaviour is correct? What is my error in adopting the
mulity tenancy sample? How can we prevent/workaround that many calls?
While researching I found a jira https://issues.jboss.org/browse/KEYCLOAK-8616 with a
potentially similar problem. Here they use keycloak to secure a spring boot application
and have troubles when a sso redirection occurs.
Regards,
Andreas
[1] https://www.keycloak.org/docs/latest/securing_apps/index.html#_multi_tenancy
[2] public KeycloakDeployment resolve(HttpFacade.Request request) {
LOGGER.debug("MandantBasedKeycloakConfigResolver.resolve() - counter:" +
counter++);
final String mandantId = request.getFirstParam("kId");
LOGGER.debug("MandantBasedKeycloakConfigResolver.resolve() -
requestFirstParam(kId):" + mandantId);
LOGGER.debug("MandantBasedKeycloakConfigResolver.resolve() - uri:" +
request.getURI());
if (mandantId == null || mandantId.isEmpty()) {
// throw new IllegalStateException("Not able to resolve realm for
parameter kId - Parameter not found!");
return null;
}
KeycloakDeployment deployment = cache.get(mandantId);
if (deployment == null) {
String keycloakConfigFilename = resolveKeycloakConfigFilename(mandantId);
InputStream is = getClass().getResourceAsStream("/" +
keycloakConfigFilename);
if (is == null) {
// throw new IllegalStateException("Not able to find the file /"
+ keycloakConfigFilename);
return null;
}
LOGGER.debug("MandantBasedKeycloakConfigResolver.resolve() - is
IS==null?:" + (is == null));
deployment = KeycloakDeploymentBuilder.build(is);
cache.put(mandantId, deployment);
}
return deployment;
}
[3]
17:28:43,281 DEBUG [de.sample.security.MandantBasedKeycloakConfigResolver] (default
task-4) MandantBasedKeycloakConfigResolver.resolve() - counter:0
17:28:50,215 DEBUG [de.sample.security.MandantBasedKeycloakConfigResolver] (default
task-4) MandantBasedKeycloakConfigResolver.resolve() - requestFirstParam(kId):3
17:28:50,228 DEBUG [de.sample.security.MandantBasedKeycloakConfigResolver] (default
task-4) MandantBasedKeycloakConfigResolver.resolve() -
uri:https://localhost:8443/SampleApp/portal/pages/willkommen.jsf?kId=3
17:28:50,229 DEBUG [de.sample.security.MandantBasedKeycloakConfigResolver] (default
task-4) MandantBasedKeycloakConfigResolver.resolve() - is IS==null?:false
17:28:50,496 DEBUG [de.sample.security.MandantBasedKeycloakConfigResolver] (default
task-4) MandantBasedKeycloakConfigResolver.resolve() - counter:1
17:28:50,496 DEBUG [de.sample.security.MandantBasedKeycloakConfigResolver] (default
task-4) MandantBasedKeycloakConfigResolver.resolve() - requestFirstParam(kId):3
17:28:50,496 DEBUG [de.sample.security.MandantBasedKeycloakConfigResolver] (default
task-4) MandantBasedKeycloakConfigResolver.resolve() -
uri:https://localhost:8443/SampleApp/portal/pages/willkommen.jsf?kId=3
17:28:50,496 DEBUG [de.sample.security.MandantBasedKeycloakConfigResolver] (default
task-4) MandantBasedKeycloakConfigResolver.resolve() - counter:2
17:28:50,496 DEBUG [de.sample.security.MandantBasedKeycloakConfigResolver] (default
task-4) MandantBasedKeycloakConfigResolver.resolve() - requestFirstParam(kId):3
17:28:50,496 DEBUG [de.sample.security.MandantBasedKeycloakConfigResolver] (default
task-4) MandantBasedKeycloakConfigResolver.resolve() -
uri:https://localhost:8443/SampleApp/portal/pages/willkommen.jsf?kId=3
17:28:50,933 INFO [stdout] (default task-4) INIT Willkommen
17:28:50,933 INFO [stdout] (default task-4) initialized mandant
<<<<<<<<<<<<<
17:28:51,168 DEBUG [de.sample.security.MandantBasedKeycloakConfigResolver] (default
task-5) MandantBasedKeycloakConfigResolver.resolve() - counter:3
17:28:51,168 DEBUG [de.sample.security.MandantBasedKeycloakConfigResolver] (default
task-5) MandantBasedKeycloakConfigResolver.resolve() - requestFirstParam(kId):null
17:28:51,168 DEBUG [de.sample.security.MandantBasedKeycloakConfigResolver] (default
task-5) MandantBasedKeycloakConfigResolver.resolve() -
uri:https://localhost:8443/SampleApp/javax.faces.resource/components.css.jsf;jsessionid=6YidBEhtdxxI3NAASHOPab5bdBN_JAOjgqf8qHeh.localhost?ln=primefaces&v=6.1
17:28:51,168 ERROR [io.undertow.request] (default task-5) UT005023: Exception handling
request to
/SampleApp/javax.faces.resource/components.css.jsf;jsessionid=6YidBEhtdxxI3NAASHOPab5bdBN_JAOjgqf8qHeh.localhost:
java.lang.IllegalStateException: Not able to resolve realm for parameter kId - Parameter
not found!
