[keycloak-user] EJB Invalid User + Log Out not working

Bill Burke bburke at redhat.com
Mon Mar 21 10:56:00 EDT 2016


Sorry for the late response.  We were all traveling last week for face to 
face meetings.

Check out this:

http://keycloak.github.io/docs/userguide/keycloak-server/html/ch08.html#jboss-adapter

Look for KeycloakLoginModule.  You have to set this up in order to 
propagate between component layers.  I wish we didn't have to require 
this extra step, but it's just a fallacy of the current Wildfly security 
architecture.

On 3/18/2016 10:31 AM, Firdos Ali wrote:
>
> The EJB is called from the server-side web app.  This is a legacy app 
> using Struts, so after the user logs in from keycloak they are 
> redirected back to the webapp.  The web application has access to the 
> user, however the EJB does not find a user and throws back the error.
>
> I have the following in my jboss-web.xml:
>
> <?xml version="1.0" encoding="UTF-8"?>
> <jboss-web>
>     <security-domain>java:/jaas/keycloak</security-domain>
> </jboss-web>
>
> I have the following in my jboss-ejb3.xml:
>
> <?xml version="1.0" encoding="UTF-8"?>
> <jboss:ejb-jar
>     xmlns="http://java.sun.com/xml/ns/javaee"
>     xmlns:jboss="http://www.jboss.com/xml/ns/javaee"
>     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>     xmlns:s="urn:security:1.1"
>     version="3.1" impl-version="2.0">
>     <assembly-descriptor>
>         <s:security>
>             <ejb-name>*</ejb-name>
>             <s:security-domain>keycloak</s:security-domain>
>             <s:run-as-principal></s:run-as-principal>
>             <s:missing-method-permissions-deny-access>true</s:missing-method-permissions-deny-access>
>         </s:security>
>     </assembly-descriptor>
> </jboss:ejb-jar>
>
> *From:* Stian Thorgersen [mailto:sthorger at redhat.com]
> *Sent:* Friday, March 18, 2016 7:05 AM
> *To:* Firdos Ali <ali at affordabletours.com>
> *Cc:* keycloak-user <keycloak-user at lists.jboss.org>; Stian Thorgersen 
> <stian at redhat.com>
> *Subject:* RE: [keycloak-user] EJB Invalid User + Log Out not working
>
> How is the ejb being called? From jax-rs service or server-side web 
> app? For there to be a user you need to be authenticated as a user so 
> either the server-side webapp has redirected to login page or there is 
> a bearer token included in the authorisation header of the http request.
>
> On 15 Mar 2016 17:58, "Firdos Ali" <ali at affordabletours.com 
> <mailto:ali at affordabletours.com>> wrote:
>
> Thank you for the prompt response.
>
> I moved to keycloak 1.9.1 both on the server and updated the adapter, 
> however it is still not working.  Let me clarify a few other things 
> and hopefully that will provide some additional context.
>
> We put our project in an ear file which contains one jar file 
> inclusive of the stateless ejbs, one war file, and a few other 
> supporting jar files.
>
> The war file has the keycloak.json with the following:
>
> {
>     "realm": "affordabletours",
>     "realm-public-key": "some key",
>     "auth-server-url": "http://10.0.0.1:8080/auth",
>     "ssl-required": "external",
>     "resource": "keycloaktest",
>     "credentials": {
>         "secret": "some secret"
>     }
> }
>
> Are you suggesting that I change the resource “keycloaktest” access 
> type from ‘confidential’ to ‘bearer-only’?  If so, I tried that and 
> unfortunately that did not work.  I guess my confusion is how would 
> the jar file with the ejbs be aware of the security context when it is 
> only at the war level? Thanks
>
> *From:* Stian Thorgersen [mailto:sthorger at redhat.com 
> <mailto:sthorger at redhat.com>]
> *Sent:* Friday, March 11, 2016 12:29 AM
> *To:* Firdos Ali <ali at affordabletours.com 
> <mailto:ali at affordabletours.com>>
> *Cc:* keycloak-user <keycloak-user at lists.jboss.org 
> <mailto:keycloak-user at lists.jboss.org>>
> *Subject:* Re: [keycloak-user] EJB Invalid User + Log Out not working
>
> On 10 March 2016 at 20:19, Firdos Ali <ali at affordabletours.com 
> <mailto:ali at affordabletours.com>> wrote:
>
>     Hello,
>
>     I am having a few problems with Keycloak.  Let me first start with
>     the environment information:
>
>     Keycloak version: 1.9.0
>
>     Keycloak wildfly version: 10.0.0
>
>     Application wildfly version: 8.0.0
>
>     *Problem 1: EJB error - javax.ejb.EJBAccessException: JBAS013323:
>     Invalid User*
>
>     I have followed the documentation by adding the keycloak adapter
>     to the application wildfly 8.0 and my server.xml has the following:
>
>     <extensions>
>            ….
>             <extension module="org.keycloak.keycloak-adapter-subsystem"/>
>     </extensions>
>
>     <profile>
>             <subsystem xmlns="urn:jboss:domain:security:1.2">
>                     ….
>                 <security-domain name="keycloak">
>                         <authentication>
>                             <login-module
>     code="org.keycloak.adapters.jboss.KeycloakLoginModule"
>     flag="required"/>
>                         </authentication>
>                     </security-domain>
>                 </security-domains>
>             </subsystem>
>             <subsystem xmlns="urn:jboss:domain:keycloak:1.1"/>
>     </profile>
>
>     MyEJB:
>
>     @Stateless
>     @Local(MyInt.class)
>     @SecurityDomain("keycloak")
>     public class MyBean implements MyInt
>            ...
>         @PermitAll
>         @TransactionAttribute(TransactionAttributeType.REQUIRES_NEW)
>         public boolean myMethod(...) throws Exception {
>         }
>
>     At the moment I am not using jboss-ejb3.xml as I reference the
>     security domain in my EJB class.  I added it and it did not help out.
>
>     Stacktrace:
>
>     ERROR [org.jboss.as.ejb3.invocation] (default task-13) JBAS014134:
>     EJB Invocation failed on component MyBean for method public
>     abstract boolean com.at.ejb.MyInt.myMethod(…) throws
>     java.lang.Exception: javax.ejb.EJBAccessException: JBAS013323:
>     Invalid User
>         at org.jboss.as.ejb3.security.SecurityContextInterceptor$1.run(SecurityContextInterceptor.java:66) [wildfly-ejb3-8.0.0.Final.jar:8.0.0.Final]
>         at org.jboss.as.ejb3.security.SecurityContextInterceptor$1.run(SecurityContextInterceptor.java:46) [wildfly-ejb3-8.0.0.Final.jar:8.0.0.Final]
>         at org.jboss.as.ejb3.security.SecurityContextInterceptor.processInvocation(SecurityContextInterceptor.java:92) [wildfly-ejb3-8.0.0.Final.jar:8.0.0.Final]
>         at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:309)
>         at org.jboss.as.ejb3.component.interceptors.ShutDownInterceptorFactory$1.processInvocation(ShutDownInterceptorFactory.java:64) [wildfly-ejb3-8.0.0.Final.jar:8.0.0.Final]
>         at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:309)
>         at org.jboss.as.ejb3.component.interceptors.LoggingInterceptor.processInvocation(LoggingInterceptor.java:59) [wildfly-ejb3-8.0.0.Final.jar:8.0.0.Final]
>         at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:309)
>         at org.jboss.as.ee.component.NamespaceContextInterceptor.processInvocation(NamespaceContextInterceptor.java:50)
>         at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:309)
>         at org.jboss.as.ejb3.component.interceptors.AdditionalSetupInterceptor.processInvocation(AdditionalSetupInterceptor.java:55) [wildfly-ejb3-8.0.0.Final.jar:8.0.0.Final]
>         at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:309)
>         at org.jboss.invocation.ContextClassLoaderInterceptor.processInvocation(ContextClassLoaderInterceptor.java:64)
>         at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:309)
>         at org.jboss.invocation.InterceptorContext.run(InterceptorContext.java:326)
>         at org.wildfly.security.manager.WildFlySecurityManager.doChecked(WildFlySecurityManager.java:448)
>         at org.jboss.invocation.AccessCheckingInterceptor.processInvocation(AccessCheckingInterceptor.java:61)
>         at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:309)
>         at org.jboss.invocation.InterceptorContext.run(InterceptorContext.java:326)
>         at org.jboss.invocation.PrivilegedWithCombinerInterceptor.processInvocation(PrivilegedWithCombinerInterceptor.java:80)
>         at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:309)
>         at org.jboss.invocation.ChainedInterceptor.processInvocation(ChainedInterceptor.java:61)
>         at org.jboss.as.ee.component.ViewService$View.invoke(ViewService.java:185)
>         at org.jboss.as.ee.component.ViewDescription$1.processInvocation(ViewDescription.java:182)
>         at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:309)
>
>     Is there something I am missing from the documentation? Any
>     thoughts how to resolve this issue?
>
> Is there a bearer token sent with the request that invokes the EJB? If 
> so try with 1.9.1. Could be 
> https://issues.jboss.org/browse/KEYCLOAK-2518 fixes this.
>
>     *Problem 2: Unable to log out a user from keycloak administration
>     console:*
>
>     After I click “Logout” on the administration console in Keycloak,
>     I see the following error on the keycloak server:
>
>     ERROR [io.undertow.request] (default task-26) UT005023: Exception
>     handling request to
>     /auth/admin/realms/affordabletours/sessions/f1e69f90-03fc-453d-a495-225bb0c429ab:
>     org.jboss.resteasy.spi.UnhandledException:
>     java.lang.NoSuchMethodError:
>     org.apache.http.impl.client.HttpClientBuilder.setConnectionTimeToLive(JLjava/util/concurrent/TimeUnit;)Lorg/apache/http/impl/client/HttpClientBuilder;
>         at org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:76)
>
> Are you using the standalone Keycloak server? Looking at javadocs for 
> httpclient setConnectionTimeToLive was added in 4.4. WildFly 10 uses 
> httpclient 4.5, so looks like for some reason you have an old version 
> of httpclient.
>
>
>     Best regards,
>
>
>     _______________________________________________
>     keycloak-user mailing list
>     keycloak-user at lists.jboss.org <mailto:keycloak-user at lists.jboss.org>
>     https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
>

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
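Bill's point that the web tier's identity only reaches the EJB tier once KeycloakLoginModule is on the security domain can be checked from inside the bean itself. The following is an added example, not code from this thread or from Keycloak; the bean and method names are hypothetical, and it assumes the Keycloak adapter classes are visible to the deployment through the adapter subsystem:

```java
// Added example: an EJB on the same "keycloak" security domain the web app's
// jboss-web.xml points at. It reports which principal actually reached the EJB
// tier. When KeycloakLoginModule is missing from the domain, the container sees
// no authenticated caller here, which is the condition behind
// "JBAS013323: Invalid User" on a method that is not @PermitAll.
import java.security.Principal;

import javax.annotation.Resource;
import javax.annotation.security.PermitAll;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;

import org.jboss.ejb3.annotation.SecurityDomain;
import org.keycloak.KeycloakPrincipal;
import org.keycloak.KeycloakSecurityContext;
import org.keycloak.representations.AccessToken;

@Stateless
@SecurityDomain("keycloak")   // must match the domain configured with KeycloakLoginModule
public class WhoAmIBean {      // hypothetical name

    @Resource
    private SessionContext ctx;

    /**
     * Returns the user name propagated from the web tier, or null when no
     * Keycloak identity reached this EJB (anonymous or non-Keycloak principal).
     */
    @PermitAll
    public String propagatedUser() {
        Principal p = ctx.getCallerPrincipal();
        if (!(p instanceof KeycloakPrincipal)) {
            return null;   // propagation did not happen: fix the security domain first
        }
        KeycloakSecurityContext ksc = ((KeycloakPrincipal<?>) p).getKeycloakSecurityContext();
        AccessToken token = ksc.getToken();
        return token.getPreferredUsername();
    }

    /** Realm role check delegated to the container's security context. */
    @PermitAll
    public boolean callerHasRole(String role) {
        return ctx.isCallerInRole(role);
    }
}
```

Calling `propagatedUser()` from the Struts layer after login and getting null back localises the fault to the security-domain wiring rather than to the web adapter.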


