error when an id is present in different realm
by Julien Lambot
Hi List
Nice to meet you
We have implemented several Keycloak servers with an ldap (AD) user
federation.
Our configuration has several realms (e.g.: one for internal users and one
for our customers)
The issue is that sometimes some users cannot login as the login key
(username) seems to be duplicated. Though, it's not currently duplicated in
the same realm. (logs bellow).
We are wondering how the unicity of the users are verified.
Because, we could have some "Pierre Dupont" in several realms and this
would be anoying not to permit them to connect.
Hope i'm clear and thanks for all the good stuff in Keycloak.
Regards
2017-12-21 15:13:26,655 ERROR [org.jboss.resteasy.resteasy_jaxrs.i18n]
(default task-1) RESTEASY002005: Failed executing GET /admin/realms/master:
org.jboss.resteasy.spi.UnauthorizedException: Bearer
at
org.keycloak.services.resources.admin.AdminRoot.authenticateRealmAdminRequest(AdminRoot.java:180)
at
org.keycloak.services.resources.admin.AdminRoot.getRealmsAdmin(AdminRoot.java:211)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:497)
at
org.jboss.resteasy.core.ResourceLocatorInvoker.createResource(ResourceLocatorInvoker.java:79)
at
org.jboss.resteasy.core.ResourceLocatorInvoker.createResource(ResourceLocatorInvoker.java:58)
at
org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:100)
at
org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:395)
at
org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:202)
at
org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221)
at
org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
at
org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
at
io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
at
io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
at
org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90)
at
io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
at
io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
at
io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
at
io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
at
io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
at
org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at
io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
at
io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at
io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
at
io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
at
io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
at
io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
at
io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
at
io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at
org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at
io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284)
at
io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263)
at
io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
at
io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174)
at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
at
io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793)
at
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:745)
6 years, 4 months
Keycloak Database & Authenticator
by Marten Krings
Hello,
I'm trying to create a custom authenticator, however I'm running into some problems retrieving data from Keycloak's database.
I've built a Jpa entity provider according to this example:
https://github.com/keycloak/keycloak/tree/master/examples/providers/domai...
I've deployed this as a module according to the instructions provided with the example.
This part works wonderfully, and the new table appears in my database.
I've also tried implementing a serviceprovider, according to the same example as previously, I could deploy this, however when I try to get the provider at runtime in a custom authenticator with:
KeycloakSession.getProvider(ServiceProvider.class)
the keycloak installation returns a java.lang.NoClassDefFoundError.
KeycloakSession.getAllProviders(JpaEntityProvider.class) returns a HashSet containing 1 element, namely the desired provider, however this "Class has no fields". trying to do anything further using this object results in the above exception.
What am I doing wrong here?
Thanks,
Marten Krings
6 years, 4 months
keycloak not reading replicated remote cache?
by Simon Payne
Hi, hopefully someone has experience of how to setup keycloak with
infinispan as a remote cache.
My goal is to run keycloak across multiple data centres with replicated
database and cache, however i am struggling to get anything working.
I am running keycloak 3.4.1 and infinispan 9.1.3
I have 2 unclustered keycloak instances (A and B), sharing a remote cache
and sharing a postgreSQL backend.
When i log in to the admin console on one of the instances (lets say A),
through the shared remote store i'm expecting to see the session on the
other keycloak instance (B). Using the infinispan manager console i can
see that the sessions are being cached as the cache content entries value
increments, from both directions (A + B), however, the values never appear
within the other instance.
