[keycloak-user] EJB Invalid User + Log Out not working
Bill Burke
bburke at redhat.com
Mon Mar 21 10:56:00 EDT 2016
Sorry for late response. We were all traveling last week for face to
face meetings.
Check out this:
http://keycloak.github.io/docs/userguide/keycloak-server/html/ch08.html#jboss-adapter
Look for KeycloakLoginModule. You have to set this up in order to
propagate between component layers. I wish we didn't have to require
this extra step, but it's just a fallacy of the current Wildfly security
architecture.
On 3/18/2016 10:31 AM, Firdos Ali wrote:
>
> The EJB is called from the server-side web app. This is a legacy app
> using Struts, so after the user logs in from keycloak they are
> redirected back to the webapp. The web application has access to the
> user, however the EJB does not find a user and throws back the error.
>
> I have the following in my jboss-web.xml:
>
> <?xml version="1.0" encoding="UTF-8"?>
> <jboss-web>
>     <security-domain>java:/jaas/keycloak</security-domain>
> </jboss-web>
>
> I have the following in my jboss-ejb3.xml:
>
> <?xml version="1.0" encoding="UTF-8"?>
> <jboss:ejb-jar
>     xmlns="http://java.sun.com/xml/ns/javaee"
>     xmlns:jboss="http://www.jboss.com/xml/ns/javaee"
>     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>     xmlns:s="urn:security:1.1"
>     version="3.1" impl-version="2.0">
>     <assembly-descriptor>
>         <s:security>
>             <ejb-name>*</ejb-name>
>             <s:security-domain>keycloak</s:security-domain>
>             <s:run-as-principal></s:run-as-principal>
>             <s:missing-method-permissions-deny-access>true</s:missing-method-permissions-deny-access>
>         </s:security>
>     </assembly-descriptor>
> </jboss:ejb-jar>
>
> *From:* Stian Thorgersen [mailto:sthorger at redhat.com]
> *Sent:* Friday, March 18, 2016 7:05 AM
> *To:* Firdos Ali <ali at affordabletours.com>
> *Cc:* keycloak-user <keycloak-user at lists.jboss.org>; Stian Thorgersen
> <stian at redhat.com>
> *Subject:* RE: [keycloak-user] EJB Invalid User + Log Out not working
>
> How is the ejb being called? From jax-rs service or server-side web
> app? For there to be a user you need to be authenticated as a user so
> either the server-side webapp has redirected to login page or there is
> a bearer token included in the authorisation header of the http request.
>
> On 15 Mar 2016 17:58, "Firdos Ali" <ali at affordabletours.com
> <mailto:ali at affordabletours.com>> wrote:
>
> Thank you for the prompt response.
>
> I moved to keycloak 1.9.1 both on the server and updated the adapter,
> however it is still not working. Let me clarify on a few other things
> and hopefully that will provide some additional context
>
> We put our project in an ear file which contains one jar file
> inclusive of the stateless ejbs, one war file, and a few other
> supporting jar files.
>
> The war file has the keycloak.json with the following:
>
> {
>     "realm": "affordabletours",
>     "realm-public-key": "some key",
>     "auth-server-url": "http://10.0.0.1:8080/auth",
>     "ssl-required": "external",
>     "resource": "keycloaktest",
>     "credentials": {
>         "secret": "some secret"
>     }
> }
>
> Are you suggesting that I change the resource “keycloaktest” access
> type from ‘confidential’ to ‘bearer-only’? If so, I tried that and
> unfortunately that did not work. I guess my confusion is how would
> the jar file with the ejbs is aware of the security context when it is
> only at the war level? Thanks
>
> *From:* Stian Thorgersen [mailto:sthorger at redhat.com
> <mailto:sthorger at redhat.com>]
> *Sent:* Friday, March 11, 2016 12:29 AM
> *To:* Firdos Ali <ali at affordabletours.com
> <mailto:ali at affordabletours.com>>
> *Cc:* keycloak-user <keycloak-user at lists.jboss.org
> <mailto:keycloak-user at lists.jboss.org>>
> *Subject:* Re: [keycloak-user] EJB Invalid User + Log Out not working
>
> On 10 March 2016 at 20:19, Firdos Ali <ali at affordabletours.com
> <mailto:ali at affordabletours.com>> wrote:
>
> Hello,
>
> I am having a few problems with Keycloak. Let me first start with
> the environment information:
>
> Keycloak version: 1.9.0
>
> Keycloak wildfly version: 10.0.0
>
> Application wildfly version: 8.0.0
>
> *Problem 1: EJB error - javax.ejb.EJBAccessException: JBAS013323:
> Invalid User*
>
> I have followed the documentation by adding the keycloak adapter
> to the application wildfly 8.0 and my server.xml has the following:
>
> <extensions>
>     ….
>     <extension module="org.keycloak.keycloak-adapter-subsystem"/>
> </extensions>
>
> <profile>
>     <subsystem xmlns="urn:jboss:domain:security:1.2">
>         <security-domains>
>             ….
>             <security-domain name="keycloak">
>                 <authentication>
>                     <login-module code="org.keycloak.adapters.jboss.KeycloakLoginModule"
>                                   flag="required"/>
>                 </authentication>
>             </security-domain>
>         </security-domains>
>     </subsystem>
>     …
>     <subsystem xmlns="urn:jboss:domain:keycloak:1.1"/>
> </profile>
>
> MyEJB:
>
> @Stateless
> @Local(MyInt.class)
> @SecurityDomain("keycloak")
> public class MyBean implements MyInt {
>
>     ...
>
>     @PermitAll
>     @TransactionAttribute(TransactionAttributeType.REQUIRES_NEW)
>     public boolean myMethod(...) throws Exception {
>
>     }
> }
>
> At the moment I am not using jboss-ejb3.xml as I reference the
> security domain in my EJB class. I added it and it did not help out.
>
> Stacktrace:
>
> ERROR [org.jboss.as.ejb3.invocation] (default task-13) JBAS014134: EJB Invocation failed on component MyBean for method public abstract boolean com.at.ejb.MyInt.myMethod(…) throws java.lang.Exception: javax.ejb.EJBAccessException: JBAS013323: Invalid User
>     at org.jboss.as.ejb3.security.SecurityContextInterceptor$1.run(SecurityContextInterceptor.java:66) [wildfly-ejb3-8.0.0.Final.jar:8.0.0.Final]
>     at org.jboss.as.ejb3.security.SecurityContextInterceptor$1.run(SecurityContextInterceptor.java:46) [wildfly-ejb3-8.0.0.Final.jar:8.0.0.Final]
>     at org.jboss.as.ejb3.security.SecurityContextInterceptor.processInvocation(SecurityContextInterceptor.java:92) [wildfly-ejb3-8.0.0.Final.jar:8.0.0.Final]
>     at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:309)
>     at org.jboss.as.ejb3.component.interceptors.ShutDownInterceptorFactory$1.processInvocation(ShutDownInterceptorFactory.java:64) [wildfly-ejb3-8.0.0.Final.jar:8.0.0.Final]
>     at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:309)
>     at org.jboss.as.ejb3.component.interceptors.LoggingInterceptor.processInvocation(LoggingInterceptor.java:59) [wildfly-ejb3-8.0.0.Final.jar:8.0.0.Final]
>     at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:309)
>     at org.jboss.as.ee.component.NamespaceContextInterceptor.processInvocation(NamespaceContextInterceptor.java:50)
>     at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:309)
>     at org.jboss.as.ejb3.component.interceptors.AdditionalSetupInterceptor.processInvocation(AdditionalSetupInterceptor.java:55) [wildfly-ejb3-8.0.0.Final.jar:8.0.0.Final]
>     at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:309)
>     at org.jboss.invocation.ContextClassLoaderInterceptor.processInvocation(ContextClassLoaderInterceptor.java:64)
>     at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:309)
>     at org.jboss.invocation.InterceptorContext.run(InterceptorContext.java:326)
>     at org.wildfly.security.manager.WildFlySecurityManager.doChecked(WildFlySecurityManager.java:448)
>     at org.jboss.invocation.AccessCheckingInterceptor.processInvocation(AccessCheckingInterceptor.java:61)
>     at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:309)
>     at org.jboss.invocation.InterceptorContext.run(InterceptorContext.java:326)
>     at org.jboss.invocation.PrivilegedWithCombinerInterceptor.processInvocation(PrivilegedWithCombinerInterceptor.java:80)
>     at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:309)
>     at org.jboss.invocation.ChainedInterceptor.processInvocation(ChainedInterceptor.java:61)
>     at org.jboss.as.ee.component.ViewService$View.invoke(ViewService.java:185)
>     at org.jboss.as.ee.component.ViewDescription$1.processInvocation(ViewDescription.java:182)
>     at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:309)
>
> Is there something I am missing from the documentation? Any
> thoughts how to resolve this issue?
>
> Is there a bearer token sent with the request that invokes the EJB? If
> so try with 1.9.1. Could be
> https://issues.jboss.org/browse/KEYCLOAK-2518 fixes this.
>
> *Problem 2: Unable to log out a user from keycloak administration
> console:*
>
> After I click “Logout” on the administration console in Keycloak,
> I see the following error on the keycloak server:
>
> ERROR [io.undertow.request] (default task-26) UT005023: Exception handling request to /auth/admin/realms/affordabletours/sessions/f1e69f90-03fc-453d-a495-225bb0c429ab: org.jboss.resteasy.spi.UnhandledException: java.lang.NoSuchMethodError: org.apache.http.impl.client.HttpClientBuilder.setConnectionTimeToLive(JLjava/util/concurrent/TimeUnit;)Lorg/apache/http/impl/client/HttpClientBuilder;
>     at org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:76)
>
> Are you using the standalone Keycloak server? Looking at javadocs for
> httpclient setConnectionTimeToLive was added in 4.4. WildFly 10 uses
> httpclient 4.5, so looks like for some reason you have an old version
> of httpclient.
>
>
> Best regards,
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org <mailto:keycloak-user at lists.jboss.org>
> https://lists.jboss.org/mailman/listinfo/keycloak-user
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
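The point of Bill's answer is that the Keycloak identity established by the web adapter only reaches the EJB container if the "keycloak" security domain carries KeycloakLoginModule. The bean below is an added diagnostic example, not code from the thread, from Keycloak or from WildFly: deployed in the same EAR and bound to the same "keycloak" security domain as MyBean, it reports which caller principal the EJB layer actually sees, so a missing or misconfigured login module shows up as a plain (non-Keycloak) principal or as the JBAS013323 rejection before the bean is ever entered. The class name IdentityProbe and its method names are assumptions for this example; `org.jboss.ejb3.annotation.SecurityDomain` is the annotation already used in the thread, and `org.keycloak.KeycloakPrincipal`, `org.keycloak.KeycloakSecurityContext` and `org.keycloak.representations.AccessToken` are the adapter's own types.

```java
import java.security.Principal;
import java.util.Collections;
import java.util.Set;
import java.util.TreeSet;

import javax.annotation.Resource;
import javax.annotation.security.PermitAll;
import javax.ejb.LocalBean;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;

import org.jboss.ejb3.annotation.SecurityDomain;
import org.keycloak.KeycloakPrincipal;
import org.keycloak.KeycloakSecurityContext;
import org.keycloak.representations.AccessToken;

/**
 * Diagnostic stateless bean (added example; the name is an assumption).
 * It uses the same "keycloak" security domain as MyBean in the thread, so
 * the container only lets a call through once KeycloakLoginModule has
 * populated that domain; without it the call fails with JBAS013323
 * "Invalid User" before any of this code runs.
 *
 * @PermitAll is required at class level because the thread's jboss-ejb3.xml
 * sets missing-method-permissions-deny-access to true.
 */
@Stateless
@LocalBean
@SecurityDomain("keycloak")
@PermitAll
public class IdentityProbe {

    @Resource
    private SessionContext ctx;

    /** Describes the caller exactly as the EJB container sees it. */
    public String describeCaller() {
        Principal p = ctx.getCallerPrincipal();
        if (p == null) {
            return "no caller principal";
        }
        // The Keycloak login module wraps the web-layer identity in a
        // KeycloakPrincipal. Any other principal type means the identity
        // from the WAR was not propagated into the EJB layer.
        if (p instanceof KeycloakPrincipal) {
            KeycloakSecurityContext sc = ((KeycloakPrincipal<?>) p).getKeycloakSecurityContext();
            AccessToken token = sc.getToken();
            return "KeycloakPrincipal " + p.getName()
                    + " user=" + token.getPreferredUsername()
                    + " realm=" + sc.getRealm()
                    + " expires=" + token.getExpiration();
        }
        return p.getClass().getName() + " " + p.getName() + " (not a Keycloak identity)";
    }

    /**
     * Realm roles carried by the propagated access token; empty when no
     * Keycloak identity reached the EJB. Useful for checking that the
     * roles used in @RolesAllowed on real beans are the ones present.
     */
    public Set<String> realmRoles() {
        Principal p = ctx.getCallerPrincipal();
        if (!(p instanceof KeycloakPrincipal)) {
            return Collections.emptySet();
        }
        AccessToken token = ((KeycloakPrincipal<?>) p).getKeycloakSecurityContext().getToken();
        AccessToken.Access realm = token.getRealmAccess();
        return realm == null ? Collections.<String>emptySet() : new TreeSet<>(realm.getRoles());
    }
}
```

To use it, a servlet or Struts action in the WAR injects the bean with `@EJB IdentityProbe probe;` after the Keycloak redirect has completed and logs `probe.describeCaller()` and `probe.realmRoles()`. A result naming a KeycloakPrincipal with the expected realm roles confirms the login module is doing the propagation Bill describes; a generic principal or the JBAS013323 error points back at the security-domain and jboss-ejb3.xml wiring quoted in the thread.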