[keycloak-user] EJB Invalid User + Log Out not working
Stian Thorgersen
sthorger at redhat.com
Fri Mar 18 08:05:15 EDT 2016
How is the ejb being called? From jax-rs service or server-side web app?
For there to be a user you need to be authenticated as a user so either the
server-side webapp has redirected to login page or there is a bearer token
included in the authorisation header of the http request.
On 15 Mar 2016 17:58, "Firdos Ali" <ali at affordabletours.com> wrote:
> Thank you for the prompt response.
>
>
>
> I moved to keycloak 1.9.1 both on the server and updated the adapter,
> however it is still not working. Let me clarify on a few other things and
> hopefully that will provide some additional context.
>
> We put our project in an ear file which contains one jar file inclusive of
> the stateless ejbs, one war file, and a few other supporting jar files.
>
>
>
> The war file has the keycloak.json with the following:
>
> {
>   "realm": "affordabletours",
>   "realm-public-key": "some key",
>   "auth-server-url": "http://10.0.0.1:8080/auth",
>   "ssl-required": "external",
>   "resource": "keycloaktest",
>   "credentials": {
>     "secret": "some secret"
>   }
> }
>
> Are you suggesting that I change the resource “keycloaktest” access type
> from ‘confidential’ to ‘bearer-only’? If so, I tried that and
> unfortunately that did not work. I guess my confusion is how would the jar
> file with the ejbs be aware of the security context when it is only at the
> war level? Thanks
>
> *From:* Stian Thorgersen [mailto:sthorger at redhat.com]
> *Sent:* Friday, March 11, 2016 12:29 AM
> *To:* Firdos Ali <ali at affordabletours.com>
> *Cc:* keycloak-user <keycloak-user at lists.jboss.org>
> *Subject:* Re: [keycloak-user] EJB Invalid User + Log Out not working
>
>
>
>
>
>
>
> On 10 March 2016 at 20:19, Firdos Ali <ali at affordabletours.com> wrote:
>
> Hello,
>
>
>
> I am having a few problems with Keycloak. Let me first start with the
> environment information:
>
>
>
> Keycloak version: 1.9.0
>
> Keycloak wildfly version: 10.0.0
>
>
>
> Application wildfly version: 8.0.0
>
>
>
> *Problem 1: EJB error - javax.ejb.EJBAccessException: JBAS013323: Invalid
> User*
>
> I have followed the documentation by adding the keycloak adapter to the
> application wildfly 8.0 and my server.xml has the following:
>
> <extensions>
>     ….
>     <extension module="org.keycloak.keycloak-adapter-subsystem"/>
> </extensions>
>
> <profile>
>     <subsystem xmlns="urn:jboss:domain:security:1.2">
>         ….
>             <security-domain name="keycloak">
>                 <authentication>
>                     <login-module code="org.keycloak.adapters.jboss.KeycloakLoginModule" flag="required"/>
>                 </authentication>
>             </security-domain>
>         </security-domains>
>     </subsystem>
>     …
>     <subsystem xmlns="urn:jboss:domain:keycloak:1.1"/>
> </profile>
>
> MyEJB:
>
> @Stateless
> @Local(MyInt.class)
> @SecurityDomain("keycloak")
> public class MyBean implements MyInt {
>     ...
>     @PermitAll
>     @TransactionAttribute(TransactionAttributeType.REQUIRES_NEW)
>     public boolean myMethod(...) throws Exception {
>     }
> }
>
> At the moment I am not using jboss-ejb3.xml as I reference the security
> domain in my EJB class. I added it and it did not help out.
>
> Stacktrace:
>
> ERROR [org.jboss.as.ejb3.invocation] (default task-13) JBAS014134: EJB Invocation failed on component MyBean for method public abstract boolean com.at.ejb.MyInt.myMethod(…) throws java.lang.Exception: javax.ejb.EJBAccessException: JBAS013323: Invalid User
>     at org.jboss.as.ejb3.security.SecurityContextInterceptor$1.run(SecurityContextInterceptor.java:66) [wildfly-ejb3-8.0.0.Final.jar:8.0.0.Final]
>     at org.jboss.as.ejb3.security.SecurityContextInterceptor$1.run(SecurityContextInterceptor.java:46) [wildfly-ejb3-8.0.0.Final.jar:8.0.0.Final]
>     at org.jboss.as.ejb3.security.SecurityContextInterceptor.processInvocation(SecurityContextInterceptor.java:92) [wildfly-ejb3-8.0.0.Final.jar:8.0.0.Final]
>     at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:309)
>     at org.jboss.as.ejb3.component.interceptors.ShutDownInterceptorFactory$1.processInvocation(ShutDownInterceptorFactory.java:64) [wildfly-ejb3-8.0.0.Final.jar:8.0.0.Final]
>     at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:309)
>     at org.jboss.as.ejb3.component.interceptors.LoggingInterceptor.processInvocation(LoggingInterceptor.java:59) [wildfly-ejb3-8.0.0.Final.jar:8.0.0.Final]
>     at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:309)
>     at org.jboss.as.ee.component.NamespaceContextInterceptor.processInvocation(NamespaceContextInterceptor.java:50)
>     at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:309)
>     at org.jboss.as.ejb3.component.interceptors.AdditionalSetupInterceptor.processInvocation(AdditionalSetupInterceptor.java:55) [wildfly-ejb3-8.0.0.Final.jar:8.0.0.Final]
>     at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:309)
>     at org.jboss.invocation.ContextClassLoaderInterceptor.processInvocation(ContextClassLoaderInterceptor.java:64)
>     at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:309)
>     at org.jboss.invocation.InterceptorContext.run(InterceptorContext.java:326)
>     at org.wildfly.security.manager.WildFlySecurityManager.doChecked(WildFlySecurityManager.java:448)
>     at org.jboss.invocation.AccessCheckingInterceptor.processInvocation(AccessCheckingInterceptor.java:61)
>     at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:309)
>     at org.jboss.invocation.InterceptorContext.run(InterceptorContext.java:326)
>     at org.jboss.invocation.PrivilegedWithCombinerInterceptor.processInvocation(PrivilegedWithCombinerInterceptor.java:80)
>     at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:309)
>     at org.jboss.invocation.ChainedInterceptor.processInvocation(ChainedInterceptor.java:61)
>     at org.jboss.as.ee.component.ViewService$View.invoke(ViewService.java:185)
>     at org.jboss.as.ee.component.ViewDescription$1.processInvocation(ViewDescription.java:182)
>     at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:309)
>
> Is there something I am missing from the documentation? Any thoughts how
> to resolve this issue?
>
>
>
> Is there a bearer token sent with the request that invokes the EJB? If so
> try with 1.9.1. Could be https://issues.jboss.org/browse/KEYCLOAK-2518
> fixes this.
>
>
>
> *Problem 2: Unable to log out a user from keycloak administration console:*
>
> After I click “Logout” on the administration console in Keycloak, I see
> the following error on the keycloak server:
>
> ERROR [io.undertow.request] (default task-26) UT005023: Exception handling
> request to
> /auth/admin/realms/affordabletours/sessions/f1e69f90-03fc-453d-a495-225bb0c429ab:
> org.jboss.resteasy.spi.UnhandledException: java.lang.NoSuchMethodError:
> org.apache.http.impl.client.HttpClientBuilder.setConnectionTimeToLive(JLjava/util/concurrent/TimeUnit;)Lorg/apache/http/impl/client/HttpClientBuilder;
> at
> org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:76)
>
>
>
> Are you using the standalone Keycloak server? Looking at javadocs for
> httpclient setConnectionTimeToLive was added in 4.4. WildFly 10 uses
> httpclient 4.5, so looks like for some reason you have an old version of
> httpclient.
>
>
>
>
> Best regards,
>
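
The first condition named in the reply above (the server-side web app redirects the caller to the login page) depends on the WAR declaring a security constraint and the Keycloak login method. This is an added example, not part of the original thread: a `WEB-INF/web.xml` for the WAR that holds the quoted `keycloak.json`. The realm name is taken from that file; the `/*` URL pattern and the `user` role are assumptions.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- WEB-INF/web.xml of the WAR that contains keycloak.json (added example).
     The URL pattern and the role name are assumptions; adjust to the application. -->
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee
                             http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd"
         version="3.1">

    <!-- Without an auth-constraint the container never asks the caller to
         authenticate, so the request reaches the servlet, and any EJB it
         calls, with no authenticated user. -->
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>secured</web-resource-name>
            <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>user</role-name>
        </auth-constraint>
    </security-constraint>

    <!-- Hands authentication to the Keycloak adapter: browser requests are
         redirected to the realm login page, and requests that carry a bearer
         token in the Authorization header are checked against the realm. -->
    <login-config>
        <auth-method>KEYCLOAK</auth-method>
        <realm-name>affordabletours</realm-name>
    </login-config>

    <!-- Every role used in an auth-constraint must be declared here and must
         exist as a role the realm assigns to the user. -->
    <security-role>
        <role-name>user</role-name>
    </security-role>
</web-app>
```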