Here are snippets of my clustered.xml and standalone-ha.xml
clustered.xml
<replicated-cache-configuration name="sessions-cfg" mode="SYNC"
start="EAGER" batching="false">
<transaction mode="NON_XA" locking="PESSIMISTIC"/>
</replicated-cache-configuration>
<replicated-cache name="work" configuration="sessions-cfg" />
<replicated-cache name="sessions" configuration="sessions-cfg" />
<replicated-cache name="clientSessions" configuration="sessions-cfg"/>
<replicated-cache name="offlineSessions" configuration="sessions-cfg" />
<replicated-cache name="offlineClientSessions"
configuration="sessions-cfg"/>
<replicated-cache name="actionTokens" configuration="sessions-cfg" />
<replicated-cache name="loginFailures" configuration="sessions-cfg" />
standalone-ha.xml
<replicated-cache name="work" mode="SYNC">
<remote-store cache="work" remote-servers="remote-cache"
passivation="false" fetch-state="false" purge="false" preload="false"
shared="true">
<property name="rawValues">true</property>
<property
name="marshaller">org.keycloak.cluster.infinispan.KeycloakHotRodMarshallerFactory</property>
</remote-store>
</replicated-cache>
<distributed-cache name="sessions" mode="SYNC" owners="1">
<remote-store cache="sessions" remote-servers="remote-cache"
passivation="false" fetch-state="false" purge="false" preload="false"
shared="true">
<property name="rawValues">true</property>
<property
name="marshaller">org.keycloak.cluster.infinispan.KeycloakHotRodMarshallerFactory</property>
</remote-store>
</distributed-cache>
<distributed-cache name="offlineSessions" mode="SYNC" owners="1">
<remote-store cache="offlineSessions" remote-servers="remote-cache"
passivation="false" fetch-state="false" purge="false" preload="false"
shared="true">
<property name="rawValues">true</property>
<property
name="marshaller">org.keycloak.cluster.infinispan.KeycloakHotRodMarshallerFactory</property>
</remote-store>
</distributed-cache>
<distributed-cache name="clientSessions" mode="SYNC" owners="1">
<remote-store cache="clientSessions" remote-servers="remote-cache"
passivation="false" fetch-state="false" purge="false" preload="false"
shared="true">
<property name="rawValues">true</property>
<property
name="marshaller">org.keycloak.cluster.infinispan.KeycloakHotRodMarshallerFactory</property>
</remote-store>
</distributed-cache>
<distributed-cache name="offlineClientSessions" mode="SYNC" owners="1">
<remote-store cache="offlineClientSessions" remote-servers="remote-cache"
passivation="false" fetch-state="false" purge="false" preload="false"
shared="true">
<property name="rawValues">true</property>
<property
name="marshaller">org.keycloak.cluster.infinispan.KeycloakHotRodMarshallerFactory</property>
</remote-store>
</distributed-cache>
<distributed-cache name="loginFailures" mode="SYNC" owners="1">
<remote-store cache="loginFailures" remote-servers="remote-cache"
passivation="false" fetch-state="false" purge="false" preload="false"
shared="true">
<property name="rawValues">true</property>
<property
name="marshaller">org.keycloak.cluster.infinispan.KeycloakHotRodMarshallerFactory</property>
</remote-store>
</distributed-cache>
<distributed-cache name="actionTokens" mode="SYNC" owners="2">
<eviction max-entries="-1" strategy="NONE"/>
<expiration max-idle="-1" interval="300000"/>
<remote-store cache="actionTokens" remote-servers="remote-cache"
passivation="false" fetch-state="false" purge="false" preload="true"
shared="true">
<property name="rawValues">true</property>
<property
name="marshaller">org.keycloak.cluster.infinispan.KeycloakHotRodMarshallerFactory</property>
</remote-store>
</distributed-cache>
<distributed-cache name="authenticationSessions" mode="SYNC" owners="1"/>
any ideas on what i might be missing?
Thanks
Simon.
6 years, 4 months
Unable to register provider implementation: not a subtype exception
by Alessandro Tundo
Hi folks!
I followed the documentation for implementing and registering a SPI but I'm
not able to deploy it correctly.
The raised exception is:
*java.util.ServiceConfigurationError:
org.keycloak.credential.hash.PasswordHashProviderFactory: Provider
org.wikitolearn.keycloak.provider.MediaWikiBTypePasswordHashProviderFactory
not a subtype*
I tried both registration ways but the outcome is the same. The .jar I'm
trying to deployt has the following structure:
-
META-INF/services/org.keycloak.credential.hash.PasswordHashProviderFactory
- org/wikitolearn/keycloak/provider/
MediaWikiBTypePasswordHashProviderFactory.class
- org/wikitolearn/keycloak/provider/
MediaWikiBTypePasswordHashProvider.class
The factory and the provider implements
respectively PasswordHashProviderFactory and PasswordHashProvider.
I would like also to point out that the SPI works correctly in my Keycloak
fork. But as you can imagine, a fork is not a good option. Especially when
are available more elegant ways to extend the software programatically
without a fork.
I'm looking forward to receiving your reply asap.
Thank you!
Alessandro
6 years, 4 months
offline sessions lost after restart
by Phillip Fleischer
Hi,
We recently upgraded to 3.4.0.Final from 3.0.0.Final and we noticed that refresh_tokens for offline sessions stopped working after restarting the services… My perception was before we upgraded that while user sessions would get lost that offline sessions were backed by the database by default in offline_user_session, so even local caches would preload sessions from the database which still seems to be updated.
When calling refresh
{
"error": "invalid_grant",
"error_description": "Offline user session not found"
}
Since we have an infinispan cluster with jgroups we tried to remedy it by increasing the owners from the default standalone-ha.xml configuration from 1 to 2. However this had no effect.
