Thanks for the reply, Bill. See below for stack trace.
Not sure if it's related, though.... our client app does an anonymous login to JBoss
remoting at startup. These anonymous logins always throw an exception in our
BearerTokenLoginModule, and they are generally harmless (JBoss LoginContext consumes them
and allows our client app access anyway). The below was logged at ERROR level in our
JBoss server log, which doesn't usually happen.
Wish I could give you more, but this was an outage that affected several people, so we
were more concerned with a quick resolution than an investigation :)
Thanks,
Jamie
org.keycloak.VerificationException: Couldn't parse token
at org.keycloak.RSATokenVerifier.verifyToken(RSATokenVerifier.java:24)
at org.keycloak.RSATokenVerifier.verifyToken(RSATokenVerifier.java:16)
at ca.cira.jboss.loginmodules.AbstractKeycloakLoginModule.bearerAuth(AbstractKeycloakLoginModule.java:187)
at ca.cira.jboss.loginmodules.BearerTokenLoginModule.doAuth(BearerTokenLoginModule.java:18)
at ca.cira.jboss.loginmodules.AbstractKeycloakLoginModule.login(AbstractKeycloakLoginModule.java:95)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:606)
at javax.security.auth.login.LoginContext.invoke(LoginContext.java:762)
at javax.security.auth.login.LoginContext.access$000(LoginContext.java:203)
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:690)
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:688)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:687)
at javax.security.auth.login.LoginContext.login(LoginContext.java:595)
at org.jboss.security.authentication.JBossCachedAuthenticationManager.defaultLogin(JBossCachedAuthenticationManager.java:408)
at org.jboss.security.authentication.JBossCachedAuthenticationManager.proceedWithJaasLogin(JBossCachedAuthenticationManager.java:345)
at org.jboss.security.authentication.JBossCachedAuthenticationManager.authenticate(JBossCachedAuthenticationManager.java:323)
at org.jboss.security.authentication.JBossCachedAuthenticationManager.isValid(JBossCachedAuthenticationManager.java:146)
at org.jboss.as.security.service.SimpleSecurityManager.authenticate(SimpleSecurityManager.java:446)
at org.jboss.as.security.service.SimpleSecurityManager.push(SimpleSecurityManager.java:347)
at org.jboss.as.ejb3.security.SecurityContextInterceptor$1.run(SecurityContextInterceptor.java:52)
at org.jboss.as.ejb3.security.SecurityContextInterceptor$1.run(SecurityContextInterceptor.java:48)
at org.jboss.as.ejb3.security.SecurityContextInterceptor.processInvocation(SecurityContextInterceptor.java:83)
at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288)
at org.jboss.as.ejb3.component.interceptors.ShutDownInterceptorFactory$1.processInvocation(ShutDownInterceptorFactory.java:64)
at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288)
at org.jboss.as.ejb3.component.interceptors.LoggingInterceptor.processInvocation(LoggingInterceptor.java:59)
at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288)
at org.jboss.as.ee.component.NamespaceContextInterceptor.processInvocation(NamespaceContextInterceptor.java:50)
at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288)
at org.jboss.as.ejb3.component.interceptors.AdditionalSetupInterceptor.processInvocation(AdditionalSetupInterceptor.java:55)
at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288)
at org.jboss.as.ee.component.TCCLInterceptor.processInvocation(TCCLInterceptor.java:45)
at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288)
at org.jboss.invocation.ChainedInterceptor.processInvocation(ChainedInterceptor.java:61)
at org.jboss.as.ee.component.ViewService$View.invoke(ViewService.java:185)
at org.jboss.as.ejb3.remote.protocol.versionone.MethodInvocationMessageHandler.invokeMethod(MethodInvocationMessageHandler.java:329)
at org.jboss.as.ejb3.remote.protocol.versionone.MethodInvocationMessageHandler.access$100(MethodInvocationMessageHandler.java:70)
at org.jboss.as.ejb3.remote.protocol.versionone.MethodInvocationMessageHandler$1.run(MethodInvocationMessageHandler.java:203)
at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471)
at java.util.concurrent.FutureTask.run(FutureTask.java:262)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
at java.lang.Thread.run(Thread.java:745)
at org.jboss.threads.JBossThread.run(JBossThread.java:122)
Caused by: java.lang.IllegalArgumentException: Parsing error
at org.keycloak.jose.jws.JWSInput.<init>(JWSInput.java:27)
at org.keycloak.RSATokenVerifier.verifyToken(RSATokenVerifier.java:22)
-----Original Message-----
From: keycloak-user-bounces(a)lists.jboss.org [mailto:keycloak-user-bounces@lists.jboss.org]
On Behalf Of Bill Burke
Sent: April-21-15 1:09 PM
To: keycloak-user(a)lists.jboss.org
Subject: Re: [keycloak-user] Do realm public keys expire?
I thought it was only certificates that expire. You have a stack trace/log file
available?
On 4/21/2015 12:27 PM, Jamie Beznoski wrote:
Hi,
We set up a realm to use in conjunction with a JBoss login module -
the BearerTokenLoginModule available here:
https://github.com/keycloak/keycloak/blob/master/integration/adapter-core/src/main/java/org/keycloak/adapters/jaas/BearerTokenLoginModule.java
Our application in question is a standalone Java app that invokes EJBs
remotely on our JBoss server. The JBoss EJB remoting subsystem is
secured by the BearerTokenLoginModule.
This configuration worked well for us for several months, but last
week we started to see issues. Our client app could no longer
authenticate against the JBoss server. We generated a new realm
public key (Settings -> Keys -> Generate new keys) and the issue was resolved.
Unfortunately, we were fire-fighting at the time and can't provide you
with much more information than that.
Anyway, my (hopefully easy) question is: do the realm keys expire
after a certain period?
Thanks,
Jamie Beznoski
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com