[keycloak-user] EJB Invalid User + Log Out not working

Firdos Ali ali at affordabletours.com
Mon Mar 21 11:14:48 EDT 2016


Thank you and I hope that your meetings went well.   I already had that in
place when I read the documentation which is why it was really odd to see it
not work.  Below is my server.xml file:

 

<?xml version='1.0' encoding='UTF-8'?>
<server xmlns="urn:jboss:domain:2.0">
    <extensions>
        . . .
        <extension module="org.keycloak.keycloak-adapter-subsystem"/>
    </extensions>

    <profile>
        <subsystem xmlns="urn:jboss:domain:ejb3:2.0">
            . . .
            <default-security-domain value="keycloak"/> <!-- Added to ensure that the default security domain is only keycloak, but this does not work either -->
            . . .
        </subsystem>

        <subsystem xmlns="urn:jboss:domain:security:1.2">
            . . .
            <security-domains>
                <security-domain name="keycloak">
                    <authentication>
                        <login-module code="org.keycloak.adapters.jboss.KeycloakLoginModule" flag="required"/>
                    </authentication>
                </security-domain>
            </security-domains>
        </subsystem>
        . . .
        <subsystem xmlns="urn:jboss:domain:keycloak:1.1">
            <secure-deployment name="atweb.war">
                <realm>affordabletours</realm>
                <resource>atoms</resource>
                <realm-public-key>...</realm-public-key>
                <auth-server-url>http://10.0.0.2:8080/auth</auth-server-url>
                <ssl-required>EXTERNAL</ssl-required>
                <credential name="secret">some secret</credential>
            </secure-deployment>
        </subsystem>
    </profile>
</server>

 

From: keycloak-user-bounces at lists.jboss.org
[mailto:keycloak-user-bounces at lists.jboss.org] On Behalf Of Bill Burke
Sent: Monday, March 21, 2016 9:56 AM
To: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] EJB Invalid User + Log Out not working

 

Sorry for late response.  We were all traveling last week for face to face
meetings.

Check out this:

http://keycloak.github.io/docs/userguide/keycloak-server/html/ch08.html#jboss-adapter

Look for KeycloakLoginModule. You have to set this up in order to propagate
between component layers. I wish we didn't have to require this extra step,
but it's just a fallacy of the current Wildfly security architecture.

On 3/18/2016 10:31 AM, Firdos Ali wrote:

The EJB is called from the server-side web app.  This is a legacy app using
Struts, so after the user logs in from keycloak they are redirected back to
the webapp.  The web application has access to the user, however the EJB
does not find a user and throws back the error.

 

I have the following in my jboss-web.xml:

<?xml version="1.0" encoding="UTF-8"?>
<jboss-web>
    <security-domain>java:/jaas/keycloak</security-domain>
</jboss-web>

 

I have the following in my jboss-ejb3.xml:

<?xml version="1.0" encoding="UTF-8"?>
<jboss:ejb-jar
        xmlns="http://java.sun.com/xml/ns/javaee"
        xmlns:jboss="http://www.jboss.com/xml/ns/javaee"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xmlns:s="urn:security:1.1"
        version="3.1" impl-version="2.0">
    <assembly-descriptor>
        <s:security>
            <ejb-name>*</ejb-name>
            <s:security-domain>keycloak</s:security-domain>
            <s:run-as-principal></s:run-as-principal>
            <s:missing-method-permissions-deny-access>true</s:missing-method-permissions-deny-access>
        </s:security>
    </assembly-descriptor>
</jboss:ejb-jar>

 

From: Stian Thorgersen [mailto:sthorger at redhat.com]
Sent: Friday, March 18, 2016 7:05 AM
To: Firdos Ali <ali at affordabletours.com>
Cc: keycloak-user <keycloak-user at lists.jboss.org>; Stian Thorgersen <stian at redhat.com>
Subject: RE: [keycloak-user] EJB Invalid User + Log Out not working

 

How is the ejb being called? From jax-rs service or server-side web app?
For there to be a user you need to be authenticated as a user, so either the
server-side webapp has redirected to the login page or there is a bearer token
included in the authorisation header of the http request.

On 15 Mar 2016 17:58, "Firdos Ali" <ali at affordabletours.com> wrote:

Thank you for the prompt response.

 

I moved to keycloak 1.9.1 both on the server and updated the adapter,
however it is still not working.  Let me clarify a few other things and
hopefully that will provide some additional context.