at
de.sample.security.MandantBasedKeycloakConfigResolver.resolve(MandantBasedKeycloakConfigResolver.java:46)
[classes:]
at
org.keycloak.adapters.AdapterDeploymentContext.resolveDeployment(AdapterDeploymentContext.java:88)
[keycloak-adapter-core-4.0.0.Final.jar:4.0.0.Final]
at
org.keycloak.adapters.PreAuthActionsHandler.preflightCors(PreAuthActionsHandler.java:107)
[keycloak-adapter-core-4.0.0.Final.jar:4.0.0.Final]
at
org.keycloak.adapters.PreAuthActionsHandler.handleRequest(PreAuthActionsHandler.java:79)
[keycloak-adapter-core-4.0.0.Final.jar:4.0.0.Final]
at
org.keycloak.adapters.undertow.ServletPreAuthActionsHandler.handleRequest(ServletPreAuthActionsHandler.java:68)
[keycloak-undertow-adapter-4.0.0.Final.jar:4.0.0.Final]
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
[undertow-core-1.3.31.Final-redhat-3.jar:1.3.31.Final-redhat-3]
at
io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:285)
[undertow-servlet-1.3.31.Final-redhat-3.jar:1.3.31.Final-redhat-3]
at
io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:264)
[undertow-servlet-1.3.31.Final-redhat-3.jar:1.3.31.Final-redhat-3]
at
io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
[undertow-servlet-1.3.31.Final-redhat-3.jar:1.3.31.Final-redhat-3]
at
io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:175)
[undertow-servlet-1.3.31.Final-redhat-3.jar:1.3.31.Final-redhat-3]
at io.undertow.server.Connectors.executeRootHandler(Connectors.java:324)
[undertow-core-1.3.31.Final-redhat-3.jar:1.3.31.Final-redhat-3]
at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:803)
[undertow-core-1.3.31.Final-redhat-3.jar:1.3.31.Final-redhat-3]
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
[rt.jar:1.8.0_112]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
[rt.jar:1.8.0_112]
at java.lang.Thread.run(Thread.java:745) [rt.jar:1.8.0_112]
.......
17:28:51,824 DEBUG [de.sample.security.MandantBasedKeycloakConfigResolver] (default
task-50) MandantBasedKeycloakConfigResolver.resolve() - counter:43
17:28:51,825 DEBUG [de.sample.security.MandantBasedKeycloakConfigResolver] (default
task-50) MandantBasedKeycloakConfigResolver.resolve() - requestFirstParam(kId):null
17:28:51,825 DEBUG [de.sample.security.MandantBasedKeycloakConfigResolver] (default
task-50) MandantBasedKeycloakConfigResolver.resolve() -
uri:https://localhost:8443/SampleApp/javax.faces.resource/customJs/customJavaScript.js.jsf;jsessionid=6YidBEhtdxxI3NAASHOPab5bdBN_JAOjgqf8qHeh.localhost?ln=ultima-layout
17:28:51,825 ERROR [io.undertow.request] (default task-50) UT005023: Exception handling
request to
/SampleApp/javax.faces.resource/customJs/customJavaScript.js.jsf;jsessionid=6YidBEhtdxxI3NAASHOPab5bdBN_JAOjgqf8qHeh.localhost:
java.lang.IllegalStateException: Not able to resolve realm for parameter kId - Parameter
not found!
