4:39 p.m.
Hi everyone,
Do Keycloak adapters support user authorization? I mean, of course they do
:) For example, the API I have secured with Keycloak receives a Keycloak
access token from the client. How can I validate the token (check user
roles) in my code? I am interested in the Java (wildfly) and Javascript
adapters.
Manually I am using jwt.io to check the token. I am just curious if the
Keycloak adapters support smth similar out of the box.
Thank you for your answers.
Regards,
Pavel Maslov, MS
8:53 p.m.
For Java HttpServletRequest.isUserInRole() works. If you typecast the
principal to KeycloakPrincipal you can obtain the AccessToken.
On 12/6/2015 5:39 PM, Pavel Maslov wrote:
Hi everyone,
Do Keycloak adapters support user authorization? I mean, of course they
do :) For example, the API I have secured with Keycloak receives a
Keycloak access token from the client. How can I validate the token
(check user roles) in my code? I am interested in the Java (wildfly) and
Javascript adapters.
Manually I am using jwt.io <http://jwt.io> to check the token. I am just
curious if the Keycloak adapters support smth similar out of the box.
Thank you for your answers.
Regards,
Pavel Maslov, MS
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
4:30 a.m.
Hi Bill,
I added the *org.keycloak.KeycloakPrincipal* definition in order to get the
token:
KeycloakPrincipal kcPrincipal = (KeycloakPrincipal) srvl.getUserPrincipal();
String token = kcPrincipal.getKeycloakSecurityContext().getTokenString();
but cannot deploy the project to the Wildfly server:
10:23:31,250 INFO [org.jboss.resteasy.spi.ResteasyDeployment] (MSC service
thread 1-2) Deploying javax.ws.rs.core.Application: class
si.liis.apitime.service.ApiTimeApplication
10:23:31,282 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-2)
MSC000001: Failed to start service
jboss.undertow.deployment.default-server.default-host./apitime-rest:
org.jboss.msc.service.StartException in service
jboss.undertow.deployment.default-server.default-host./apitime-rest: Failed
to start service
at
org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1904)
[jboss-msc-1.2.2.Final.jar:1.2.2.Final]
at
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
[rt.jar:1.7.0_85]
at
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
[rt.jar:1.7.0_85]
at java.lang.Thread.run(Thread.java:745) [rt.jar:1.7.0_85]
Caused by: java.lang.NoClassDefFoundError: com/google/zxing/WriterException
at java.lang.Class.getDeclaredMethods0(Native Method) [rt.jar:1.7.0_85]
at java.lang.Class.privateGetDeclaredMethods(Class.java:2625)
[rt.jar:1.7.0_85]
at java.lang.Class.privateGetPublicMethods(Class.java:2743)
[rt.jar:1.7.0_85]
at java.lang.Class.getMethods(Class.java:1480) [rt.jar:1.7.0_85]
at
org.jboss.resteasy.spi.metadata.ResourceBuilder.fromAnnotations(ResourceBuilder.java:747)
at
org.jboss.resteasy.spi.metadata.ResourceBuilder.rootResourceFromAnnotations(ResourceBuilder.java:700)
at
org.jboss.resteasy.plugins.server.resourcefactory.POJOResourceFactory.<init>(POJOResourceFactory.java:29)
at
org.jboss.resteasy.core.ResourceMethodRegistry.addPerRequestResource(ResourceMethodRegistry.java:75)
at
org.jboss.resteasy.spi.ResteasyDeployment.registration(ResteasyDeployment.java:400)
at
org.jboss.resteasy.spi.ResteasyDeployment.start(ResteasyDeployment.java:241)
at
org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.init(ServletContainerDispatcher.java:112)
at
org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.init(HttpServletDispatcher.java:36)
at
io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:117)
at
org.wildfly.extension.undertow.security.RunAsLifecycleInterceptor.init(RunAsLifecycleInterceptor.java:79)
at
io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:103)
at
io.undertow.servlet.core.ManagedServlet$DefaultInstanceStrategy.start(ManagedServlet.java:220)
at
io.undertow.servlet.core.ManagedServlet.createServlet(ManagedServlet.java:125)
at
io.undertow.servlet.core.DeploymentManagerImpl.start(DeploymentManagerImpl.java:508)
at
org.wildfly.extension.undertow.deployment.UndertowDeploymentService.startContext(UndertowDeploymentService.java:88)
at
org.wildfly.extension.undertow.deployment.UndertowDeploymentService.start(UndertowDeploymentService.java:72)
at
org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1948)
[jboss-msc-1.2.2.Final.jar:1.2.2.Final]
at
org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1881)
[jboss-msc-1.2.2.Final.jar:1.2.2.Final]
... 3 more
10:23:31,285 ERROR [org.jboss.as.controller.management-operation]
(management-handler-thread - 1) JBAS014613: Operation ("redeploy") failed -
address: ([("deployment" => "apitime-rest.war")]) - failure
description:
{"JBAS014671: Failed services" =>
{"jboss.undertow.deployment.default-server.default-host./apitime-rest" =>
"org.jboss.msc.service.StartException in service
jboss.undertow.deployment.default-server.default-host./apitime-rest: Failed
to start service
Caused by: java.lang.NoClassDefFoundError:
com/google/zxing/WriterException"}}
10:23:31,285 ERROR [org.jboss.as.server] (management-handler-thread - 1)
JBAS015860: Redeploy of deployment "apitime-rest.war" was rolled back with
the following failure message:
{"JBAS014671: Failed services" =>
{"jboss.undertow.deployment.default-server.default-host./apitime-rest" =>
"org.jboss.msc.service.StartException in service
jboss.undertow.deployment.default-server.default-host./apitime-rest: Failed
to start service
Caused by: java.lang.NoClassDefFoundError:
com/google/zxing/WriterException"}}
I am using Wildfly 8.2.0 with Keycloak adapter 1.3.1.
Any solution?
Thanks.
Regards,
Pavel Maslov, MS
On Mon, Dec 7, 2015 at 3:53 AM, Bill Burke <bburke(a)redhat.com> wrote:
For Java HttpServletRequest.isUserInRole() works. If you typecast
the
principal to KeycloakPrincipal you can obtain the AccessToken.
On 12/6/2015 5:39 PM, Pavel Maslov wrote:
> Hi everyone,
>
>
> Do Keycloak adapters support user authorization? I mean, of course they
> do :) For example, the API I have secured with Keycloak receives a
> Keycloak access token from the client. How can I validate the token
> (check user roles) in my code? I am interested in the Java (wildfly) and
> Javascript adapters.
>
> Manually I am using jwt.io <http://jwt.io> to check the token. I am just
> curious if the Keycloak adapters support smth similar out of the box.
>
> Thank you for your answers.
>
>
> Regards,
> Pavel Maslov, MS
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
3:51 a.m.
Its not clear to me how you get the assigned roles from the AccessToken.
For instance, is the realm has configured the user to have roles "user"
and "editor" how do I find these in the AccessToken?
Tim
On 07/12/2015 02:53, Bill Burke wrote:
For Java HttpServletRequest.isUserInRole() works. If you typecast
the
principal to KeycloakPrincipal you can obtain the AccessToken.
On 12/6/2015 5:39 PM, Pavel Maslov wrote:
> Hi everyone,
>
>
> Do Keycloak adapters support user authorization? I mean, of course they
> do :) For example, the API I have secured with Keycloak receives a
> Keycloak access token from the client. How can I validate the token
> (check user roles) in my code? I am interested in the Java (wildfly) and
> Javascript adapters.
>
> Manually I am using jwt.io <http://jwt.io> to check the token. I am just
> curious if the Keycloak adapters support smth similar out of the box.
>
> Thank you for your answers.
>
>
> Regards,
> Pavel Maslov, MS
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
8:09 a.m.
AccessToken.getResourceAccess or AccessToken.getRealmAccess
On 12/16/2015 4:51 AM, Tim Dudgeon wrote:
Its not clear to me how you get the assigned roles from the
AccessToken.
For instance, is the realm has configured the user to have roles "user"
and "editor" how do I find these in the AccessToken?
Tim
On 07/12/2015 02:53, Bill Burke wrote:
> For Java HttpServletRequest.isUserInRole() works. If you typecast the
> principal to KeycloakPrincipal you can obtain the AccessToken.
>
> On 12/6/2015 5:39 PM, Pavel Maslov wrote:
>> Hi everyone,
>>
>>
>> Do Keycloak adapters support user authorization? I mean, of course they
>> do :) For example, the API I have secured with Keycloak receives a
>> Keycloak access token from the client. How can I validate the token
>> (check user roles) in my code? I am interested in the Java (wildfly) and
>> Javascript adapters.
>>
>> Manually I am using jwt.io <http://jwt.io> to check the token. I am just
>> curious if the Keycloak adapters support smth similar out of the box.
>>
>> Thank you for your answers.
>>
>>
>> Regards,
>> Pavel Maslov, MS
>>
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user(a)lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
8:17 a.m.
Why is HttpRequest.isUserInRole(<role>) not capable to return true when
the role is present in the AccessToken.getRealmAccess?
Regards,
Johan Bos
Le 16/12/2015 15:09, Bill Burke a écrit :
AccessToken.getResourceAccess or AccessToken.getRealmAccess
On 12/16/2015 4:51 AM, Tim Dudgeon wrote:
> Its not clear to me how you get the assigned roles from the AccessToken.
> For instance, is the realm has configured the user to have roles "user"
> and "editor" how do I find these in the AccessToken?
>
> Tim
>
> On 07/12/2015 02:53, Bill Burke wrote:
>> For Java HttpServletRequest.isUserInRole() works. If you typecast the
>> principal to KeycloakPrincipal you can obtain the AccessToken.
>>
>> On 12/6/2015 5:39 PM, Pavel Maslov wrote:
>>> Hi everyone,
>>>
>>>
>>> Do Keycloak adapters support user authorization? I mean, of course they
>>> do :) For example, the API I have secured with Keycloak receives a
>>> Keycloak access token from the client. How can I validate the token
>>> (check user roles) in my code? I am interested in the Java (wildfly) and
>>> Javascript adapters.
>>>
>>> Manually I am using jwt.io <http://jwt.io> to check the token. I am
just
>>> curious if the Keycloak adapters support smth similar out of the box.
>>>
>>> Thank you for your answers.
>>>
>>>
>>> Regards,
>>> Pavel Maslov, MS
>>>
>>>
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user(a)lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
8:45 a.m.
See use-resource-role-mappings switch:
If set to true, the getResourceAccess("resource-name") roles will be
mapped into isUserInRole, otherwise getRealmAccess is mapped into
isUserInRole
Not the best I know. We've been meaning to add some sort of role
mapping facility to the adapter.
On 12/16/2015 9:17 AM, Johan Bos wrote:
Why is HttpRequest.isUserInRole(<role>) not capable to return
true when
the role is present in the AccessToken.getRealmAccess?
Regards,
Johan Bos
Le 16/12/2015 15:09, Bill Burke a écrit :
> AccessToken.getResourceAccess or AccessToken.getRealmAccess
>
> On 12/16/2015 4:51 AM, Tim Dudgeon wrote:
>> Its not clear to me how you get the assigned roles from the AccessToken.
>> For instance, is the realm has configured the user to have roles
"user"
>> and "editor" how do I find these in the AccessToken?
>>
>> Tim
>>
>> On 07/12/2015 02:53, Bill Burke wrote:
>>> For Java HttpServletRequest.isUserInRole() works. If you typecast the
>>> principal to KeycloakPrincipal you can obtain the AccessToken.
>>>
>>> On 12/6/2015 5:39 PM, Pavel Maslov wrote:
>>>> Hi everyone,
>>>>
>>>>
>>>> Do Keycloak adapters support user authorization? I mean, of course
>>>> they
>>>> do :) For example, the API I have secured with Keycloak receives a
>>>> Keycloak access token from the client. How can I validate the token
>>>> (check user roles) in my code? I am interested in the Java
>>>> (wildfly) and
>>>> Javascript adapters.
>>>>
>>>> Manually I am using jwt.io <http://jwt.io> to check the token. I
am
>>>> just
>>>> curious if the Keycloak adapters support smth similar out of the box.
>>>>
>>>> Thank you for your answers.
>>>>
>>>>
>>>> Regards,
>>>> Pavel Maslov, MS
>>>>
>>>>
>>>> _______________________________________________
>>>> keycloak-user mailing list
>>>> keycloak-user(a)lists.jboss.org
>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user(a)lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
9:33 a.m.
So it is one or the other.
The switch is at realm level or per clients?
As I tend to make realm role for securing the clients only and
client/resource roles for internal client management, I should be fine
Still It would help to have some merging/mapping so from client we don't
have to so much rely on KeyCloak implementation to test roles... Issue
is that realm role can have same name as client role. But once there is
always some pitfall to avoid.
Thanks
Regards,
Johan Bos
Le 16/12/2015 15:45, Bill Burke a écrit :
See use-resource-role-mappings switch:
If set to true, the getResourceAccess("resource-name") roles will be
mapped into isUserInRole, otherwise getRealmAccess is mapped into
isUserInRole
Not the best I know. We've been meaning to add some sort of role
mapping facility to the adapter.
On 12/16/2015 9:17 AM, Johan Bos wrote:
> Why is HttpRequest.isUserInRole(<role>) not capable to return true when
> the role is present in the AccessToken.getRealmAccess?
>
> Regards,
>
> Johan Bos
>
> Le 16/12/2015 15:09, Bill Burke a écrit :
>> AccessToken.getResourceAccess or AccessToken.getRealmAccess
>>
>> On 12/16/2015 4:51 AM, Tim Dudgeon wrote:
>>> Its not clear to me how you get the assigned roles from the AccessToken.
>>> For instance, is the realm has configured the user to have roles
"user"
>>> and "editor" how do I find these in the AccessToken?
>>>
>>> Tim
>>>
>>> On 07/12/2015 02:53, Bill Burke wrote:
>>>> For Java HttpServletRequest.isUserInRole() works. If you typecast the
>>>> principal to KeycloakPrincipal you can obtain the AccessToken.
>>>>
>>>> On 12/6/2015 5:39 PM, Pavel Maslov wrote:
>>>>> Hi everyone,
>>>>>
>>>>>
>>>>> Do Keycloak adapters support user authorization? I mean, of course
>>>>> they
>>>>> do :) For example, the API I have secured with Keycloak receives a
>>>>> Keycloak access token from the client. How can I validate the token
>>>>> (check user roles) in my code? I am interested in the Java
>>>>> (wildfly) and
>>>>> Javascript adapters.
>>>>>
>>>>> Manually I am using jwt.io <http://jwt.io> to check the token.
I am
>>>>> just
>>>>> curious if the Keycloak adapters support smth similar out of the
box.
>>>>>
>>>>> Thank you for your answers.
>>>>>
>>>>>
>>>>> Regards,
>>>>> Pavel Maslov, MS
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> keycloak-user mailing list
>>>>> keycloak-user(a)lists.jboss.org
>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>>
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user(a)lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
9:45 a.m.
oh when you said:
use-resource-role-mappings
it is only available through the keycloak.json
Nothing from Keycloak Admin UI allows you to set the options, so have the installation
file ready with everything ?
Regards,
Johan Bos
Le 16/12/2015 16:33, Johan Bos a écrit :
So it is one or the other.
The switch is at realm level or per clients?
As I tend to make realm role for securing the clients only and
client/resource roles for internal client management, I should be fine
Still It would help to have some merging/mapping so from client we
don't have to so much rely on KeyCloak implementation to test roles...
Issue is that realm role can have same name as client role. But once
there is always some pitfall to avoid.
Thanks
Regards,
Johan Bos
Le 16/12/2015 15:45, Bill Burke a écrit :
> See use-resource-role-mappings switch:
>
> If set to true, the getResourceAccess("resource-name") roles will be
> mapped into isUserInRole, otherwise getRealmAccess is mapped into
> isUserInRole
>
> Not the best I know. We've been meaning to add some sort of role
> mapping facility to the adapter.
>
> On 12/16/2015 9:17 AM, Johan Bos wrote:
>> Why is HttpRequest.isUserInRole(<role>) not capable to return true when
>> the role is present in the AccessToken.getRealmAccess?
>>
>> Regards,
>>
>> Johan Bos
>>
>> Le 16/12/2015 15:09, Bill Burke a écrit :
>>> AccessToken.getResourceAccess or AccessToken.getRealmAccess
>>>
>>> On 12/16/2015 4:51 AM, Tim Dudgeon wrote:
>>>> Its not clear to me how you get the assigned roles from the
>>>> AccessToken.
>>>> For instance, is the realm has configured the user to have roles
>>>> "user"
>>>> and "editor" how do I find these in the AccessToken?
>>>>
>>>> Tim
>>>>
>>>> On 07/12/2015 02:53, Bill Burke wrote:
>>>>> For Java HttpServletRequest.isUserInRole() works. If you
>>>>> typecast the
>>>>> principal to KeycloakPrincipal you can obtain the AccessToken.
>>>>>
>>>>> On 12/6/2015 5:39 PM, Pavel Maslov wrote:
>>>>>> Hi everyone,
>>>>>>
>>>>>>
>>>>>> Do Keycloak adapters support user authorization? I mean, of
course
>>>>>> they
>>>>>> do :) For example, the API I have secured with Keycloak receives
a
>>>>>> Keycloak access token from the client. How can I validate the
token
>>>>>> (check user roles) in my code? I am interested in the Java
>>>>>> (wildfly) and
>>>>>> Javascript adapters.
>>>>>>
>>>>>> Manually I am using jwt.io <http://jwt.io> to check the
token. I am
>>>>>> just
>>>>>> curious if the Keycloak adapters support smth similar out of the
>>>>>> box.
