[keycloak-user] [Authorization] Get user roles from token

Pavel Maslov pavel.masloff at gmail.com
Thu Dec 17 05:49:56 EST 2015


I added these two lines to a working REST service which is already secured
with Keycloak. The only thing is that I am checking user's roles using
*annotations*. What I want to do now is handle this manually (by creating a
test servlet that will pull user's roles out of the token).

From the log I can see that it's missing com/google/zxing:

> Caused by: java.lang.NoClassDefFoundError: com/google/zxing/
> WriterException"

I have no idea what it means.


Regards,
Pavel Maslov, MS

On Thu, Dec 17, 2015 at 11:33 AM, Stian Thorgersen <sthorger at redhat.com>
wrote:

> If you are using WildFly you should install the client adapter subsystem
> (see the docs for instructions). That way you don't have to add any
> dependencies into your WAR.
>
> On 17 December 2015 at 11:01, Pavel Maslov <pavel.masloff at gmail.com>
> wrote:
>
>> Hi Jonah,
>>
>> You don't get these error if you remove the 2 code lines?
>>>
>> Exactly. However, once I include these 2 lines, I cannot deploy the war
>> file to the Wildfly server.
>>
>> I have to point out that there are no errors during build/packaging.
>>
>> Regards,
>> Pavel Maslov, MS
>>
>> On Thu, Dec 17, 2015 at 10:56 AM, Johan Bos <johan.bos at c6.eu> wrote:
>>
>>> You don't get these error if you remove the 2 code lines?
>>> When deploying your apps, it is not enough to add the keycloak core
>>> dependency to access the keycloak principal, you also need to add all
>>> possible dependency the keycloak lib is relying onto.
>>>
>>> Basically on latest version of keycloak, I added almost everything that
>>> comes in the adapter zip to my project/api dependency for runtime.
>>> No idea how it was dealt with in previous version. Only dealt with
>>> keycloak 1.6 and 1.7.
>>>
>>> Since you had to provide some lib to your server (mine was tomcat 7) to
>>> dealt with the keycloak implantation to secure my app, as soon as I needed
>>> to acces keycloak token from my app code, I was required to add the libs
>>> the adapter for tomcat 7 is providing.
>>>
>>> Regards,
>>>
>>> Johan Bos
>>>
>>> Le 17/12/2015 10:39, Pavel Maslov a écrit :
>>>
>>> Guys, I am repeating my question here. Any ideas on this?
>>>
>>> I added the *org.keycloak.KeycloakPrincipal* definition in order to get
>>>> the token:
>>>>
>>>>
>>>> KeycloakPrincipal kcPrincipal = (KeycloakPrincipal) srvl.getUserPrincipal();
>>>> String token = kcPrincipal.getKeycloakSecurityContext().getTokenString();
>>>>
>>>> but cannot deploy the project to the Wildfly server:
>>>>
>>>> 10:23:31,250 INFO  [org.jboss.resteasy.spi.ResteasyDeployment] (MSC
>>>> service thread 1-2) Deploying javax.ws.rs.core.Application: class
>>>> si.liis.apitime.service.ApiTimeApplication
>>>> 10:23:31,282 ERROR [org.jboss.msc.service.fail] (MSC service thread
>>>> 1-2) MSC000001: Failed to start service
>>>> jboss.undertow.deployment.default-server.default-host./apitime-rest:
>>>> org.jboss.msc.service.StartException in service
>>>> jboss.undertow.deployment.default-server.default-host./apitime-rest: Failed
>>>> to start service
>>>> at
>>>> org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1904)
>>>> [jboss-msc-1.2.2.Final.jar:1.2.2.Final]
>>>> at
>>>> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
>>>> [rt.jar:1.7.0_85]
>>>> at
>>>> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
>>>> [rt.jar:1.7.0_85]
>>>> at java.lang.Thread.run(Thread.java:745) [rt.jar:1.7.0_85]
>>>> Caused by: java.lang.NoClassDefFoundError:
>>>> com/google/zxing/WriterException
>>>> at java.lang.Class.getDeclaredMethods0(Native Method) [rt.jar:1.7.0_85]
>>>> at java.lang.Class.privateGetDeclaredMethods(Class.java:2625)
>>>> [rt.jar:1.7.0_85]
>>>> at java.lang.Class.privateGetPublicMethods(Class.java:2743)
>>>> [rt.jar:1.7.0_85]
>>>> at java.lang.Class.getMethods(Class.java:1480) [rt.jar:1.7.0_85]
>>>> at
>>>> org.jboss.resteasy.spi.metadata.ResourceBuilder.fromAnnotations(ResourceBuilder.java:747)
>>>> at
>>>> org.jboss.resteasy.spi.metadata.ResourceBuilder.rootResourceFromAnnotations(ResourceBuilder.java:700)
>>>> at
>>>> org.jboss.resteasy.plugins.server.resourcefactory.POJOResourceFactory.<init>(POJOResourceFactory.java:29)
>>>> at
>>>> org.jboss.resteasy.core.ResourceMethodRegistry.addPerRequestResource(ResourceMethodRegistry.java:75)
>>>> at
>>>> org.jboss.resteasy.spi.ResteasyDeployment.registration(ResteasyDeployment.java:400)
>>>> at
>>>> org.jboss.resteasy.spi.ResteasyDeployment.start(ResteasyDeployment.java:241)
>>>> at
>>>> org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.init(ServletContainerDispatcher.java:112)
>>>> at
>>>> org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.init(HttpServletDispatcher.java:36)
>>>> at
>>>> io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:117)
>>>> at
>>>> org.wildfly.extension.undertow.security.RunAsLifecycleInterceptor.init(RunAsLifecycleInterceptor.java:79)
>>>> at
>>>> io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:103)
>>>> at
>>>> io.undertow.servlet.core.ManagedServlet$DefaultInstanceStrategy.start(ManagedServlet.java:220)
>>>> at
>>>> io.undertow.servlet.core.ManagedServlet.createServlet(ManagedServlet.java:125)
>>>> at
>>>> io.undertow.servlet.core.DeploymentManagerImpl.start(DeploymentManagerImpl.java:508)
>>>> at
>>>> org.wildfly.extension.undertow.deployment.UndertowDeploymentService.startContext(UndertowDeploymentService.java:88)
>>>> at
>>>> org.wildfly.extension.undertow.deployment.UndertowDeploymentService.start(UndertowDeploymentService.java:72)
>>>> at
>>>> org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1948)
>>>> [jboss-msc-1.2.2.Final.jar:1.2.2.Final]
>>>> at
>>>> org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1881)
>>>> [jboss-msc-1.2.2.Final.jar:1.2.2.Final]
>>>> ... 3 more
>>>>
>>>> 10:23:31,285 ERROR [org.jboss.as.controller.management-operation]
>>>> (management-handler-thread - 1) JBAS014613: Operation ("redeploy") failed -
>>>> address: ([("deployment" => "apitime-rest.war")]) - failure description:
>>>> {"JBAS014671: Failed services" =>
>>>> {"jboss.undertow.deployment.default-server.default-host./apitime-rest" =>
>>>> "org.jboss.msc.service.StartException in service
>>>> jboss.undertow.deployment.default-server.default-host./apitime-rest: Failed
>>>> to start service
>>>>     Caused by: java.lang.NoClassDefFoundError:
>>>> com/google/zxing/WriterException"}}
>>>> 10:23:31,285 ERROR [org.jboss.as.server] (management-handler-thread -
>>>> 1) JBAS015860: Redeploy of deployment "apitime-rest.war" was rolled back
>>>> with the following failure message:
>>>> {"JBAS014671: Failed services" =>
>>>> {"jboss.undertow.deployment.default-server.default-host./apitime-rest" =>
>>>> "org.jboss.msc.service.StartException in service
>>>> jboss.undertow.deployment.default-server.default-host./apitime-rest: Failed
>>>> to start service
>>>>     Caused by: java.lang.NoClassDefFoundError:
>>>> com/google/zxing/WriterException"}}
>>>>
>>>>
>>>>
>>>> I am using Wildfly 8.2.0 with Keycloak adapter 1.3.1.
>>>> Any solution?
>>>> Thanks.
>>>>
>>>>
>>> Regards,
>>> Pavel Maslov, MS
>>>
>>> On Wed, Dec 16, 2015 at 10:51 PM, Johan B. <johan.bos at c6.eu> wrote:
>>>
>>>> You answered it. I was not familiar with the whole setting list. My
>>>> question was: does something in the ui make the setting change or is it a
>>>> manual setup?
>>>> I think you are saying it is only manual and it is fine.
>>>> It would probably best for future version to have all these extra
>>>> adapter setting avail. From admin UI so people has the switch/checkbox or
>>>> input form to make direct application change to the json
>>>> Moreover since you have a download installation button and a json
>>>> setting viewer
>>>>
>>>> Le mercredi 16 décembre 2015, Johan Bos < <johan.bos at c6.eu>
>>>> johan.bos at c6.eu> a écrit :
>>>>
>>>>> oh when you said:
>>>>>
>>>>> use-resource-role-mappings
>>>>>
>>>>> it is only available through the keycloak.json
>>>>>
>>>>> Nothing from Keycloak Admin UI allows you to set the options, so have the installation file ready with everything ?
>>>>>
>>>>> Regards,
>>>>>
>>>>> Johan Bos
>>>>>
>>>>> Le 16/12/2015 16:33, Johan Bos a écrit :
>>>>>
>>>>> So it is one or the other.
>>>>> The switch is at realm level or per clients?
>>>>>
>>>>> As I tend to make realm role for securing the clients only and
>>>>> client/resource roles for internal client management, I should be fine
>>>>>
>>>>> Still It would help to have some merging/mapping so from client we
>>>>> don't have to so much rely on KeyCloak implementation to test roles...
>>>>> Issue is that realm role can have same name as client role. But once there
>>>>> is always some pitfall to avoid.
>>>>>
>>>>> Thanks
>>>>>
>>>>> Regards,
>>>>>
>>>>> Johan Bos
>>>>>
>>>>> Le 16/12/2015 15:45, Bill Burke a écrit :
>>>>>
>>>>> See use-resource-role-mappings switch:
>>>>>
>>>>> If set to true, the getResourceAccess("resource-name") roles will be
>>>>> mapped into isUserInRole, otherwise getRealmAccess is mapped into
>>>>> isUserInRole
>>>>>
>>>>> Not the best I know.  We've been meaning to add some sort of role
>>>>> mapping facility to the adapter.
>>>>>
>>>>> On 12/16/2015 9:17 AM, Johan Bos wrote:
>>>>>
>>>>> Why is HttpRequest.isUserInRole(<role>) not capable to return true
>>>>> when
>>>>> the role is present in the AccessToken.getRealmAccess?
>>>>>
>>>>> Regards,
>>>>>
>>>>> Johan Bos
>>>>>
>>>>> Le 16/12/2015 15:09, Bill Burke a écrit :
>>>>>
>>>>> AccessToken.getResourceAccess or AccessToken.getRealmAccess
>>>>>
>>>>> On 12/16/2015 4:51 AM, Tim Dudgeon wrote:
>>>>>
>>>>> Its not clear to me how you get the assigned roles from the
>>>>> AccessToken.
>>>>> For instance, is the realm has configured the user to have roles
>>>>> "user"
>>>>> and "editor" how do I find these in the AccessToken?
>>>>>
>>>>> Tim
>>>>>
>>>>> On 07/12/2015 02:53, Bill Burke wrote:
>>>>>
>>>>> For Java HttpServletRequest.isUserInRole() works.  If you typecast the
>>>>> principal to KeycloakPrincipal you can obtain the AccessToken.
>>>>>
>>>>> On 12/6/2015 5:39 PM, Pavel Maslov wrote:
>>>>>
>>>>> Hi everyone,
>>>>>
>>>>>
>>>>> Do Keycloak adapters support user authorization? I mean, of course
>>>>> they
>>>>> do :) For example, the API I have secured with Keycloak receives a
>>>>> Keycloak access token from the client. How can I validate the token
>>>>> (check user roles) in my code? I am interested in the Java
>>>>> (wildfly) and
>>>>> Javascript adapters.
>>>>>
>>>>> Manually I am using jwt.io <http://jwt.io> to check the token. I am
>>>>> just curious if the Keycloak adapters support smth similar out of the box.
>>>>>
>>>>> Thank you for your answers.
>>>>>
>>>>>
>>>>> Regards,
>>>>> Pavel Maslov, MS
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> keycloak-user mailing list
>>>>> keycloak-user at lists.jboss.org
>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>>
>>>>>
>>>>
>>>
>>>
>>>
>>
>>
>
>
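The thread's answer, in one place: cast the request principal to KeycloakPrincipal, take the AccessToken from the security context, and read the roles from AccessToken.getRealmAccess() and AccessToken.getResourceAccess(clientId), rather than relying on isUserInRole(), whose meaning depends on the use-resource-role-mappings switch. The servlet below is an added example written for this thread; it is not code from any of the posters or from the Keycloak project. The servlet path /whoami, the client id apitime-rest, the required role editor and the class name are assumptions; the Keycloak calls (KeycloakPrincipal, KeycloakSecurityContext.getToken(), AccessToken.Access.getRoles()) are the adapter's public API.

```java
import java.io.IOException;
import java.util.Collections;
import java.util.Set;

import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.keycloak.KeycloakPrincipal;
import org.keycloak.KeycloakSecurityContext;
import org.keycloak.representations.AccessToken;

// Hypothetical servlet: reads the roles out of the adapter-validated AccessToken.
// The client id and the required role name below are assumptions for this example.
@WebServlet("/whoami")
public class RoleCheckServlet extends HttpServlet {

    private static final String CLIENT_ID = "apitime-rest"; // assumed client id
    private static final String REQUIRED_ROLE = "editor";   // assumed role name

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // The adapter has already verified the token's signature, issuer and expiry
        // before the request reaches this servlet; an unauthenticated request carries
        // no principal at all, so treat that as 401 rather than as "no roles".
        if (!(req.getUserPrincipal() instanceof KeycloakPrincipal)) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        @SuppressWarnings("unchecked")
        KeycloakPrincipal<KeycloakSecurityContext> principal =
                (KeycloakPrincipal<KeycloakSecurityContext>) req.getUserPrincipal();
        AccessToken token = principal.getKeycloakSecurityContext().getToken();

        Set<String> realmRoles = realmRoles(token);
        Set<String> clientRoles = clientRoles(token, CLIENT_ID);

        // Decide on the parsed claims, not on isUserInRole(), so the check does not
        // depend on the use-resource-role-mappings switch in keycloak.json.
        if (!clientRoles.contains(REQUIRED_ROLE) && !realmRoles.contains(REQUIRED_ROLE)) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        resp.setContentType("text/plain");
        resp.getWriter().printf("subject=%s%nrealm roles=%s%n%s roles=%s%n",
                token.getSubject(), realmRoles, CLIENT_ID, clientRoles);
    }

    /** Roles from the "realm_access" claim; empty set when the claim is absent. */
    static Set<String> realmRoles(AccessToken token) {
        AccessToken.Access access = token.getRealmAccess();
        return access == null || access.getRoles() == null
                ? Collections.<String>emptySet() : access.getRoles();
    }

    /** Roles from "resource_access" for one client; empty set when that client has no entry. */
    static Set<String> clientRoles(AccessToken token, String clientId) {
        AccessToken.Access access = token.getResourceAccess(clientId);
        return access == null || access.getRoles() == null
                ? Collections.<String>emptySet() : access.getRoles();
    }
}
```

Because a realm role and a client role may carry the same name, as Johan points out above, a check that reads both claim sets should be explicit about which one it means; the example treats either as sufficient only to keep the demonstration short. Deploying this on WildFly still needs the adapter subsystem installed (Stian's point) so that the org.keycloak classes resolve at runtime without bundling them into the WAR.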