at
de.sample.security.MandantBasedKeycloakConfigResolver.resolve(MandantBasedKeycloakConfigResolver.java:46)
[classes:]
at
org.keycloak.adapters.AdapterDeploymentContext.resolveDeployment(AdapterDeploymentContext.java:88)
[keycloak-adapter-core-4.0.0.Final.jar:4.0.0.Final]
at
org.keycloak.adapters.PreAuthActionsHandler.preflightCors(PreAuthActionsHandler.java:107)
[keycloak-adapter-core-4.0.0.Final.jar:4.0.0.Final]
at
org.keycloak.adapters.PreAuthActionsHandler.handleRequest(PreAuthActionsHandler.java:79)
[keycloak-adapter-core-4.0.0.Final.jar:4.0.0.Final]
at
org.keycloak.adapters.undertow.ServletPreAuthActionsHandler.handleRequest(ServletPreAuthActionsHandler.java:68)
[keycloak-undertow-adapter-4.0.0.Final.jar:4.0.0.Final]
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
[undertow-core-1.3.31.Final-redhat-3.jar:1.3.31.Final-redhat-3]
at
io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:285)
[undertow-servlet-1.3.31.Final-redhat-3.jar:1.3.31.Final-redhat-3]
at
io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:264)
[undertow-servlet-1.3.31.Final-redhat-3.jar:1.3.31.Final-redhat-3]
at
io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
[undertow-servlet-1.3.31.Final-redhat-3.jar:1.3.31.Final-redhat-3]
at
io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:175)
[undertow-servlet-1.3.31.Final-redhat-3.jar:1.3.31.Final-redhat-3]
at io.undertow.server.Connectors.executeRootHandler(Connectors.java:324)
[undertow-core-1.3.31.Final-redhat-3.jar:1.3.31.Final-redhat-3]
at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:803)
[undertow-core-1.3.31.Final-redhat-3.jar:1.3.31.Final-redhat-3]
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
[rt.jar:1.8.0_112]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
[rt.jar:1.8.0_112]
at java.lang.Thread.run(Thread.java:745) [rt.jar:1.8.0_112]
________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
6:29 a.m.
Hello Andreas,
I'm afraid this is by design - one of the reasons may be Java EE programmatic security
[1], where the application can instigate login even from the resources not protected by
web.xml security constraints.
But I don't think you should be bothered - in your resolver, there is a cache for
KeycloakDeployments, and cache calls are cheap (and you will always have a cache hit,
except for the very first invocation).
Even if there had been the code to determine whether the resolver should or should not
kick in, according to web.xml rules, - this code would have been more expensive, let alone
it would have broken programmatic security. If you are super determined, you can craft a
simple performance test using e.g. Gatling [2] - I'm pretty sure the results for
resolver vs. no resolver will differ insignificantly.
[1] https://docs.oracle.com/javaee/7/tutorial/security-webtier003.htm
[2] https://gatling.io/
Cheers,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training
Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info(a)acutus.pro
On Sat, 2018-10-27 at 07:21 +0000, Andreas Lau wrote:
Hey guys, sorry for bouncing that topic again, but this issue
currently is a show stopper for us. We need to have multi-tenancy for our application, but
as it works now it is not feasible.
So we desparatly ask for your help.
Am 24. Oktober 2018 17:16:23 MESZ schrieb Andreas Lau <andreas.lau(a)outlook.com>:
Hello,
we deployed a jsf primfaces application on a JBoss EAP 7.0 System. We have to support
multiple clients using multi tenancy. We followed the instructions of the documentation
[1] to build up a CustomKeycloakConfigResolver.
We configured the web.xml like this:
[web.xml]
<web-app>
...