>>>>>>
>>>>>> Thank you for your answers.
>>>>>>
>>>>>>
>>>>>> Regards,
>>>>>> Pavel Maslov, MS
>>>>>>
>>>>>>
>>>>>> _______________________________________________
>>>>>> keycloak-user mailing list
>>>>>> keycloak-user(a)lists.jboss.org
>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>>>
>>>> _______________________________________________
>>>> keycloak-user mailing list
>>>> keycloak-user(a)lists.jboss.org
>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>
>>
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user(a)lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
3:09 p.m.
I don't understand your question...This is a keycloak.json setting.
On 12/16/2015 10:45 AM, Johan Bos wrote:
oh when you said:
use-resource-role-mappings
it is only available through the keycloak.json
Nothing from Keycloak Admin UI allows you to set the options, so have the installation
file ready with everything ?
Regards,
Johan Bos
Le 16/12/2015 16:33, Johan Bos a écrit :
> So it is one or the other.
> The switch is at realm level or per clients?
>
> As I tend to make realm role for securing the clients only and
> client/resource roles for internal client management, I should be fine
>
> Still It would help to have some merging/mapping so from client we
> don't have to so much rely on KeyCloak implementation to test roles...
> Issue is that realm role can have same name as client role. But once
> there is always some pitfall to avoid.
>
> Thanks
>
> Regards,
>
> Johan Bos
>
> Le 16/12/2015 15:45, Bill Burke a écrit :
>> See use-resource-role-mappings switch:
>>
>> If set to true, the getResourceAccess("resource-name") roles will be
>> mapped into isUserInRole, otherwise getRealmAccess is mapped into
>> isUserInRole
>>
>> Not the best I know. We've been meaning to add some sort of role
>> mapping facility to the adapter.
>>
>> On 12/16/2015 9:17 AM, Johan Bos wrote:
>>> Why is HttpRequest.isUserInRole(<role>) not capable to return true
when
>>> the role is present in the AccessToken.getRealmAccess?
>>>
>>> Regards,
>>>
>>> Johan Bos
>>>
>>> Le 16/12/2015 15:09, Bill Burke a écrit :
>>>> AccessToken.getResourceAccess or AccessToken.getRealmAccess
>>>>
>>>> On 12/16/2015 4:51 AM, Tim Dudgeon wrote:
>>>>> Its not clear to me how you get the assigned roles from the
>>>>> AccessToken.
>>>>> For instance, is the realm has configured the user to have roles
>>>>> "user"
>>>>> and "editor" how do I find these in the AccessToken?
>>>>>
>>>>> Tim
>>>>>
>>>>> On 07/12/2015 02:53, Bill Burke wrote:
>>>>>> For Java HttpServletRequest.isUserInRole() works. If you
>>>>>> typecast the
>>>>>> principal to KeycloakPrincipal you can obtain the AccessToken.
>>>>>>
>>>>>> On 12/6/2015 5:39 PM, Pavel Maslov wrote:
>>>>>>> Hi everyone,
>>>>>>>
>>>>>>>
>>>>>>> Do Keycloak adapters support user authorization? I mean, of
course
>>>>>>> they
>>>>>>> do :) For example, the API I have secured with Keycloak
receives a
>>>>>>> Keycloak access token from the client. How can I validate the
token
>>>>>>> (check user roles) in my code? I am interested in the Java
>>>>>>> (wildfly) and
>>>>>>> Javascript adapters.
>>>>>>>
>>>>>>> Manually I am using jwt.io <http://jwt.io> to check the
token. I am
>>>>>>> just
>>>>>>> curious if the Keycloak adapters support smth similar out of
the
>>>>>>> box.
>>>>>>>
>>>>>>> Thank you for your answers.
>>>>>>>
>>>>>>>
>>>>>>> Regards,
>>>>>>> Pavel Maslov, MS
>>>>>>>
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> keycloak-user mailing list
>>>>>>> keycloak-user(a)lists.jboss.org
>>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>>>>
>>>>> _______________________________________________
>>>>> keycloak-user mailing list
>>>>> keycloak-user(a)lists.jboss.org
>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>>
>>>
>>>
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user(a)lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
3:51 p.m.
You answered it. I was not familiar with the whole setting list. My
question was: does something in the ui make the setting change or is it a
manual setup?
I think you are saying it is only manual and it is fine.
It would probably best for future version to have all these extra adapter
setting avail. From admin UI so people has the switch/checkbox or input
form to make direct application change to the json
Moreover since you have a download installation button and a json setting
viewer
Le mercredi 16 décembre 2015, Johan Bos <johan.bos(a)c6.eu> a écrit :
oh when you said:
use-resource-role-mappings
it is only available through the keycloak.json
Nothing from Keycloak Admin UI allows you to set the options, so have the installation
file ready with everything ?
Regards,
Johan Bos
Le 16/12/2015 16:33, Johan Bos a écrit :
So it is one or the other.
The switch is at realm level or per clients?
As I tend to make realm role for securing the clients only and
client/resource roles for internal client management, I should be fine
Still It would help to have some merging/mapping so from client we don't
have to so much rely on KeyCloak implementation to test roles... Issue is
that realm role can have same name as client role. But once there is always
some pitfall to avoid.
Thanks
Regards,
Johan Bos
Le 16/12/2015 15:45, Bill Burke a écrit :
See use-resource-role-mappings switch:
If set to true, the getResourceAccess("resource-name") roles will be
mapped into isUserInRole, otherwise getRealmAccess is mapped into
isUserInRole
Not the best I know. We've been meaning to add some sort of role
mapping facility to the adapter.
On 12/16/2015 9:17 AM, Johan Bos wrote:
Why is HttpRequest.isUserInRole(<role>) not capable to return true when
the role is present in the AccessToken.getRealmAccess?
Regards,
Johan Bos
Le 16/12/2015 15:09, Bill Burke a écrit :
AccessToken.getResourceAccess or AccessToken.getRealmAccess
On 12/16/2015 4:51 AM, Tim Dudgeon wrote:
Its not clear to me how you get the assigned roles from the AccessToken.
For instance, is the realm has configured the user to have roles "user"
and "editor" how do I find these in the AccessToken?
Tim
On 07/12/2015 02:53, Bill Burke wrote:
For Java HttpServletRequest.isUserInRole() works. If you typecast the
principal to KeycloakPrincipal you can obtain the AccessToken.
On 12/6/2015 5:39 PM, Pavel Maslov wrote:
Hi everyone,
Do Keycloak adapters support user authorization? I mean, of course
they
do :) For example, the API I have secured with Keycloak receives a
Keycloak access token from the client. How can I validate the token
(check user roles) in my code? I am interested in the Java
(wildfly) and
Javascript adapters.
Manually I am using jwt.io <http://jwt.io> <http://jwt.io> to check the
token. I am
just
curious if the Keycloak adapters support smth similar out of the box.
Thank you for your answers.
Regards,
Pavel Maslov, MS
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
<javascript:_e(%7B%7D,'cvml','keycloak-user@lists.jboss.org');>
https://lists.jboss.org/mailman/listinfo/keycloak-user
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
<javascript:_e(%7B%7D,'cvml','keycloak-user@lists.jboss.org');>
https://lists.jboss.org/mailman/listinfo/keycloak-user
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
<javascript:_e(%7B%7D,'cvml','keycloak-user@lists.jboss.org');>
https://lists.jboss.org/mailman/listinfo/keycloak-user
_______________________________________________
keycloak-user mailing listkeycloak-user(a)lists.jboss.org
<javascript:_e(%7B%7D,'cvml','keycloak-user@lists.jboss.org');>https://lists.jboss.org/mailman/listinfo/keycloak-user
3:39 a.m.
Guys, I am repeating my question here. Any ideas on this?
I added the *org.keycloak.KeycloakPrincipal* definition in order to get the
token:
KeycloakPrincipal kcPrincipal = (KeycloakPrincipal)
srvl.getUserPrincipal();
String token = kcPrincipal.getKeycloakSecurityContext().getTokenString();
but cannot deploy the project to the Wildfly server:
10:23:31,250 INFO [org.jboss.resteasy.spi.ResteasyDeployment] (MSC
service thread 1-2) Deploying javax.ws.rs.core.Application: class
si.liis.apitime.service.ApiTimeApplication
10:23:31,282 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-2)
MSC000001: Failed to start service
jboss.undertow.deployment.default-server.default-host./apitime-rest:
org.jboss.msc.service.StartException in service
jboss.undertow.deployment.default-server.default-host./apitime-rest: Failed
to start service
at
org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1904)
[jboss-msc-1.2.2.Final.jar:1.2.2.Final]
at
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
[rt.jar:1.7.0_85]
at
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
[rt.jar:1.7.0_85]
at java.lang.Thread.run(Thread.java:745) [rt.jar:1.7.0_85]
Caused by: java.lang.NoClassDefFoundError: com/google/zxing/WriterException
at java.lang.Class.getDeclaredMethods0(Native Method) [rt.jar:1.7.0_85]
at java.lang.Class.privateGetDeclaredMethods(Class.java:2625)
[rt.jar:1.7.0_85]
at java.lang.Class.privateGetPublicMethods(Class.java:2743)
[rt.jar:1.7.0_85]
at java.lang.Class.getMethods(Class.java:1480) [rt.jar:1.7.0_85]
at
org.jboss.resteasy.spi.metadata.ResourceBuilder.fromAnnotations(ResourceBuilder.java:747)
at
org.jboss.resteasy.spi.metadata.ResourceBuilder.rootResourceFromAnnotations(ResourceBuilder.java:700)
at
org.jboss.resteasy.plugins.server.resourcefactory.POJOResourceFactory.<init>(POJOResourceFactory.java:29)
at
org.jboss.resteasy.core.ResourceMethodRegistry.addPerRequestResource(ResourceMethodRegistry.java:75)
at
org.jboss.resteasy.spi.ResteasyDeployment.registration(ResteasyDeployment.java:400)
at
org.jboss.resteasy.spi.ResteasyDeployment.start(ResteasyDeployment.java:241)
at
org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.init(ServletContainerDispatcher.java:112)
at
org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.init(HttpServletDispatcher.java:36)
at
io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:117)
at
org.wildfly.extension.undertow.security.RunAsLifecycleInterceptor.init(RunAsLifecycleInterceptor.java:79)
at
io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:103)
at
io.undertow.servlet.core.ManagedServlet$DefaultInstanceStrategy.start(ManagedServlet.java:220)
at
io.undertow.servlet.core.ManagedServlet.createServlet(ManagedServlet.java:125)
at
io.undertow.servlet.core.DeploymentManagerImpl.start(DeploymentManagerImpl.java:508)
at
org.wildfly.extension.undertow.deployment.UndertowDeploymentService.startContext(UndertowDeploymentService.java:88)
at
org.wildfly.extension.undertow.deployment.UndertowDeploymentService.start(UndertowDeploymentService.java:72)
at
org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1948)
[jboss-msc-1.2.2.Final.jar:1.2.2.Final]
at
org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1881)
[jboss-msc-1.2.2.Final.jar:1.2.2.Final]
... 3 more
10:23:31,285 ERROR [org.jboss.as.controller.management-operation]
(management-handler-thread - 1) JBAS014613: Operation ("redeploy") failed -
address: ([("deployment" => "apitime-rest.war")]) - failure
description:
{"JBAS014671: Failed services" =>
{"jboss.undertow.deployment.default-server.default-host./apitime-rest" =>
"org.jboss.msc.service.StartException in service
jboss.undertow.deployment.default-server.default-host./apitime-rest: Failed
to start service
Caused by: java.lang.NoClassDefFoundError:
com/google/zxing/WriterException"}}
10:23:31,285 ERROR [org.jboss.as.server] (management-handler-thread - 1)
JBAS015860: Redeploy of deployment "apitime-rest.war" was rolled back with
the following failure message:
{"JBAS014671: Failed services" =>
{"jboss.undertow.deployment.default-server.default-host./apitime-rest" =>
"org.jboss.msc.service.StartException in service
jboss.undertow.deployment.default-server.default-host./apitime-rest: Failed
to start service
Caused by: java.lang.NoClassDefFoundError:
com/google/zxing/WriterException"}}
I am using Wildfly 8.2.0 with Keycloak adapter 1.3.1.
Any solution?
Thanks.
Regards,
Pavel Maslov, MS
On Wed, Dec 16, 2015 at 10:51 PM, Johan B. <johan.bos(a)c6.eu> wrote:
You answered it. I was not familiar with the whole setting list. My
question was: does something in the ui make the setting change or is it a
manual setup?
I think you are saying it is only manual and it is fine.
It would probably best for future version to have all these extra adapter
setting avail. From admin UI so people has the switch/checkbox or input
form to make direct application change to the json
Moreover since you have a download installation button and a json setting
viewer
Le mercredi 16 décembre 2015, Johan Bos <johan.bos(a)c6.eu> a écrit :
> oh when you said:
>
> use-resource-role-mappings
>
> it is only available through the keycloak.json
>
> Nothing from Keycloak Admin UI allows you to set the options, so have the
installation file ready with everything ?
>
> Regards,
>
> Johan Bos
>
> Le 16/12/2015 16:33, Johan Bos a écrit :
>
> So it is one or the other.
> The switch is at realm level or per clients?
>
> As I tend to make realm role for securing the clients only and
> client/resource roles for internal client management, I should be fine
>
> Still It would help to have some merging/mapping so from client we don't
> have to so much rely on KeyCloak implementation to test roles... Issue is
> that realm role can have same name as client role. But once there is always
> some pitfall to avoid.
>
> Thanks
>
> Regards,
>
> Johan Bos
>
> Le 16/12/2015 15:45, Bill Burke a écrit :
>
> See use-resource-role-mappings switch:
>
> If set to true, the getResourceAccess("resource-name") roles will be
> mapped into isUserInRole, otherwise getRealmAccess is mapped into
> isUserInRole
>
> Not the best I know. We've been meaning to add some sort of role
> mapping facility to the adapter.
>
> On 12/16/2015 9:17 AM, Johan Bos wrote:
>
> Why is HttpRequest.isUserInRole(<role>) not capable to return true when
> the role is present in the AccessToken.getRealmAccess?
>
> Regards,
>
> Johan Bos
>
> Le 16/12/2015 15:09, Bill Burke a écrit :
>
> AccessToken.getResourceAccess or AccessToken.getRealmAccess
>
> On 12/16/2015 4:51 AM, Tim Dudgeon wrote:
>
> Its not clear to me how you get the assigned roles from the AccessToken.
> For instance, is the realm has configured the user to have roles "user"
> and "editor" how do I find these in the AccessToken?
>
> Tim
>
> On 07/12/2015 02:53, Bill Burke wrote:
>
> For Java HttpServletRequest.isUserInRole() works. If you typecast the
> principal to KeycloakPrincipal you can obtain the AccessToken.
>
> On 12/6/2015 5:39 PM, Pavel Maslov wrote:
>
> Hi everyone,
>
>
> Do Keycloak adapters support user authorization? I mean, of course
> they
> do :) For example, the API I have secured with Keycloak receives a
> Keycloak access token from the client. How can I validate the token
> (check user roles) in my code? I am interested in the Java
> (wildfly) and
> Javascript adapters.
>
> Manually I am using jwt.io <http://jwt.io> <http://jwt.io> to check the
> token. I am
> just
> curious if the Keycloak adapters support smth similar out of the box.
>
> Thank you for your answers.
>
>
> Regards,
> Pavel Maslov, MS
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
>
>
> _______________________________________________
> keycloak-user mailing
listkeycloak-user@lists.jboss.orghttps://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
>
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
3:56 a.m.
You don't get these error if you remove the 2 code lines?
When deploying your apps, it is not enough to add the keycloak core
dependency to access the keycloak principal, you also need to add all
possible dependency the keycloak lib is relying onto.
Basically on latest version of keycloak, I added almost everything that
comes in the adapter zip to my project/api dependency for runtime.
No idea how it was dealt with in previous version. Only dealt with
keycloak 1.6 and 1.7.
Since you had to provide some lib to your server (mine was tomcat 7) to
dealt with the keycloak implantation to secure my app, as soon as I
needed to acces keycloak token from my app code, I was required to add
the libs the adapter for tomcat 7 is providing.
Regards,
Johan Bos
Le 17/12/2015 10:39, Pavel Maslov a écrit :
Guys, I am repeating my question here. Any ideas on this?
