Arquillian / Remote Container / EJB Security
by Lauer Markus
Hello,
We'd like to access secured EJBs (@RolesAllowed) from Arquillian tests.
While it is no problem to get a valid access token, we are stuck at how to
"inject" the token into the session to actually access the secured EJBs.
Is it possible to use the JAAS LoginModule (LoginContext etc.) for this?
Can someone provide an example?
Please note: there is a solution with @RunAs, but this only allows
specifying one role at a time.
Regards,
Markus.
________________________________
To read the legal notices for this e-mail, please copy the URL below into your browser or follow the link.
http://disclaimer.tec-saar.de/co-met.htm
8 years, 6 months
@SecurityDomain for wildfly 10?
by Hristo Stoyanov
Do we still need @SecurityDomain for wildfly 10 ejbs in addition to the
older jboss server?
If so, I think in section 8.2.1 the example ejb code has the wrong import
for that annotation. It should be: import
org.jboss.annotation.security.SecurityDomain?
/Hristo Stoyanov
8 years, 6 months
Guidelines Load- / Stress-Testing Keycloak
by Thomas Darimont
Hello group,
has anyone already stress tested a Keycloak deployment?
The Keycloak Testsuite contains a rudimentary stress test for login/logout [0],
but we were wondering whether someone has already done more thorough
testing here that they are willing to share.
We're looking into stress testing Keycloak with gatling [1] to get a sense
for when Keycloak falls over and some information about JVM memory
requirements during high load.
Furthermore, are there any suggestions for use-cases that should be tested
in particular, e.g.:
- Simple Page Invocations (Unauthenticated, Authenticated)
- Login
- Logout
- Registration
- Account Page
- Complex flows
  - Login, goto account page, Logout
  - Login, goto account page, change password, Logout, Login with new password
- Service Requests
  - Acquire Refresh Token
  - Acquire Access Token
Are there any (known) potentially expensive operations that are not obvious
that should be tested in particular?
(In simulating a real-world load with high user counts, for example, are
there any particularly expensive operations where a high user count would
noticeably impact performance?)
What is the best way to initialize Keycloak (e.g. backed by a PostgreSQL
database) with varying (arbitrarily large) numbers of users, in order to
get realistic performance numbers?
Given that creating XX,000 users via the REST API might take some time, is
it enough to simply generate 10,000 * X records in the UserEntity table?
Cheers,
Thomas
[0] https://github.com/keycloak/keycloak/tree/master/testsuite/stress
[1] http://gatling.io/
8 years, 6 months
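As an added example (not from the post above and not code from the Keycloak project), the following Java program populates a realm with an arbitrary number of users through the admin REST API using keycloak-admin-client, the approach the question contrasts with inserting rows into the UserEntity table directly. Going through the API means the server creates the password credential itself (hashed and salted, stored separately from the user row), so the generated users can actually authenticate in the Login scenarios of a load test. Server URL, realm name, admin credentials and the username/e-mail pattern are hypothetical placeholders; the calls used (Keycloak.getInstance, users().create, users().get(id).resetPassword) are those of the admin client of the 1.9 line.

```java
import java.util.ArrayList;
import java.util.List;

import javax.ws.rs.core.Response;

import org.keycloak.admin.client.Keycloak;
import org.keycloak.admin.client.resource.RealmResource;
import org.keycloak.representations.idm.CredentialRepresentation;
import org.keycloak.representations.idm.UserRepresentation;

/**
 * Populates a test realm with N users through the admin REST API so that
 * every user gets a server-side hashed and salted password credential
 * (hypothetical deployment values; adjust to your environment).
 */
public class BulkUserLoader {

    static final String SERVER_URL = "https://keycloak.example.test/auth"; // placeholder
    static final String TARGET_REALM = "loadtest";                          // placeholder
    static final String ADMIN_USER = "admin";                               // placeholder
    static final String ADMIN_PASSWORD = System.getenv("KC_ADMIN_PASSWORD"); // never hard-code

    public static void main(String[] args) {
        int count = args.length > 0 ? Integer.parseInt(args[0]) : 10_000;

        // Authenticate against the master realm with the built-in admin-cli client.
        Keycloak keycloak = Keycloak.getInstance(
                SERVER_URL, "master", ADMIN_USER, ADMIN_PASSWORD, "admin-cli");
        RealmResource realm = keycloak.realm(TARGET_REALM);

        List<String> failed = new ArrayList<>();
        for (int i = 0; i < count; i++) {
            String username = String.format("loaduser%06d", i);
            try {
                createUser(realm, username, "LoadTest-" + i);
            } catch (RuntimeException e) {
                failed.add(username); // keep going; report the failures at the end
            }
        }
        System.out.printf("created %d users, %d failures%n",
                count - failed.size(), failed.size());
    }

    /** Creates one enabled user and sets a non-temporary password; returns the new user id. */
    static String createUser(RealmResource realm, String username, String password) {
        UserRepresentation user = new UserRepresentation();
        user.setUsername(username);
        user.setEmail(username + "@example.test");
        user.setEnabled(true);

        Response response = realm.users().create(user);
        try {
            if (response.getStatus() != 201) {
                throw new IllegalStateException(
                        "create " + username + " -> HTTP " + response.getStatus());
            }
            // Keycloak answers 201 with the new user's URI in Location; the last segment is the id.
            String location = response.getLocation().getPath();
            String userId = location.substring(location.lastIndexOf('/') + 1);

            // Passwords are set through reset-password so the server hashes them;
            // the plaintext never lands in the database.
            CredentialRepresentation credential = new CredentialRepresentation();
            credential.setType(CredentialRepresentation.PASSWORD);
            credential.setValue(password);
            credential.setTemporary(false);
            realm.users().get(userId).resetPassword(credential);
            return userId;
        } finally {
            response.close();
        }
    }
}
```

Run it as `java BulkUserLoader 50000` with keycloak-admin-client and a JAX-RS client (RESTEasy) on the classpath. Each user costs two HTTP calls, which is exactly the time the question worries about, but the result is a realm whose users behave like real ones under the login, logout and password-change scenarios listed above.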
GMail throws suspicious error when sending email.
by Revanth Ayalasomayajula
Hi,
I am using keycloak 1.5.0 for my product, and when I am sending email for
execute actions, gmail throws me the following warning in the image
attached below. However, when I do forget password from my login screen, the
email sent does not contain this warning. Can someone help me debug why
this is happening? Execute actions is an important part of my product and
any help regarding this would be highly appreciated.
Thanks.
8 years, 6 months
nginx with a reverse proxy to keycloak server
by Juan Diego
Hi,
I installed keycloak on a wildfly 10 server; I bought and installed a
certificate. Everything seems to work accessing
https://mydomain.com:8443/auth/
My problem comes with my reverse proxy. I have other apps inside that
wildfly, and they have their own domain and they work perfectly with the
reverse proxy I set up.
When I access https://mydomain.com, I can see the first page of keycloak
but none of the images work; the links are broken.
Should I enable something on my keycloak so it can work?
This is my block:

# WildFly side: for Keycloak to honour the X-Forwarded-* headers below, the
# undertow listener on 8443 needs proxy-address-forwarding="true".
upstream wildfly {
    server 127.0.0.1:8443 fail_timeout=0;
}
server {
    listen 80;
    server_name mydomain.com;
    return 301 https://$server_name$request_uri;
}
server {
    listen 443 ssl;
    server_name mydomain.com;
    ssl on;
    ssl_certificate     /opt/wildfly/standalone/configuration/rrec/mydomain.com.crt;
    ssl_certificate_key /opt/wildfly/standalone/configuration/rrec/mydomain.com.rsa.key;
    access_log /var/log/nginx/mydomain.com-access.log;
    error_log  /var/log/nginx/mydomain.com-error.log;
    location = / {
        return 301 https://mydomain.com/auth;
    }
    location /auth {
        # proxy_pass without a URI part forwards the request URI unchanged.
        # "location /auth" combined with "proxy_pass https://127.0.0.1:8443/auth/;"
        # rewrites /auth/resources/... to /auth//resources/..., which breaks the
        # static resources (images, CSS, JS) of the login pages.
        proxy_pass https://wildfly;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Port 443;
    }
}
8 years, 6 months
Is Keycloak client admin thread safe?
by Hristo Stoyanov
Is org.keycloak.admin.client.Keycloak thread-safe? I intend to use it as a
single admin client for the entire app ...
/Hristo Stoyanov
8 years, 6 months
Keycloak 1.9 - jboss eap6.4
by venito camelas
Hi, I'm trying to use keycloak 1.9 on a jboss eap-6.4.
I downloaded keycloak 1.9.1 and keycloak overlay 1.9.1.
When I try to start jboss I get the following error:
Caused by: java.lang.NoSuchMethodError: org.jboss.as.controller.ExtensionContext.registerSubsystem(Ljava/lang/String;Lorg/jboss/as/controller/ModelVersion;)Lorg/jboss/as/controller/SubsystemRegistration;
    at org.keycloak.subsystem.server.extension.KeycloakExtension.initialize(KeycloakExtension.java:70)
    at org.jboss.as.controller.extension.ExtensionAddHandler.initializeExtension(ExtensionAddHandler.java:97) [jboss-as-controller-7.5.0.Final-redhat-21.jar:7.5.0.Final-redhat-21]
    at org.jboss.as.controller.extension.ParallelExtensionAddHandler$ExtensionInitializeTask.call(ParallelExtensionAddHandler.java:139) [jboss-as-controller-7.5.0.Final-redhat-21.jar:7.5.0.Final-redhat-21]
    at org.jboss.as.controller.extension.ParallelExtensionAddHandler$ExtensionInitializeTask.call(ParallelExtensionAddHandler.java:125) [jboss-as-controller-7.5.0.Final-redhat-21.jar:7.5.0.Final-redhat-21]
    at java.util.concurrent.FutureTask.run(FutureTask.java:266) [rt.jar:1.8.0_45]
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [rt.jar:1.8.0_45]
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [rt.jar:1.8.0_45]
    at java.lang.Thread.run(Thread.java:745) [rt.jar:1.8.0_45]
    at org.jboss.threads.JBossThread.run(JBossThread.java:122) [jboss-threads-2.1.2.Final-redhat-1.jar:2.1.2.Final-redhat-1]
From what I understood reading the code, it is trying to call the method
registerSubsystem using 2 arguments, and the ExtensionContext that jboss
eap 6.4 uses doesn't support 2 arguments, it supports 2 or more.
What am I missing?
8 years, 6 months
req.getUserPrincipal() returns NULL before navigating to a restricted url (after login)
by LEONARDO NUNES
Hi everyone,
I have a page1 whose access is not restricted; at page1 I have a Login button that directs to Keycloak, and the redirect_uri is page1.
After I log in and get redirected to page1, I try to access the logged-in user information with req.getUserPrincipal(), but this method returns NULL at this moment.
If I navigate to a page whose url is restricted and then return to the non-restricted page, then req.getUserPrincipal() returns the user object.
I noticed that I have to go to a restricted page before being able to access the user information at a non-restricted page.
The ticket below solved the problem of not accessing the user information at a non-restricted page, but I still have this case when the user logged in at a non-restricted page.
https://issues.jboss.org/browse/KEYCLOAK-2518
--
Leonardo
________________________________
This message may contain confidential and/or privileged information. If you are not the addressee or authorized to receive this for the addressee, you must not use, copy, disclose or take any action based on this message or any information herein. If you have received this message in error, please advise the sender immediately by reply e-mail and delete this message. Thank you for your cooperation.
8 years, 6 months
req.getUserPrincipal() returns NULL before navigating to a restricted url (after login)
by LEONARDO NUNES
Hi everyone,
I have a page1 whose access is not restricted; at page1 I have a Login button that directs to Keycloak, and the redirect_uri is page1.
After I log in and get redirected to page1, I try to access the logged-in user information with req.getUserPrincipal(), but this method returns NULL at this moment.
If I navigate to a page whose url is restricted and then return to the non-restricted page, then req.getUserPrincipal() returns the user object.
I noticed that I have to go to a restricted page before being able to access the user information at a non-restricted page.
Keycloak version: 1.9.1.Final
The ticket below solved the problem of not accessing the user information at a non-restricted page, but I still have this case when the user logged in at a non-restricted page.
https://issues.jboss.org/browse/KEYCLOAK-2518
--
Leonardo
8 years, 6 months
Which OpenID Connect Flow to Use?
by Jared Sprague
Hello!
We are currently in the process of migrating our Customer Portal to Keycloak, and are trying to decide which is the best OpenID Connect flow to use, standard or implicit, based on our needs. What are example use cases for both flows? When would you use one vs. the other?
Here is the general use case we are trying to solve.
1. A user logs in and receives an access_token.
2. The user loads an Angular single-page app that makes a call to a stateless REST API, passing the access token.
3. The REST API validates the access_token and forwards the request to the downstream system, e.g. a data provider, including the access token in the request.
4. The data provider retrieves the access token, validates it and returns the response to the REST service, which returns the response to the Angular app.
The above flow should be able to continue anytime throughout the duration of the SSO session. So for the above flow, which OpenID Connect flow would you recommend using? Standard, Implicit, or Hybrid?
Standard Flow
http://openid.net/specs/openid-connect-core-1_0.html#CodeFlowAuth
Implicit Flow
http://openid.net/specs/openid-connect-core-1_0.html#ImplicitFlowAuth
Thank you!
- Jared Sprague
access.redhat.com
8 years, 6 months
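Whichever flow issues the token, step 3 of the use case above (the stateless REST API validating the access_token before forwarding it) looks the same on the API side. As an added example, not code from the post or from Keycloak itself, here is a JAX-RS 2.0 request filter that performs that validation offline against the realm public key and keeps the raw token string for the downstream call. The realm URL, client id, role name and the environment variable holding the realm public key (the base64 value shown on the realm's Keys page in the admin console) are hypothetical; the code assumes the static RSATokenVerifier.verifyToken(String, PublicKey, String) method and the package names of the 1.9-era keycloak-core, which later releases reorganised.

```java
import java.io.IOException;
import java.security.KeyFactory;
import java.security.PublicKey;
import java.security.spec.X509EncodedKeySpec;
import java.util.Base64;

import javax.annotation.Priority;
import javax.ws.rs.Priorities;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.core.HttpHeaders;
import javax.ws.rs.core.Response;
import javax.ws.rs.ext.Provider;

import org.keycloak.RSATokenVerifier;                // 1.9-era API (assumption)
import org.keycloak.common.VerificationException;   // package as of 1.9 (assumption)
import org.keycloak.representations.AccessToken;

/**
 * Bearer-token filter for a stateless REST API: verifies the Keycloak access
 * token offline with the realm public key, checks it was issued for this
 * client and carries the required role, and stores the raw token string so a
 * resource can forward it to the downstream data provider.
 */
@Provider
@Priority(Priorities.AUTHENTICATION)
public class BearerTokenFilter implements ContainerRequestFilter {

    // Hypothetical deployment values.
    static final String REALM_URL = "https://keycloak.example.test/auth/realms/portal";
    static final String EXPECTED_CLIENT = "portal-spa";   // client id the Angular app logs in as
    static final String REQUIRED_ROLE = "customer";       // realm role this API requires
    static final String REALM_PUBLIC_KEY = System.getenv("REALM_PUBLIC_KEY"); // base64 SPKI

    /** Request property under which the verified token string is made available. */
    public static final String TOKEN_ATTRIBUTE = "keycloak.tokenString";

    private static final PublicKey REALM_KEY = decodePublicKey(REALM_PUBLIC_KEY);

    @Override
    public void filter(ContainerRequestContext ctx) throws IOException {
        String header = ctx.getHeaderString(HttpHeaders.AUTHORIZATION);
        if (header == null || !header.regionMatches(true, 0, "Bearer ", 0, 7)) {
            ctx.abortWith(Response.status(Response.Status.UNAUTHORIZED).build());
            return;
        }
        String tokenString = header.substring(7).trim();
        try {
            // Checks the RS256 signature, that iss equals REALM_URL, that the token is
            // active (exp / nbf) and that it is a Bearer token.
            AccessToken token = RSATokenVerifier.verifyToken(tokenString, REALM_KEY, REALM_URL);

            // A valid token of this realm is not enough: it must have been issued for
            // the expected client (azp) and grant the role this API needs.
            if (!EXPECTED_CLIENT.equals(token.getIssuedFor())
                    || token.getRealmAccess() == null
                    || !token.getRealmAccess().isUserInRole(REQUIRED_ROLE)) {
                ctx.abortWith(Response.status(Response.Status.FORBIDDEN).build());
                return;
            }
            // Resource methods read this property to forward the same token downstream.
            ctx.setProperty(TOKEN_ATTRIBUTE, tokenString);
        } catch (VerificationException e) {
            // Bad signature, wrong issuer, expired or not-yet-valid token.
            ctx.abortWith(Response.status(Response.Status.UNAUTHORIZED).build());
        }
    }

    /** Turns the base64 SubjectPublicKeyInfo from the admin console into an RSA PublicKey. */
    static PublicKey decodePublicKey(String base64Spki) {
        try {
            byte[] der = Base64.getMimeDecoder().decode(base64Spki);
            return KeyFactory.getInstance("RSA").generatePublic(new X509EncodedKeySpec(der));
        } catch (Exception e) {
            throw new IllegalStateException("cannot load realm public key", e);
        }
    }
}
```

The checks after the signature are the ones worth noticing: a token that verifies against the realm key but was issued for another client of the same realm would otherwise be accepted by this API. A resource method obtains the token via `ctx.getProperty(BearerTokenFilter.TOKEN_ATTRIBUTE)` and places it in the Authorization header of the call to the data provider, which repeats the same validation on its side (step 4 of the use case).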