Hello,
This doesn't seem to work in an EAR. In my case, I have the following
structure:
customer-management.ear
|-- lib
|-- META-INF
|-- customer-management-data.jar
|-- customer-management-façade.jar
|-- customer-management-repository.jar
|-- customer-management-rest.war
    |-- META-INF
    |-- WEB-INF
        |-- classes
        |-- lib
        |-- beans.xml
        |-- web.xml
    ...
...
Here in web.xml I have:
<module-name>customer-management-rest</module-name>
And in standalone.xml I have:
<subsystem xmlns="urn:jboss:domain:keycloak:1.1">
    <secure-deployment name="customer-manager-rest.war">
        <realm>demo-realm</realm>
        <resource>customer-manager-client</resource>
        <bearer-only>true</bearer-only>
        <auth-server-url>http://localhost:18080/auth</auth-server-url>
        <ssl-required>EXTERNAL</ssl-required>
    </secure-deployment>
</subsystem>
This won't work as there is no such customer-manager-rest.war deployed. It
is embedded in the customer-management.ear and this needs to be expressed
somehow. So:
· Either the EAR securization is not supported in keycloak subsystem
(would be very surprising)
· Or it is supported and, in this case, I need to know the right
notation. I tried customer-manager.ear. customer-manager-rest.war 'cause
I've seen that somewhere on the net, but it doesn't work.
Please advise.
Many thanks in advance,
Kind regards,
Nicolas
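The naming rule from Darrell's reply quoted below (the secure-deployment name equals the web.xml module-name with .war appended) can be checked before deployment. The following is an added example, not part of the original message or of Keycloak; the XML inputs are constructed from the snippets quoted in this thread, and check_names and its helpers are hypothetical names.

```python
import difflib
import xml.etree.ElementTree as ET

# Constructed inputs, assembled from the snippets quoted in this thread.
WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
    <module-name>customer-management-rest</module-name>
</web-app>"""

STANDALONE_FRAGMENT = """<subsystem xmlns="urn:jboss:domain:keycloak:1.1">
    <secure-deployment name="customer-manager-rest.war">
        <realm>demo-realm</realm>
        <resource>customer-manager-client</resource>
        <bearer-only>true</bearer-only>
        <auth-server-url>http://localhost:18080/auth</auth-server-url>
        <ssl-required>EXTERNAL</ssl-required>
    </secure-deployment>
</subsystem>"""


def _local(tag):
    """Drop the '{namespace}' prefix that ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]


def module_name(web_xml):
    """Return the <module-name> text from a web.xml document, or None."""
    for el in ET.fromstring(web_xml).iter():
        if _local(el.tag) == "module-name" and el.text and el.text.strip():
            return el.text.strip()
    return None


def secure_deployment_names(config_xml):
    """Return the name attribute of every <secure-deployment> element."""
    return [el.get("name", "") for el in ET.fromstring(config_xml).iter()
            if _local(el.tag) == "secure-deployment"]


def check_names(web_xml, config_xml):
    """Apply the rule: secure-deployment name == <module-name> + '.war'.

    Returns (expected_name, findings); an empty findings list means a match.
    """
    mod = module_name(web_xml)
    if mod is None:
        return None, ["web.xml has no <module-name>; rule cannot be applied"]
    expected = mod + ".war"
    names = secure_deployment_names(config_xml)
    if expected in names:
        return expected, []
    findings = [f"no secure-deployment named {expected!r}"]
    # Flag configured names that differ from the expected one by a few characters.
    near = difflib.get_close_matches(expected, names, n=1, cutoff=0.8)
    for name in names:
        hint = " (near miss of the expected name)" if name in near else ""
        findings.append(f"configured name {name!r} does not match{hint}")
    return expected, findings


if __name__ == "__main__":
    expected, findings = check_names(WEB_XML, STANDALONE_FRAGMENT)
    print("expected:", expected)
    for finding in findings:
        print(" -", finding)
```
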
-----Original Message-----
From: keycloak-user-bounces(a)lists.jboss.org
[mailto:keycloak-user-bounces@lists.jboss.org] On Behalf Of Darrell Wu
Sent: Tuesday, 19 December 2017 22:03
To: keycloak-user
Subject: Re: [keycloak-user] Keycloak 3.4.0.Final - Can't secure an EAR
(Nicolas DUMINIL)
Hi Nicolas,
The secure deployment name attribute should match your module-name in the
web.xml in your WAR with .war appended.
In your case it should be something like customer-management-rest.war,
assuming you have the following in your web.xml:
<module-name>customer-management-rest</module-name>
Darrell
On 20 December 2017 at 07:34, <keycloak-user-request(a)lists.jboss.org> wrote:
Send keycloak-user mailing list submissions to
keycloak-user(a)lists.jboss.org
To subscribe or unsubscribe via the World Wide Web, visit
https://lists.jboss.org/mailman/listinfo/keycloak-user
or, via email, send a message with subject or body 'help' to
keycloak-user-request(a)lists.jboss.org
You can reach the person managing the list at
keycloak-user-owner(a)lists.jboss.org
When replying, please edit your Subject line so it is more specific
than "Re: Contents of keycloak-user digest..."
Today's Topics:
1. Re: Prevent federated users from setting a password (Rens Verhage)
2. Re: Failed to initialize in KC 3.4 (Bob McWhirter)
3. Keycloak 3.4.0.Final - Can't secure an EAR (Nicolas DUMINIL)
4. How to check permissions on lot of resources (Teddy CHAMBARD)
5. AdapterRsaTokenVerifier throws NullPointerException on getPublicKey after processing expired token (Dmitry Korchemkin)
----------------------------------------------------------------------
Message: 1
Date: Tue, 19 Dec 2017 07:56:32 +0000
From: Rens Verhage <Rens.Verhage(a)topicus.nl>
Subject: Re: [keycloak-user] Prevent federated users from setting a password
To: "keycloak-user(a)lists.jboss.org" <keycloak-user(a)lists.jboss.org>
Message-ID: <94BBDF41-9A45-4F30-B5C0-2AE3387BF63A(a)topicus.nl>
Content-Type: text/plain; charset="utf-8"
Sat down with a colleague and did some out of the box thinking. Came
up with a solution that works best for us: set up 2 realms, A and B.
A contains all users that log in with username and password and is an
identity provider to realm B. This way we have levelled the playing
field, in B all users log in through an IdP and we can treat them all
the same.
Rens
On 18 Dec 2017, at 12:19, Rens Verhage <Rens.Verhage(a)topicus.nl> wrote:
Hi all,
We're implementing Keycloak in an existing multi-tenant application
and have to make a choice: 1 realm for all our tenants or each tenant
its own realm?
From an administrator's point of view, one single realm for all user
accounts seems a good choice. However, there is one important
requirement that until now, we haven't been able to fulfil this way:
A tenant might choose to let their users log in through an external
identity provider, ADFS will be fairly common. Users that will log in
this way will be required to always do so and therefore are not
allowed to set a password in Keycloak. Deleting a user will be as easy
as removing the user from the Active Directory.
However, not all tenants will have their own identity provider. For
these tenants, users must be able to log in with a username and
password. They also get a forgot password link, so they can reset
their password once forgotten. Now that raises a problem. Users that
log in through their identity provider can use this link to set a
password and thus bypass their identity provider. Should such a user
be removed from the AD, he or she can still log in using this
password.
Can we somehow prevent federated identities from ever setting a
password?
Or is this not possible and are we forced to set up multiple realms?
Rens
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
------------------------------
Message: 2
Date: Tue, 19 Dec 2017 09:28:50 -0500
From: Bob McWhirter <bmcwhirt(a)redhat.com>
Subject: Re: [keycloak-user] Failed to initialize in KC 3.4
To: Abhishek Koserwal <akoserwa(a)redhat.com>
Cc: keycloak-user <keycloak-user(a)lists.jboss.org>
Message-ID: <CA+45JvEmMJ_=3LBWHNrWqoC5Huy1Dv+9mK42a38TJHxTPmxk_Q@mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"
And you may wish to use a fully-qualified rooted path to
keycloak.json, if you're doing a single-page-app with browser-based
routing, as it seems to look for the argument relative to the current
window location, which may not be / when doing SPAs. Using an
absolute path works in that case, such as '/keycloak.json'.
-Bob
On Mon, Dec 18, 2017 at 1:55 AM, Abhishek Koserwal <akoserwa(a)redhat.com> wrote:
> You need to instantiate like this, it will work.
>
> var keycloak = Keycloak('keycloak.json');
>
> I tested with KC 3.4.1.
>
> Thanks
>
> On Thu, Dec 14, 2017 at 6:08 PM, Marek Posolda <mposolda(a)redhat.com> wrote:
>
> > The best is likely to look at Keycloak quickstart/examples for JS
> > adapter and compare what is different.
> >
> > Marek
> >
> > On 12/12/17 10:45, Corentin Dupont wrote:
> > > Hi guys,
> > >
> > > I use this code in my javascript application:
> > >
> > > var keycloak = Keycloak();
> > > keycloak.init().success(function(authenticated) {
> > >     alert(authenticated ? 'authenticated' : 'not authenticated');
> > > }).error(function() {
> > >     alert('failed to initialize');
> > > });
> > >
> > > Since I updated Keycloak I get the message 'failed to initialize'.
> > > It was working well with the previous version of KC 3.2.
> > >
> > > What could it be? How can I get a better error message?
> > >
> > > Thanks!
>
> --
> Regards,
> Abhishek Koserwal
> Software Application Engineer, ADS
> Red Hat (Pune, India)
> IRC: akoserwa
>
> The capacity to learn is a gift; The ability to learn is a skill;
> The willingness to learn is a choice -- Brian Herbert
------------------------------
Message: 3
Date: Tue, 19 Dec 2017 17:26:22 +0100
From: "Nicolas DUMINIL" <nicolas.duminil(a)simplex-software.fr>
Subject: [keycloak-user] Keycloak 3.4.0.Final - Can't secure an EAR
To: <keycloak-user(a)lists.jboss.org>
Message-ID: <00c001d378e6$1c40db20$54c29160$(a)simplex-software.fr>
Content-Type: text/plain; charset="us-ascii"
Hello,
I'm using Keycloak 3.4.0.Final.
I have an EAR containing a WAR. The WAR contains REST services that I
need to secure. The Wildfly config is as follows:
<subsystem xmlns="urn:jboss:domain:keycloak:1.1">
    <secure-deployment name="customer-management.ear.customer-management-rest.war">
        <realm>demo</realm>
        <auth-server-url>http://localhost:18080/auth</auth-server-url>
        <public-client>true</public-client>
        <ssl-required>EXTERNAL</ssl-required>
        <resource>customer-client</resource>
    </secure-deployment>
</subsystem>
The notation I used for the <secure-deployment> element is
ear-name.ear.war-name.war. But it doesn't seem to work. It raises the
following exception:
Caused by: org.jboss.as.server.deployment.DeploymentUnitProcessingException:
WarMetaData not found for customer-management.ear. Make sure you have
specified a WAR as your secure-deployment in the Keycloak subsystem."},
I found this syntax by googling for solutions but it's probably wrong.
Please notice that I cannot use the JSON syntax.
Kind regards,
Nicolas DUMINIL
------------------------------
Message: 4
Date: Tue, 19 Dec 2017 17:50:33 +0000
From: Teddy CHAMBARD <t.chambard(a)bee-buzziness.com>
Subject: [keycloak-user] How to check permissions on lot of resources
To: "keycloak-user(a)lists.jboss.org" <keycloak-user(a)lists.jboss.org>
Cc: TeamScalabilite <TeamScalabilite(a)bee-buzziness.com>
Message-ID: <1a4a5599db2c4bf69934aa23bf53e77c(a)BBUZ-EXCH01.bbuzg.net>
Content-Type: text/plain; charset="us-ascii"
Hello,
I'm trying to protect resources with keycloak, but I wonder how to
protect millions...
I created successfully resources with the Protection API (UMA 2.0),
and also created necessary permissions and policies with the Admin REST
API.
What I would like to do is simply get the list of resources I should
be able to access.
To simplify my needs, here is a simple example:
Bob asks for resource1 and resource2 through entitlement API.
Regarding my policies and permissions Bob only has rights on resource
1 but not on resource2.
I was thinking making a POST request with the following payload:
{
    "permissions" : [
        {
            "resource_set_name" : "resource1"
        }, {
            "resource_set_name" : "resource2"
        }
    ]
}
would return a RPT with the list of permitted resources (resource1),
but I got 403 forbidden without the list of granted resources.
So, I know I could run two separated requests to get my
authorizations, but when I have thousands of resources to check, I
can't run thousands http requests on entitlement API.
The question is how can I filter the data I retrieved from my database
with keycloak in order to get only granted data?
Keycloak is wonderful, and I would really continue to use it despite
this trouble that I encounter.
Thank you very much in advance for your help.
------------------------------
Message: 5
Date: Tue, 19 Dec 2017 21:34:15 +0300
From: Dmitry Korchemkin <moon3854(a)gmail.com>
Subject: [keycloak-user] AdapterRsaTokenVerifier throws NullPointerException on getPublicKey after processing expired token
To: keycloak-user <keycloak-user(a)lists.jboss.org>
Message-ID: <CAHpfDHM4=8fZu0niEhg2f4+MNjTDc2HEwixF-fNMnid3C-iF5A@mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"
Hello,
Just upgraded to 3.4.1.Final to check if my issues with
NullPointerException (and resulting 500 status) when using keycloak
spring-security-adapter and expired tokens would be gone. There's no
more an unexpected NullPointer from an empty kid value (fixed in
KEYCLOAK-5636 <https://issues.jboss.org/browse/KEYCLOAK-5636>), but a
problem still remains.
This time it's publicKeyLocator being null in
AdapterRSATokenVerifier::getPublicKey. Somehow, after token was
already deemed inactive and TokenNotActiveException was already
printed, there's a second call to this method, this time with an empty
deployment, and I'm pretty sure it's not my code calling it. Since
there's no null check on locator field, it produces NullPointer upon
trying to call pkLocator.getPublicKey, even if kid is being checked for
null.
Here's the first exception, the one I'm expecting:
2017-12-19 14:55:54,341 DEBUG XNIO-2 task-24 no_request_id c.n.c.m.s.i.d.IdpConfigResolver - Error to validate token with public key
org.keycloak.exceptions.TokenNotActiveException: Token is not active
    at org.keycloak.TokenVerifier$2.test(TokenVerifier.java:84)
    at org.keycloak.TokenVerifier.verify(TokenVerifier.java:370)
    at org.keycloak.RSATokenVerifier.verify(RSATokenVerifier.java:89)
    at org.keycloak.adapters.rotation.AdapterRSATokenVerifier.verifyToken(AdapterRSATokenVerifier.java:56)
    at security.idp.deployment.IdpConfigResolver.checkPublicKey(IdpConfigResolver.java:149)
    at security.idp.deployment.IdpConfigResolver.generateKeycloakDeploymentFromAuthorizationHeader(IdpConfigResolver.java:80)
    at security.idp.deployment.IdpConfigResolver.resolve(IdpConfigResolver.java:57)
    at org.keycloak.adapters.AdapterDeploymentContext.resolveDeployment(AdapterDeploymentContext.java:88)
    at org.keycloak.adapters.springsecurity.filter.KeycloakAuthenticationProcessingFilter.attemptAuthentication(KeycloakAuthenticationProcessingFilter.java:138)
    at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:212)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:101)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
    at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:116)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
    at org.keycloak.adapters.springsecurity.filter.KeycloakPreAuthActionsFilter.doFilter(KeycloakPreAuthActionsFilter.java:84)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:101)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:101)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
    at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:105)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:101)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
    at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:214)
    at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:177)
    at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:347)
    at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:263)
    at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
    at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:101)
    at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
    at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
    at org.springframework.web.filter.RequestContextFilter.doFilterInternal(RequestContextFilter.java:99)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
    at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
    at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:101)
    at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
    at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:101)
    at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
    at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:101)
    at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
    at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:101)
    at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
    at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
    at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
    at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
    at io.undertow.servlet.handlers.ServletChain$1.handleRequest(ServletChain.java:64)
    at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:274)
    at io.undertow.servlet.handlers.ServletInitialHandler.dispatchToPath(ServletInitialHandler.java:209)
    at io.undertow.servlet.spec.RequestDispatcherImpl.forwardImpl(RequestDispatcherImpl.java:221)
    at io.undertow.servlet.spec.RequestDispatcherImpl.forwardImplSetup(RequestDispatcherImpl.java:147)
    at io.undertow.servlet.spec.RequestDispatcherImpl.forward(RequestDispatcherImpl.java:111)
    at org.springframework.web.servlet.view.InternalResourceView.renderMergedOutputModel(InternalResourceView.java:168)
    at org.springframework.web.servlet.view.AbstractView.render(AbstractView.java:303)
    at org.springframework.web.servlet.DispatcherServlet.render(DispatcherServlet.java:1286)
    at org.springframework.web.servlet.DispatcherServlet.processDispatchResult(DispatcherServlet.java:1041)
    at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:984)
    at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:901)
    at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:970)
    at org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:861)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:687)
    at org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:846)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
    at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
    at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:81)
    at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
    at io.undertow.servlet.handlers.ServletChain$1.handleRequest(ServletChain.java:64)
    at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:274)
    at io.undertow.servlet.handlers.ServletInitialHandler.dispatchToPath(ServletInitialHandler.java:209)
    at io.undertow.servlet.spec.RequestDispatcherImpl.error(RequestDispatcherImpl.java:479)
    at io.undertow.servlet.spec.RequestDispatcherImpl.error(RequestDispatcherImpl.java:412)
    at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:319)
    at io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81)
    at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138)
    at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135)
    at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48)
    at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
    at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272)
    at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
    at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104)
    at io.undertow.server.Connectors.executeRootHandler(Connectors.java:332)
    at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:812)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    at java.lang.Thread.run(Thread.java:748)
However, it is immediately followed by this:
2017-12-19 14:55:54,343 ERROR XNIO-2 task-24 no_request_id i.u.request - UT005022: Exception generating error page /error
org.springframework.web.util.NestedServletException: Request processing failed; nested exception is java.lang.RuntimeException: java.lang.NullPointerException
    at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:982)
    at org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:861)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:687)
    at org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:846)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
    at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
    at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:81)
    at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
    at io.undertow.servlet.handlers.ServletChain$1.handleRequest(ServletChain.java:64)
    at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:274)
    at io.undertow.servlet.handlers.ServletInitialHandler.dispatchToPath(ServletInitialHandler.java:209)
    at io.undertow.servlet.spec.RequestDispatcherImpl.error(RequestDispatcherImpl.java:479)
    at io.undertow.servlet.spec.RequestDispatcherImpl.error(RequestDispatcherImpl.java:412)
    at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:319)
    at io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81)
    at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138)
    at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135)
    at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48)
    at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
    at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272)
    at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
    at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104)
    at io.undertow.server.Connectors.executeRootHandler(Connectors.java:332)
    at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:812)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    at java.lang.Thread.run(Thread.java:748)
Caused by: java.lang.RuntimeException: java.lang.NullPointerException
    at io.undertow.servlet.spec.RequestDispatcherImpl.forwardImpl(RequestDispatcherImpl.java:245)
    at io.undertow.servlet.spec.RequestDispatcherImpl.forwardImplSetup(RequestDispatcherImpl.java:147)
    at io.undertow.servlet.spec.RequestDispatcherImpl.forward(RequestDispatcherImpl.java:111)
    at org.springframework.web.servlet.view.InternalResourceView.renderMergedOutputModel(InternalResourceView.java:168)
    at org.springframework.web.servlet.view.AbstractView.render(AbstractView.java:303)
    at org.springframework.web.servlet.DispatcherServlet.render(DispatcherServlet.java:1286)
    at org.springframework.web.servlet.DispatcherServlet.processDispatchResult(DispatcherServlet.java:1041)
    at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:984)
    at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:901)
    at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:970)
    ... 29 common frames omitted
Caused by: java.lang.NullPointerException: null
    at org.keycloak.adapters.rotation.AdapterRSATokenVerifier.getPublicKey(AdapterRSATokenVerifier.java:44)
    at org.keycloak.adapters.rotation.AdapterRSATokenVerifier.verifyToken(AdapterRSATokenVerifier.java:55)
    at org.keycloak.adapters.rotation.AdapterRSATokenVerifier.verifyToken(AdapterRSATokenVerifier.java:37)
    at org.keycloak.adapters.BearerTokenRequestAuthenticator.authenticateToken(BearerTokenRequestAuthenticator.java:87)
    at org.keycloak.adapters.BearerTokenRequestAuthenticator.authenticate(BearerTokenRequestAuthenticator.java:82)
    at org.keycloak.adapters.RequestAuthenticator.authenticate(RequestAuthenticator.java:68)
    at org.keycloak.adapters.springsecurity.filter.KeycloakAuthenticationProcessingFilter.attemptAuthentication(KeycloakAuthenticationProcessingFilter.java:147)
    at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:212)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:101)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
    at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:116)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
    at org.keycloak.adapters.springsecurity.filter.KeycloakPreAuthActionsFilter.doFilter(KeycloakPreAuthActionsFilter.java:84)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:101)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:101)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
    at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:105)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:101)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
    at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:214)
    at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:177)
    at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:347)
    at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:263)
    at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
    at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:101)
    at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
    at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
    at org.springframework.web.filter.RequestContextFilter.doFilterInternal(RequestContextFilter.java:99)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
    at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
    at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:101)
    at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
    at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:101)
    at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
    at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:101)
    at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
    at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:101)
    at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
    at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
    at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
    at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
    at io.undertow.servlet.handlers.ServletChain$1.handleRequest(ServletChain.java:64)
    at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:274)
    at io.undertow.servlet.handlers.ServletInitialHandler.dispatchToPath(ServletInitialHandler.java:209)
    at io.undertow.servlet.spec.RequestDispatcherImpl.forwardImpl(RequestDispatcherImpl.java:221)
    ... 38 common frames omitted
Needless to say, I'm not expecting any error pages to be shown and I
have no idea where would keycloak get such a deployment that does not
even have keyLocator.
One place where I call AdapterRSATokenVerifier.verifyToken has a
deployment with explicitly set HardcodedPublicKeyLocator, which works
in every other instance of token validation I've encountered so far.
I'd report this as a bug right away and make a request with a null
check on pkLocator, but somehow it seems the issue is not that simple,
empty deployment shouldn't be there in the first place. In the mean
time, any idea how can I get around this second verify() call or
maybe disable the /error page behaviour?
Best regards,
Dmitry
------------------------------
End of keycloak-user Digest, Vol 48, Issue 29
*********************************************