Sorry for late response. We were all traveling last week for face to
face meetings.
Check out this:
Look for KeycloakLoginModule. You have to set this up in order to
propagate between component layers. I wish we didn't have to require
this extra step, but it's just a fallacy of the current Wildfly security
architecture.
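As an added example (not from the thread and not Keycloak project code), here is a small check of whether the identity the adapter establishes in the WAR actually crosses into an EJB bound to the same "keycloak" security domain. It assumes the WAR is protected by a security-constraint with auth-method KEYCLOAK in web.xml and uses the jboss-web.xml, jboss-ejb3.xml and standalone security-domain shown further down in the thread; the names WhoAmI, WhoAmIBean, WhoAmIServlet and the role name "user" are hypothetical.

```java
// --- WhoAmI.java (ejb jar inside the EAR) ---
// Hypothetical local interface; names are assumptions, not from the thread.
package com.example.whoami;

import javax.ejb.Local;

@Local
public interface WhoAmI {
    String callerName();
    boolean callerHasRole(String role);
}

// --- WhoAmIBean.java (ejb jar inside the EAR) ---
package com.example.whoami;

import java.security.Principal;
import javax.annotation.Resource;
import javax.annotation.security.PermitAll;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;
import org.jboss.ejb3.annotation.SecurityDomain;

@Stateless
@SecurityDomain("keycloak")   // same domain the WAR uses, so KeycloakLoginModule runs here too
public class WhoAmIBean implements WhoAmI {

    @Resource
    private SessionContext ctx;

    @PermitAll
    @Override
    public String callerName() {
        // If the web-layer identity did not propagate, the container throws
        // EJBAccessException ("Invalid User") before this body runs at all.
        Principal p = ctx.getCallerPrincipal();
        return p == null ? "<none>" : p.getName();
    }

    @PermitAll
    @Override
    public boolean callerHasRole(String role) {
        return ctx.isCallerInRole(role);
    }
}

// --- WhoAmIServlet.java (WAR inside the EAR) ---
package com.example.whoami;

import java.io.IOException;
import java.io.PrintWriter;
import java.security.Principal;
import javax.ejb.EJB;
import javax.ejb.EJBAccessException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.keycloak.KeycloakSecurityContext;

@WebServlet("/whoami")
public class WhoAmIServlet extends HttpServlet {

    @EJB
    private WhoAmI whoAmI;

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        resp.setContentType("text/plain");
        PrintWriter out = resp.getWriter();

        // 1. What the web container sees: the principal the adapter installed.
        Principal webPrincipal = req.getUserPrincipal();
        out.println("web principal : " + (webPrincipal == null ? "<none>" : webPrincipal.getName()));

        // 2. Keycloak's own view: the adapter stores its context as a request attribute.
        KeycloakSecurityContext ksc =
            (KeycloakSecurityContext) req.getAttribute(KeycloakSecurityContext.class.getName());
        out.println("token subject : " + (ksc == null ? "<no KeycloakSecurityContext>"
                                                       : ksc.getToken().getPreferredUsername()));

        // 3. What the EJB layer sees after crossing the component boundary.
        try {
            out.println("ejb principal : " + whoAmI.callerName());
            out.println("ejb has 'user': " + whoAmI.callerHasRole("user"));
        } catch (EJBAccessException e) {
            // This is the JBAS013323 symptom from the thread: the EJB's security
            // domain produced no identity for the invocation.
            out.println("ejb call failed: " + e.getMessage());
        }
    }
}
```

Hit /whoami after logging in. If the first two lines show a user but the third reports "ejb call failed", the web layer is fine and the break is in the EJB's security domain (missing KeycloakLoginModule, or a different domain name than the one in jboss-web.xml); if all three agree, propagation works and any remaining denial is a role or method-permission problem.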
On 3/18/2016 10:31 AM, Firdos Ali wrote:
The EJB is called from the server-side web app. This is a legacy app
using Struts, so after the user logs in from keycloak they are
redirected back to the webapp. The web application has access to the
user, however the EJB does not find a user and throws back the error.
I have the following in my jboss-web.xml:
<?xml version="1.0" encoding="UTF-8"?>
<jboss-web>
    <security-domain>java:/jaas/keycloak</security-domain>
</jboss-web>
I have the following in my jboss-ejb3.xml:
<?xml version="1.0" encoding="UTF-8"?>
<jboss:ejb-jar
    xmlns="http://java.sun.com/xml/ns/javaee"
    xmlns:jboss="http://www.jboss.com/xml/ns/javaee"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:s="urn:security:1.1"
    version="3.1" impl-version="2.0">
    <assembly-descriptor>
        <s:security>
            <ejb-name>*</ejb-name>
            <s:security-domain>keycloak</s:security-domain>
            <s:run-as-principal></s:run-as-principal>
            <s:missing-method-permissions-deny-access>true</s:missing-method-permissions-deny-access>
        </s:security>
    </assembly-descriptor>
</jboss:ejb-jar>
From: Stian Thorgersen [mailto:sthorger@redhat.com]
Sent: Friday, March 18, 2016 7:05 AM
To: Firdos Ali <ali(a)affordabletours.com>
Cc: keycloak-user <keycloak-user(a)lists.jboss.org>; Stian Thorgersen <stian(a)redhat.com>
Subject: RE: [keycloak-user] EJB Invalid User + Log Out not working
How is the ejb being called? From jax-rs service or server-side web
app? For there to be a user you need to be authenticated as a user so
either the server-side webapp has redirected to login page or there is
a bearer token included in the authorisation header of the http request.
On 15 Mar 2016 17:58, "Firdos Ali" <ali(a)affordabletours.com> wrote:
Thank you for the prompt response.
I moved to keycloak 1.9.1 both on the server and updated the adapter,
however it is still not working. Let me clarify a few other things
and hopefully that will provide some additional context.
We put our project in an ear file which contains one jar file
inclusive of the stateless ejbs, one war file, and a few other
supporting jar files.
The war file has the keycloak.json with the following:
{
    "realm": "affordabletours",
    "realm-public-key": "some key",
    "auth-server-url": "http://10.0.0.1:8080/auth",
    "ssl-required": "external",
    "resource": "keycloaktest",
    "credentials": {
        "secret": "some secret"
    }
}
Are you suggesting that I change the resource “keycloaktest” access
type from ‘confidential’ to ‘bearer-only’? If so, I tried that and
unfortunately that did not work. I guess my confusion is how the jar
file with the EJBs would be aware of the security context when it is
only at the WAR level? Thanks
From: Stian Thorgersen [mailto:sthorger@redhat.com]
Sent: Friday, March 11, 2016 12:29 AM
To: Firdos Ali <ali(a)affordabletours.com>
Cc: keycloak-user <keycloak-user(a)lists.jboss.org>
Subject: Re: [keycloak-user] EJB Invalid User + Log Out not working
On 10 March 2016 at 20:19, Firdos Ali <ali(a)affordabletours.com> wrote:
Hello,
I am having a few problems with Keycloak. Let me first start with
the environment information:
Keycloak version: 1.9.0
Keycloak wildfly version: 10.0.0
Application wildfly version: 8.0.0
Problem 1: EJB error - javax.ejb.EJBAccessException: JBAS013323:
Invalid User
I have followed the documentation by adding the keycloak adapter
to the application wildfly 8.0 and my server.xml has the following:
<extensions>
    ….
    <extension module="org.keycloak.keycloak-adapter-subsystem"/>
</extensions>
<profile>
    <subsystem xmlns="urn:jboss:domain:security:1.2">
        <security-domains>
            ….
            <security-domain name="keycloak">
                <authentication>
                    <login-module code="org.keycloak.adapters.jboss.KeycloakLoginModule"
                                  flag="required"/>
                </authentication>
            </security-domain>
        </security-domains>
    </subsystem>
    …
    <subsystem xmlns="urn:jboss:domain:keycloak:1.1"/>
</profile>
MyEJB:
import javax.annotation.security.PermitAll;
import javax.ejb.Local;
import javax.ejb.Stateless;
import javax.ejb.TransactionAttribute;
import javax.ejb.TransactionAttributeType;
import org.jboss.ejb3.annotation.SecurityDomain;

@Stateless
@Local(MyInt.class)
@SecurityDomain("keycloak")   // bean is bound to the "keycloak" security domain
public class MyBean implements MyInt {
    ...
    @PermitAll                // any authenticated caller may invoke this method
    @TransactionAttribute(TransactionAttributeType.REQUIRES_NEW)
    public boolean myMethod(...) throws Exception {
        ...
    }
}
At the moment I am not using jboss-ejb3.xml as I reference the
security domain in my EJB class. I added it and it did not help out.
Stacktrace:
ERROR [org.jboss.as.ejb3.invocation] (default task-13) JBAS014134: EJB Invocation failed on component MyBean for method public abstract boolean com.at.ejb.MyInt.myMethod(…) throws java.lang.Exception: javax.ejb.EJBAccessException: JBAS013323: Invalid User
    at org.jboss.as.ejb3.security.SecurityContextInterceptor$1.run(SecurityContextInterceptor.java:66) [wildfly-ejb3-8.0.0.Final.jar:8.0.0.Final]
    at org.jboss.as.ejb3.security.SecurityContextInterceptor$1.run(SecurityContextInterceptor.java:46) [wildfly-ejb3-8.0.0.Final.jar:8.0.0.Final]
    at org.jboss.as.ejb3.security.SecurityContextInterceptor.processInvocation(SecurityContextInterceptor.java:92) [wildfly-ejb3-8.0.0.Final.jar:8.0.0.Final]
    at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:309)
    at org.jboss.as.ejb3.component.interceptors.ShutDownInterceptorFactory$1.processInvocation(ShutDownInterceptorFactory.java:64) [wildfly-ejb3-8.0.0.Final.jar:8.0.0.Final]
    at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:309)
    at org.jboss.as.ejb3.component.interceptors.LoggingInterceptor.processInvocation(LoggingInterceptor.java:59) [wildfly-ejb3-8.0.0.Final.jar:8.0.0.Final]
    at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:309)
    at org.jboss.as.ee.component.NamespaceContextInterceptor.processInvocation(NamespaceContextInterceptor.java:50)
    at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:309)
    at org.jboss.as.ejb3.component.interceptors.AdditionalSetupInterceptor.processInvocation(AdditionalSetupInterceptor.java:55) [wildfly-ejb3-8.0.0.Final.jar:8.0.0.Final]
    at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:309)
    at org.jboss.invocation.ContextClassLoaderInterceptor.processInvocation(ContextClassLoaderInterceptor.java:64)
    at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:309)
    at org.jboss.invocation.InterceptorContext.run(InterceptorContext.java:326)
    at org.wildfly.security.manager.WildFlySecurityManager.doChecked(WildFlySecurityManager.java:448)
    at org.jboss.invocation.AccessCheckingInterceptor.processInvocation(AccessCheckingInterceptor.java:61)
    at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:309)
    at org.jboss.invocation.InterceptorContext.run(InterceptorContext.java:326)
    at org.jboss.invocation.PrivilegedWithCombinerInterceptor.processInvocation(PrivilegedWithCombinerInterceptor.java:80)
    at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:309)
    at org.jboss.invocation.ChainedInterceptor.processInvocation(ChainedInterceptor.java:61)
    at org.jboss.as.ee.component.ViewService$View.invoke(ViewService.java:185)
    at org.jboss.as.ee.component.ViewDescription$1.processInvocation(ViewDescription.java:182)
    at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:309)
Is there something I am missing from the documentation? Any
thoughts how to resolve this issue?
Is there a bearer token sent with the request that invokes the EJB? If
so try with 1.9.1. Could be
https://issues.jboss.org/browse/KEYCLOAK-2518 fixes this.
Problem 2: Unable to log out a user from keycloak administration
console:
After I click “Logout” on the administration console in Keycloak,
I see the following error on the keycloak server:
ERROR [io.undertow.request] (default task-26) UT005023: Exception handling request to /auth/admin/realms/affordabletours/sessions/f1e69f90-03fc-453d-a495-225bb0c429ab: org.jboss.resteasy.spi.UnhandledException: java.lang.NoSuchMethodError: org.apache.http.impl.client.HttpClientBuilder.setConnectionTimeToLive(JLjava/util/concurrent/TimeUnit;)Lorg/apache/http/impl/client/HttpClientBuilder;
    at org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:76)
Are you using the standalone Keycloak server? Looking at javadocs for
httpclient setConnectionTimeToLive was added in 4.4. WildFly 10 uses
httpclient 4.5, so looks like for some reason you have an old version
of httpclient.
Best regards,
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org <mailto:keycloak-user@lists.jboss.org>
https://lists.jboss.org/mailman/listinfo/keycloak-user
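For the second problem, as an added example that is not part of the thread or the Keycloak code base: a stand-alone Java check that, given one or more jar paths, reports the httpclient version from each manifest and whether the HttpClientBuilder class inside it carries the setConnectionTimeToLive method name, which makes it quick to find the pre-4.4 copy the server is loading. The class name HttpClientCheck and the module directory in the usage comment are assumptions; the byte scan of the class file for the method name is a heuristic rather than a full class-file parse.

```java
// Added diagnostic, not from the thread. Usage (paths are assumptions):
//   find $JBOSS_HOME/modules -name 'httpclient*.jar' | xargs java HttpClientCheck
// Also run it over any WEB-INF/lib or EAR lib directory of your own deployments,
// since a bundled httpclient there can shadow the server module.
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.util.jar.Attributes;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;
import java.util.jar.Manifest;

public class HttpClientCheck {

    // Class and method from the NoSuchMethodError in the thread.
    private static final String BUILDER = "org/apache/http/impl/client/HttpClientBuilder.class";
    private static final String METHOD = "setConnectionTimeToLive";   // added in httpclient 4.4

    public static void main(String[] args) throws IOException {
        if (args.length == 0) {
            System.err.println("usage: java HttpClientCheck <httpclient-*.jar> [more jars...]");
            System.exit(2);
        }
        for (String path : args) {
            report(path);
        }
    }

    // Prints the manifest version and whether HttpClientBuilder in this jar
    // mentions the method name. Returns true when the method name is present.
    static boolean report(String path) throws IOException {
        try (JarFile jar = new JarFile(path)) {
            System.out.println(path);
            System.out.println("  version          : " + manifestVersion(jar));
            JarEntry entry = jar.getJarEntry(BUILDER);
            if (entry == null) {
                System.out.println("  HttpClientBuilder: not in this jar");
                return false;
            }
            byte[] cls;
            try (InputStream in = jar.getInputStream(entry)) {
                cls = readAll(in);
            }
            // Method names are stored in the class constant pool as modified
            // UTF-8, so a plain byte search distinguishes 4.4+ from older builds
            // without loading the class (which would also require httpcore).
            boolean present = indexOf(cls, METHOD.getBytes(StandardCharsets.US_ASCII)) >= 0;
            System.out.println("  " + METHOD + ": " + (present ? "present (>= 4.4)" : "MISSING (< 4.4)"));
            return present;
        }
    }

    static String manifestVersion(JarFile jar) throws IOException {
        Manifest mf = jar.getManifest();
        if (mf == null) return "<no manifest>";
        Attributes a = mf.getMainAttributes();
        String v = a.getValue("Implementation-Version");
        if (v == null) v = a.getValue("Bundle-Version");
        return v == null ? "<unknown>" : v;
    }

    static byte[] readAll(InputStream in) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        byte[] tmp = new byte[8192];
        int n;
        while ((n = in.read(tmp)) != -1) {
            buf.write(tmp, 0, n);
        }
        return buf.toByteArray();
    }

    // Naive byte-array search; the class file is small, so this is fine.
    static int indexOf(byte[] hay, byte[] needle) {
        outer:
        for (int i = 0; i + needle.length <= hay.length; i++) {
            for (int j = 0; j < needle.length; j++) {
                if (hay[i + j] != needle[j]) continue outer;
            }
            return i;
        }
        return -1;
    }
}
```

A jar that reports "MISSING (< 4.4)" is the one the stack trace is hitting; the fix is to make sure the Keycloak server resolves the httpclient 4.4+ module rather than that copy.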