<distributed-cache name="offlineSessions" mode="SYNC" owners="2" />
Questions:
- Did the database persistence get disabled and only infinispan is used now (why do we continue to write to database?)
- Should I expect the distributed cache to behave in a way that sessions are not lost? Do we need to diagnose our cluster or jgroups configuration?
-- Phil
6 years, 4 months
ADFS SAML Identity provider using Keycloak-3.2.1
by Guin Ness
Hi.
I'm trying to get ADFS SAML Identity provider working and stuck on
configuration:
If I set NameIDPolicy!=Unspecified I get InvalidNameIDPolicy from ADFS
(despite the fact that my ADFS supports NameIDPolicy=Persistent)
If I set NameIDPolicy=Unspecified I get Internal server error:
NullPointerException at
org.keycloak.broker.saml.SAMLEndpoint$Binding.handleLoginResponse(SAMLEndpoint.java:390).
I am using Keycloak-3.2.1.Final on RHEL7.1
Did anybody encouter this? Is it a bug or did I do something wrong?
Thanks in advanced! ;)
6 years, 4 months
AdapterRsaTokenVerifier throws NullPointerException on getPublicKey after processing expired token
by Dmitry Korchemkin
Hello,
Just upgraded to 3.4.1.Final to check if my issues with
NullPointerException (and resulting 500 status) when using keycloak
spring-security-adapter and expired tokens would be gone. There's no more
an unexpected NullPointer from an empty kid value (fixed in KEYCLOAK-5636
<https://issues.jboss.org/browse/KEYCLOAK-5636>), but a problem still
remains.
This time it's publicKeyLocator being null in
AdapterRSATokenVerifier::getPublicKey. Somehow, after token was already
deemed inactive and TokenNotActiveException was already printed, there's a
second call to this method, this time with an empty deployment, and i'm
pretty sure it's not my code calling it. Since there's no null check on
locator field, it produces NullPointer upon trying to call
pkLocator.getPublicKey, even if kid is being checked for null.
Here's the first exception, the one i'm expecting:
2017-12-19 14:55:54,341 DEBUG XNIO-2 task-24 no_request_id
c.n.c.m.s.i.d.IdpConfigResolver - Error to validate token with public key
org.keycloak.exceptions.TokenNotActiveException: Token is not active
at org.keycloak.TokenVerifier$2.test(TokenVerifier.java:84)
at org.keycloak.TokenVerifier.verify(TokenVerifier.java:370)
at org.keycloak.RSATokenVerifier.verify(RSATokenVerifier.java:89)
at
org.keycloak.adapters.rotation.AdapterRSATokenVerifier.verifyToken(AdapterRSATokenVerifier.java:56)
at
security.idp.deployment.IdpConfigResolver.checkPublicKey(IdpConfigResolver.java:149)
at
security.idp.deployment.IdpConfigResolver.generateKeycloakDeploymentFromAuthorizationHeader(IdpConfigResolver.java:80)
at
security.idp.deployment.IdpConfigResolver.resolve(IdpConfigResolver.java:57)
at
org.keycloak.adapters.AdapterDeploymentContext.resolveDeployment(AdapterDeploymentContext.java:88)
at
org.keycloak.adapters.springsecurity.filter.KeycloakAuthenticationProcessingFilter.attemptAuthentication(KeycloakAuthenticationProcessingFilter.java:138)
at
org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:212)
at
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
at
org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:101)
at
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
at
org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:116)
at
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
at
org.keycloak.adapters.springsecurity.filter.KeycloakPreAuthActionsFilter.doFilter(KeycloakPreAuthActionsFilter.java:84)
at
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
at
org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:101)
at
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
at
org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:101)
at
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
at
org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:105)
at
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
at
org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:101)
at
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
at
org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:214)
at
org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:177)
at
org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:347)
at
org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:263)
at
io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
at
io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
at
org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:101)
at
io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
at
io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
at
org.springframework.web.filter.RequestContextFilter.doFilterInternal(RequestContextFilter.java:99)
at
org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
at
io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
at
io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
at
org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:101)
at
io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
at
io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
at
org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:101)
at
io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
at
io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
at
org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:101)
at
io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
at
io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
at
org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:101)
at
io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
at
io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
at
io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
at
io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
at
io.undertow.servlet.handlers.ServletChain$1.handleRequest(ServletChain.java:64)
at
io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at
io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:274)
at
io.undertow.servlet.handlers.ServletInitialHandler.dispatchToPath(ServletInitialHandler.java:209)
at
io.undertow.servlet.spec.RequestDispatcherImpl.forwardImpl(RequestDispatcherImpl.java:221)
at
io.undertow.servlet.spec.RequestDispatcherImpl.forwardImplSetup(RequestDispatcherImpl.java:147)
at
io.undertow.servlet.spec.RequestDispatcherImpl.forward(RequestDispatcherImpl.java:111)
