5:24 a.m.
Ok, thanks! I created https://issues.jboss.org/browse/KEYCLOAK-3576
On 14 Sep 2016, at 10:20, Marek Posolda <mposolda(a)redhat.com>
wrote:
It seems that for view/update UserFederation, we currently require permissions to
"view-users" or "manage-users" . This looks like a bug as admin, who
is able just to manage users, shouldn't be allowed to manage user federation
providers. It seems this should either be "view-realm" or
"manage-realm" or separate dedicated roles for user federation providers.
Could you please create JIRA?
Thanks,
Marek
On 14/09/16 09:41, Edgar Vonk - Info.nl wrote:
> Hi Marek,
>
> Very sorry, this was our fault. We were using an outdated and customized version of
the users.js file from Keycloak in our theme and this was causing the issue.
>
> We do now see a somewhat related issue in that our user admin accounts (with the
manage-users realm-management role) now also see the ‘Configure - User Federation’ menu
item and are actually able to change some (but not all) settings in our user federation
(and can even delete them I think). Maybe any ideas on how to make sure these users no
longer get access to Configure - User Federation?
>
> cheers
>
> Edgar
>
>
>> On 08 Sep 2016, at 14:04, Marek Posolda <mposolda(a)redhat.com> wrote:
>>
>> Hi Edgar,
>>
>> I was trying to reproduce, but wasn't able. The expected format to invoke
this endpoint should be
/auth/admin/realms/our-custom-realm/attack-detection/brute-force/users /{userId} so I
understand why it fails. But I am not seeing anything in admin console UI, which invokes
it from this format.
>>
>> Feel free to create JIRA if you find steps to reproduce it from clean KC.
>>
>> Marek
>>
>> On 07/09/16 13:33, Edgar Vonk - Info.nl wrote:
>>> Hi Marek,
>>>
>>> It’s the brute force detection REST endpoint that is causing the issue.
>>>
>>>
/auth/admin/realms/our-custom-realm/attack-detection/brute-force/users?username=edgar(a)info.nl
>>>
>>> gives a: “Failed to load resource: the server responded with a status of 405
(Method Not Allowed)"
>>>
>>>
>>>> On 07 Sep 2016, at 12:27, Edgar Vonk - Info.nl <Edgar(a)info.nl>
wrote:
>>>>
>>>> Hi Marek,
>>>>
>>>> Thanks for the quick reply. Sorry, forgot to mention that: I did also add
the view-users role. However the issue remains unfortunately.
>>>>
>>>> Will try to find the endpoint in question and report back!
>>>>
>>>> cheers
>>>>
>>>>> On 07 Sep 2016, at 11:24, Marek Posolda <mposolda(a)redhat.com>
wrote:
>>>>>
>>>>> I guess you need to add "view-users" role as well?
>>>>>
>>>>> For tracking, you can try to enable FF plugin like Firebug (or
similar in Chrome) and see what REST endpoint exactly returns 405 and what role it
requires.
>>>>>
>>>>> Marek
>>>>>
>>>>> On 07/09/16 10:55, Edgar Vonk - Info.nl wrote:
>>>>>> Using a specific user admin account that is part of our Keycloak
customers realm (not the master realm) with permissions to edit users only (manage-users
realm-management role) whenever I click on a user in the Keycloak admin interface (Manage
- Users) I get a "Error! An unexpected server error has occurred” with the stacktrace
below in the logs. All actions do seem to work properly however. It also happens when I
create a user, but also there the user is created just fine it seems.
>>>>>>
>>>>>> I am guessing it is a permission issue on some REST endpoint in
the admin interface or something?
>>>>>>
>>>>>>
>>>>>> [0m[31m08:14:06,715 ERROR
[org.jboss.resteasy.resteasy_jaxrs.i18n] (default task-40) RESTEASY002010: Failed to
execute: javax.ws.rs.NotAllowedException: RESTEASY003650: No resource method found for
GET, return 405 with Allow header
>>>>>> at
org.jboss.resteasy.core.registry.SegmentNode.match(SegmentNode.java:377)
>>>>>> at
org.jboss.resteasy.core.registry.SegmentNode.match(SegmentNode.java:116)
>>>>>> at
org.jboss.resteasy.core.registry.RootNode.match(RootNode.java:43)
>>>>>> at
org.jboss.resteasy.core.LocatorRegistry.getResourceInvoker(LocatorRegistry.java:79)
>>>>>> at
org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:129)
>>>>>> at
org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107)
>>>>>> at
org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133)
>>>>>> at
org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107)
>>>>>> at
org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133)
>>>>>> at
org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101)
>>>>>> at
org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:395)
>>>>>> at
org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:202)
>>>>>> at
org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221)
>>>>>> at
org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
>>>>>> at
org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
>>>>>> at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
>>>>>> at
io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
>>>>>> at
io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
>>>>>> at
org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90)
>>>>>> at
io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
>>>>>> at
io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
>>>>>> at
io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
>>>>>> at
io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
>>>>>> at
io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
>>>>>> at
org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
>>>>>> at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>>>>>> at
io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
>>>>>> at
io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
>>>>>> at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>>>>>> at
io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
>>>>>> at
io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
>>>>>> at
io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
>>>>>> at
io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
>>>>>> at
io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
>>>>>> at
io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
>>>>>> at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>>>>>> at
org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
>>>>>> at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>>>>>> at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>>>>>> at
io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284)
>>>>>> at
io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263)
>>>>>> at
io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
>>>>>> at
io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174)
>>>>>> at
io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
>>>>>> at
io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793)
>>>>>> at
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>>>>>> at
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>>>>>> at java.lang.Thread.run(Thread.java:745)
>>>>>>
>>>>>> _______________________________________________
>>>>>> keycloak-user mailing list
>>>>>> keycloak-user(a)lists.jboss.org
>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>> _______________________________________________
>>>> keycloak-user mailing list
>>>> keycloak-user(a)lists.jboss.org
>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>