I added the *org.keycloak.KeycloakPrincipal* definition in order
to get the token:
KeycloakPrincipal kcPrincipal = (KeycloakPrincipal)
srvl.getUserPrincipal();
String token =
kcPrincipal.getKeycloakSecurityContext().getTokenString();
but cannot deploy the project to the Wildfly server:
10:23:31,250 INFO [org.jboss.resteasy.spi.ResteasyDeployment]
(MSC service thread 1-2) Deploying javax.ws.rs.core.Application:
class si.liis.apitime.service.ApiTimeApplication
10:23:31,282 ERROR [org.jboss.msc.service.fail] (MSC service
thread 1-2) MSC000001: Failed to start service
jboss.undertow.deployment.default-server.default-host./apitime-rest:
org.jboss.msc.service.StartException in service
jboss.undertow.deployment.default-server.default-host./apitime-rest:
Failed to start service
at
org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1904)
[jboss-msc-1.2.2.Final.jar:1.2.2.Final]
at
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
[rt.jar:1.7.0_85]
at
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
[rt.jar:1.7.0_85]
at java.lang.Thread.run(Thread.java:745) [rt.jar:1.7.0_85]
Caused by: java.lang.NoClassDefFoundError:
com/google/zxing/WriterException
at java.lang.Class.getDeclaredMethods0(Native Method)
[rt.jar:1.7.0_85]
at java.lang.Class.privateGetDeclaredMethods(Class.java:2625)
[rt.jar:1.7.0_85]
at java.lang.Class.privateGetPublicMethods(Class.java:2743)
[rt.jar:1.7.0_85]
at java.lang.Class.getMethods(Class.java:1480) [rt.jar:1.7.0_85]
at
org.jboss.resteasy.spi.metadata.ResourceBuilder.fromAnnotations(ResourceBuilder.java:747)
at
org.jboss.resteasy.spi.metadata.ResourceBuilder.rootResourceFromAnnotations(ResourceBuilder.java:700)
at
org.jboss.resteasy.plugins.server.resourcefactory.POJOResourceFactory.<init>(POJOResourceFactory.java:29)
at
org.jboss.resteasy.core.ResourceMethodRegistry.addPerRequestResource(ResourceMethodRegistry.java:75)
at
org.jboss.resteasy.spi.ResteasyDeployment.registration(ResteasyDeployment.java:400)
at
org.jboss.resteasy.spi.ResteasyDeployment.start(ResteasyDeployment.java:241)
at
org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.init(ServletContainerDispatcher.java:112)
at
org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.init(HttpServletDispatcher.java:36)
at
io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:117)
at
org.wildfly.extension.undertow.security.RunAsLifecycleInterceptor.init(RunAsLifecycleInterceptor.java:79)
at
io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:103)
at
io.undertow.servlet.core.ManagedServlet$DefaultInstanceStrategy.start(ManagedServlet.java:220)
at
io.undertow.servlet.core.ManagedServlet.createServlet(ManagedServlet.java:125)
at
io.undertow.servlet.core.DeploymentManagerImpl.start(DeploymentManagerImpl.java:508)
at
org.wildfly.extension.undertow.deployment.UndertowDeploymentService.startContext(UndertowDeploymentService.java:88)
at
org.wildfly.extension.undertow.deployment.UndertowDeploymentService.start(UndertowDeploymentService.java:72)
at
org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1948)
[jboss-msc-1.2.2.Final.jar:1.2.2.Final]
at
org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1881)
[jboss-msc-1.2.2.Final.jar:1.2.2.Final]
... 3 more
10:23:31,285 ERROR [org.jboss.as.controller.management-operation]
(management-handler-thread - 1) JBAS014613: Operation ("redeploy")
failed - address: ([("deployment" => "apitime-rest.war")]) -
failure description: {"JBAS014671: Failed services" =>
{"jboss.undertow.deployment.default-server.default-host./apitime-rest"
=> "org.jboss.msc.service.StartException in service
jboss.undertow.deployment.default-server.default-host./apitime-rest:
Failed to start service
Caused by: java.lang.NoClassDefFoundError:
com/google/zxing/WriterException"}}
10:23:31,285 ERROR [org.jboss.as.server]
(management-handler-thread - 1) JBAS015860: Redeploy of deployment
"apitime-rest.war" was rolled back with the following failure
message:
{"JBAS014671: Failed services" =>
{"jboss.undertow.deployment.default-server.default-host./apitime-rest"
=> "org.jboss.msc.service.StartException in service
jboss.undertow.deployment.default-server.default-host./apitime-rest:
Failed to start service
Caused by: java.lang.NoClassDefFoundError:
com/google/zxing/WriterException"}}
I am using Wildfly 8.2.0 with Keycloak adapter 1.3.1.
Any solution?
Thanks.
Regards,
Pavel Maslov, MS
On Wed, Dec 16, 2015 at 10:51 PM, Johan B. <johan.bos(a)c6.eu
<mailto:johan.bos@c6.eu>> wrote:
You answered it. I was not familiar with the whole setting list.
My question was: does something in the ui make the setting change
or is it a manual setup?
I think you are saying it is only manual and it is fine.
It would probably best for future version to have all these extra
adapter setting avail. From admin UI so people has the
switch/checkbox or input form to make direct application change to
the json
Moreover since you have a download installation button and a json
setting viewer
Le mercredi 16 décembre 2015, Johan Bos <johan.bos(a)c6.eu
<mailto:johan.bos@c6.eu>> a écrit :
oh when you said:
use-resource-role-mappings
it is only available through the keycloak.json
Nothing from Keycloak Admin UI allows you to set the options, so have the
installation file ready with everything ?
Regards,
Johan Bos
Le 16/12/2015 16:33, Johan Bos a écrit :
> So it is one or the other.
> The switch is at realm level or per clients?
>
> As I tend to make realm role for securing the clients only
> and client/resource roles for internal client management, I
> should be fine
>
> Still It would help to have some merging/mapping so from
> client we don't have to so much rely on KeyCloak
> implementation to test roles... Issue is that realm role can
> have same name as client role. But once there is always some
> pitfall to avoid.
>
> Thanks
>
> Regards,
>
> Johan Bos
>
> Le 16/12/2015 15:45, Bill Burke a écrit :
>> See use-resource-role-mappings switch:
>>
>> If set to true, the getResourceAccess("resource-name") roles
>> will be
>> mapped into isUserInRole, otherwise getRealmAccess is mapped
>> into
>> isUserInRole
>>
>> Not the best I know. We've been meaning to add some sort of
>> role
>> mapping facility to the adapter.
>>
>> On 12/16/2015 9:17 AM, Johan Bos wrote:
>>> Why is HttpRequest.isUserInRole(<role>) not capable to
>>> return true when
>>> the role is present in the AccessToken.getRealmAccess?
>>>
>>> Regards,
>>>
>>> Johan Bos
>>>
>>> Le 16/12/2015 15:09, Bill Burke a écrit :
>>>> AccessToken.getResourceAccess or AccessToken.getRealmAccess
>>>>
>>>> On 12/16/2015 4:51 AM, Tim Dudgeon wrote:
>>>>> Its not clear to me how you get the assigned roles from
>>>>> the AccessToken.
>>>>> For instance, is the realm has configured the user to
>>>>> have roles "user"
>>>>> and "editor" how do I find these in the
AccessToken?
>>>>>
>>>>> Tim
>>>>>
>>>>> On 07/12/2015 02:53, Bill Burke wrote:
>>>>>> For Java HttpServletRequest.isUserInRole() works. If
>>>>>> you typecast the
>>>>>> principal to KeycloakPrincipal you can obtain the
>>>>>> AccessToken.
>>>>>>
>>>>>> On 12/6/2015 5:39 PM, Pavel Maslov wrote:
>>>>>>> Hi everyone,
>>>>>>>
>>>>>>>
>>>>>>> Do Keycloak adapters support user authorization? I
>>>>>>> mean, of course
>>>>>>> they
>>>>>>> do :) For example, the API I have secured with
Keycloak
>>>>>>> receives a
>>>>>>> Keycloak access token from the client. How can I
>>>>>>> validate the token
>>>>>>> (check user roles) in my code? I am interested in the
Java
>>>>>>> (wildfly) and
>>>>>>> Javascript adapters.
>>>>>>>
>>>>>>> Manually I am using jwt.io <http://jwt.io>
>>>>>>> <http://jwt.io> <http://jwt.io> to check
the token. I am
>>>>>>> just
>>>>>>> curious if the Keycloak adapters support smth
similar
>>>>>>> out of the box.
>>>>>>>
>>>>>>> Thank you for your answers.
>>>>>>>
>>>>>>>
>>>>>>> Regards,
>>>>>>> Pavel Maslov, MS
>>>>>>>
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> keycloak-user mailing list
>>>>>>> keycloak-user(a)lists.jboss.org
>>>>>>>
https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>>>>
>>>>> _______________________________________________
>>>>> keycloak-user mailing list
>>>>> keycloak-user(a)lists.jboss.org
>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>>
>>>
>>>
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user(a)lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org <mailto:keycloak-user@lists.jboss.org>
https://lists.jboss.org/mailman/listinfo/keycloak-user
4:01 a.m.
Hi Jonah,
You don't get these error if you remove the 2 code lines?
Exactly. However, once I include these 2 lines, I cannot deploy
the war
file to the Wildfly server.
I have to point out that there are no errors during build/packaging.
Regards,
Pavel Maslov, MS
On Thu, Dec 17, 2015 at 10:56 AM, Johan Bos <johan.bos(a)c6.eu> wrote:
> You don't get these error if you remove the 2 code lines?
> When deploying your apps, it is not enough to add the keycloak core
> dependency to access the keycloak principal, you also need to add all
> possible dependency the keycloak lib is relying onto.
> Basically on latest version of keycloak, I added almost
everything that
> comes in the adapter zip to my project/api dependency for runtime.
> No idea how it was dealt with in previous version. Only dealt with
> keycloak 1.6 and 1.7.
> Since you had to provide some lib to your server (mine was
tomcat 7) to
> dealt with the keycloak implantation to secure my app, as soon as I needed
> to acces keycloak token from my app code, I was required to add the libs
> the adapter for tomcat 7 is providing.
> Regards,
> Johan Bos
> Le 17/12/2015 10:39, Pavel Maslov a écrit :
> Guys, I am repeating my question here. Any ideas on this?
> I added the *org.keycloak.KeycloakPrincipal* definition in
order to get
>> the token:
> > >> KeycloakPrincipal
kcPrincipal = (KeycloakPrincipal)
>> srvl.getUserPrincipal();
>> String token = kcPrincipal.getKeycloakSecurityContext().getTokenString();
> >> but cannot deploy the project to the Wildfly server:
> >> 10:23:31,250 INFO
[org.jboss.resteasy.spi.ResteasyDeployment] (MSC
>> service thread 1-2) Deploying javax.ws.rs.core.Application: class
>> si.liis.apitime.service.ApiTimeApplication
>> 10:23:31,282 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-2)
>> MSC000001: Failed to start service
>> jboss.undertow.deployment.default-server.default-host./apitime-rest:
>> org.jboss.msc.service.StartException in service
>> jboss.undertow.deployment.default-server.default-host./apitime-rest: Failed
>> to start service
>> at
>>
org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1904)
>> [jboss-msc-1.2.2.Final.jar:1.2.2.Final]
>> at
>> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
>> [rt.jar:1.7.0_85]
>> at
>> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
>> [rt.jar:1.7.0_85]
>> at java.lang.Thread.run(Thread.java:745) [rt.jar:1.7.0_85]
>> Caused by: java.lang.NoClassDefFoundError:
>> com/google/zxing/WriterException
>> at java.lang.Class.getDeclaredMethods0(Native Method) [rt.jar:1.7.0_85]
>> at java.lang.Class.privateGetDeclaredMethods(Class.java:2625)
>> [rt.jar:1.7.0_85]
>> at java.lang.Class.privateGetPublicMethods(Class.java:2743)
>> [rt.jar:1.7.0_85]
>> at java.lang.Class.getMethods(Class.java:1480) [rt.jar:1.7.0_85]
>> at
>>
org.jboss.resteasy.spi.metadata.ResourceBuilder.fromAnnotations(ResourceBuilder.java:747)
>> at
>>
org.jboss.resteasy.spi.metadata.ResourceBuilder.rootResourceFromAnnotations(ResourceBuilder.java:700)
>> at
>>
org.jboss.resteasy.plugins.server.resourcefactory.POJOResourceFactory.<init>(POJOResourceFactory.java:29)
>> at
>>
org.jboss.resteasy.core.ResourceMethodRegistry.addPerRequestResource(ResourceMethodRegistry.java:75)
>> at
>>
org.jboss.resteasy.spi.ResteasyDeployment.registration(ResteasyDeployment.java:400)
>> at
>> org.jboss.resteasy.spi.ResteasyDeployment.start(ResteasyDeployment.java:241)
>> at
>>
org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.init(ServletContainerDispatcher.java:112)
>> at
>>
org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.init(HttpServletDispatcher.java:36)
>> at
>>
io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:117)
>> at
>>
org.wildfly.extension.undertow.security.RunAsLifecycleInterceptor.init(RunAsLifecycleInterceptor.java:79)
>> at
>>
io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:103)
>> at
>>
io.undertow.servlet.core.ManagedServlet$DefaultInstanceStrategy.start(ManagedServlet.java:220)
>> at
>> io.undertow.servlet.core.ManagedServlet.createServlet(ManagedServlet.java:125)
>> at
>>
io.undertow.servlet.core.DeploymentManagerImpl.start(DeploymentManagerImpl.java:508)
>> at
>>
org.wildfly.extension.undertow.deployment.UndertowDeploymentService.startContext(UndertowDeploymentService.java:88)
>> at
>>
org.wildfly.extension.undertow.deployment.UndertowDeploymentService.start(UndertowDeploymentService.java:72)
>> at
>>
org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1948)
>> [jboss-msc-1.2.2.Final.jar:1.2.2.Final]
>> at
>>
org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1881)
>> [jboss-msc-1.2.2.Final.jar:1.2.2.Final]
>> ... 3 more
> >> 10:23:31,285 ERROR
[org.jboss.as.controller.management-operation]
>> (management-handler-thread - 1) JBAS014613: Operation ("redeploy")
failed -
>> address: ([("deployment" => "apitime-rest.war")]) -
failure description:
>> {"JBAS014671: Failed services" = >>
{"jboss.undertow.deployment.default-server.default-host./apitime-rest" = >> "org.jboss.msc.service.StartException in service
>> jboss.undertow.deployment.default-server.default-host./apitime-rest: Failed
>> to start service
>> Caused by: java.lang.NoClassDefFoundError:
>> com/google/zxing/WriterException"}}
>> 10:23:31,285 ERROR [org.jboss.as.server] (management-handler-thread - 1)
>> JBAS015860: Redeploy of deployment "apitime-rest.war" was rolled back
with
>> the following failure message:
>> {"JBAS014671: Failed services" = >>
{"jboss.undertow.deployment.default-server.default-host./apitime-rest" = >> "org.jboss.msc.service.StartException in service
>> jboss.undertow.deployment.default-server.default-host./apitime-rest: Failed
>> to start service
>> Caused by: java.lang.NoClassDefFoundError:
>> com/google/zxing/WriterException"}}
> > > >>
I am using Wildfly 8.2.0 with Keycloak adapter 1.3.1.
>> Any solution?
>> Thanks.
> > > Regards,
> Pavel Maslov, MS
> On Wed, Dec 16, 2015 at 10:51 PM, Johan B.
<johan.bos(a)c6.eu> wrote:
>> You answered it. I was not familiar with the whole
setting list. My
>> question was: does something in the ui make the setting change or is it a
>> manual setup?
>> I think you are saying it is only manual and it is fine.
>> It would probably best for future version to have all these extra adapter
>> setting avail. From admin UI so people has the switch/checkbox or input
>> form to make direct application change to the json
>> Moreover since you have a download installation button and a json setting
>> viewer
> >> Le mercredi 16 décembre 2015, Johan Bos <
<johan.bos(a)c6.eu >> johan.bos(a)c6.eu> a écrit
:
> >>> oh when you said:
>> >>>
use-resource-role-mappings
>> >>> it is only available
through the keycloak.json
>> >>> Nothing from Keycloak
Admin UI allows you to set the options, so have the installation file ready with
everything ?
>> >>> Regards,
>> >>> Johan Bos
>> >>> Le 16/12/2015 16:33,
Johan Bos a écrit :
>> >>> So it is one or the
other.
>>> The switch is at realm level or per clients?
>> >>> As I tend to make realm
role for securing the clients only and
>>> client/resource roles for internal client management, I should be fine
>> >>> Still It would help to
have some merging/mapping so from client we don't
>>> have to so much rely on KeyCloak implementation to test roles... Issue is
>>> that realm role can have same name as client role. But once there is always
>>> some pitfall to avoid.
>> >>> Thanks
>> >>> Regards,
>> >>> Johan Bos
>> >>> Le 16/12/2015 15:45,
Bill Burke a écrit :
>> >>> See
use-resource-role-mappings switch:
>> >>> If set to true, the
getResourceAccess("resource-name") roles will be
>>> mapped into isUserInRole, otherwise getRealmAccess is mapped into
>>> isUserInRole
>> >>> Not the best I know.
We've been meaning to add some sort of role
>>> mapping facility to the adapter.
>> >>> On 12/16/2015 9:17 AM,
Johan Bos wrote:
>> >>> Why is
HttpRequest.isUserInRole(<role>) not capable to return true when
>>> the role is present in the AccessToken.getRealmAccess?
>> >>> Regards,
>> >>> Johan Bos
>> >>> Le 16/12/2015 15:09,
Bill Burke a écrit :
>> >>>
AccessToken.getResourceAccess or AccessToken.getRealmAccess
>> >>> On 12/16/2015 4:51 AM,
Tim Dudgeon wrote:
>> >>> Its not clear to me how
you get the assigned roles from the AccessToken.
>>> For instance, is the realm has configured the user to have roles
"user"
>>> and "editor" how do I find these in the AccessToken?
>> >>> Tim
>> >>> On 07/12/2015 02:53,
Bill Burke wrote:
>> >>> For Java
HttpServletRequest.isUserInRole() works. If you typecast the
>>> principal to KeycloakPrincipal you can obtain the AccessToken.
>> >>> On 12/6/2015 5:39 PM,
Pavel Maslov wrote:
>> >>> Hi everyone,
>> >> >>> Do Keycloak adapters support user authorization? I
mean, of course
>>> they
>>> do :) For example, the API I have secured with Keycloak receives a
>>> Keycloak access token from the client. How can I validate the token
>>> (check user roles) in my code? I am interested in the Java
>>> (wildfly) and
>>> Javascript adapters.