<security-constraint>
<web-resource-collection>
<web-resource-name>portal</web-resource-name>
<url-pattern>/portal/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>user</role-name>
</auth-constraint>
</security-constraint>
<security-constraint>
<web-resource-collection>
<web-resource-name>public</web-resource-name>
<url-pattern>/portal/pages/willkommen.jsf</url-pattern>
<url-pattern>/portal/pages/logout.jsf</url-pattern>
</web-resource-collection>
</security-constraint>
<login-config>
<auth-method>KEYCLOAK</auth-method>
</login-config>
<security-role>
<role-name>user</role-name>
</security-role>
...
<context-param>
<param-name>keycloak.config.resolver</param-name>
<param-value>de.sample.security.MandantBasedKeycloakConfigResolver</param-value>
</context-param>
...
</web-app>
As you can see everything under portal is restricted with two exceptions. The code of
MandantBasedKeycloakConfigResolver is straight forward and adapted to the example code
[2]. In our example we consider that the url has a query parameter that provides an id
which we can map to a corresponding keycloak.json file. A sample would be
"https://localhost:8443/SampleApp/portal/pages/willkommen.jsf?kId=1".
After deployment I realized, that the KeycloakConfigResolver is called 44 times (see log
entries [3]). As it turns out the KeycloakConfigResolver.resolve() methode is called for
every resource that is loaded through get requests to display the site. I did not expect
that many invocation, since the resources are not protected.
Can you please tell me if this behaviour is correct? What is my error in adopting the
mulity tenancy sample? How can we prevent/workaround that many calls?
While researching I found a jira https://issues.jboss.org/browse/KEYCLOAK-8616 with a
potentially similar problem. Here they use keycloak to secure a spring boot application
and have troubles when a sso redirection occurs.
Regards,
Andreas
[1] https://www.keycloak.org/docs/latest/securing_apps/index.html#_multi_tenancy
[2] public KeycloakDeployment resolve(HttpFacade.Request request) {
LOGGER.debug("MandantBasedKeycloakConfigResolver.resolve() - counter:"
+ counter++);
final String mandantId = request.getFirstParam("kId");
LOGGER.debug("MandantBasedKeycloakConfigResolver.resolve() -
requestFirstParam(kId):" + mandantId);
LOGGER.debug("MandantBasedKeycloakConfigResolver.resolve() - uri:" +
request.getURI());
if (mandantId == null || mandantId.isEmpty()) {
// throw new IllegalStateException("Not able to resolve realm for
parameter kId - Parameter not found!");
return null;
}
KeycloakDeployment deployment = cache.get(mandantId);
if (deployment == null) {
String keycloakConfigFilename = resolveKeycloakConfigFilename(mandantId);
InputStream is = getClass().getResourceAsStream("/" +
keycloakConfigFilename);
if (is == null) {
// throw new IllegalStateException("Not able to find the file
/" + keycloakConfigFilename);
return null;
}
LOGGER.debug("MandantBasedKeycloakConfigResolver.resolve() - is
IS==null?:" + (is == null));
deployment = KeycloakDeploymentBuilder.build(is);
cache.put(mandantId, deployment);
}
return deployment;
}
[3]
17:28:43,281 DEBUG [de.sample.security.MandantBasedKeycloakConfigResolver] (default
task-4) MandantBasedKeycloakConfigResolver.resolve() - counter:0
17:28:50,215 DEBUG [de.sample.security.MandantBasedKeycloakConfigResolver] (default
task-4) MandantBasedKeycloakConfigResolver.resolve() - requestFirstParam(kId):3
17:28:50,228 DEBUG [de.sample.security.MandantBasedKeycloakConfigResolver] (default
task-4) MandantBasedKeycloakConfigResolver.resolve() -
uri:https://localhost:8443/SampleApp/portal/pages/willkommen.jsf?kId=3
17:28:50,229 DEBUG [de.sample.security.MandantBasedKeycloakConfigResolver] (default
task-4) MandantBasedKeycloakConfigResolver.resolve() - is IS==null?:false
17:28:50,496 DEBUG [de.sample.security.MandantBasedKeycloakConfigResolver] (default