at
org.springframework.web.servlet.view.InternalResourceView.renderMergedOutputModel(InternalResourceView.java:168)
at
org.springframework.web.servlet.view.AbstractView.render(AbstractView.java:303)
at
org.springframework.web.servlet.DispatcherServlet.render(DispatcherServlet.java:1286)
at
org.springframework.web.servlet.DispatcherServlet.processDispatchResult(DispatcherServlet.java:1041)
at
org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:984)
at
org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:901)
at
org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:970)
at
org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:861)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:687)
at
org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:846)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
at
io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
at
io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:81)
at
io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
at
io.undertow.servlet.handlers.ServletChain$1.handleRequest(ServletChain.java:64)
at
io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at
io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:274)
at
io.undertow.servlet.handlers.ServletInitialHandler.dispatchToPath(ServletInitialHandler.java:209)
at
io.undertow.servlet.spec.RequestDispatcherImpl.error(RequestDispatcherImpl.java:479)
at
io.undertow.servlet.spec.RequestDispatcherImpl.error(RequestDispatcherImpl.java:412)
at
io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:319)
at
io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81)
at
io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138)
at
io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135)
at
io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48)
at
io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
at
io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272)
at
io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
at
io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104)
at io.undertow.server.Connectors.executeRootHandler(Connectors.java:332)
at
io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:812)
at
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at java.lang.Thread.run(Thread.java:748)
However, it is immediately followed by this:
2017-12-19 14:55:54,343 ERROR XNIO-2 task-24 no_request_id i.u.request -
UT005022: Exception generating error page /error
org.springframework.web.util.NestedServletException: Request processing
failed; nested exception is java.lang.RuntimeException:
java.lang.NullPointerException
at
org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:982)
at
org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:861)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:687)
at
org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:846)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
at
io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
at
io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:81)
at
io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
at
io.undertow.servlet.handlers.ServletChain$1.handleRequest(ServletChain.java:64)
at
io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at
io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:274)
at
io.undertow.servlet.handlers.ServletInitialHandler.dispatchToPath(ServletInitialHandler.java:209)
at
io.undertow.servlet.spec.RequestDispatcherImpl.error(RequestDispatcherImpl.java:479)
at
io.undertow.servlet.spec.RequestDispatcherImpl.error(RequestDispatcherImpl.java:412)
at
io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:319)
at
io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81)
at
io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138)
at
io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135)
at
io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48)
at
io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
at
io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272)
at
io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
at
io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104)
at io.undertow.server.Connectors.executeRootHandler(Connectors.java:332)
at
io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:812)
at
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at java.lang.Thread.run(Thread.java:748)
Caused by: java.lang.RuntimeException: java.lang.NullPointerException
at
io.undertow.servlet.spec.RequestDispatcherImpl.forwardImpl(RequestDispatcherImpl.java:245)
at
io.undertow.servlet.spec.RequestDispatcherImpl.forwardImplSetup(RequestDispatcherImpl.java:147)
at
io.undertow.servlet.spec.RequestDispatcherImpl.forward(RequestDispatcherImpl.java:111)
at
org.springframework.web.servlet.view.InternalResourceView.renderMergedOutputModel(InternalResourceView.java:168)
at
org.springframework.web.servlet.view.AbstractView.render(AbstractView.java:303)
at
org.springframework.web.servlet.DispatcherServlet.render(DispatcherServlet.java:1286)
at
org.springframework.web.servlet.DispatcherServlet.processDispatchResult(DispatcherServlet.java:1041)
at
org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:984)
at
org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:901)
at
org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:970)
... 29 common frames omitted
Caused by: java.lang.NullPointerException: null
at
org.keycloak.adapters.rotation.AdapterRSATokenVerifier.getPublicKey(AdapterRSATokenVerifier.java:44)
at
org.keycloak.adapters.rotation.AdapterRSATokenVerifier.verifyToken(AdapterRSATokenVerifier.java:55)
at
org.keycloak.adapters.rotation.AdapterRSATokenVerifier.verifyToken(AdapterRSATokenVerifier.java:37)
at
org.keycloak.adapters.BearerTokenRequestAuthenticator.authenticateToken(BearerTokenRequestAuthenticator.java:87)
at
org.keycloak.adapters.BearerTokenRequestAuthenticator.authenticate(BearerTokenRequestAuthenticator.java:82)
at
org.keycloak.adapters.RequestAuthenticator.authenticate(RequestAuthenticator.java:68)
at
org.keycloak.adapters.springsecurity.filter.KeycloakAuthenticationProcessingFilter.attemptAuthentication(KeycloakAuthenticationProcessingFilter.java:147)
at
org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:212)
at