>> >>> Manually I am using
jwt.io <http://jwt.io><http://jwt.io
>>> <http://jwt.io> to check the token. I am
>>> just
>>> curious if the Keycloak adapters support smth similar out of the box.
>> >>> Thank you for your
answers.
>> >> >>> Regards,
>>> Pavel Maslov, MS
>> >> >>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user(a)lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>> >>>
_______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user(a)lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>> >> >>
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user(a)lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>> >> >>
>> >>>
_______________________________________________
>>> keycloak-user mailing
listkeycloak-user@lists.jboss.orghttps://lists.jboss.org/mailman/listinfo/keycloak-user
>> >> >> >>
_______________________________________________
>> keycloak-user mailing list
>> keycloak-user(a)lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
4:33 a.m.
If you are using WildFly you should install the client adapter subsystem
(see the docs for instructions). That way you don't have to add any
dependencies into your WAR.
On 17 December 2015 at 11:01, Pavel Maslov <pavel.masloff(a)gmail.com> wrote:
Hi Jonah,
You don't get these error if you remove the 2 code lines?
>
Exactly. However, once I include these 2 lines, I cannot deploy the war
file to the Wildfly server.
I have to point out that there are no errors during build/packaging.
Regards,
Pavel Maslov, MS
On Thu, Dec 17, 2015 at 10:56 AM, Johan Bos <johan.bos(a)c6.eu> wrote:
> You don't get these error if you remove the 2 code lines?
> When deploying your apps, it is not enough to add the keycloak core
> dependency to access the keycloak principal, you also need to add all
> possible dependency the keycloak lib is relying onto.
>
> Basically on latest version of keycloak, I added almost everything that
> comes in the adapter zip to my project/api dependency for runtime.
> No idea how it was dealt with in previous version. Only dealt with
> keycloak 1.6 and 1.7.
>
> Since you had to provide some lib to your server (mine was tomcat 7) to
> dealt with the keycloak implantation to secure my app, as soon as I needed
> to acces keycloak token from my app code, I was required to add the libs
> the adapter for tomcat 7 is providing.
>
> Regards,
>
> Johan Bos
>
> Le 17/12/2015 10:39, Pavel Maslov a écrit :
>
> Guys, I am repeating my question here. Any ideas on this?
>
> I added the *org.keycloak.KeycloakPrincipal* definition in order to get
>> the token:
>>
>>
>> KeycloakPrincipal kcPrincipal = (KeycloakPrincipal)
>> srvl.getUserPrincipal();
>> String token = kcPrincipal.getKeycloakSecurityContext().getTokenString();
>>
>> but cannot deploy the project to the Wildfly server:
>>
>> 10:23:31,250 INFO [org.jboss.resteasy.spi.ResteasyDeployment] (MSC
>> service thread 1-2) Deploying javax.ws.rs.core.Application: class
>> si.liis.apitime.service.ApiTimeApplication
>> 10:23:31,282 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-2)
>> MSC000001: Failed to start service
>> jboss.undertow.deployment.default-server.default-host./apitime-rest:
>> org.jboss.msc.service.StartException in service
>> jboss.undertow.deployment.default-server.default-host./apitime-rest: Failed
>> to start service
>> at
>>
org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1904)
>> [jboss-msc-1.2.2.Final.jar:1.2.2.Final]
>> at
>> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
>> [rt.jar:1.7.0_85]
>> at
>> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
>> [rt.jar:1.7.0_85]
>> at java.lang.Thread.run(Thread.java:745) [rt.jar:1.7.0_85]
>> Caused by: java.lang.NoClassDefFoundError:
>> com/google/zxing/WriterException
>> at java.lang.Class.getDeclaredMethods0(Native Method) [rt.jar:1.7.0_85]
>> at java.lang.Class.privateGetDeclaredMethods(Class.java:2625)
>> [rt.jar:1.7.0_85]
>> at java.lang.Class.privateGetPublicMethods(Class.java:2743)
>> [rt.jar:1.7.0_85]
>> at java.lang.Class.getMethods(Class.java:1480) [rt.jar:1.7.0_85]
>> at
>>
org.jboss.resteasy.spi.metadata.ResourceBuilder.fromAnnotations(ResourceBuilder.java:747)
>> at
>>
org.jboss.resteasy.spi.metadata.ResourceBuilder.rootResourceFromAnnotations(ResourceBuilder.java:700)
>> at
>>
org.jboss.resteasy.plugins.server.resourcefactory.POJOResourceFactory.<init>(POJOResourceFactory.java:29)
>> at
>>
org.jboss.resteasy.core.ResourceMethodRegistry.addPerRequestResource(ResourceMethodRegistry.java:75)
>> at
>>
org.jboss.resteasy.spi.ResteasyDeployment.registration(ResteasyDeployment.java:400)
>> at
>> org.jboss.resteasy.spi.ResteasyDeployment.start(ResteasyDeployment.java:241)
>> at
>>
org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.init(ServletContainerDispatcher.java:112)
>> at
>>
org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.init(HttpServletDispatcher.java:36)
>> at
>>
io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:117)
>> at
>>
org.wildfly.extension.undertow.security.RunAsLifecycleInterceptor.init(RunAsLifecycleInterceptor.java:79)
>> at
>>
io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:103)
>> at
>>
io.undertow.servlet.core.ManagedServlet$DefaultInstanceStrategy.start(ManagedServlet.java:220)
>> at
>> io.undertow.servlet.core.ManagedServlet.createServlet(ManagedServlet.java:125)
>> at
>>
io.undertow.servlet.core.DeploymentManagerImpl.start(DeploymentManagerImpl.java:508)
>> at
>>
org.wildfly.extension.undertow.deployment.UndertowDeploymentService.startContext(UndertowDeploymentService.java:88)
>> at
>>
org.wildfly.extension.undertow.deployment.UndertowDeploymentService.start(UndertowDeploymentService.java:72)
>> at
>>
org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1948)
>> [jboss-msc-1.2.2.Final.jar:1.2.2.Final]
>> at
>>
org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1881)
>> [jboss-msc-1.2.2.Final.jar:1.2.2.Final]
>> ... 3 more
>>
>> 10:23:31,285 ERROR [org.jboss.as.controller.management-operation]
>> (management-handler-thread - 1) JBAS014613: Operation ("redeploy")
failed -
>> address: ([("deployment" => "apitime-rest.war")]) -
failure description:
>> {"JBAS014671: Failed services" =>
>> {"jboss.undertow.deployment.default-server.default-host./apitime-rest"
=>
>> "org.jboss.msc.service.StartException in service
>> jboss.undertow.deployment.default-server.default-host./apitime-rest: Failed
>> to start service
>> Caused by: java.lang.NoClassDefFoundError:
>> com/google/zxing/WriterException"}}
>> 10:23:31,285 ERROR [org.jboss.as.server] (management-handler-thread - 1)
>> JBAS015860: Redeploy of deployment "apitime-rest.war" was rolled back
with
>> the following failure message:
>> {"JBAS014671: Failed services" =>
>> {"jboss.undertow.deployment.default-server.default-host./apitime-rest"
=>
>> "org.jboss.msc.service.StartException in service
>> jboss.undertow.deployment.default-server.default-host./apitime-rest: Failed
>> to start service
>> Caused by: java.lang.NoClassDefFoundError:
>> com/google/zxing/WriterException"}}
>>
>>
>>
>> I am using Wildfly 8.2.0 with Keycloak adapter 1.3.1.
>> Any solution?
>> Thanks.
>>
>>
> Regards,
> Pavel Maslov, MS
>
> On Wed, Dec 16, 2015 at 10:51 PM, Johan B. <johan.bos(a)c6.eu> wrote:
>
>> You answered it. I was not familiar with the whole setting list. My
>> question was: does something in the ui make the setting change or is it a
>> manual setup?
>> I think you are saying it is only manual and it is fine.
>> It would probably best for future version to have all these extra
>> adapter setting avail. From admin UI so people has the switch/checkbox or
>> input form to make direct application change to the json
>> Moreover since you have a download installation button and a json
>> setting viewer
>>
>> Le mercredi 16 décembre 2015, Johan Bos < <johan.bos(a)c6.eu>
>> johan.bos(a)c6.eu> a écrit :
>>
>>> oh when you said:
>>>
>>> use-resource-role-mappings
>>>
>>> it is only available through the keycloak.json
>>>
>>> Nothing from Keycloak Admin UI allows you to set the options, so have the
installation file ready with everything ?
>>>
>>> Regards,
>>>
>>> Johan Bos
>>>
>>> Le 16/12/2015 16:33, Johan Bos a écrit :
>>>
>>> So it is one or the other.
>>> The switch is at realm level or per clients?
>>>
>>> As I tend to make realm role for securing the clients only and
>>> client/resource roles for internal client management, I should be fine
>>>
>>> Still It would help to have some merging/mapping so from client we
>>> don't have to so much rely on KeyCloak implementation to test roles...
>>> Issue is that realm role can have same name as client role. But once there
>>> is always some pitfall to avoid.
>>>
>>> Thanks
>>>
>>> Regards,
>>>
>>> Johan Bos
>>>
>>> Le 16/12/2015 15:45, Bill Burke a écrit :
>>>
>>> See use-resource-role-mappings switch:
>>>
>>> If set to true, the getResourceAccess("resource-name") roles will
be
>>> mapped into isUserInRole, otherwise getRealmAccess is mapped into
>>> isUserInRole
>>>
>>> Not the best I know. We've been meaning to add some sort of role
>>> mapping facility to the adapter.
>>>
>>> On 12/16/2015 9:17 AM, Johan Bos wrote:
>>>
>>> Why is HttpRequest.isUserInRole(<role>) not capable to return true
when
>>> the role is present in the AccessToken.getRealmAccess?
>>>
>>> Regards,
>>>
>>> Johan Bos
>>>
>>> Le 16/12/2015 15:09, Bill Burke a écrit :
>>>
>>> AccessToken.getResourceAccess or AccessToken.getRealmAccess
>>>
>>> On 12/16/2015 4:51 AM, Tim Dudgeon wrote:
>>>
>>> Its not clear to me how you get the assigned roles from the
>>> AccessToken.
>>> For instance, is the realm has configured the user to have roles
"user"
>>> and "editor" how do I find these in the AccessToken?
>>>
>>> Tim
>>>
>>> On 07/12/2015 02:53, Bill Burke wrote:
>>>
>>> For Java HttpServletRequest.isUserInRole() works. If you typecast the
>>> principal to KeycloakPrincipal you can obtain the AccessToken.
>>>
>>> On 12/6/2015 5:39 PM, Pavel Maslov wrote:
>>>
>>> Hi everyone,
>>>
>>>
>>> Do Keycloak adapters support user authorization? I mean, of course
>>> they
>>> do :) For example, the API I have secured with Keycloak receives a
>>> Keycloak access token from the client. How can I validate the token
>>> (check user roles) in my code? I am interested in the Java
>>> (wildfly) and
>>> Javascript adapters.
>>>
>>> Manually I am using jwt.io <http://jwt.io><http://jwt.io>
>>> <http://jwt.io> to check the token. I am
>>> just
>>> curious if the Keycloak adapters support smth similar out of the box.
>>>
>>> Thank you for your answers.
>>>
>>>
>>> Regards,
>>> Pavel Maslov, MS
>>>
>>>
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user(a)lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user(a)lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>>>
>>>
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user(a)lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>>>
>>>
>>>
>>> _______________________________________________
>>> keycloak-user mailing
listkeycloak-user@lists.jboss.orghttps://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>>>
>>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user(a)lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>
>
>
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
4:33 a.m.
From the stack trace you added earlier it looks like you've added
some
dependencies to your WAR you shouldn't add.
On 17 December 2015 at 11:33, Stian Thorgersen <sthorger(a)redhat.com> wrote:
If you are using WildFly you should install the client adapter
subsystem
(see the docs for instructions). That way you don't have to add any
dependencies into your WAR.
On 17 December 2015 at 11:01, Pavel Maslov <pavel.masloff(a)gmail.com>
wrote:
> Hi Jonah,
>
> You don't get these error if you remove the 2 code lines?
>>
> Exactly. However, once I include these 2 lines, I cannot deploy the war
> file to the Wildfly server.
>
> I have to point out that there are no errors during build/packaging.
>
> Regards,
> Pavel Maslov, MS
>
> On Thu, Dec 17, 2015 at 10:56 AM, Johan Bos <johan.bos(a)c6.eu> wrote:
>
>> You don't get these error if you remove the 2 code lines?
>> When deploying your apps, it is not enough to add the keycloak core
>> dependency to access the keycloak principal, you also need to add all
>> possible dependency the keycloak lib is relying onto.
>>
>> Basically on latest version of keycloak, I added almost everything that
>> comes in the adapter zip to my project/api dependency for runtime.
>> No idea how it was dealt with in previous version. Only dealt with
>> keycloak 1.6 and 1.7.
>>
>> Since you had to provide some lib to your server (mine was tomcat 7) to
>> dealt with the keycloak implantation to secure my app, as soon as I needed
>> to acces keycloak token from my app code, I was required to add the libs
>> the adapter for tomcat 7 is providing.
>>
>> Regards,
>>
>> Johan Bos
>>
>> Le 17/12/2015 10:39, Pavel Maslov a écrit :
>>
>> Guys, I am repeating my question here. Any ideas on this?
>>
>> I added the *org.keycloak.KeycloakPrincipal* definition in order to get
>>> the token:
>>>
>>>
>>> KeycloakPrincipal kcPrincipal = (KeycloakPrincipal)
>>> srvl.getUserPrincipal();
>>> String token =
>>> kcPrincipal.getKeycloakSecurityContext().getTokenString();
>>>
>>> but cannot deploy the project to the Wildfly server:
>>>
>>> 10:23:31,250 INFO [org.jboss.resteasy.spi.ResteasyDeployment] (MSC
>>> service thread 1-2) Deploying javax.ws.rs.core.Application: class
>>> si.liis.apitime.service.ApiTimeApplication
>>> 10:23:31,282 ERROR [org.jboss.msc.service.fail] (MSC service thread
>>> 1-2) MSC000001: Failed to start service
>>> jboss.undertow.deployment.default-server.default-host./apitime-rest:
>>> org.jboss.msc.service.StartException in service
>>> jboss.undertow.deployment.default-server.default-host./apitime-rest: Failed
>>> to start service
>>> at
>>>
org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1904)
>>> [jboss-msc-1.2.2.Final.jar:1.2.2.Final]
>>> at
>>>
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
>>> [rt.jar:1.7.0_85]
>>> at
>>>
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
>>> [rt.jar:1.7.0_85]
>>> at java.lang.Thread.run(Thread.java:745) [rt.jar:1.7.0_85]
>>> Caused by: java.lang.NoClassDefFoundError:
>>> com/google/zxing/WriterException
>>> at java.lang.Class.getDeclaredMethods0(Native Method) [rt.jar:1.7.0_85]
>>> at java.lang.Class.privateGetDeclaredMethods(Class.java:2625)
>>> [rt.jar:1.7.0_85]
>>> at java.lang.Class.privateGetPublicMethods(Class.java:2743)
>>> [rt.jar:1.7.0_85]
>>> at java.lang.Class.getMethods(Class.java:1480) [rt.jar:1.7.0_85]
>>> at
>>>
org.jboss.resteasy.spi.metadata.ResourceBuilder.fromAnnotations(ResourceBuilder.java:747)
>>> at
>>>
org.jboss.resteasy.spi.metadata.ResourceBuilder.rootResourceFromAnnotations(ResourceBuilder.java:700)
>>> at
>>>
org.jboss.resteasy.plugins.server.resourcefactory.POJOResourceFactory.<init>(POJOResourceFactory.java:29)
>>> at
>>>
org.jboss.resteasy.core.ResourceMethodRegistry.addPerRequestResource(ResourceMethodRegistry.java:75)
>>> at
>>>
org.jboss.resteasy.spi.ResteasyDeployment.registration(ResteasyDeployment.java:400)
>>> at
>>> org.jboss.resteasy.spi.ResteasyDeployment.start(ResteasyDeployment.java:241)
>>> at
>>>
org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.init(ServletContainerDispatcher.java:112)
>>> at
>>>
org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.init(HttpServletDispatcher.java:36)
>>> at
>>>
io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:117)
>>> at
>>>
org.wildfly.extension.undertow.security.RunAsLifecycleInterceptor.init(RunAsLifecycleInterceptor.java:79)
>>> at
>>>
io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:103)
>>> at
>>>
io.undertow.servlet.core.ManagedServlet$DefaultInstanceStrategy.start(ManagedServlet.java:220)
>>> at
>>>
io.undertow.servlet.core.ManagedServlet.createServlet(ManagedServlet.java:125)
>>> at
>>>
io.undertow.servlet.core.DeploymentManagerImpl.start(DeploymentManagerImpl.java:508)
>>> at
>>>
org.wildfly.extension.undertow.deployment.UndertowDeploymentService.startContext(UndertowDeploymentService.java:88)
>>> at
>>>
org.wildfly.extension.undertow.deployment.UndertowDeploymentService.start(UndertowDeploymentService.java:72)
>>> at
>>>
org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1948)
>>> [jboss-msc-1.2.2.Final.jar:1.2.2.Final]
>>> at
>>>
org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1881)
>>> [jboss-msc-1.2.2.Final.jar:1.2.2.Final]
>>> ... 3 more
>>>
>>> 10:23:31,285 ERROR [org.jboss.as.controller.management-operation]
>>> (management-handler-thread - 1) JBAS014613: Operation ("redeploy")
failed -
>>> address: ([("deployment" => "apitime-rest.war")]) -
failure description:
>>> {"JBAS014671: Failed services" =>
>>>
{"jboss.undertow.deployment.default-server.default-host./apitime-rest" =>
>>> "org.jboss.msc.service.StartException in service
>>> jboss.undertow.deployment.default-server.default-host./apitime-rest: Failed
>>> to start service
>>> Caused by: java.lang.NoClassDefFoundError:
>>> com/google/zxing/WriterException"}}
>>> 10:23:31,285 ERROR [org.jboss.as.server] (management-handler-thread -
>>> 1) JBAS015860: Redeploy of deployment "apitime-rest.war" was rolled
back
>>> with the following failure message:
>>> {"JBAS014671: Failed services" =>
>>>
{"jboss.undertow.deployment.default-server.default-host./apitime-rest" =>
>>> "org.jboss.msc.service.StartException in service
>>> jboss.undertow.deployment.default-server.default-host./apitime-rest: Failed
>>> to start service
>>> Caused by: java.lang.NoClassDefFoundError:
>>> com/google/zxing/WriterException"}}
>>>
>>>
>>>
>>> I am using Wildfly 8.2.0 with Keycloak adapter 1.3.1.
