Hi Nicolas,
The secure deployment name attribute should match your module-name in the
web.xml in your WAR, with .war appended.
In your case it should be something like customer-management-rest.war,
assuming you have the following in your web.xml:

    <module-name>customer-management-rest</module-name>

Darrell
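
The naming rule from the reply above, as an added example that is not part of the original mail or of Keycloak: a small Python check that compares each secure-deployment name in the Keycloak subsystem with the WAR's module-name plus .war. The function names, the status labels, the sample web.xml and the fallback to the WAR file name when no module-name is declared are assumptions of this example; the subsystem block is the one quoted in the question further down.

```python
import xml.etree.ElementTree as ET

# Subsystem block as quoted in the question (the EAR-qualified name that failed).
SUBSYSTEM_XML = """
<subsystem xmlns="urn:jboss:domain:keycloak:1.1">
  <secure-deployment name="customer-management.ear.customer-management-rest.war">
    <realm>demo</realm>
    <auth-server-url>http://localhost:18080/auth</auth-server-url>
    <public-client>true</public-client>
    <ssl-required>EXTERNAL</ssl-required>
    <resource>customer-client</resource>
  </secure-deployment>
</subsystem>
"""

# Constructed web.xml for the WAR; only <module-name> matters for this check.
WEB_XML = """
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <module-name>customer-management-rest</module-name>
</web-app>
"""


def _local(tag):
    """Strip an XML namespace prefix: '{ns}name' -> 'name'."""
    return tag.rsplit("}", 1)[-1]


def expected_name(web_xml, war_file_name):
    """Name the reply says secure-deployment must carry: <module-name> + '.war'.

    Assumption of this example: with no <module-name> in web.xml, fall back
    to the WAR file name.
    """
    root = ET.fromstring(web_xml.strip())
    for child in root:
        if _local(child.tag) == "module-name" and (child.text or "").strip():
            return child.text.strip() + ".war"
    return war_file_name


def secure_deployment_names(subsystem_xml):
    """Return the name attribute of every <secure-deployment> element."""
    root = ET.fromstring(subsystem_xml.strip())
    return [el.get("name", "") for el in root.iter()
            if _local(el.tag) == "secure-deployment"]


def lint(subsystem_xml, web_xml, war_file_name):
    """Return (name, status) findings for one WAR against the subsystem config."""
    want = expected_name(web_xml, war_file_name)
    names = secure_deployment_names(subsystem_xml)
    findings = []
    for name in names:
        if name == want:
            findings.append((name, "ok"))
        elif name.endswith(".ear." + want):
            # The 'ear-name.ear.war-name.war' notation from the question.
            findings.append((name, "ear-qualified"))
        else:
            findings.append((name, "mismatch"))
    if want not in names:
        # No entry carries the WAR's own name, so none applies to it.
        findings.append((want, "missing-entry"))
    return findings


if __name__ == "__main__":
    war = "customer-management-rest.war"
    print("as posted:")
    for name, status in lint(SUBSYSTEM_XML, WEB_XML, war):
        print(f"  {status:14} {name}")
    fixed = SUBSYSTEM_XML.replace("customer-management.ear.", "")
    print("with the name from the reply:")
    for name, status in lint(fixed, WEB_XML, war):
        print(f"  {status:14} {name}")
```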
On 20 December 2017 at 07:34, <keycloak-user-request(a)lists.jboss.org> wrote:
Today's Topics:
1. Re: Prevent federated users from setting a password (Rens Verhage)
2. Re: Failed to initialize in KC 3.4 (Bob McWhirter)
3. Keycloak 3.4.0.Final - Can't secure an EAR (Nicolas DUMINIL)
4. How to check permissions on lot of resources (Teddy CHAMBARD)
5. AdapterRsaTokenVerifier throws NullPointerException on
getPublicKey after processing expired token (Dmitry Korchemkin)
----------------------------------------------------------------------
Message: 1
Date: Tue, 19 Dec 2017 07:56:32 +0000
From: Rens Verhage <Rens.Verhage(a)topicus.nl>
Subject: Re: [keycloak-user] Prevent federated users from setting a
password
To: "keycloak-user(a)lists.jboss.org" <keycloak-user(a)lists.jboss.org>
Message-ID: <94BBDF41-9A45-4F30-B5C0-2AE3387BF63A(a)topicus.nl>
Content-Type: text/plain; charset="utf-8"
Sat down with a colleague and did some out of the box thinking. Came up
with a solution that works best for us: set up 2 realms, A and B. A
contains all users that log in with username and password and is an
identity provider to realm B. This way we have levelled the playing field,
in B all users log in through an IdP and we can treat them all the same.
Rens
On 18 Dec 2017, at 12:19, Rens Verhage <Rens.Verhage(a)topicus.nl> wrote:
Hi all,
We're implementing Keycloak in an existing multi-tenant application and
have to make a choice: 1 realm for all our tenants or each tenant its own
realm?
From an administrator's point of view, one single realm for all user
accounts seems a good choice. However, there is one important requirement
that until now, we haven't been able to fulfil this way:
A tenant might choose to let their users log in through an external
identity provider, ADFS will be fairly common. Users that will log in this
way will be required to always do so and therefore are not allowed to set a
password in Keycloak. Deleting a user will be as easy as removing the user
from the Active Directory.
However, not all tenants will have their own identity provider. For these
tenants, users must be able to log in with a username and password. They
also get a forgot password link, so they can reset their password once
forgotten. Now that raises a problem. Users that log in through their
identity provider can use this link to set a password and thus bypass their
identity provider. Should such a user be removed from the AD, he or she can
still log in using this password.
Can we somehow prevent federated identities from ever setting a password?
Or is this not possible and are we forced to set up multiple realms?
Rens
_______________________________________________
keycloak-user mailing list
keycloak-user@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
------------------------------
Message: 2
Date: Tue, 19 Dec 2017 09:28:50 -0500
From: Bob McWhirter <bmcwhirt(a)redhat.com>
Subject: Re: [keycloak-user] Failed to initialize in KC 3.4
To: Abhishek Koserwal <akoserwa(a)redhat.com>
Cc: keycloak-user <keycloak-user(a)lists.jboss.org>
Message-ID: <CA+45JvEmMJ_=3LBWHNrWqoC5Huy1Dv+9mK42a38TJHxTPmxk_Q@mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"
And you may wish to use a fully-qualified rooted path to keycloak.json, if
you're doing a single-page-app with browser-based routing, as it seems to
look for the argument relative to the current window location, which may
not be / when doing SPAs. Using an absolute path works in that case, such
as '/keycloak.json'
-Bob
On Mon, Dec 18, 2017 at 1:55 AM, Abhishek Koserwal <akoserwa(a)redhat.com>
wrote:
> You need to instantiate like this, it will work.
>
> var keycloak = Keycloak('keycloak.json');
>
> I tested with KC 3.4.1.
>
> Thanks
>
>
> On Thu, Dec 14, 2017 at 6:08 PM, Marek Posolda <mposolda(a)redhat.com>
> wrote:
>
> > The best is likely to look at Keycloak quickstart/examples for JS
> > adapter and compare what is different.
> >
> > Marek
> >
> > On 12/12/17 10:45, Corentin Dupont wrote:
> > > Hi guys,
> > >
> > > I use this code in my javascript application:
> > >
> > > >     var keycloak = Keycloak();
> > > >     keycloak.init().success(function(authenticated) {
> > > >         alert(authenticated ? 'authenticated' : 'not authenticated');
> > > >     }).error(function() {
> > > >         alert('failed to initialize');
> > > >     });
> > > >
> > > > Since I updated Keycloak I get the message 'failed to initialize'.
> > > > It was working well with the previous version of KC 3.2.
> > >
> > > What could it be? How can I get a better error message?
> > >
> > >
> > > Thanks!
>
> --
> Regards,
> Abhishek Koserwal
> Software Application Engineer, ADS
> Red Hat (Pune, India)
> IRC: akoserwa
>
> The capacity to learn is a gift; The ability to learn is a skill; The
> willingness to learn is a choice -- Brian Herbert
------------------------------
Message: 3
Date: Tue, 19 Dec 2017 17:26:22 +0100
From: "Nicolas DUMINIL" <nicolas.duminil(a)simplex-software.fr>
Subject: [keycloak-user] Keycloak 3.4.0.Final - Can't secure an EAR
To: <keycloak-user(a)lists.jboss.org>
Message-ID: <00c001d378e6$1c40db20$54c29160$(a)simplex-software.fr>
Content-Type: text/plain; charset="us-ascii"
Hello,
I'm using Keycloak 3.4.0.Final.
I have an EAR containing a WAR. The WAR contains REST services that I need
to secure. The Wildfly config is as follows:
<subsystem xmlns="urn:jboss:domain:keycloak:1.1">
    <secure-deployment name="customer-management.ear.customer-management-rest.war">
        <realm>demo</realm>
        <auth-server-url>http://localhost:18080/auth</auth-server-url>
        <public-client>true</public-client>
        <ssl-required>EXTERNAL</ssl-required>
        <resource>customer-client</resource>
    </secure-deployment>
</subsystem>
The notation I used for the <secure-deployment> element is
ear-name.ear.war-name.war. But it doesn't seem to work. It raises the
following exception:
Caused by: org.jboss.as.server.deployment.DeploymentUnitProcessingException:
WarMetaData not found for customer-management.ear. Make sure you have
specified a WAR as your secure-deployment in the Keycloak subsystem."},
I found this syntax by googling for solutions but it's probably wrong.
Please notice that I cannot use the JSON syntax.
Kind regards,
Nicolas DUMINIL
------------------------------
Message: 4
Date: Tue, 19 Dec 2017 17:50:33 +0000
From: Teddy CHAMBARD <t.chambard(a)bee-buzziness.com>
Subject: [keycloak-user] How to check permissions on lot of resources
To: "keycloak-user(a)lists.jboss.org" <keycloak-user(a)lists.jboss.org>
Cc: TeamScalabilite <TeamScalabilite(a)bee-buzziness.com>
Message-ID: <1a4a5599db2c4bf69934aa23bf53e77c(a)BBUZ-EXCH01.bbuzg.net>
Content-Type: text/plain; charset="us-ascii"
Hello,
I'm trying to protect resources with keycloak, but I wonder how to protect
millions...
I created successfully resources with the Protection API (UMA 2.0), and
also created necessary permissions and policies with the Admin REST API.
What I would like to do is simply get the list of resources I should be
able to access.
To simplify my needs, here is a simple example:
Bob asks for resource1 and resource2 through entitlement API
Regarding my policies and permissions Bob only has rights on resource1
but not on resource2.
I was thinking making a POST request with the following payload:

    {
        "permissions" : [
            {
                "resource_set_name" : "resource1"
            }, {
                "resource_set_name" : "resource2"
            }
        ]
    }

would return a RPT with the list of permitted resources (resource1), but I
got 403 forbidden without the list of granted resources.
So, I know I could run two separate requests to get my authorizations,
but when I have thousands of resources to check, I can't run thousands of http
requests on entitlement API.
The question is how can I filter the data I retrieved from my database
with keycloak in order to get only granted data?
Keycloak is wonderful, and I would really continue to use it despite this
trouble that I encounter.
Thank you very much in advance for your help.
------------------------------
Message: 5
Date: Tue, 19 Dec 2017 21:34:15 +0300
From: Dmitry Korchemkin <moon3854(a)gmail.com>
Subject: [keycloak-user] AdapterRsaTokenVerifier throws
NullPointerException on getPublicKey after processing expired token
To: keycloak-user <keycloak-user(a)lists.jboss.org>
Message-ID: <CAHpfDHM4=8fZu0niEhg2f4+MNjTDc2HEwixF-fNMnid3C-iF5A@mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"
Hello,
Just upgraded to 3.4.1.Final to check if my issues with
NullPointerException (and resulting 500 status) when using keycloak
spring-security-adapter and expired tokens would be gone. There's no more
an unexpected NullPointer from an empty kid value (fixed in KEYCLOAK-5636
<https://issues.jboss.org/browse/KEYCLOAK-5636>), but a problem still
remains.
This time it's publicKeyLocator being null in
AdapterRSATokenVerifier::getPublicKey. Somehow, after token was already
deemed inactive and TokenNotActiveException was already printed, there's a
second call to this method, this time with an empty deployment, and I'm
pretty sure it's not my code calling it. Since there's no null check on
locator field, it produces NullPointer upon trying to call
pkLocator.getPublicKey, even if kid is being checked for null.
Here's the first exception, the one I'm expecting:
2017-12-19 14:55:54,341 DEBUG XNIO-2 task-24 no_request_id c.n.c.m.s.i.d.IdpConfigResolver - Error to validate token with public key
org.keycloak.exceptions.TokenNotActiveException: Token is not active
    at org.keycloak.TokenVerifier$2.test(TokenVerifier.java:84)
    at org.keycloak.TokenVerifier.verify(TokenVerifier.java:370)
    at org.keycloak.RSATokenVerifier.verify(RSATokenVerifier.java:89)
    at org.keycloak.adapters.rotation.AdapterRSATokenVerifier.verifyToken(AdapterRSATokenVerifier.java:56)
    at security.idp.deployment.IdpConfigResolver.checkPublicKey(IdpConfigResolver.java:149)
    at security.idp.deployment.IdpConfigResolver.generateKeycloakDeploymentFromAuthorizationHeader(IdpConfigResolver.java:80)
    at security.idp.deployment.IdpConfigResolver.resolve(IdpConfigResolver.java:57)
    at org.keycloak.adapters.AdapterDeploymentContext.resolveDeployment(AdapterDeploymentContext.java:88)
    at org.keycloak.adapters.springsecurity.filter.KeycloakAuthenticationProcessingFilter.attemptAuthentication(KeycloakAuthenticationProcessingFilter.java:138)
    at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:212)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:101)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
    at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:116)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
    at org.keycloak.adapters.springsecurity.filter.KeycloakPreAuthActionsFilter.doFilter(KeycloakPreAuthActionsFilter.java:84)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:101)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:101)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
    at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:105)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:101)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
    at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:214)
    at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:177)
    at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:347)
    at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:263)
    at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
    at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:101)
    at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
    at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
    at org.springframework.web.filter.RequestContextFilter.doFilterInternal(RequestContextFilter.java:99)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
    at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
    at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:101)
    at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
    at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:101)
    at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
    at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:101)
    at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
    at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:101)
    at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
    at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
    at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
    at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
    at io.undertow.servlet.handlers.ServletChain$1.handleRequest(ServletChain.java:64)
    at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:274)
    at io.undertow.servlet.handlers.ServletInitialHandler.dispatchToPath(ServletInitialHandler.java:209)
    at io.undertow.servlet.spec.RequestDispatcherImpl.forwardImpl(RequestDispatcherImpl.java:221)
    at io.undertow.servlet.spec.RequestDispatcherImpl.forwardImplSetup(RequestDispatcherImpl.java:147)
    at io.undertow.servlet.spec.RequestDispatcherImpl.forward(RequestDispatcherImpl.java:111)
    at org.springframework.web.servlet.view.InternalResourceView.renderMergedOutputModel(InternalResourceView.java:168)
    at org.springframework.web.servlet.view.AbstractView.render(AbstractView.java:303)
    at org.springframework.web.servlet.DispatcherServlet.render(DispatcherServlet.java:1286)
    at org.springframework.web.servlet.DispatcherServlet.processDispatchResult(DispatcherServlet.java:1041)
    at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:984)
    at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:901)
    at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:970)
    at org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:861)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:687)
    at org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:846)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
    at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
    at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:81)
    at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
    at io.undertow.servlet.handlers.ServletChain$1.handleRequest(ServletChain.java:64)
    at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:274)
    at io.undertow.servlet.handlers.ServletInitialHandler.dispatchToPath(ServletInitialHandler.java:209)
    at io.undertow.servlet.spec.RequestDispatcherImpl.error(RequestDispatcherImpl.java:479)
    at io.undertow.servlet.spec.RequestDispatcherImpl.error(RequestDispatcherImpl.java:412)
    at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:319)
    at io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81)
    at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138)
    at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135)
    at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48)
    at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
    at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272)
    at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
    at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104)
    at io.undertow.server.Connectors.executeRootHandler(Connectors.java:332)
    at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:812)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    at java.lang.Thread.run(Thread.java:748)
However, it is immediately followed by this:
2017-12-19 14:55:54,343 ERROR XNIO-2 task-24 no_request_id i.u.request - UT005022: Exception generating error page /error
org.springframework.web.util.NestedServletException: Request processing failed; nested exception is java.lang.RuntimeException: java.lang.NullPointerException
    at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:982)
    at org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:861)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:687)
    at org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:846)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
    at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
    at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:81)
    at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
    at io.undertow.servlet.handlers.ServletChain$1.handleRequest(ServletChain.java:64)
    at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:274)
    at io.undertow.servlet.handlers.ServletInitialHandler.dispatchToPath(ServletInitialHandler.java:209)
    at io.undertow.servlet.spec.RequestDispatcherImpl.error(RequestDispatcherImpl.java:479)
    at io.undertow.servlet.spec.RequestDispatcherImpl.error(RequestDispatcherImpl.java:412)
    at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:319)
    at io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81)
    at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138)
    at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135)
    at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48)
    at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
    at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272)
    at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
    at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104)
    at io.undertow.server.Connectors.executeRootHandler(Connectors.java:332)
    at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:812)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    at java.lang.Thread.run(Thread.java:748)
Caused by: java.lang.RuntimeException: java.lang.NullPointerException
    at io.undertow.servlet.spec.RequestDispatcherImpl.forwardImpl(RequestDispatcherImpl.java:245)
    at io.undertow.servlet.spec.RequestDispatcherImpl.forwardImplSetup(RequestDispatcherImpl.java:147)
    at io.undertow.servlet.spec.RequestDispatcherImpl.forward(RequestDispatcherImpl.java:111)
    at org.springframework.web.servlet.view.InternalResourceView.renderMergedOutputModel(InternalResourceView.java:168)
    at org.springframework.web.servlet.view.AbstractView.render(AbstractView.java:303)
    at org.springframework.web.servlet.DispatcherServlet.render(DispatcherServlet.java:1286)
    at org.springframework.web.servlet.DispatcherServlet.processDispatchResult(DispatcherServlet.java:1041)
    at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:984)
    at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:901)
    at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:970)
    ... 29 common frames omitted
Caused by: java.lang.NullPointerException: null
    at org.keycloak.adapters.rotation.AdapterRSATokenVerifier.getPublicKey(AdapterRSATokenVerifier.java:44)
    at org.keycloak.adapters.rotation.AdapterRSATokenVerifier.verifyToken(AdapterRSATokenVerifier.java:55)
    at org.keycloak.adapters.rotation.AdapterRSATokenVerifier.verifyToken(AdapterRSATokenVerifier.java:37)
    at org.keycloak.adapters.BearerTokenRequestAuthenticator.authenticateToken(BearerTokenRequestAuthenticator.java:87)
    at org.keycloak.adapters.BearerTokenRequestAuthenticator.authenticate(BearerTokenRequestAuthenticator.java:82)
    at org.keycloak.adapters.RequestAuthenticator.authenticate(RequestAuthenticator.java:68)
    at org.keycloak.adapters.springsecurity.filter.KeycloakAuthenticationProcessingFilter.attemptAuthentication(KeycloakAuthenticationProcessingFilter.java:147)
    at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:212)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:101)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
    at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:116)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
    at org.keycloak.adapters.springsecurity.filter.KeycloakPreAuthActionsFilter.doFilter(KeycloakPreAuthActionsFilter.java:84)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:101)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:101)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
    at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:105)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:101)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
    at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:214)
    at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:177)
    at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:347)
    at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:263)
    at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
    at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:101)
    at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
    at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
    at org.springframework.web.filter.RequestContextFilter.doFilterInternal(RequestContextFilter.java:99)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
    at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
    at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:101)
    at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
    at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:101)
    at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
    at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:101)
    at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
    at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:101)
    at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
    at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
    at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
    at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
    at io.undertow.servlet.handlers.ServletChain$1.handleRequest(ServletChain.java:64)
    at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:274)
    at io.undertow.servlet.handlers.ServletInitialHandler.dispatchToPath(ServletInitialHandler.java:209)
    at io.undertow.servlet.spec.RequestDispatcherImpl.forwardImpl(RequestDispatcherImpl.java:221)
    ... 38 common frames omitted
Needless to say, I'm not expecting any error pages to be shown and I have
no idea where would keycloak get such a deployment that does not even have
keyLocator.
One place where I call AdapterRSATokenVerifier.verifyToken has a deployment
with explicitly set HardcodedPublicKeyLocator, which works in every other
instance of token validation I've encountered so far.
I'd report this as a bug right away and make a request with a null check on
pkLocator, but somehow it seems the issue is not that simple, empty
deployment shouldn't be there in the first place. In the mean time, any
idea how can I get around this second verify() call or maybe disable the
/error page behaviour?
Best regards,
Dmitry
------------------------------
End of keycloak-user Digest, Vol 48, Issue 29
*********************************************