Password algorithm into Keycloak
by Richard Lavallee
Is it feasible to import username and hashed-password strings into Keycloak in one batch? Must I migrate the bcrypt algorithm we use along with it onto Keycloak somehow? Looking for guidance/documentation on doing this, please.
-Richard
7 years, 9 months
KEYCLOAK-3202 Creating users causes memory leak
by Valerij Timofeev
Hi Stian,
You are the assignee in KEYCLOAK-3202
<https://issues.jboss.org/browse/KEYCLOAK-3202>, so I addressed this email
to you directly.
I guess that this issue could be the cause of trouble in our production
environment.
There are 4 EAP-6 nodes with Keycloak adapters and 2 Keycloak 1.9.4
standalone servers running in 2 clusters respectively.
We experience logout failures approximately after one and a half days of
operation.
Restarting the EAP 6 nodes temporarily resolves the logout problem.
Durable load tests in our test environment showed that login and logout of
existing users don't result in the above behaviour.
We added an additional scenario to the durable load test that creates new
users and were able to reproduce the logout failure: users get an empty page
and not the login screen as expected. A page reload navigates back into the
protected web application.
Logout is accomplished in a Java web application by calling the OIDC logout
endpoint:
    FacesContext.getCurrentInstance()
        .getExternalContext()
        .redirect(keycloakDeployment.getLogoutUrl()
            .queryParam("redirect_uri", redirectURL)
            .toTemplate());
Logout is initiated via h:commandLink, so I suppose that the OIDC logout
endpoint is called via the GET method. Should we use the POST method
instead?
Does servlet logout have any advantages?
    ((HttpServletRequest) FacesContext.getCurrentInstance()
        .getExternalContext().getRequest()).logout();
I'd appreciate a quick response, because restarting the production EAP cluster
every day is not a pleasant option ;-)
Thank you in advance
Kind regards
Valerij Timofeev
7 years, 9 months
KEYCLOAK-1014 Reset password leads to 400 Bad Request - still unresolved?
by Valerij Timofeev
Hi,
our customers are experiencing problems in situations where a password reset
is started in one web browser and completed in another one.
This scenario occurs if a user surfs with one kind of web browser, but the
email application opens the password reset link in another one.
I suppose that the root cause is the same as the one documented in
KEYCLOAK-1014.
We run Keycloak 1.9.4 standalone servers in our production at the moment,
but have already started to roll out RH SSO 7.0 in other stages. So a bug fix
should be scheduled for this version as well.
Kind regards
Valerij Timofeev
7 years, 9 months
Two-way communication required between Keycloak Server and REST API Backend Server?
by Adrian Matei
Hi everyone,
Does a Keycloak-secured REST API on JBoss EAP 6.1 (access-type bearer-only)
need to communicate with the Keycloak server once the adapter and
standalone.xml are properly configured?
Currently both servers are in the same DMZ, but we'd like to move the
REST API server into the intranet zone.
(In a test, the REST backend seemed to be callable as long as the token was
valid, even though the Keycloak server was shut down; so I ask myself why I
need to specify the auth-server-url in standalone.xml or the keycloak.json
file.)
Thanks
Adrian
7 years, 9 months
Re: [keycloak-user] Keycloak unable to open JDBC connection
by Ricardo Chu
The JBoss documentation describes how to set up the validation check for
Oracle with nice examples:
https://access.redhat.com/documentation/en-US/JBoss_Enterprise_Applicatio...
Another option is to use the WildFly administrator pages to set up
the datasource. This option will create a new datasource that includes the
validation check. This tutorial describes what this looks like:
http://www.itprogrammingtutorials.com/2014/java/jboss/connection-pool-jbo...
Rick
> On Fri, Jul 15, 2016 at 4:51 AM, Stian Thorgersen <sthorger(a)redhat.com>
> wrote:
>
>> See
>> http://stackoverflow.com/questions/31455450/auto-recover-connections-in-w...
7 years, 9 months
Keycloak wf8 adapter 2.0.0.Final and authz
by Christian Froehlich
Hi,
I got a NoClassDefFoundError when I try to use the authorization provided
by Keycloak. My application is running on a WildFly 8 including the
corresponding wf8 adapter. Keycloak itself is running as a standalone
server. The module "keycloak-authz-client" is missing in the wf8 adapter when
I compare the adapters for WildFly 9/10 and WildFly 8. Is it a bug, or is it
not possible to use the authorization within a WildFly 8?
Here is the stack trace of my deployment error:
2016-07-15 06:40:50,714 ERROR [org.jboss.msc.service.fail] (MSC
service thread 1-3) () MSC000001: Failed to start service
jboss.undertow.deployment.default-server.default-host./orbis-4u:
org.jboss.msc.service.StartException in service
jboss.undertow.deployment.default-server.default-host./orbis-4u: Failed to
start service
at
org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1904)
[jboss-msc-1.2.2.Final.jar:1.2.2.Final]
at
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
[rt.jar:1.8.0_92]
at
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
[rt.jar:1.8.0_92]
at java.lang.Thread.run(Thread.java:745) [rt.jar:1.8.0_92]
Caused by: java.lang.NoClassDefFoundError:
org/keycloak/authorization/client/Configuration
at
org.keycloak.adapters.authorization.PolicyEnforcer.<init>(PolicyEnforcer.java:56)
at
org.keycloak.adapters.KeycloakDeploymentBuilder.internalBuild(KeycloakDeploymentBuilder.java:118)
at
org.keycloak.adapters.KeycloakDeploymentBuilder.build(KeycloakDeploymentBuilder.java:127)
at
org.keycloak.adapters.undertow.KeycloakServletExtension.handleDeployment(KeycloakServletExtension.java:135)
at
io.undertow.servlet.core.DeploymentManagerImpl.handleExtensions(DeploymentManagerImpl.java:244)
at
io.undertow.servlet.core.DeploymentManagerImpl.deploy(DeploymentManagerImpl.java:149)
at
org.wildfly.extension.undertow.deployment.UndertowDeploymentService.startContext(UndertowDeploymentService.java:87)
at
org.wildfly.extension.undertow.deployment.UndertowDeploymentService.start(UndertowDeploymentService.java:72)
at
org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1948)
[jboss-msc-1.2.2.Final.jar:1.2.2.Final]
at
org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1881)
[jboss-msc-1.2.2.Final.jar:1.2.2.Final]
... 3 more
Caused by: java.lang.ClassNotFoundException:
org.keycloak.authorization.client.Configuration from [Module
"org.keycloak.keycloak-adapter-core:main" from local module loader
@3b94d659 (finder: local module finder @24b1d79b (roots:
/opt/orbis/oas/server/orbis-as-08.04.27.00.0015200-DACHL/modules,/opt/orbis/oas/server/orbis-as-08.04.27.00.0015200-DACHL/modules/system/layers/base,/opt/orbis/oas/server/orbis-as-08.04.27.00.0015200-DACHL/modules/system/add-ons/keycloak))]
at
org.jboss.modules.ModuleClassLoader.findClass(ModuleClassLoader.java:213)
[jboss-modules.jar:1.3.3.Final]
at
org.jboss.modules.ConcurrentClassLoader.performLoadClassUnchecked(ConcurrentClassLoader.java:459)
[jboss-modules.jar:1.3.3.Final]
at
org.jboss.modules.ConcurrentClassLoader.performLoadClassChecked(ConcurrentClassLoader.java:408)
[jboss-modules.jar:1.3.3.Final]
at
org.jboss.modules.ConcurrentClassLoader.performLoadClass(ConcurrentClassLoader.java:389)
[jboss-modules.jar:1.3.3.Final]
at
org.jboss.modules.ConcurrentClassLoader.loadClass(ConcurrentClassLoader.java:134)
[jboss-modules.jar:1.3.3.Final]
... 13 more
2016-07-15 06:40:50,744 ERROR
[org.jboss.as.controller.management-operation] (Controller Boot Thread) ()
JBAS014613: Operation ("deploy") failed - address: ([("deployment" =>
"orbis-4u.war")]) - failure description: {"JBAS014671: Failed services" =>
{"jboss.undertow.deployment.default-server.default-host./orbis-4u" =>
"org.jboss.msc.service.StartException in service
jboss.undertow.deployment.default-server.default-host./orbis-4u: Failed to
start service
Caused by: java.lang.NoClassDefFoundError:
org/keycloak/authorization/client/Configuration
Caused by: java.lang.ClassNotFoundException:
org.keycloak.authorization.client.Configuration from [Module
\"org.keycloak.keycloak-adapter-core:main\" from local module loader
@3b94d659 (finder: local module finder @24b1d79b (roots:
/opt/orbis/oas/server/orbis-as-08.04.27.00.0015200-DACHL/modules,/opt/orbis/oas/server/orbis-as-08.04.27.00.0015200-DACHL/modules/system/layers/base,/opt/orbis/oas/server/orbis-as-08.04.27.00.0015200-DACHL/modules/system/add-ons/keycloak))]"}}
06:40:50,780 INFO
[org.hibernate.hql.internal.QueryTranslatorFactoryInitiator]
(ServerService Thread Pool -- 49) HHH000397: Using
ASTQueryTranslatorFactory
2016-07-15 06:40:50,856 INFO [org.jboss.as.server] (ServerService
Thread Pool -- 33) () JBAS018559: Deployed "orbis-4u.war" (runtime-name :
"orbis-4u.war")
2016-07-15 06:40:50,870 INFO [org.jboss.as.controller] (Controller
Boot Thread) () JBAS014774: Service status report
JBAS014777: Services which failed to start: service
jboss.undertow.deployment.default-server.default-host./orbis-4u:
org.jboss.msc.service.StartException in service
jboss.undertow.deployment.default-server.default-host./orbis-4u: Failed to
start service
Regards Christian
7 years, 9 months
Connection timed out: logging out of Keycloak
by Richard Lavallee
Has anyone experienced a similar failure stack trace when initiating a Logout from Keycloak, please?
This has something to do with the Admin URL, BUT... filling that in seems to cause a Proxy Error when attempting to log out normally, and doesn't seem to work in the first place. I am unsure how to proceed on this, and I'm hoping someone in the community has worked with the Tomcat adapter.
-Richard
19:36:55,145 WARN [org.keycloak.services] (default task-30) KC-SERVICES0057: Logout for client 'myApp' failed: org.apache.http.conn.ConnectTimeoutException: Connect to 10.0.3.141:8083 [/10.0.3.141] failed: Connection timed out
    at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:149)
    at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:353)
    at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:380)
    at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:236)
    at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:184)
    at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:88)
    at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:110)
    at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:184)
    at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82)
    at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:107)
    at org.keycloak.connections.httpclient.DefaultHttpClientFactory$1.postText(DefaultHttpClientFactory.java:70)
    at org.keycloak.services.managers.ResourceAdminManager.sendLogoutRequest(ResourceAdminManager.java:251)
    at org.keycloak.services.managers.ResourceAdminManager.logoutClientSessions(ResourceAdminManager.java:195)
    at org.keycloak.services.managers.ResourceAdminManager.logoutClientSession(ResourceAdminManager.java:150)
    at org.keycloak.protocol.oidc.OIDCLoginProtocol.backchannelLogout(OIDCLoginProtocol.java:209)
    at org.keycloak.services.managers.AuthenticationManager.browserLogout(AuthenticationManager.java:208)
    at org.keycloak.protocol.oidc.endpoints.LogoutEndpoint.logout(LogoutEndpoint.java:142)
    at sun.reflect.GeneratedMethodAccessor584.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:139)
    at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295)
    at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:138)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101)
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:395)
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:202)
    at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221)
    at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
    at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
    at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
    at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
    at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:88)
    at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
    at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
    at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
    at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
    at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
    at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
    at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
    at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
    at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
    at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
    at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
    at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284)
    at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263)
    at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
    at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174)
    at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
    at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    at java.lang.Thread.run(Thread.java:745)
Caused by: java.net.ConnectException: Connection timed out
    at java.net.PlainSocketImpl.socketConnect(Native Method)
    at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:350)
    at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:206)
    at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:188)
    at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392)
    at java.net.Socket.connect(Socket.java:589)
    at org.apache.http.conn.socket.PlainConnectionSocketFactory.connectSocket(PlainConnectionSocketFactory.java:74)
    at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:134)
    ... 64 more
7 years, 9 months
Keycloak unable to open JDBC connection
by Thomas Barcia
I have Keycloak 1.9.8-Final running against an Oracle database and it appears that when the connections are unused for a period of time (usually overnight) Keycloak is unable to open a JDBC connection to the database. I spoke with the DBAs and the database is not closing the connections. According to the DBAs I need to enable connection validation but I'm not a programmer and can't find a good example of how it's done. Can anyone provide some help with this? Am I on the right track in resolving the issue?
Thanks.
This is from my standalone-ha.xml:
<datasource jndi-name="java:jboss/datasources/KeycloakDS" pool-name="KeycloakDS" enabled="true" use-java-context="true">
    <connection-url>jdbc:oracle:thin:@<servername>:<port>:<databasename></connection-url>
    <driver>oracle</driver>
    <pool>
        <min-pool-size>1</min-pool-size>
        <max-pool-size>5</max-pool-size>
        <prefill>true</prefill>
    </pool>
    <security>
        <user-name><name></user-name>
        <password><password></password>
    </security>
</datasource>
<drivers>
    <driver name="h2" module="com.h2database.h2">
        <xa-datasource-class>org.h2.jdbcx.JdbcDataSource</xa-datasource-class>
    </driver>
    <driver name="oracle" module="com.oracle">
        <driver-class>oracle.jdbc.driver.OracleDriver</driver-class>
    </driver>
</drivers>
And this is the error:
2016-07-14 00:13:09,460 WARN [org.hibernate.engine.jdbc.spi.SqlExceptionHelper] (Timer-2) SQL Error: 0, SQLState: null
2016-07-14 00:13:09,461 ERROR [org.hibernate.engine.jdbc.spi.SqlExceptionHelper] (Timer-2) javax.resource.ResourceException: IJ000453: Unable to get managed connection for java:jboss/datasources/KeycloakDS
2016-07-14 00:13:09,462 ERROR [org.keycloak.services] (Timer-2) KC-SERVICES0089: Failed to run scheduled task ClearExpiredUserSessions: javax.persistence.PersistenceException: org.hibernate.exception.GenericJDBCException: Unable to acquire JDBC Connection
at org.hibernate.jpa.spi.AbstractEntityManagerImpl.convert(AbstractEntityManagerImpl.java:1692)
at org.hibernate.jpa.spi.AbstractEntityManagerImpl.convert(AbstractEntityManagerImpl.java:1602)
at org.hibernate.jpa.spi.AbstractEntityManagerImpl.throwPersistenceException(AbstractEntityManagerImpl.java:1700)
at org.hibernate.jpa.internal.TransactionImpl.begin(TransactionImpl.java:48)
at org.keycloak.connections.jpa.JpaKeycloakTransaction.begin(JpaKeycloakTransaction.java:39)
at org.keycloak.services.DefaultKeycloakTransactionManager.enlist(DefaultKeycloakTransactionManager.java:41)
at org.keycloak.connections.jpa.DefaultJpaConnectionProviderFactory.create(DefaultJpaConnectionProviderFactory.java:70)
at org.keycloak.connections.jpa.DefaultJpaConnectionProviderFactory.create(DefaultJpaConnectionProviderFactory.java:54)
at org.keycloak.services.DefaultKeycloakSession.getProvider(DefaultKeycloakSession.java:101)
at org.keycloak.models.jpa.JpaRealmProviderFactory.create(JpaRealmProviderFactory.java:51)
at org.keycloak.models.jpa.JpaRealmProviderFactory.create(JpaRealmProviderFactory.java:33)
at org.keycloak.services.DefaultKeycloakSession.getProvider(DefaultKeycloakSession.java:101)
at org.keycloak.models.cache.infinispan.RealmCacheSession.getDelegate(RealmCacheSession.java:161)
at org.keycloak.models.cache.infinispan.RealmCacheSession.getRealms(RealmCacheSession.java:424)
at org.keycloak.services.scheduled.ClearExpiredUserSessions.run(ClearExpiredUserSessions.java:33)
at org.keycloak.services.scheduled.ClusterAwareScheduledTaskRunner$1.call(ClusterAwareScheduledTaskRunner.java:53)
at org.keycloak.services.scheduled.ClusterAwareScheduledTaskRunner$1.call(ClusterAwareScheduledTaskRunner.java:49)
at org.keycloak.cluster.infinispan.InfinispanClusterProvider.executeIfNotExecuted(InfinispanClusterProvider.java:90)
at org.keycloak.services.scheduled.ClusterAwareScheduledTaskRunner.runTask(ClusterAwareScheduledTaskRunner.java:49)
at org.keycloak.services.scheduled.ScheduledTaskRunner.run(ScheduledTaskRunner.java:44)
at org.keycloak.timer.basic.BasicTimerProvider$1.run(BasicTimerProvider.java:51)
at java.util.TimerThread.mainLoop(Timer.java:555)
Thomas Barcia
Unix Administrator
World Fuel Services Corporation
9800 NW 41st Street|Miami, FL 33178
office: 305.351.4910|email: tbarcia(a)wfscorp.com
*** This communication has been sent from World Fuel Services
Corporation or its subsidiaries or its affiliates for the intended recipient
only and may contain proprietary, confidential or privileged information.
If you are not the intended recipient, any review, disclosure, copying,
use, or distribution of the information included in this communication
and any attachments is strictly prohibited. If you have received this
communication in error, please notify us immediately by replying to this
communication and delete the communication, including any
attachments, from your computer. Electronic communications sent to or
from World Fuel Services Corporation or its subsidiaries or its affiliates
may be monitored for quality assurance and compliance purposes.***
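As an added example (not from the thread): the KeycloakDS datasource from this post with the <validation> block the replies point to, so the pool checks a connection before handing it to Hibernate instead of returning one that the database or a firewall silently dropped overnight. The placeholders are the poster's own; the Oracle checker and sorter class names are the ones shipped with the WildFly/EAP IronJacamar JDBC adapter.

```xml
<!-- Added example: the poster's datasource plus connection validation.
     Placeholders <servername>, <port>, <databasename>, <name>, <password>
     are copied from the post and must be replaced with real values. -->
<datasource jndi-name="java:jboss/datasources/KeycloakDS" pool-name="KeycloakDS" enabled="true" use-java-context="true">
    <connection-url>jdbc:oracle:thin:@<servername>:<port>:<databasename></connection-url>
    <driver>oracle</driver>
    <pool>
        <min-pool-size>1</min-pool-size>
        <max-pool-size>5</max-pool-size>
        <prefill>true</prefill>
    </pool>
    <security>
        <user-name><name></user-name>
        <password><password></password>
    </security>
    <validation>
        <!-- Oracle-specific checker: pings the connection with the driver's own
             ping rather than parsing a query. The generic alternative is
             <check-valid-connection-sql>SELECT 1 FROM DUAL</check-valid-connection-sql>;
             use one or the other, not both. -->
        <valid-connection-checker class-name="org.jboss.jca.adapters.jdbc.extensions.oracle.OracleValidConnectionChecker"/>
        <!-- Check the connection at the moment it is matched to a request, so a
             dead one is never returned to Keycloak's scheduled tasks. -->
        <validate-on-match>true</validate-on-match>
        <!-- The alternative is periodic validation in the background; the two
             modes are mutually exclusive, so leave this false with validate-on-match. -->
        <background-validation>false</background-validation>
        <!-- Classify Oracle errors so that a broken connection is evicted from
             the pool instead of being handed out again. -->
        <exception-sorter class-name="org.jboss.jca.adapters.jdbc.extensions.oracle.OracleExceptionSorter"/>
    </validation>
</datasource>
```

With a small pool like this one (max 5), validate-on-match costs one round-trip per checkout; switch to background-validation with background-validation-millis if that overhead matters more than the occasional stale connection.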
7 years, 9 months
One client application, users in many organizations
by Aikeaguinea
We have a client web application which accepts requests from users in
many different unrelated organizations. Two approaches I see are 1) to
create a realm per organization, or 2) create a single realm with our
application as client, and assign users to different groups based on
their organization.
If we go with approach 1, I'm not sure how we'd handle the client ID and
secret for our web app. If we had multiple realms in Keycloak, each with
one client for our web application, somehow the web application would
need to know which Keycloak client to use for which user, which sounds
complicated and maybe untenable. On the other hand, clients can't span
realms, can they?
If we go with 2, one complication is administration--e.g., bulk logout.
If all the users are in the same realm, it doesn't appear to me that
there's a way in the admin console to logout all sessions of users
belonging to one group, or to disable all users belonging to a group. Is
that right?
It also doesn't look straightforward to get from the API all the users
for a given group--you can get the groups a user is in, but I don't see
a call that does the inverse. Is there a way we could do this?
Or is there an entirely different approach I'm not thinking of?
--
Aikeaguinea
aikeaguinea(a)xsmail.com
7 years, 9 months
Realm ID value oddity
by Guus der Kinderen
Hi there,
I'm looking at a server with a couple of realms in it (version 1.9.x). When
comparing the realm identifiers, I noticed that some realms have UUIDs,
while others have 'human readable' values for an ID.
As the ID is string-based, it probably does not matter much, but the
difference puzzles me. Is this a known ... issue/characteristic?
Regards,
Guus
7 years, 9 months