>>> Any solution?
>>> Thanks.
>>>
>>>
>> Regards,
>> Pavel Maslov, MS
>>
>> On Wed, Dec 16, 2015 at 10:51 PM, Johan B. <johan.bos(a)c6.eu> wrote:
>>
>>> You answered it. I was not familiar with the whole setting list. My
>>> question was: does something in the ui make the setting change or is it a
>>> manual setup?
>>> I think you are saying it is only manual and it is fine.
>>> It would probably best for future version to have all these extra
>>> adapter setting avail. From admin UI so people has the switch/checkbox or
>>> input form to make direct application change to the json
>>> Moreover since you have a download installation button and a json
>>> setting viewer
>>>
>>> Le mercredi 16 décembre 2015, Johan Bos < <johan.bos(a)c6.eu>
>>> johan.bos(a)c6.eu> a écrit :
>>>
>>>> oh when you said:
>>>>
>>>> use-resource-role-mappings
>>>>
>>>> it is only available through the keycloak.json
>>>>
>>>> Nothing from Keycloak Admin UI allows you to set the options, so have the
installation file ready with everything ?
>>>>
>>>> Regards,
>>>>
>>>> Johan Bos
>>>>
>>>> Le 16/12/2015 16:33, Johan Bos a écrit :
>>>>
>>>> So it is one or the other.
>>>> The switch is at realm level or per clients?
>>>>
>>>> As I tend to make realm role for securing the clients only and
>>>> client/resource roles for internal client management, I should be fine
>>>>
>>>> Still It would help to have some merging/mapping so from client we
>>>> don't have to so much rely on KeyCloak implementation to test
roles...
>>>> Issue is that realm role can have same name as client role. But once
there
>>>> is always some pitfall to avoid.
>>>>
>>>> Thanks
>>>>
>>>> Regards,
>>>>
>>>> Johan Bos
>>>>
>>>> Le 16/12/2015 15:45, Bill Burke a écrit :
>>>>
>>>> See use-resource-role-mappings switch:
>>>>
>>>> If set to true, the getResourceAccess("resource-name") roles
will be
>>>> mapped into isUserInRole, otherwise getRealmAccess is mapped into
>>>> isUserInRole
>>>>
>>>> Not the best I know. We've been meaning to add some sort of role
>>>> mapping facility to the adapter.
>>>>
>>>> On 12/16/2015 9:17 AM, Johan Bos wrote:
>>>>
>>>> Why is HttpRequest.isUserInRole(<role>) not capable to return true
>>>> when
>>>> the role is present in the AccessToken.getRealmAccess?
>>>>
>>>> Regards,
>>>>
>>>> Johan Bos
>>>>
>>>> Le 16/12/2015 15:09, Bill Burke a écrit :
>>>>
>>>> AccessToken.getResourceAccess or AccessToken.getRealmAccess
>>>>
>>>> On 12/16/2015 4:51 AM, Tim Dudgeon wrote:
>>>>
>>>> Its not clear to me how you get the assigned roles from the
>>>> AccessToken.
>>>> For instance, is the realm has configured the user to have roles
>>>> "user"
>>>> and "editor" how do I find these in the AccessToken?
>>>>
>>>> Tim
>>>>
>>>> On 07/12/2015 02:53, Bill Burke wrote:
>>>>
>>>> For Java HttpServletRequest.isUserInRole() works. If you typecast the
>>>> principal to KeycloakPrincipal you can obtain the AccessToken.
>>>>
>>>> On 12/6/2015 5:39 PM, Pavel Maslov wrote:
>>>>
>>>> Hi everyone,
>>>>
>>>>
>>>> Do Keycloak adapters support user authorization? I mean, of course
>>>> they
>>>> do :) For example, the API I have secured with Keycloak receives a
>>>> Keycloak access token from the client. How can I validate the token
>>>> (check user roles) in my code? I am interested in the Java
>>>> (wildfly) and
>>>> Javascript adapters.
>>>>
>>>> Manually I am using jwt.io <http://jwt.io><http://jwt.io>
>>>> <http://jwt.io> to check the token. I am
>>>> just
>>>> curious if the Keycloak adapters support smth similar out of the box.
>>>>
>>>> Thank you for your answers.
>>>>
>>>>
>>>> Regards,
>>>> Pavel Maslov, MS
>>>>
>>>>
>>>> _______________________________________________
>>>> keycloak-user mailing list
>>>> keycloak-user(a)lists.jboss.org
>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>
>>>> _______________________________________________
>>>> keycloak-user mailing list
>>>> keycloak-user(a)lists.jboss.org
>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>
>>>>
>>>>
>>>> _______________________________________________
>>>> keycloak-user mailing list
>>>> keycloak-user(a)lists.jboss.org
>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>
>>>>
>>>>
>>>>
>>>> _______________________________________________
>>>> keycloak-user mailing
listkeycloak-user@lists.jboss.orghttps://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>
>>>>
>>>>
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user(a)lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>>
>>
>>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
4:41 a.m.
I had the same issue when deploying in eclipse IDE my webapp.
Even if my runtime env. Tomcat 7 had the adapters for keycloak well
installed into the lib folder, It was detecting it.
But as soon as I needed to make reference to keycloak principal in my
project and wanted to debug it (inspect what the info in token I could
used), I got runtime invocation exception.
I solved it by editing the runtime tomcat classpath from eclipse and add
the needed adapter jars, but not all.
Like you said, some are used by the app server during init that should
not be part of the runtime dep. otherwise you can also get
NoClassDefFound on something you don't need.
Regards,
Johan Bos
Le 17/12/2015 11:33, Stian Thorgersen a écrit :
From the stack trace you added earlier it looks like you've added
some
dependencies to your WAR you shouldn't add.
On 17 December 2015 at 11:33, Stian Thorgersen <sthorger(a)redhat.com
<mailto:sthorger@redhat.com>> wrote:
If you are using WildFly you should install the client adapter
subsystem (see the docs for instructions). That way you don't have
to add any dependencies into your WAR.
On 17 December 2015 at 11:01, Pavel Maslov
<pavel.masloff(a)gmail.com <mailto:pavel.masloff@gmail.com>> wrote:
Hi Jonah,
You don't get these error if you remove the 2 code lines?
Exactly. However, once I include these 2 lines, I cannot
deploy the war file to the Wildfly server.
I have to point out that there are no errors during
build/packaging.
Regards,
Pavel Maslov, MS
On Thu, Dec 17, 2015 at 10:56 AM, Johan Bos <johan.bos(a)c6.eu
<mailto:johan.bos@c6.eu>> wrote:
You don't get these error if you remove the 2 code lines?
When deploying your apps, it is not enough to add the
keycloak core dependency to access the keycloak principal,
you also need to add all possible dependency the keycloak
lib is relying onto.
Basically on latest version of keycloak, I added almost
everything that comes in the adapter zip to my project/api
dependency for runtime.
No idea how it was dealt with in previous version. Only
dealt with keycloak 1.6 and 1.7.
Since you had to provide some lib to your server (mine was
tomcat 7) to dealt with the keycloak implantation to
secure my app, as soon as I needed to acces keycloak token
from my app code, I was required to add the libs the
adapter for tomcat 7 is providing.
Regards,
Johan Bos
Le 17/12/2015 10:39, Pavel Maslov a écrit :
> Guys, I am repeating my question here. Any ideas on this?
>
> I added the
> *org.keycloak.KeycloakPrincipal* definition in order
> to get the token:
>
>
> KeycloakPrincipal kcPrincipal = (KeycloakPrincipal)
> srvl.getUserPrincipal();
> String token =
> kcPrincipal.getKeycloakSecurityContext().getTokenString();
>
> but cannot deploy the project to the Wildfly server:
>
> 10:23:31,250 INFO
> [org.jboss.resteasy.spi.ResteasyDeployment] (MSC
> service thread 1-2) Deploying
> javax.ws.rs.core.Application: class
> si.liis.apitime.service.ApiTimeApplication
> 10:23:31,282 ERROR [org.jboss.msc.service.fail] (MSC
> service thread 1-2) MSC000001: Failed to start
> service
> jboss.undertow.deployment.default-server.default-host./apitime-rest:
> org.jboss.msc.service.StartException in service
> jboss.undertow.deployment.default-server.default-host./apitime-rest:
> Failed to start service
> at
>
org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1904)
> [jboss-msc-1.2.2.Final.jar:1.2.2.Final]
> at
>
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
> [rt.jar:1.7.0_85]
> at
>
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
> [rt.jar:1.7.0_85]
> at java.lang.Thread.run(Thread.java:745)
> [rt.jar:1.7.0_85]
> Caused by: java.lang.NoClassDefFoundError:
> com/google/zxing/WriterException
> at java.lang.Class.getDeclaredMethods0(Native Method)
> [rt.jar:1.7.0_85]
> at
> java.lang.Class.privateGetDeclaredMethods(Class.java:2625)
> [rt.jar:1.7.0_85]
> at
> java.lang.Class.privateGetPublicMethods(Class.java:2743)
> [rt.jar:1.7.0_85]
> at java.lang.Class.getMethods(Class.java:1480)
> [rt.jar:1.7.0_85]
> at
>
org.jboss.resteasy.spi.metadata.ResourceBuilder.fromAnnotations(ResourceBuilder.java:747)
> at
>
org.jboss.resteasy.spi.metadata.ResourceBuilder.rootResourceFromAnnotations(ResourceBuilder.java:700)
> at
>
org.jboss.resteasy.plugins.server.resourcefactory.POJOResourceFactory.<init>(POJOResourceFactory.java:29)
> at
>
org.jboss.resteasy.core.ResourceMethodRegistry.addPerRequestResource(ResourceMethodRegistry.java:75)
> at
>
org.jboss.resteasy.spi.ResteasyDeployment.registration(ResteasyDeployment.java:400)
> at
>
org.jboss.resteasy.spi.ResteasyDeployment.start(ResteasyDeployment.java:241)
> at
>
org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.init(ServletContainerDispatcher.java:112)
> at
>
org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.init(HttpServletDispatcher.java:36)
> at
>
io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:117)
> at
>
org.wildfly.extension.undertow.security.RunAsLifecycleInterceptor.init(RunAsLifecycleInterceptor.java:79)
> at
>
io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:103)
> at
>
io.undertow.servlet.core.ManagedServlet$DefaultInstanceStrategy.start(ManagedServlet.java:220)
> at
>
io.undertow.servlet.core.ManagedServlet.createServlet(ManagedServlet.java:125)
> at
>
io.undertow.servlet.core.DeploymentManagerImpl.start(DeploymentManagerImpl.java:508)
> at
>
org.wildfly.extension.undertow.deployment.UndertowDeploymentService.startContext(UndertowDeploymentService.java:88)
> at
>
org.wildfly.extension.undertow.deployment.UndertowDeploymentService.start(UndertowDeploymentService.java:72)
> at
>
org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1948)
> [jboss-msc-1.2.2.Final.jar:1.2.2.Final]
> at
>
org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1881)
> [jboss-msc-1.2.2.Final.jar:1.2.2.Final]
> ... 3 more
>
> 10:23:31,285 ERROR
> [org.jboss.as.controller.management-operation]
> (management-handler-thread - 1) JBAS014613: Operation
> ("redeploy") failed - address: ([("deployment"
=>
> "apitime-rest.war")]) - failure description:
> {"JBAS014671: Failed services" =>
>
{"jboss.undertow.deployment.default-server.default-host./apitime-rest"
> => "org.jboss.msc.service.StartException in service
> jboss.undertow.deployment.default-server.default-host./apitime-rest:
> Failed to start service
> Caused by: java.lang.NoClassDefFoundError:
> com/google/zxing/WriterException"}}
> 10:23:31,285 ERROR [org.jboss.as.server]
> (management-handler-thread - 1) JBAS015860: Redeploy
> of deployment "apitime-rest.war" was rolled back with
> the following failure message:
> {"JBAS014671: Failed services" =>
>
{"jboss.undertow.deployment.default-server.default-host./apitime-rest"
> => "org.jboss.msc.service.StartException in service
> jboss.undertow.deployment.default-server.default-host./apitime-rest:
> Failed to start service
> Caused by: java.lang.NoClassDefFoundError:
> com/google/zxing/WriterException"}}
>
>
> I am using Wildfly 8.2.0 with Keycloak adapter 1.3.1.
> Any solution?
> Thanks.
>
>
> Regards,
> Pavel Maslov, MS
>
> On Wed, Dec 16, 2015 at 10:51 PM, Johan B.
> <johan.bos(a)c6.eu <mailto:johan.bos@c6.eu>> wrote:
>
> You answered it. I was not familiar with the whole
> setting list. My question was: does something in the
> ui make the setting change or is it a manual setup?
> I think you are saying it is only manual and it is fine.
> It would probably best for future version to have all
> these extra adapter setting avail. From admin UI so
> people has the switch/checkbox or input form to make
> direct application change to the json
> Moreover since you have a download installation
> button and a json setting viewer
>
> Le mercredi 16 décembre 2015, Johan Bos
> <johan.bos(a)c6.eu <mailto:johan.bos@c6.eu>> a écrit :
>
> oh when you said:
>
> use-resource-role-mappings
>
> it is only available through the keycloak.json
>
> Nothing from Keycloak Admin UI allows you to set the options, so
have the installation file ready with everything ?
>
> Regards,
>
> Johan Bos
>
> Le 16/12/2015 16:33, Johan Bos a écrit :
>> So it is one or the other.
>> The switch is at realm level or per clients?
>>
>> As I tend to make realm role for securing the
>> clients only and client/resource roles for
>> internal client management, I should be fine
>>
>> Still It would help to have some merging/mapping
>> so from client we don't have to so much rely on
>> KeyCloak implementation to test roles... Issue
>> is that realm role can have same name as client
>> role. But once there is always some pitfall to
>> avoid.
>>
>> Thanks
>>
>> Regards,
>>
>> Johan Bos
>>
>> Le 16/12/2015 15:45, Bill Burke a écrit :
>>> See use-resource-role-mappings switch:
>>>
>>> If set to true, the
>>> getResourceAccess("resource-name") roles will
be
>>> mapped into isUserInRole, otherwise
>>> getRealmAccess is mapped into
>>> isUserInRole
>>>
>>> Not the best I know. We've been meaning to add
>>> some sort of role
>>> mapping facility to the adapter.
>>>
>>> On 12/16/2015 9:17 AM, Johan Bos wrote:
>>>> Why is HttpRequest.isUserInRole(<role>) not
>>>> capable to return true when
>>>> the role is present in the
>>>> AccessToken.getRealmAccess?
>>>>
>>>> Regards,
>>>>
>>>> Johan Bos
>>>>
>>>> Le 16/12/2015 15:09, Bill Burke a écrit :
>>>>> AccessToken.getResourceAccess or
>>>>> AccessToken.getRealmAccess
>>>>>
>>>>> On 12/16/2015 4:51 AM, Tim Dudgeon wrote:
>>>>>> Its not clear to me how you get the assigned
>>>>>> roles from the AccessToken.
>>>>>> For instance, is the realm has configured
>>>>>> the user to have roles "user"
>>>>>> and "editor" how do I find these in
the
>>>>>> AccessToken?
>>>>>>
>>>>>> Tim
>>>>>>
>>>>>> On 07/12/2015 02:53, Bill Burke wrote:
>>>>>>> For Java
HttpServletRequest.isUserInRole()
>>>>>>> works. If you typecast the
>>>>>>> principal to KeycloakPrincipal you can
>>>>>>> obtain the AccessToken.
>>>>>>>
>>>>>>> On 12/6/2015 5:39 PM, Pavel Maslov
wrote:
>>>>>>>> Hi everyone,
>>>>>>>>
>>>>>>>>
>>>>>>>> Do Keycloak adapters support user
>>>>>>>> authorization? I mean, of course
>>>>>>>> they
>>>>>>>> do :) For example, the API I have
secured
>>>>>>>> with Keycloak receives a
>>>>>>>> Keycloak access token from the
client. How
>>>>>>>> can I validate the token
>>>>>>>> (check user roles) in my code? I am
>>>>>>>> interested in the Java
>>>>>>>> (wildfly) and
>>>>>>>> Javascript adapters.
>>>>>>>>
>>>>>>>> Manually I am using jwt.io
<http://jwt.io>
>>>>>>>> <http://jwt.io>
<http://jwt.io> to check
>>>>>>>> the token. I am
>>>>>>>> just
>>>>>>>> curious if the Keycloak adapters
support
>>>>>>>> smth similar out of the box.
>>>>>>>>
>>>>>>>> Thank you for your answers.
