Additional jpaConnectionProvider for UserFederation via database
by Matuszak, Eduard
Hello
I am trying to implement a userfederation-provider based on a jpa-connection. My approach was:
According to an additional datasource-definition for the federated DB in the standalone.xml
<datasource jta="true" jndi-name="java:jboss/datasources/CCPDS" pool-name="CCPDS" enabled="true" use-ccm="true">
<connection-url>jdbc:oracle:thin:@servername:1521:schemaname</connection-url>
..
, I tried to register this datasource as an additional connectionsJpa-entry in keycloak-server.json as follows:
..
"connectionsJpa": {
  "default": {
    "dataSource": "java:jboss/datasources/CCPKCDS",
    "databaseSchema": "update"
  },
  "FED-DB": {
    "dataSource": "java:jboss/datasources/CCPDS"
  }
},
..
With this configuration I hoped to be able to establish the appropriate entity manager by coding:
// Get the appropriate entity manager from the KeycloakSession
EntityManager em = session.getProvider(JpaConnectionProvider.class, "FED-DB").getEntityManager();
This did not work; indeed there is still only one (default) JpaConnectionProvider available in the session (JpaConnectionProviderList size is 1):
Set<JpaConnectionProvider> JpaConnectionProviderList = session.getAllProviders(JpaConnectionProvider.class);
My question is: is it not possible in principle to register a second jpaConnector in addition to the default one, or is there something missing or wrong in my approach?
Thanks for any help in advance.
Best regards, Eduard Matuszak
Admin Rest API Documentation Issue (1.6.1.Final)
by Lohitha Chiranjeewa
Hi,
Client level role mappings related endpoints are currently misleading
because they give the impression that the client-id could be passed instead of
the id-of-client. But that's not the case. Hence please update the
endpoints which have the signature:
...role-mappings/clients/{client}... -->
...role-mappings/clients/{id-of-client}...
Clarify "Create a new client" via Admin REST API
by Juraj Janosik
Hi,
I want to clarify the "Create a new client" via REST API
especially for body parameter "id" from "ClientRepresentation".
If I set the parameter "id" in the request body (see example below),
the value is set on the client. No new id value is generated for the
client, which is the typical behavior of "Create a new role for the realm
or client
<http://keycloak.github.io/docs/rest-api/index.html#_create_a_new_role_for...>"
and "Create a new user
<http://keycloak.github.io/docs/rest-api/index.html#_create_a_new_user>".
Is this the correct behavior?
Tested data example:
"Create Client":
"method":"POST","url":"<URL>:<PORT>/auth/admin/realms/<REALM>/clients"
"body":
"{
  "id":"3",
  "clientId":"testclient-3",
  "name": "testclient-3",
  "description": "TESTCLIENT-3",
  "enabled": true,
  "redirectUris":[ "\\" ],
  "publicClient": true
}"
"headers":
[["Content-Type","application/json"],
 ["Authorization","Bearer <ACCESS_TOKEN>"]]
Output for GET clients looks like:
{
  "id": "3",
  "clientId": "testclient-3",
  "name": "testclient-3",
  "description": "TESTCLIENT-3",
  "surrogateAuthRequired": false,
  "enabled": true,
  "clientAuthenticatorType": "client-secret",
  "redirectUris": [ "\" ],
  "webOrigins": [ ],
  "notBefore": 0,
  "bearerOnly": false,
  "consentRequired": false,
  "serviceAccountsEnabled": false,
  "directGrantsOnly": false,
  "publicClient": true,
  "frontchannelLogout": false,
  "attributes": { },
  ...
Thanks a lot.
Best Regards,
Juraj
Infinispan caching issues because of unserializable classes
by Lohitha Chiranjeewa
When Infinispan caching is enabled in ASYNC mode, exceptions get logged at
startup due to serialization issues. Basically the following classes have
to implement the Serializable interface:
org.keycloak.models.OTPPolicy
org.keycloak.models.RequiredActionProviderModel
There could be other classes as well.
Is this already fixed in 1.7.0 code or shall I put a JIRA?
Regards,
Lohitha.
How to validate required for custom fields
by Jairo Alonso Henao Rojas
Hello,
I added several custom fields to the registration form; how can I make them required?
See attached fields in register form.
Thanks
Jairo Henao Rojas
Keycloak service provider Metadata support for SAML support
by Arulkumar Ponnusamy
Hi All,
Does the Keycloak service provider support metadata? I don't find any
reference document on this for Keycloak. There is no adapter which talks
about metadata. Even when I looked at the examples, there are three examples
which talk about POST, REDIRECT and encryption.
Any reference document on Keycloak SAML Service provider Metadata?
User Federation: sending emails
by Frank van Veen
Hi,
Currently I'm working on importing users with a user federation implementation. The way we want to import a user is by copying user metadata into Keycloak, followed by sending an email with a password reset link to the freshly imported user. Is this achievable with Keycloak 1.6.1?
Best regards,
Frank van Veen
How to enable Infinispan cache for realms, users and user sessions in Keycloak 1.6.1?
by Lohitha Chiranjeewa
Hi,
We're in the process of assessing the impact on upgrading from Keycloak
1.2.0 to 1.6.1. We came across an issue when trying to enable Infinispan
cache through the keycloak-server.json file as we used to do in 1.2.0.
We have the following entries in 1.6.1:
"realm": {
  "provider": "infinispan"
},
"user": {
  "provider": "infinispan"
},
"userSessionPersister": {
  "provider": "infinispan"
},
.........
"connectionsInfinispan": {
  "default" : {
    "cacheContainer" : "java:comp/env/infinispan/Keycloak"
  }
}
All configurations in the 1.6.1 standalone-ha.xml file remain comparable (and
correct to the best of our knowledge) with the ones in 1.2.0.
With the above configs, when we start the Keycloak service the following
error(s) get logged:
18:03:31,610 ERROR [org.jboss.msc.service.fail] (ServerService Thread Pool -- 64) MSC000001: Failed to start service jboss.undertow.deployment.default-server.default-host./auth: org.jboss.msc.service.StartException in service jboss.undertow.deployment.default-server.default-host./auth: java.lang.RuntimeException: Failed to construct public org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:85)
    at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471) [rt.jar:1.7.0_45]
    at java.util.concurrent.FutureTask.run(FutureTask.java:262) [rt.jar:1.7.0_45]
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) [rt.jar:1.7.0_45]
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) [rt.jar:1.7.0_45]
    at java.lang.Thread.run(Thread.java:744) [rt.jar:1.7.0_45]
    at org.jboss.threads.JBossThread.run(JBossThread.java:320) [jboss-threads-2.2.0.Final.jar:2.2.0.Final]
Caused by: java.lang.RuntimeException: Failed to construct public org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher)
    at org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:160)
    at org.jboss.resteasy.spi.ResteasyProviderFactory.createProviderInstance(ResteasyProviderFactory.java:2211)
    at org.jboss.resteasy.spi.ResteasyDeployment.createApplication(ResteasyDeployment.java:295)
    at org.jboss.resteasy.spi.ResteasyDeployment.start(ResteasyDeployment.java:236)
    at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.init(ServletContainerDispatcher.java:112)
    at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.init(HttpServletDispatcher.java:36)
    at io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:117)
    at org.wildfly.extension.undertow.security.RunAsLifecycleInterceptor.init(RunAsLifecycleInterceptor.java:78)
    at io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:103)
    at io.undertow.servlet.core.ManagedServlet$DefaultInstanceStrategy.start(ManagedServlet.java:230)
    at io.undertow.servlet.core.ManagedServlet.createServlet(ManagedServlet.java:131)
    at io.undertow.servlet.core.DeploymentManagerImpl.start(DeploymentManagerImpl.java:511)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentService.startContext(UndertowDeploymentService.java:101)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:82)
    ... 6 more
Caused by: java.lang.RuntimeException: Failed to find provider infinispan for realm
    at org.keycloak.services.DefaultKeycloakSessionFactory.init(DefaultKeycloakSessionFactory.java:66)
    at org.keycloak.services.resources.KeycloakApplication.createSessionFactory(KeycloakApplication.java:162)
    at org.keycloak.services.resources.KeycloakApplication.<init>(KeycloakApplication.java:62)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) [rt.jar:1.7.0_45]
    at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:57) [rt.jar:1.7.0_45]
    at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) [rt.jar:1.7.0_45]
    at java.lang.reflect.Constructor.newInstance(Constructor.java:526) [rt.jar:1.7.0_45]
    at org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:148)
    ... 19 more
Is the new way to enable Infinispan different to what we had earlier? If
so, can someone please point out the correct way?
Regards,
Lohitha.
Re: [keycloak-user] Sign In button URL (Bill Burke)
by Adrian Matei
Hi Bill,
Thank you for the reply. Yes I am using the Spring security adapter (xml
configuration). I have received a private reply from Pavel Maslov regarding
the sign in url:
{{keycloakBaseUrl}}/realms/{{realmName}}/protocol/openid-connect/auth?client_id={{client_id}}&response_type=code&redirect_uri={{your-web-app}}
which works great.
Another problem that I am having now is that when I am logging in from a
"not"-protected resource (permitAll in securityContext), and want to be
redirected back to the same resource, it logs me in indeed, but the spring
security tags in my jsps don't recognize that, until I am accessing a
secured resource defined in security context.... Any thoughts there?
Thanks,
Adrian
Date: Fri, 27 Nov 2015 13:02:32 -0500
From: Bill Burke <bburke(a)redhat.com>
Subject: Re: [keycloak-user] Sign In button URL
To: keycloak-user(a)lists.jboss.org
How is your Spring web app handling OpenID Connect or SAML
requests/responses? We do have a Spring security adapter.
Initial OAuth2 request:
/realms/{realm-name}/protocol/openid-connect/auth
Code to Token request:
/realms/{realm-name}/protocol/openid-connect/token
On 11/27/2015 11:19 AM, Adrian Matei wrote:
> hi guys,
>
> can still help a poor guy Friday in the afternoon?
>
> What is the url I need to have the sign in button pointing to, in my
> Spring web app, that will ask me to login via keycloak and redirect me
> back exactly to the page I made the request from?
>
> Thanks,
> Adrian
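As an added example, not code from the thread or from the Keycloak project: a small Python helper that assembles the authorization-code URL Bill and Pavel describe above and checks the redirect back into the app. The base URL, realm, client id and redirect URI are placeholders, and the `state` parameter is an addition the thread's URL does not carry; it is the standard OAuth2 guard that ties the callback to the login the app actually started.

```python
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs

# Endpoint paths quoted in the thread; base URL and realm come in as parameters.
AUTH_PATH = "/realms/{realm}/protocol/openid-connect/auth"
TOKEN_PATH = "/realms/{realm}/protocol/openid-connect/token"


def new_state():
    """Unguessable per-login value; the app keeps it (e.g. in its HTTP session)."""
    return secrets.token_urlsafe(32)


def build_auth_url(base_url, realm, client_id, redirect_uri, state, scope="openid"):
    """Authorization Code request (response_type=code) as in the thread, plus 'state'.

    urlencode percent-encodes redirect_uri, so ':' '/' '?' and '&' in it cannot
    split or pollute the query string.
    """
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
    }
    return base_url.rstrip("/") + AUTH_PATH.format(realm=realm) + "?" + urlencode(params)


def token_url(base_url, realm):
    """Where the app exchanges the code for tokens (server-to-server POST)."""
    return base_url.rstrip("/") + TOKEN_PATH.format(realm=realm)


def parse_callback(callback_url, expected_state):
    """Pull the code out of the redirect back to the app.

    Returns None unless Keycloak echoed back exactly the state this app issued;
    a code arriving with no state, or a foreign state, is not exchanged.
    """
    qs = parse_qs(urlsplit(callback_url).query)
    code = qs.get("code", [None])[0]
    state = qs.get("state", [None])[0]
    if code is None or state is None:
        return None
    if not secrets.compare_digest(state.encode(), expected_state.encode()):
        return None
    return code
```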