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
at
org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:101)
at
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
at
org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:116)
at
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
at
org.keycloak.adapters.springsecurity.filter.KeycloakPreAuthActionsFilter.doFilter(KeycloakPreAuthActionsFilter.java:84)
at
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
at
org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:101)
at
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
at
org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:101)
at
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
at
org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:105)
at
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
at
org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:101)
at
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
at
org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:214)
at
org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:177)
at
org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:347)
at
org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:263)
at
io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
at
io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
at
org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:101)
at
io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
at
io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
at
org.springframework.web.filter.RequestContextFilter.doFilterInternal(RequestContextFilter.java:99)
at
org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
at
io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
at
io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
at
org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:101)
at
io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
at
io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
at
org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:101)
at
io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
at
io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
at
org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:101)
at
io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
at
io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
at
org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:101)
at
io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
at
io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
at
io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
at
io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
at
io.undertow.servlet.handlers.ServletChain$1.handleRequest(ServletChain.java:64)
at
io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at
io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:274)
at
io.undertow.servlet.handlers.ServletInitialHandler.dispatchToPath(ServletInitialHandler.java:209)
at
io.undertow.servlet.spec.RequestDispatcherImpl.forwardImpl(RequestDispatcherImpl.java:221)
... 38 common frames omitted
Needless to say, i'm not expecting any error pages to be shown and i have
no idea where would keycloak get such a deployment that does not even have
keyLocator.
One place where i call AdapterRSATokenVerifier.verifyToken has a deployment
with explicitly set HardcodedPublicKeyLocator, which workes in every other
instance of token validation i've encountered so far.
I'd report this as a bug right away and make a request with a null check on
pkLocator, but somehow it seems the issue is not that simple, empty
deployment shouldn't be there in the first place. In the mean tiime, any
idea how can i get around this second verify() call or maybe disable the
/error page behaviour?
Best regards,
Dmitry
6 years, 4 months
How to check permissions on lot of resources
by Teddy CHAMBARD
Hello,
I'm trying to protect resources with keycloak, but I wonder how to protect millions...
I created successfully resources with the Protection API (UMA 2.0), and also created necessary permsions and policies with the Admin REST API.
What I would like to do is simply get the list of resources I should be able to access.
To simplify my needs, here is a simple example :
Bob asks for resource1 and resource2 throught entitlement API
Regarding my policies and permissions Bob only have rights on resource 1 but not on resource2.
I was thinking making a POST request with the following payload :
{
"permissions" : [
{
"resource_set_name" : "resource1"
}, {
"resource_set_name" : "resource2"
}
]
}
would return a RPT with the list of permitted resources (resource1), but I got 403 forbidden without the list of granted resources.
So, I know I could run two separated requests to get my authorizations, but when I have thousands of resources to check, I can't run thousands http requests on entitlement API.
The question is how can I filter the data I retrieved from my database with keycloak in order to get only granted data ?
Keycloak is wonderful, and I would really continue to use it despite this trouble that I encounter.
Thank you very much by advance for your help.
6 years, 4 months
Keycloak 3.4.0.Final - Can't secure an EAR
by Nicolas DUMINIL
Hello,
I'm using Keycloak 3.4.0.Final.
I have an EAR containing a WAR. The WAR contains REST services that I need
to secure. The Wildfly config is as follows:
<subsystem xmlns="urn:jboss:domain:keycloak:1.1">
<secure-deployment
name="customer-management.ear.customer-management-rest.war">
<realm>demo</realm>
<auth-server-url> <http://localhost:18080/auth>
http://localhost:18080/auth</auth-server-url>
<public-client>true</public-client>
<ssl-required>EXTERNAL</ssl-required>
<resource>customer-client</resource>
</secure-deployment>
</subsystem>
The notation I used for the <secure-deployment> element is
ear-name.ear.war-name.war. But it doesn't seem to work. It raises the
following exception:
Caused by: org.jboss.as.server.deployment.DeploymentUnitProcessingException:
WarMetaData not found for customer-management.ear. Make sure you have
specified a WAR as your secure-deployment in the Keycloak subsystem."},
I found this syntax by googling for solutions but it's probably wrong.
Please notice that I cannot used the JSON syntax.
Kind regards,
Nicolas DUMINIL
6 years, 4 months