>>>>>>>>
>>>>>>>>
>>>>>>>> Regards,
>>>>>>>> Pavel Maslov, MS
>>>>>>>>
>>>>>>>>
>>>>>>>>
_______________________________________________
>>>>>>>>
>>>>>>>> keycloak-user mailing list
>>>>>>>> keycloak-user(a)lists.jboss.org
>>>>>>>>
https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>>>>>
>>>>>>>>
>>>>>>
_______________________________________________
>>>>>> keycloak-user mailing list
>>>>>> keycloak-user(a)lists.jboss.org
>>>>>>
https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>>>
>>>>>>
>>>>
>>>>
>>>> _______________________________________________
>>>> keycloak-user mailing list
>>>> keycloak-user(a)lists.jboss.org
>>>>
https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>
>>>>
>>
>>
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user(a)lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> <mailto:keycloak-user@lists.jboss.org>
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
<mailto:keycloak-user@lists.jboss.org>
https://lists.jboss.org/mailman/listinfo/keycloak-user
4:49 a.m.
I added these two lines to a working REST service which is already secured
with Keycloak. The only thing is that I am checking user's roles using
*annotations*. What I want to do now is handle this manually (by creating a
test servlet that will pul user's roles out of the token).
From the log I can see that it's missing com/google/zxing:
Caused by: java.lang.NoClassDefFoundError: com/google/zxing/
WriterException"
I have no idea what it means.
Regards,
Pavel Maslov, MS
On Thu, Dec 17, 2015 at 11:33 AM, Stian Thorgersen <sthorger(a)redhat.com>
wrote:
If you are using WildFly you should install the client adapter
subsystem
(see the docs for instructions). That way you don't have to add any
dependencies into your WAR.
On 17 December 2015 at 11:01, Pavel Maslov <pavel.masloff(a)gmail.com>
wrote:
> Hi Jonah,
>
> You don't get these error if you remove the 2 code lines?
>>
> Exactly. However, once I include these 2 lines, I cannot deploy the war
> file to the Wildfly server.
>
> I have to point out that there are no errors during build/packaging.
>
> Regards,
> Pavel Maslov, MS
>
> On Thu, Dec 17, 2015 at 10:56 AM, Johan Bos <johan.bos(a)c6.eu> wrote:
>
>> You don't get these error if you remove the 2 code lines?
>> When deploying your apps, it is not enough to add the keycloak core
>> dependency to access the keycloak principal, you also need to add all
>> possible dependency the keycloak lib is relying onto.
>>
>> Basically on latest version of keycloak, I added almost everything that
>> comes in the adapter zip to my project/api dependency for runtime.
>> No idea how it was dealt with in previous version. Only dealt with
>> keycloak 1.6 and 1.7.
>>
>> Since you had to provide some lib to your server (mine was tomcat 7) to
>> dealt with the keycloak implantation to secure my app, as soon as I needed
>> to acces keycloak token from my app code, I was required to add the libs
>> the adapter for tomcat 7 is providing.
>>
>> Regards,
>>
>> Johan Bos
>>
>> Le 17/12/2015 10:39, Pavel Maslov a écrit :
>>
>> Guys, I am repeating my question here. Any ideas on this?
>>
>> I added the *org.keycloak.KeycloakPrincipal* definition in order to get
>>> the token:
>>>
>>>
>>> KeycloakPrincipal kcPrincipal = (KeycloakPrincipal)
>>> srvl.getUserPrincipal();
>>> String token =
>>> kcPrincipal.getKeycloakSecurityContext().getTokenString();
>>>
>>> but cannot deploy the project to the Wildfly server:
>>>
>>> 10:23:31,250 INFO [org.jboss.resteasy.spi.ResteasyDeployment] (MSC
>>> service thread 1-2) Deploying javax.ws.rs.core.Application: class
>>> si.liis.apitime.service.ApiTimeApplication
>>> 10:23:31,282 ERROR [org.jboss.msc.service.fail] (MSC service thread
>>> 1-2) MSC000001: Failed to start service
>>> jboss.undertow.deployment.default-server.default-host./apitime-rest:
>>> org.jboss.msc.service.StartException in service
>>> jboss.undertow.deployment.default-server.default-host./apitime-rest: Failed
>>> to start service
>>> at
>>>
org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1904)
>>> [jboss-msc-1.2.2.Final.jar:1.2.2.Final]
>>> at
>>>
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
>>> [rt.jar:1.7.0_85]
>>> at
>>>
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
>>> [rt.jar:1.7.0_85]
>>> at java.lang.Thread.run(Thread.java:745) [rt.jar:1.7.0_85]
>>> Caused by: java.lang.NoClassDefFoundError:
>>> com/google/zxing/WriterException
>>> at java.lang.Class.getDeclaredMethods0(Native Method) [rt.jar:1.7.0_85]
>>> at java.lang.Class.privateGetDeclaredMethods(Class.java:2625)
>>> [rt.jar:1.7.0_85]
>>> at java.lang.Class.privateGetPublicMethods(Class.java:2743)
>>> [rt.jar:1.7.0_85]
>>> at java.lang.Class.getMethods(Class.java:1480) [rt.jar:1.7.0_85]
>>> at
>>>
org.jboss.resteasy.spi.metadata.ResourceBuilder.fromAnnotations(ResourceBuilder.java:747)
>>> at
>>>
org.jboss.resteasy.spi.metadata.ResourceBuilder.rootResourceFromAnnotations(ResourceBuilder.java:700)
>>> at
>>>
org.jboss.resteasy.plugins.server.resourcefactory.POJOResourceFactory.<init>(POJOResourceFactory.java:29)
>>> at
>>>
org.jboss.resteasy.core.ResourceMethodRegistry.addPerRequestResource(ResourceMethodRegistry.java:75)
>>> at
>>>
org.jboss.resteasy.spi.ResteasyDeployment.registration(ResteasyDeployment.java:400)
>>> at
>>> org.jboss.resteasy.spi.ResteasyDeployment.start(ResteasyDeployment.java:241)
>>> at
>>>
org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.init(ServletContainerDispatcher.java:112)
>>> at
>>>
org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.init(HttpServletDispatcher.java:36)
>>> at
>>>
io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:117)
>>> at
>>>
org.wildfly.extension.undertow.security.RunAsLifecycleInterceptor.init(RunAsLifecycleInterceptor.java:79)
>>> at
>>>
io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:103)
>>> at
>>>
io.undertow.servlet.core.ManagedServlet$DefaultInstanceStrategy.start(ManagedServlet.java:220)
>>> at
>>>
io.undertow.servlet.core.ManagedServlet.createServlet(ManagedServlet.java:125)
>>> at
>>>
io.undertow.servlet.core.DeploymentManagerImpl.start(DeploymentManagerImpl.java:508)
>>> at
>>>
org.wildfly.extension.undertow.deployment.UndertowDeploymentService.startContext(UndertowDeploymentService.java:88)
>>> at
>>>
org.wildfly.extension.undertow.deployment.UndertowDeploymentService.start(UndertowDeploymentService.java:72)
>>> at
>>>
org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1948)
>>> [jboss-msc-1.2.2.Final.jar:1.2.2.Final]
>>> at
>>>
org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1881)
>>> [jboss-msc-1.2.2.Final.jar:1.2.2.Final]
>>> ... 3 more
>>>
>>> 10:23:31,285 ERROR [org.jboss.as.controller.management-operation]
>>> (management-handler-thread - 1) JBAS014613: Operation ("redeploy")
failed -
>>> address: ([("deployment" => "apitime-rest.war")]) -
failure description:
>>> {"JBAS014671: Failed services" =>
>>>
{"jboss.undertow.deployment.default-server.default-host./apitime-rest" =>
>>> "org.jboss.msc.service.StartException in service
>>> jboss.undertow.deployment.default-server.default-host./apitime-rest: Failed
>>> to start service
>>> Caused by: java.lang.NoClassDefFoundError:
>>> com/google/zxing/WriterException"}}
>>> 10:23:31,285 ERROR [org.jboss.as.server] (management-handler-thread -
>>> 1) JBAS015860: Redeploy of deployment "apitime-rest.war" was rolled
back
>>> with the following failure message:
>>> {"JBAS014671: Failed services" =>
>>>
{"jboss.undertow.deployment.default-server.default-host./apitime-rest" =>
>>> "org.jboss.msc.service.StartException in service
>>> jboss.undertow.deployment.default-server.default-host./apitime-rest: Failed
>>> to start service
>>> Caused by: java.lang.NoClassDefFoundError:
>>> com/google/zxing/WriterException"}}
>>>
>>>
>>>
>>> I am using Wildfly 8.2.0 with Keycloak adapter 1.3.1.
>>> Any solution?
>>> Thanks.
>>>
>>>
>> Regards,
>> Pavel Maslov, MS
>>
>> On Wed, Dec 16, 2015 at 10:51 PM, Johan B. <johan.bos(a)c6.eu> wrote:
>>
>>> You answered it. I was not familiar with the whole setting list. My
>>> question was: does something in the ui make the setting change or is it a
>>> manual setup?
>>> I think you are saying it is only manual and it is fine.
>>> It would probably best for future version to have all these extra
>>> adapter setting avail. From admin UI so people has the switch/checkbox or
>>> input form to make direct application change to the json
>>> Moreover since you have a download installation button and a json
>>> setting viewer
>>>
>>> Le mercredi 16 décembre 2015, Johan Bos < <johan.bos(a)c6.eu>
>>> johan.bos(a)c6.eu> a écrit :
>>>
>>>> oh when you said:
>>>>
>>>> use-resource-role-mappings
>>>>
>>>> it is only available through the keycloak.json
>>>>
>>>> Nothing from Keycloak Admin UI allows you to set the options, so have the
installation file ready with everything ?
>>>>
>>>> Regards,
>>>>
>>>> Johan Bos
>>>>
>>>> Le 16/12/2015 16:33, Johan Bos a écrit :
>>>>
>>>> So it is one or the other.
>>>> The switch is at realm level or per clients?
>>>>
>>>> As I tend to make realm role for securing the clients only and
>>>> client/resource roles for internal client management, I should be fine
>>>>
>>>> Still It would help to have some merging/mapping so from client we
>>>> don't have to so much rely on KeyCloak implementation to test
roles...
>>>> Issue is that realm role can have same name as client role. But once
there
>>>> is always some pitfall to avoid.
>>>>
>>>> Thanks
>>>>
>>>> Regards,
>>>>
>>>> Johan Bos
>>>>
>>>> Le 16/12/2015 15:45, Bill Burke a écrit :
>>>>
>>>> See use-resource-role-mappings switch:
>>>>
>>>> If set to true, the getResourceAccess("resource-name") roles
will be
>>>> mapped into isUserInRole, otherwise getRealmAccess is mapped into
>>>> isUserInRole
>>>>
>>>> Not the best I know. We've been meaning to add some sort of role
>>>> mapping facility to the adapter.
>>>>
>>>> On 12/16/2015 9:17 AM, Johan Bos wrote:
>>>>
>>>> Why is HttpRequest.isUserInRole(<role>) not capable to return true
>>>> when
>>>> the role is present in the AccessToken.getRealmAccess?
>>>>
>>>> Regards,
>>>>
>>>> Johan Bos
>>>>
>>>> Le 16/12/2015 15:09, Bill Burke a écrit :
>>>>
>>>> AccessToken.getResourceAccess or AccessToken.getRealmAccess
>>>>
>>>> On 12/16/2015 4:51 AM, Tim Dudgeon wrote:
>>>>
>>>> Its not clear to me how you get the assigned roles from the
>>>> AccessToken.
>>>> For instance, is the realm has configured the user to have roles
>>>> "user"
>>>> and "editor" how do I find these in the AccessToken?
>>>>
>>>> Tim
>>>>
>>>> On 07/12/2015 02:53, Bill Burke wrote:
>>>>
>>>> For Java HttpServletRequest.isUserInRole() works. If you typecast the
>>>> principal to KeycloakPrincipal you can obtain the AccessToken.
>>>>
>>>> On 12/6/2015 5:39 PM, Pavel Maslov wrote:
>>>>
>>>> Hi everyone,
>>>>
>>>>
>>>> Do Keycloak adapters support user authorization? I mean, of course
>>>> they
>>>> do :) For example, the API I have secured with Keycloak receives a
>>>> Keycloak access token from the client. How can I validate the token
>>>> (check user roles) in my code? I am interested in the Java
>>>> (wildfly) and
>>>> Javascript adapters.
>>>>
>>>> Manually I am using jwt.io <http://jwt.io><http://jwt.io>
>>>> <http://jwt.io> to check the token. I am
>>>> just
>>>> curious if the Keycloak adapters support smth similar out of the box.
>>>>
>>>> Thank you for your answers.
>>>>
>>>>
>>>> Regards,
>>>> Pavel Maslov, MS
>>>>
>>>>
>>>> _______________________________________________
>>>> keycloak-user mailing list
>>>> keycloak-user(a)lists.jboss.org
>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>
>>>> _______________________________________________
>>>> keycloak-user mailing list
>>>> keycloak-user(a)lists.jboss.org
>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>
>>>>
>>>>
>>>> _______________________________________________
>>>> keycloak-user mailing list
>>>> keycloak-user(a)lists.jboss.org
>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>
>>>>
>>>>
>>>>
>>>> _______________________________________________
>>>> keycloak-user mailing
listkeycloak-user@lists.jboss.orghttps://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>
>>>>
>>>>
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user(a)lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>>
>>
>>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
5:02 a.m.
The class it's complaining about above is only used by QRCodeResource,
which is part of the Keycloak server. This means you are including Keycloak
server side dependencies into your WAR.
On 17 December 2015 at 11:49, Pavel Maslov <pavel.masloff(a)gmail.com> wrote:
I added these two lines to a working REST service which is already
secured
with Keycloak. The only thing is that I am checking user's roles using
*annotations*. What I want to do now is handle this manually (by creating
a test servlet that will pul user's roles out of the token).
From the log I can see that it's missing com/google/zxing:
> Caused by: java.lang.NoClassDefFoundError: com/google/zxing/
> WriterException"
I have no idea what it means.
Regards,
Pavel Maslov, MS
On Thu, Dec 17, 2015 at 11:33 AM, Stian Thorgersen <sthorger(a)redhat.com>
wrote:
> If you are using WildFly you should install the client adapter subsystem
> (see the docs for instructions). That way you don't have to add any
> dependencies into your WAR.
>
> On 17 December 2015 at 11:01, Pavel Maslov <pavel.masloff(a)gmail.com>
> wrote:
>
>> Hi Jonah,
>>
>> You don't get these error if you remove the 2 code lines?
>>>
>> Exactly. However, once I include these 2 lines, I cannot deploy the war
>> file to the Wildfly server.
>>
>> I have to point out that there are no errors during build/packaging.
>>
>> Regards,
>> Pavel Maslov, MS
>>
>> On Thu, Dec 17, 2015 at 10:56 AM, Johan Bos <johan.bos(a)c6.eu> wrote:
>>
>>> You don't get these error if you remove the 2 code lines?
>>> When deploying your apps, it is not enough to add the keycloak core
>>> dependency to access the keycloak principal, you also need to add all
>>> possible dependency the keycloak lib is relying onto.
>>>
>>> Basically on latest version of keycloak, I added almost everything that
>>> comes in the adapter zip to my project/api dependency for runtime.
>>> No idea how it was dealt with in previous version. Only dealt with
>>> keycloak 1.6 and 1.7.
>>>
>>> Since you had to provide some lib to your server (mine was tomcat 7) to
>>> dealt with the keycloak implantation to secure my app, as soon as I needed
>>> to acces keycloak token from my app code, I was required to add the libs
>>> the adapter for tomcat 7 is providing.
>>>
>>> Regards,
>>>
>>> Johan Bos
>>>
>>> Le 17/12/2015 10:39, Pavel Maslov a écrit :
>>>
>>> Guys, I am repeating my question here. Any ideas on this?