task-4) MandantBasedKeycloakConfigResolver.resolve() - counter:1
17:28:50,496 DEBUG [de.sample.security.MandantBasedKeycloakConfigResolver] (default
task-4) MandantBasedKeycloakConfigResolver.resolve() - requestFirstParam(kId):3
17:28:50,496 DEBUG [de.sample.security.MandantBasedKeycloakConfigResolver] (default
task-4) MandantBasedKeycloakConfigResolver.resolve() -
uri:https://localhost:8443/SampleApp/portal/pages/willkommen.jsf?kId=3
17:28:50,496 DEBUG [de.sample.security.MandantBasedKeycloakConfigResolver] (default
task-4) MandantBasedKeycloakConfigResolver.resolve() - counter:2
17:28:50,496 DEBUG [de.sample.security.MandantBasedKeycloakConfigResolver] (default
task-4) MandantBasedKeycloakConfigResolver.resolve() - requestFirstParam(kId):3
17:28:50,496 DEBUG [de.sample.security.MandantBasedKeycloakConfigResolver] (default
task-4) MandantBasedKeycloakConfigResolver.resolve() -
uri:https://localhost:8443/SampleApp/portal/pages/willkommen.jsf?kId=3
17:28:50,933 INFO [stdout] (default task-4) INIT Willkommen
17:28:50,933 INFO [stdout] (default task-4) initialized mandant
<<<<<<<<<<<<<
17:28:51,168 DEBUG [de.sample.security.MandantBasedKeycloakConfigResolver] (default
task-5) MandantBasedKeycloakConfigResolver.resolve() - counter:3
17:28:51,168 DEBUG [de.sample.security.MandantBasedKeycloakConfigResolver] (default
task-5) MandantBasedKeycloakConfigResolver.resolve() - requestFirstParam(kId):null
17:28:51,168 DEBUG [de.sample.security.MandantBasedKeycloakConfigResolver] (default
task-5) MandantBasedKeycloakConfigResolver.resolve() -
uri:https://localhost:8443/SampleApp/javax.faces.resource/components.css.jsf;jsessionid=6YidBEhtdxxI3NAASHOPab5bdBN_JAOjgqf8qHeh.localhost?ln=primefaces&v=6.1
17:28:51,168 ERROR [io.undertow.request] (default task-5) UT005023: Exception handling
request to
/SampleApp/javax.faces.resource/components.css.jsf;jsessionid=6YidBEhtdxxI3NAASHOPab5bdBN_JAOjgqf8qHeh.localhost:
java.lang.IllegalStateException: Not able to resolve realm for parameter kId - Parameter
not found!
at
de.sample.security.MandantBasedKeycloakConfigResolver.resolve(MandantBasedKeycloakConfigResolver.java:46)
[classes:]
at
org.keycloak.adapters.AdapterDeploymentContext.resolveDeployment(AdapterDeploymentContext.java:88)
[keycloak-adapter-core-4.0.0.Final.jar:4.0.0.Final]
at
org.keycloak.adapters.PreAuthActionsHandler.preflightCors(PreAuthActionsHandler.java:107)
[keycloak-adapter-core-4.0.0.Final.jar:4.0.0.Final]
at
org.keycloak.adapters.PreAuthActionsHandler.handleRequest(PreAuthActionsHandler.java:79)
[keycloak-adapter-core-4.0.0.Final.jar:4.0.0.Final]
at
org.keycloak.adapters.undertow.ServletPreAuthActionsHandler.handleRequest(ServletPreAuthActionsHandler.java:68)
[keycloak-undertow-adapter-4.0.0.Final.jar:4.0.0.Final]
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
[undertow-core-1.3.31.Final-redhat-3.jar:1.3.31.Final-redhat-3]
at
io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:285)
[undertow-servlet-1.3.31.Final-redhat-3.jar:1.3.31.Final-redhat-3]
at
io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:264)
[undertow-servlet-1.3.31.Final-redhat-3.jar:1.3.31.Final-redhat-3]
at
io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
[undertow-servlet-1.3.31.Final-redhat-3.jar:1.3.31.Final-redhat-3]
at
io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:175)
[undertow-servlet-1.3.31.Final-redhat-3.jar:1.3.31.Final-redhat-3]
at io.undertow.server.Connectors.executeRootHandler(Connectors.java:324)
[undertow-core-1.3.31.Final-redhat-3.jar:1.3.31.Final-redhat-3]
at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:803)
[undertow-core-1.3.31.Final-redhat-3.jar:1.3.31.Final-redhat-3]
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
[rt.jar:1.8.0_112]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
[rt.jar:1.8.0_112]
at java.lang.Thread.run(Thread.java:745) [rt.jar:1.8.0_112]
.......