>>>
>>> I added the *org.keycloak.KeycloakPrincipal* definition in order to
>>>> get the token:
>>>>
>>>>
>>>> KeycloakPrincipal kcPrincipal = (KeycloakPrincipal)
>>>> srvl.getUserPrincipal();
>>>> String token =
>>>> kcPrincipal.getKeycloakSecurityContext().getTokenString();
>>>>
>>>> but cannot deploy the project to the Wildfly server:
>>>>
>>>> 10:23:31,250 INFO [org.jboss.resteasy.spi.ResteasyDeployment] (MSC
>>>> service thread 1-2) Deploying javax.ws.rs.core.Application: class
>>>> si.liis.apitime.service.ApiTimeApplication
>>>> 10:23:31,282 ERROR [org.jboss.msc.service.fail] (MSC service thread
>>>> 1-2) MSC000001: Failed to start service
>>>> jboss.undertow.deployment.default-server.default-host./apitime-rest:
>>>> org.jboss.msc.service.StartException in service
>>>> jboss.undertow.deployment.default-server.default-host./apitime-rest:
Failed
>>>> to start service
>>>> at
>>>>
org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1904)
>>>> [jboss-msc-1.2.2.Final.jar:1.2.2.Final]
>>>> at
>>>>
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
>>>> [rt.jar:1.7.0_85]
>>>> at
>>>>
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
>>>> [rt.jar:1.7.0_85]
>>>> at java.lang.Thread.run(Thread.java:745) [rt.jar:1.7.0_85]
>>>> Caused by: java.lang.NoClassDefFoundError:
>>>> com/google/zxing/WriterException
>>>> at java.lang.Class.getDeclaredMethods0(Native Method) [rt.jar:1.7.0_85]
>>>> at java.lang.Class.privateGetDeclaredMethods(Class.java:2625)
>>>> [rt.jar:1.7.0_85]
>>>> at java.lang.Class.privateGetPublicMethods(Class.java:2743)
>>>> [rt.jar:1.7.0_85]
>>>> at java.lang.Class.getMethods(Class.java:1480) [rt.jar:1.7.0_85]
>>>> at
>>>>
org.jboss.resteasy.spi.metadata.ResourceBuilder.fromAnnotations(ResourceBuilder.java:747)
>>>> at
>>>>
org.jboss.resteasy.spi.metadata.ResourceBuilder.rootResourceFromAnnotations(ResourceBuilder.java:700)
>>>> at
>>>>
org.jboss.resteasy.plugins.server.resourcefactory.POJOResourceFactory.<init>(POJOResourceFactory.java:29)
>>>> at
>>>>
org.jboss.resteasy.core.ResourceMethodRegistry.addPerRequestResource(ResourceMethodRegistry.java:75)
>>>> at
>>>>
org.jboss.resteasy.spi.ResteasyDeployment.registration(ResteasyDeployment.java:400)
>>>> at
>>>>
org.jboss.resteasy.spi.ResteasyDeployment.start(ResteasyDeployment.java:241)
>>>> at
>>>>
org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.init(ServletContainerDispatcher.java:112)
>>>> at
>>>>
org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.init(HttpServletDispatcher.java:36)
>>>> at
>>>>
io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:117)
>>>> at
>>>>
org.wildfly.extension.undertow.security.RunAsLifecycleInterceptor.init(RunAsLifecycleInterceptor.java:79)
>>>> at
>>>>
io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:103)
>>>> at
>>>>
io.undertow.servlet.core.ManagedServlet$DefaultInstanceStrategy.start(ManagedServlet.java:220)
>>>> at
>>>>
io.undertow.servlet.core.ManagedServlet.createServlet(ManagedServlet.java:125)
>>>> at
>>>>
io.undertow.servlet.core.DeploymentManagerImpl.start(DeploymentManagerImpl.java:508)
>>>> at
>>>>
org.wildfly.extension.undertow.deployment.UndertowDeploymentService.startContext(UndertowDeploymentService.java:88)
>>>> at
>>>>
org.wildfly.extension.undertow.deployment.UndertowDeploymentService.start(UndertowDeploymentService.java:72)
>>>> at
>>>>
org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1948)
>>>> [jboss-msc-1.2.2.Final.jar:1.2.2.Final]
>>>> at
>>>>
org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1881)
>>>> [jboss-msc-1.2.2.Final.jar:1.2.2.Final]
>>>> ... 3 more
>>>>
>>>> 10:23:31,285 ERROR [org.jboss.as.controller.management-operation]
>>>> (management-handler-thread - 1) JBAS014613: Operation
("redeploy") failed -
>>>> address: ([("deployment" => "apitime-rest.war")])
- failure description:
>>>> {"JBAS014671: Failed services" =>
>>>>
{"jboss.undertow.deployment.default-server.default-host./apitime-rest" =>
>>>> "org.jboss.msc.service.StartException in service
>>>> jboss.undertow.deployment.default-server.default-host./apitime-rest:
Failed
>>>> to start service
>>>> Caused by: java.lang.NoClassDefFoundError:
>>>> com/google/zxing/WriterException"}}
>>>> 10:23:31,285 ERROR [org.jboss.as.server] (management-handler-thread -
>>>> 1) JBAS015860: Redeploy of deployment "apitime-rest.war" was
rolled back
>>>> with the following failure message:
>>>> {"JBAS014671: Failed services" =>
>>>>
{"jboss.undertow.deployment.default-server.default-host./apitime-rest" =>
>>>> "org.jboss.msc.service.StartException in service
>>>> jboss.undertow.deployment.default-server.default-host./apitime-rest:
Failed
>>>> to start service
>>>> Caused by: java.lang.NoClassDefFoundError:
>>>> com/google/zxing/WriterException"}}
>>>>
>>>>
>>>>
>>>> I am using Wildfly 8.2.0 with Keycloak adapter 1.3.1.
>>>> Any solution?
>>>> Thanks.
>>>>
>>>>
>>> Regards,
>>> Pavel Maslov, MS
>>>
>>> On Wed, Dec 16, 2015 at 10:51 PM, Johan B. <johan.bos(a)c6.eu> wrote:
>>>
>>>> You answered it. I was not familiar with the whole setting list. My
>>>> question was: does something in the ui make the setting change or is it
a
>>>> manual setup?
>>>> I think you are saying it is only manual and it is fine.
>>>> It would probably best for future version to have all these extra
>>>> adapter setting avail. From admin UI so people has the switch/checkbox
or
>>>> input form to make direct application change to the json
>>>> Moreover since you have a download installation button and a json
>>>> setting viewer
>>>>
>>>> Le mercredi 16 décembre 2015, Johan Bos < <johan.bos(a)c6.eu>
>>>> johan.bos(a)c6.eu> a écrit :
>>>>
>>>>> oh when you said:
>>>>>
>>>>> use-resource-role-mappings
>>>>>
>>>>> it is only available through the keycloak.json
>>>>>
>>>>> Nothing from Keycloak Admin UI allows you to set the options, so have
the installation file ready with everything ?
>>>>>
>>>>> Regards,
>>>>>
>>>>> Johan Bos
>>>>>
>>>>> Le 16/12/2015 16:33, Johan Bos a écrit :
>>>>>
>>>>> So it is one or the other.
>>>>> The switch is at realm level or per clients?
>>>>>
>>>>> As I tend to make realm role for securing the clients only and
>>>>> client/resource roles for internal client management, I should be
fine
>>>>>
>>>>> Still It would help to have some merging/mapping so from client we
>>>>> don't have to so much rely on KeyCloak implementation to test
roles...
>>>>> Issue is that realm role can have same name as client role. But once
there
>>>>> is always some pitfall to avoid.
>>>>>
>>>>> Thanks
>>>>>
>>>>> Regards,
>>>>>
>>>>> Johan Bos
>>>>>
>>>>> Le 16/12/2015 15:45, Bill Burke a écrit :
>>>>>
>>>>> See use-resource-role-mappings switch:
>>>>>
>>>>> If set to true, the getResourceAccess("resource-name")
roles will be
>>>>> mapped into isUserInRole, otherwise getRealmAccess is mapped into
>>>>> isUserInRole
>>>>>
>>>>> Not the best I know. We've been meaning to add some sort of
role
>>>>> mapping facility to the adapter.
>>>>>
>>>>> On 12/16/2015 9:17 AM, Johan Bos wrote:
>>>>>
>>>>> Why is HttpRequest.isUserInRole(<role>) not capable to return
true
>>>>> when
>>>>> the role is present in the AccessToken.getRealmAccess?
>>>>>
>>>>> Regards,
>>>>>
>>>>> Johan Bos
>>>>>
>>>>> Le 16/12/2015 15:09, Bill Burke a écrit :
>>>>>
>>>>> AccessToken.getResourceAccess or AccessToken.getRealmAccess
>>>>>
>>>>> On 12/16/2015 4:51 AM, Tim Dudgeon wrote:
>>>>>
>>>>> Its not clear to me how you get the assigned roles from the
>>>>> AccessToken.
>>>>> For instance, is the realm has configured the user to have roles
>>>>> "user"
>>>>> and "editor" how do I find these in the AccessToken?
>>>>>
>>>>> Tim
>>>>>
>>>>> On 07/12/2015 02:53, Bill Burke wrote:
>>>>>
>>>>> For Java HttpServletRequest.isUserInRole() works. If you typecast
>>>>> the
>>>>> principal to KeycloakPrincipal you can obtain the AccessToken.
>>>>>
>>>>> On 12/6/2015 5:39 PM, Pavel Maslov wrote:
>>>>>
>>>>> Hi everyone,
>>>>>
>>>>>
>>>>> Do Keycloak adapters support user authorization? I mean, of course
>>>>> they
>>>>> do :) For example, the API I have secured with Keycloak receives a
>>>>> Keycloak access token from the client. How can I validate the token
>>>>> (check user roles) in my code? I am interested in the Java
>>>>> (wildfly) and
>>>>> Javascript adapters.
>>>>>
>>>>> Manually I am using jwt.io
<http://jwt.io><http://jwt.io>
>>>>> <http://jwt.io> to check the token. I am
>>>>> just
>>>>> curious if the Keycloak adapters support smth similar out of the
box.
>>>>>
>>>>> Thank you for your answers.
>>>>>
>>>>>
>>>>> Regards,
>>>>> Pavel Maslov, MS
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> keycloak-user mailing list
>>>>> keycloak-user(a)lists.jboss.org
>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>>
>>>>> _______________________________________________
>>>>> keycloak-user mailing list
>>>>> keycloak-user(a)lists.jboss.org
>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>>
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> keycloak-user mailing list
>>>>> keycloak-user(a)lists.jboss.org
>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> keycloak-user mailing
listkeycloak-user@lists.jboss.orghttps://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>>
>>>>>
>>>>>
>>>> _______________________________________________
>>>> keycloak-user mailing list
>>>> keycloak-user(a)lists.jboss.org
>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>
>>>
>>>
>>>
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user(a)lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>
>
5:13 a.m.
This class is not made available to application .wars. It's only used by
keycloak-server.war, and only available to it.
It's apparently required during annotation processing - meaning that the
annotation requiring it isn't supposed to be used from application .war.
The way to normally treat this kind of exception is to add
WEB-INF/jboss-deployment-structure.xml to your .war, and in it declare a
dependency on the module - like this:
<jboss-deployment-structure>
<deployment>
<dependencies>
<module name="com.google.zxing.core"/>
</dependencies>
</deployment>
</jboss-deployment-structure>
The modules live under KEYCLOAK_HOME/modules.
Possibly you may make a case for why this class should be
automatically available to every Keycloak protected application.
However, your problem here may be that you're trying to do something
that's not meant to be done this way, and so this may not be the
solution you need.
On Thu, Dec 17, 2015 at 11:49 AM, Pavel Maslov <pavel.masloff(a)gmail.com>
wrote:
I added these two lines to a working REST service which is already
secured
with Keycloak. The only thing is that I am checking user's roles using
*annotations*. What I want to do now is handle this manually (by creating
a test servlet that will pul user's roles out of the token).
From the log I can see that it's missing com/google/zxing:
> Caused by: java.lang.NoClassDefFoundError: com/google/zxing/
> WriterException"
I have no idea what it means.
Regards,
Pavel Maslov, MS
On Thu, Dec 17, 2015 at 11:33 AM, Stian Thorgersen <sthorger(a)redhat.com>
wrote:
> If you are using WildFly you should install the client adapter subsystem
> (see the docs for instructions). That way you don't have to add any
> dependencies into your WAR.
>
> On 17 December 2015 at 11:01, Pavel Maslov <pavel.masloff(a)gmail.com>
> wrote:
>
>> Hi Jonah,
>>
>> You don't get these error if you remove the 2 code lines?
>>>
>> Exactly. However, once I include these 2 lines, I cannot deploy the war
>> file to the Wildfly server.
>>
>> I have to point out that there are no errors during build/packaging.
>>
>> Regards,
>> Pavel Maslov, MS
>>
>> On Thu, Dec 17, 2015 at 10:56 AM, Johan Bos <johan.bos(a)c6.eu> wrote:
>>
>>> You don't get these error if you remove the 2 code lines?
>>> When deploying your apps, it is not enough to add the keycloak core
>>> dependency to access the keycloak principal, you also need to add all
>>> possible dependency the keycloak lib is relying onto.
>>>
>>> Basically on latest version of keycloak, I added almost everything that
>>> comes in the adapter zip to my project/api dependency for runtime.
>>> No idea how it was dealt with in previous version. Only dealt with
>>> keycloak 1.6 and 1.7.
>>>
>>> Since you had to provide some lib to your server (mine was tomcat 7) to
>>> dealt with the keycloak implantation to secure my app, as soon as I needed
>>> to acces keycloak token from my app code, I was required to add the libs
>>> the adapter for tomcat 7 is providing.
>>>
>>> Regards,
>>>
>>> Johan Bos
>>>
>>> Le 17/12/2015 10:39, Pavel Maslov a écrit :
>>>
>>> Guys, I am repeating my question here. Any ideas on this?
>>>
>>> I added the *org.keycloak.KeycloakPrincipal* definition in order to
>>>> get the token:
>>>>
>>>>
>>>> KeycloakPrincipal kcPrincipal = (KeycloakPrincipal)
>>>> srvl.getUserPrincipal();
>>>> String token =
>>>> kcPrincipal.getKeycloakSecurityContext().getTokenString();
>>>>
>>>> but cannot deploy the project to the Wildfly server:
>>>>
>>>> 10:23:31,250 INFO [org.jboss.resteasy.spi.ResteasyDeployment] (MSC
>>>> service thread 1-2) Deploying javax.ws.rs.core.Application: class
>>>> si.liis.apitime.service.ApiTimeApplication
>>>> 10:23:31,282 ERROR [org.jboss.msc.service.fail] (MSC service thread
>>>> 1-2) MSC000001: Failed to start service
>>>> jboss.undertow.deployment.default-server.default-host./apitime-rest:
>>>> org.jboss.msc.service.StartException in service
>>>> jboss.undertow.deployment.default-server.default-host./apitime-rest:
Failed
>>>> to start service
>>>> at
>>>>
org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1904)
>>>> [jboss-msc-1.2.2.Final.jar:1.2.2.Final]
>>>> at
>>>>
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
>>>> [rt.jar:1.7.0_85]
>>>> at
>>>>
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
>>>> [rt.jar:1.7.0_85]
>>>> at java.lang.Thread.run(Thread.java:745) [rt.jar:1.7.0_85]
>>>> Caused by: java.lang.NoClassDefFoundError:
>>>> com/google/zxing/WriterException
>>>> at java.lang.Class.getDeclaredMethods0(Native Method) [rt.jar:1.7.0_85]
>>>> at java.lang.Class.privateGetDeclaredMethods(Class.java:2625)
>>>> [rt.jar:1.7.0_85]
>>>> at java.lang.Class.privateGetPublicMethods(Class.java:2743)
>>>> [rt.jar:1.7.0_85]
>>>> at java.lang.Class.getMethods(Class.java:1480) [rt.jar:1.7.0_85]
>>>> at
>>>>
org.jboss.resteasy.spi.metadata.ResourceBuilder.fromAnnotations(ResourceBuilder.java:747)
>>>> at
>>>>
org.jboss.resteasy.spi.metadata.ResourceBuilder.rootResourceFromAnnotations(ResourceBuilder.java:700)
>>>> at
>>>>
org.jboss.resteasy.plugins.server.resourcefactory.POJOResourceFactory.<init>(POJOResourceFactory.java:29)
>>>> at
>>>>
org.jboss.resteasy.core.ResourceMethodRegistry.addPerRequestResource(ResourceMethodRegistry.java:75)
>>>> at
>>>>
org.jboss.resteasy.spi.ResteasyDeployment.registration(ResteasyDeployment.java:400)
>>>> at
>>>>
org.jboss.resteasy.spi.ResteasyDeployment.start(ResteasyDeployment.java:241)
>>>> at
>>>>
org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.init(ServletContainerDispatcher.java:112)
>>>> at
>>>>
org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.init(HttpServletDispatcher.java:36)
>>>> at
>>>>
io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:117)
>>>> at
>>>>
org.wildfly.extension.undertow.security.RunAsLifecycleInterceptor.init(RunAsLifecycleInterceptor.java:79)
>>>> at
>>>>
io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:103)
>>>> at
>>>>
io.undertow.servlet.core.ManagedServlet$DefaultInstanceStrategy.start(ManagedServlet.java:220)
>>>> at
>>>>
io.undertow.servlet.core.ManagedServlet.createServlet(ManagedServlet.java:125)
>>>> at
>>>>
io.undertow.servlet.core.DeploymentManagerImpl.start(DeploymentManagerImpl.java:508)
>>>> at
>>>>
org.wildfly.extension.undertow.deployment.UndertowDeploymentService.startContext(UndertowDeploymentService.java:88)
>>>> at
>>>>
org.wildfly.extension.undertow.deployment.UndertowDeploymentService.start(UndertowDeploymentService.java:72)
>>>> at
>>>>
org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1948)
>>>> [jboss-msc-1.2.2.Final.jar:1.2.2.Final]
>>>> at
>>>>
org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1881)
>>>> [jboss-msc-1.2.2.Final.jar:1.2.2.Final]
>>>> ... 3 more
>>>>
>>>> 10:23:31,285 ERROR [org.jboss.as.controller.management-operation]
>>>> (management-handler-thread - 1) JBAS014613: Operation
("redeploy") failed -
>>>> address: ([("deployment" => "apitime-rest.war")])
- failure description:
>>>> {"JBAS014671: Failed services" =>
>>>>
{"jboss.undertow.deployment.default-server.default-host./apitime-rest" =>
>>>> "org.jboss.msc.service.StartException in service
>>>> jboss.undertow.deployment.default-server.default-host./apitime-rest:
Failed
>>>> to start service
>>>> Caused by: java.lang.NoClassDefFoundError:
>>>> com/google/zxing/WriterException"}}
>>>> 10:23:31,285 ERROR [org.jboss.as.server] (management-handler-thread -
>>>> 1) JBAS015860: Redeploy of deployment "apitime-rest.war" was
rolled back
>>>> with the following failure message:
>>>> {"JBAS014671: Failed services" =>
>>>>
{"jboss.undertow.deployment.default-server.default-host./apitime-rest" =>
>>>> "org.jboss.msc.service.StartException in service
>>>> jboss.undertow.deployment.default-server.default-host./apitime-rest:
Failed
>>>> to start service
>>>> Caused by: java.lang.NoClassDefFoundError:
>>>> com/google/zxing/WriterException"}}
>>>>
>>>>
>>>>
>>>> I am using Wildfly 8.2.0 with Keycloak adapter 1.3.1.
>>>> Any solution?
>>>> Thanks.
>>>>
>>>>
>>> Regards,
>>> Pavel Maslov, MS
>>>
>>> On Wed, Dec 16, 2015 at 10:51 PM, Johan B. <johan.bos(a)c6.eu> wrote:
>>>
>>>> You answered it. I was not familiar with the whole setting list. My
>>>> question was: does something in the ui make the setting change or is it
a
>>>> manual setup?
>>>> I think you are saying it is only manual and it is fine.
>>>> It would probably best for future version to have all these extra
>>>> adapter setting avail. From admin UI so people has the switch/checkbox
or
>>>> input form to make direct application change to the json
>>>> Moreover since you have a download installation button and a json
>>>> setting viewer
>>>>
>>>> Le mercredi 16 décembre 2015, Johan Bos < <johan.bos(a)c6.eu>
>>>> johan.bos(a)c6.eu> a écrit :
>>>>
>>>>> oh when you said:
>>>>>
>>>>> use-resource-role-mappings
>>>>>
>>>>> it is only available through the keycloak.json
>>>>>
>>>>> Nothing from Keycloak Admin UI allows you to set the options, so have
the installation file ready with everything ?
>>>>>
>>>>> Regards,
>>>>>
>>>>> Johan Bos
>>>>>
>>>>> Le 16/12/2015 16:33, Johan Bos a écrit :
>>>>>
>>>>> So it is one or the other.
>>>>> The switch is at realm level or per clients?
>>>>>
>>>>> As I tend to make realm role for securing the clients only and
>>>>> client/resource roles for internal client management, I should be
fine
>>>>>
>>>>> Still It would help to have some merging/mapping so from client we
>>>>> don't have to so much rely on KeyCloak implementation to test
roles...
>>>>> Issue is that realm role can have same name as client role. But once
there
>>>>> is always some pitfall to avoid.
>>>>>
>>>>> Thanks
>>>>>
>>>>> Regards,
>>>>>
>>>>> Johan Bos
>>>>>
>>>>> Le 16/12/2015 15:45, Bill Burke a écrit :
>>>>>
>>>>> See use-resource-role-mappings switch:
>>>>>
>>>>> If set to true, the getResourceAccess("resource-name")
roles will be
>>>>> mapped into isUserInRole, otherwise getRealmAccess is mapped into
>>>>> isUserInRole
>>>>>
>>>>> Not the best I know. We've been meaning to add some sort of
role
>>>>> mapping facility to the adapter.
>>>>>
>>>>> On 12/16/2015 9:17 AM, Johan Bos wrote:
>>>>>
>>>>> Why is HttpRequest.isUserInRole(<role>) not capable to return
true
>>>>> when
>>>>> the role is present in the AccessToken.getRealmAccess?
>>>>>
>>>>> Regards,
>>>>>
>>>>> Johan Bos
>>>>>
>>>>> Le 16/12/2015 15:09, Bill Burke a écrit :
>>>>>
>>>>> AccessToken.getResourceAccess or AccessToken.getRealmAccess
>>>>>
>>>>> On 12/16/2015 4:51 AM, Tim Dudgeon wrote:
>>>>>
>>>>> Its not clear to me how you get the assigned roles from the
>>>>> AccessToken.
>>>>> For instance, is the realm has configured the user to have roles
>>>>> "user"
>>>>> and "editor" how do I find these in the AccessToken?
>>>>>
>>>>> Tim
>>>>>
>>>>> On 07/12/2015 02:53, Bill Burke wrote:
>>>>>
>>>>> For Java HttpServletRequest.isUserInRole() works. If you typecast
>>>>> the
>>>>> principal to KeycloakPrincipal you can obtain the AccessToken.
>>>>>
>>>>> On 12/6/2015 5:39 PM, Pavel Maslov wrote:
>>>>>
>>>>> Hi everyone,
>>>>>
>>>>>
>>>>> Do Keycloak adapters support user authorization? I mean, of course
>>>>> they
>>>>> do :) For example, the API I have secured with Keycloak receives a
>>>>> Keycloak access token from the client. How can I validate the token
>>>>> (check user roles) in my code? I am interested in the Java
>>>>> (wildfly) and
>>>>> Javascript adapters.
>>>>>
>>>>> Manually I am using jwt.io
<http://jwt.io><http://jwt.io>
>>>>> <http://jwt.io> to check the token. I am
>>>>> just
>>>>> curious if the Keycloak adapters support smth similar out of the
box.
>>>>>
>>>>> Thank you for your answers.
>>>>>
>>>>>
>>>>> Regards,
>>>>> Pavel Maslov, MS
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> keycloak-user mailing list
>>>>> keycloak-user(a)lists.jboss.org
>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>>
>>>>> _______________________________________________
>>>>> keycloak-user mailing list
>>>>> keycloak-user(a)lists.jboss.org
>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>>
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> keycloak-user mailing list
>>>>> keycloak-user(a)lists.jboss.org
>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> keycloak-user mailing
listkeycloak-user@lists.jboss.orghttps://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>>
>>>>>
>>>>>
>>>> _______________________________________________
>>>> keycloak-user mailing list
>>>> keycloak-user(a)lists.jboss.org
>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>
>>>
>>>
>>>
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user(a)lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>
>
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
4:36 a.m.
Then you should do as it requests: add the required dependency until you
got the all and deploy with no error.
Why would it give you error during build?
The dependency of keycloak is not something you inherit in your project
simply by adding the keycloak core lib.
It mainly depends on how you build it. Third party dependencies are not
always a requirement to build a project.
As most of the unseen issue in deployment dependency management comes
from dependency only required at runtime.
Your build does'nt what the keycloak principal means other than the
direct keycloak lib.
This is basic Java project dependency: compile/runtime/provided are the
different option you have using mavenized project.
When using a lib from maven repo, you have the pom come with it and just
going through it, give you an idea of what you are missing.
Regards,
Johan Bos
Le 17/12/2015 11:01, Pavel Maslov a écrit :
Hi Jonah,
You don't get these error if you remove the 2 code lines?
Exactly. However, once I include these 2 lines, I cannot deploy the
war file to the Wildfly server.
I have to point out that there are no errors during build/packaging.
Regards,
Pavel Maslov, MS
On Thu, Dec 17, 2015 at 10:56 AM, Johan Bos <johan.bos(a)c6.eu
<mailto:johan.bos@c6.eu>> wrote:
You don't get these error if you remove the 2 code lines?
When deploying your apps, it is not enough to add the keycloak
core dependency to access the keycloak principal, you also need to
add all possible dependency the keycloak lib is relying onto.
Basically on latest version of keycloak, I added almost everything
that comes in the adapter zip to my project/api dependency for
runtime.
No idea how it was dealt with in previous version. Only dealt with
keycloak 1.6 and 1.7.
Since you had to provide some lib to your server (mine was tomcat
7) to dealt with the keycloak implantation to secure my app, as
soon as I needed to acces keycloak token from my app code, I was
required to add the libs the adapter for tomcat 7 is providing.
Regards,
Johan Bos
Le 17/12/2015 10:39, Pavel Maslov a écrit :
> Guys, I am repeating my question here. Any ideas on this?
>
> I added the *org.keycloak.KeycloakPrincipal* definition in
> order to get the token:
>
>
> KeycloakPrincipal kcPrincipal = (KeycloakPrincipal)
> srvl.getUserPrincipal();
> String token =
> kcPrincipal.getKeycloakSecurityContext().getTokenString();
>
> but cannot deploy the project to the Wildfly server:
>
> 10:23:31,250 INFO
> [org.jboss.resteasy.spi.ResteasyDeployment] (MSC service
> thread 1-2) Deploying javax.ws.rs.core.Application: class
> si.liis.apitime.service.ApiTimeApplication
> 10:23:31,282 ERROR [org.jboss.msc.service.fail] (MSC service
> thread 1-2) MSC000001: Failed to start service
> jboss.undertow.deployment.default-server.default-host./apitime-rest:
> org.jboss.msc.service.StartException in service
> jboss.undertow.deployment.default-server.default-host./apitime-rest:
> Failed to start service
> at
>
org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1904)
> [jboss-msc-1.2.2.Final.jar:1.2.2.Final]
> at
>
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
> [rt.jar:1.7.0_85]
> at
>
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
> [rt.jar:1.7.0_85]
> at java.lang.Thread.run(Thread.java:745) [rt.jar:1.7.0_85]
> Caused by: java.lang.NoClassDefFoundError:
> com/google/zxing/WriterException
> at java.lang.Class.getDeclaredMethods0(Native Method)
> [rt.jar:1.7.0_85]
> at java.lang.Class.privateGetDeclaredMethods(Class.java:2625)
> [rt.jar:1.7.0_85]
> at java.lang.Class.privateGetPublicMethods(Class.java:2743)
> [rt.jar:1.7.0_85]
> at java.lang.Class.getMethods(Class.java:1480) [rt.jar:1.7.0_85]
> at
>
org.jboss.resteasy.spi.metadata.ResourceBuilder.fromAnnotations(ResourceBuilder.java:747)
> at
>
org.jboss.resteasy.spi.metadata.ResourceBuilder.rootResourceFromAnnotations(ResourceBuilder.java:700)
> at
>
org.jboss.resteasy.plugins.server.resourcefactory.POJOResourceFactory.<init>(POJOResourceFactory.java:29)
> at
>
org.jboss.resteasy.core.ResourceMethodRegistry.addPerRequestResource(ResourceMethodRegistry.java:75)
> at
>
org.jboss.resteasy.spi.ResteasyDeployment.registration(ResteasyDeployment.java:400)
> at
> org.jboss.resteasy.spi.ResteasyDeployment.start(ResteasyDeployment.java:241)
> at
>
org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.init(ServletContainerDispatcher.java:112)
> at
>
org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.init(HttpServletDispatcher.java:36)
> at
>
io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:117)
> at
>
org.wildfly.extension.undertow.security.RunAsLifecycleInterceptor.init(RunAsLifecycleInterceptor.java:79)
> at
>
io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:103)
> at
>
io.undertow.servlet.core.ManagedServlet$DefaultInstanceStrategy.start(ManagedServlet.java:220)
> at
>
io.undertow.servlet.core.ManagedServlet.createServlet(ManagedServlet.java:125)
> at
>
io.undertow.servlet.core.DeploymentManagerImpl.start(DeploymentManagerImpl.java:508)
> at
>
org.wildfly.extension.undertow.deployment.UndertowDeploymentService.startContext(UndertowDeploymentService.java:88)
> at
>
org.wildfly.extension.undertow.deployment.UndertowDeploymentService.start(UndertowDeploymentService.java:72)
> at
>
org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1948)
> [jboss-msc-1.2.2.Final.jar:1.2.2.Final]
> at
>
org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1881)
> [jboss-msc-1.2.2.Final.jar:1.2.2.Final]
> ... 3 more
>
> 10:23:31,285 ERROR
> [org.jboss.as.controller.management-operation]
> (management-handler-thread - 1) JBAS014613: Operation
> ("redeploy") failed - address: ([("deployment" =>
> "apitime-rest.war")]) - failure description: {"JBAS014671:
> Failed services" =>
>
{"jboss.undertow.deployment.default-server.default-host./apitime-rest"
> => "org.jboss.msc.service.StartException in service
> jboss.undertow.deployment.default-server.default-host./apitime-rest:
> Failed to start service
> Caused by: java.lang.NoClassDefFoundError:
> com/google/zxing/WriterException"}}
> 10:23:31,285 ERROR [org.jboss.as.server]
> (management-handler-thread - 1) JBAS015860: Redeploy of
> deployment "apitime-rest.war" was rolled back with the
> following failure message:
> {"JBAS014671: Failed services" =>
>
{"jboss.undertow.deployment.default-server.default-host./apitime-rest"
> => "org.jboss.msc.service.StartException in service
> jboss.undertow.deployment.default-server.default-host./apitime-rest:
> Failed to start service
> Caused by: java.lang.NoClassDefFoundError:
> com/google/zxing/WriterException"}}
>
>
> I am using Wildfly 8.2.0 with Keycloak adapter 1.3.1.
> Any solution?
> Thanks.
>
>
> Regards,
> Pavel Maslov, MS
>
> On Wed, Dec 16, 2015 at 10:51 PM, Johan B. <johan.bos(a)c6.eu
> <mailto:johan.bos@c6.eu>> wrote:
>
> You answered it. I was not familiar with the whole setting
> list. My question was: does something in the ui make the
> setting change or is it a manual setup?
> I think you are saying it is only manual and it is fine.
> It would probably best for future version to have all these
> extra adapter setting avail. From admin UI so people has the
> switch/checkbox or input form to make direct application
> change to the json
> Moreover since you have a download installation button and a
> json setting viewer
>
> Le mercredi 16 décembre 2015, Johan Bos <johan.bos(a)c6.eu
> <mailto:johan.bos@c6.eu>> a écrit :
>
> oh when you said:
>
> use-resource-role-mappings
>
> it is only available through the keycloak.json
>
> Nothing from Keycloak Admin UI allows you to set the options, so have the
installation file ready with everything ?
>
> Regards,
>
> Johan Bos
>
> Le 16/12/2015 16:33, Johan Bos a écrit :
>> So it is one or the other.
>> The switch is at realm level or per clients?
>>
>> As I tend to make realm role for securing the clients
>> only and client/resource roles for internal client
>> management, I should be fine
>>
>> Still It would help to have some merging/mapping so from
>> client we don't have to so much rely on KeyCloak
>> implementation to test roles... Issue is that realm role
>> can have same name as client role. But once there is
>> always some pitfall to avoid.
>>
>> Thanks
>>
>> Regards,
>>
>> Johan Bos
>>
>> Le 16/12/2015 15:45, Bill Burke a écrit :
>>> See use-resource-role-mappings switch:
>>>
>>> If set to true, the getResourceAccess("resource-name")
>>> roles will be
>>> mapped into isUserInRole, otherwise getRealmAccess is
>>> mapped into
>>> isUserInRole
>>>
>>> Not the best I know. We've been meaning to add some
>>> sort of role
>>> mapping facility to the adapter.
>>>
>>> On 12/16/2015 9:17 AM, Johan Bos wrote:
>>>> Why is HttpRequest.isUserInRole(<role>) not capable to
>>>> return true when
>>>> the role is present in the AccessToken.getRealmAccess?
>>>>
>>>> Regards,
>>>>
>>>> Johan Bos
>>>>
>>>> Le 16/12/2015 15:09, Bill Burke a écrit :
>>>>> AccessToken.getResourceAccess or
>>>>> AccessToken.getRealmAccess
>>>>>
>>>>> On 12/16/2015 4:51 AM, Tim Dudgeon wrote:
>>>>>> Its not clear to me how you get the assigned roles
>>>>>> from the AccessToken.
>>>>>> For instance, is the realm has configured the user
>>>>>> to have roles "user"
>>>>>> and "editor" how do I find these in the
AccessToken?
>>>>>>
>>>>>> Tim
>>>>>>
>>>>>> On 07/12/2015 02:53, Bill Burke wrote:
>>>>>>> For Java HttpServletRequest.isUserInRole() works.
>>>>>>> If you typecast the
>>>>>>> principal to KeycloakPrincipal you can obtain
the
>>>>>>> AccessToken.
>>>>>>>
>>>>>>> On 12/6/2015 5:39 PM, Pavel Maslov wrote:
>>>>>>>> Hi everyone,
>>>>>>>>
>>>>>>>>
>>>>>>>> Do Keycloak adapters support user
authorization? I
>>>>>>>> mean, of course
>>>>>>>> they
>>>>>>>> do :) For example, the API I have secured
with
>>>>>>>> Keycloak receives a
>>>>>>>> Keycloak access token from the client. How
can I
>>>>>>>> validate the token
>>>>>>>> (check user roles) in my code? I am
interested in
>>>>>>>> the Java
>>>>>>>> (wildfly) and
>>>>>>>> Javascript adapters.
>>>>>>>>
>>>>>>>> Manually I am using jwt.io
<http://jwt.io>
>>>>>>>> <http://jwt.io> <http://jwt.io>
to check the
>>>>>>>> token. I am
>>>>>>>> just
>>>>>>>> curious if the Keycloak adapters support
smth
>>>>>>>> similar out of the box.
>>>>>>>>
>>>>>>>> Thank you for your answers.
>>>>>>>>
>>>>>>>>
>>>>>>>> Regards,
>>>>>>>> Pavel Maslov, MS
>>>>>>>>
>>>>>>>>
>>>>>>>>
_______________________________________________
>>>>>>>> keycloak-user mailing list
>>>>>>>> keycloak-user(a)lists.jboss.org
>>>>>>>>
https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>>>>>
>>>>>>>>
>>>>>> _______________________________________________
>>>>>> keycloak-user mailing list
>>>>>> keycloak-user(a)lists.jboss.org
>>>>>>
https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>>>
>>>>
>>>>
>>>> _______________________________________________
>>>> keycloak-user mailing list
>>>> keycloak-user(a)lists.jboss.org
>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>
>>
>>
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user(a)lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> <mailto:keycloak-user@lists.jboss.org>
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
3297
days inactive
3308
days old
20 comments
7 participants
participants (7)
-
Bill Burke -
Johan B. -
Johan Bos
-
Marko Strukelj -
Pavel Maslov -
Stian Thorgersen -
Tim Dudgeon