17:28:51,824 DEBUG [de.sample.security.MandantBasedKeycloakConfigResolver] (default
task-50) MandantBasedKeycloakConfigResolver.resolve() - counter:43
17:28:51,825 DEBUG [de.sample.security.MandantBasedKeycloakConfigResolver] (default
task-50) MandantBasedKeycloakConfigResolver.resolve() - requestFirstParam(kId):null
17:28:51,825 DEBUG [de.sample.security.MandantBasedKeycloakConfigResolver] (default
task-50) MandantBasedKeycloakConfigResolver.resolve() -
uri:https://localhost:8443/SampleApp/javax.faces.resource/customJs/customJavaScript.js.jsf;jsessionid=6YidBEhtdxxI3NAASHOPab5bdBN_JAOjgqf8qHeh.localhost?ln=ultima-layout
17:28:51,825 ERROR [io.undertow.request] (default task-50) UT005023: Exception handling
request to
/SampleApp/javax.faces.resource/customJs/customJavaScript.js.jsf;jsessionid=6YidBEhtdxxI3NAASHOPab5bdBN_JAOjgqf8qHeh.localhost:
java.lang.IllegalStateException: Not able to resolve realm for parameter kId - Parameter
not found!
at
de.sample.security.MandantBasedKeycloakConfigResolver.resolve(MandantBasedKeycloakConfigResolver.java:46)
[classes:]
at
org.keycloak.adapters.AdapterDeploymentContext.resolveDeployment(AdapterDeploymentContext.java:88)
[keycloak-adapter-core-4.0.0.Final.jar:4.0.0.Final]
at
org.keycloak.adapters.PreAuthActionsHandler.preflightCors(PreAuthActionsHandler.java:107)
[keycloak-adapter-core-4.0.0.Final.jar:4.0.0.Final]
at
org.keycloak.adapters.PreAuthActionsHandler.handleRequest(PreAuthActionsHandler.java:79)
[keycloak-adapter-core-4.0.0.Final.jar:4.0.0.Final]
at
org.keycloak.adapters.undertow.ServletPreAuthActionsHandler.handleRequest(ServletPreAuthActionsHandler.java:68)
[keycloak-undertow-adapter-4.0.0.Final.jar:4.0.0.Final]
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
[undertow-core-1.3.31.Final-redhat-3.jar:1.3.31.Final-redhat-3]
at
io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:285)
[undertow-servlet-1.3.31.Final-redhat-3.jar:1.3.31.Final-redhat-3]
at
io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:264)
[undertow-servlet-1.3.31.Final-redhat-3.jar:1.3.31.Final-redhat-3]
at
io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
[undertow-servlet-1.3.31.Final-redhat-3.jar:1.3.31.Final-redhat-3]
at
io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:175)
[undertow-servlet-1.3.31.Final-redhat-3.jar:1.3.31.Final-redhat-3]
at io.undertow.server.Connectors.executeRootHandler(Connectors.java:324)
[undertow-core-1.3.31.Final-redhat-3.jar:1.3.31.Final-redhat-3]
at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:803)
[undertow-core-1.3.31.Final-redhat-3.jar:1.3.31.Final-redhat-3]
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
[rt.jar:1.8.0_112]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
[rt.jar:1.8.0_112]
at java.lang.Thread.run(Thread.java:745) [rt.jar:1.8.0_112]
________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
2256
days inactive
2262
days old
2 comments
2 participants
participants (2)
-
Andreas Lau -
Dmitry Telegin