 

We put our project in an ear file which contains one jar file inclusive of
the stateless ejbs, one war file, and a few other supporting jar files.  

 

The war file has the keycloak.json with the following:

{
  "realm": "affordabletours",
  "realm-public-key": "some key",
  "auth-server-url": "http://10.0.0.1:8080/auth",
  "ssl-required": "external",
  "resource": "keycloaktest",
  "credentials": {
    "secret": "some secret"
  }
}

 

Are you suggesting that I change the resource "keycloaktest" access type
from 'confidential' to 'bearer-only'?  If so, I tried that and unfortunately
that did not work.  I guess my confusion is how the jar file with the
ejbs would be aware of the security context when it is only at the war level?
Thanks

 

 

From: Stian Thorgersen [mailto:sthorger at redhat.com]
Sent: Friday, March 11, 2016 12:29 AM
To: Firdos Ali <ali at affordabletours.com>
Cc: keycloak-user <keycloak-user at lists.jboss.org>
Subject: Re: [keycloak-user] EJB Invalid User + Log Out not working

 

 

 

On 10 March 2016 at 20:19, Firdos Ali <ali at affordabletours.com> wrote:

Hello,

 

I am having a few problems with Keycloak.  Let me first start with the
environment information:

 

Keycloak version: 1.9.0

Keycloak wildfly version: 10.0.0

 

Application wildfly version: 8.0.0

 

Problem 1: EJB error - javax.ejb.EJBAccessException: JBAS013323: Invalid User

I have followed the documentation by adding the keycloak adapter to the
application wildfly 8.0 and my server.xml has the following:

 

<extensions>
    ..
    <extension module="org.keycloak.keycloak-adapter-subsystem"/>
</extensions>

<profile>
    <subsystem xmlns="urn:jboss:domain:security:1.2">
        ..
        <security-domains>
            <security-domain name="keycloak">
                <authentication>
                    <login-module code="org.keycloak.adapters.jboss.KeycloakLoginModule" flag="required"/>
                </authentication>
            </security-domain>
        </security-domains>
    </subsystem>
    .
    <subsystem xmlns="urn:jboss:domain:keycloak:1.1"/>
</profile>

MyEJB:

@Stateless
@Local(MyInt.class)
@SecurityDomain("keycloak")
public class MyBean implements MyInt {

    ...

    @PermitAll
    @TransactionAttribute(TransactionAttributeType.REQUIRES_NEW)
    public boolean myMethod(...) throws Exception {
        ...
    }
}

 

At the moment I am not using jboss-ejb3.xml as I reference the security
domain in my EJB class.  I added it and it did not help out.

 

Stacktrace:

ERROR [org.jboss.as.ejb3.invocation] (default task-13) JBAS014134: EJB Invocation failed on component MyBean for method public abstract boolean com.at.ejb.MyInt.myMethod(.) throws java.lang.Exception: javax.ejb.EJBAccessException: JBAS013323: Invalid User
        at org.jboss.as.ejb3.security.SecurityContextInterceptor$1.run(SecurityContextInterceptor.java:66) [wildfly-ejb3-8.0.0.Final.jar:8.0.0.Final]
        at org.jboss.as.ejb3.security.SecurityContextInterceptor$1.run(SecurityContextInterceptor.java:46) [wildfly-ejb3-8.0.0.Final.jar:8.0.0.Final]
        at org.jboss.as.ejb3.security.SecurityContextInterceptor.processInvocation(SecurityContextInterceptor.java:92) [wildfly-ejb3-8.0.0.Final.jar:8.0.0.Final]
        at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:309)
        at org.jboss.as.ejb3.component.interceptors.ShutDownInterceptorFactory$1.processInvocation(ShutDownInterceptorFactory.java:64) [wildfly-ejb3-8.0.0.Final.jar:8.0.0.Final]
        at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:309)
        at org.jboss.as.ejb3.component.interceptors.LoggingInterceptor.processInvocation(LoggingInterceptor.java:59) [wildfly-ejb3-8.0.0.Final.jar:8.0.0.Final]
        at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:309)
        at org.jboss.as.ee.component.NamespaceContextInterceptor.processInvocation(NamespaceContextInterceptor.java:50)
        at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:309)
        at org.jboss.as.ejb3.component.interceptors.AdditionalSetupInterceptor.processInvocation(AdditionalSetupInterceptor.java:55) [wildfly-ejb3-8.0.0.Final.jar:8.0.0.Final]
        at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:309)
        at org.jboss.invocation.ContextClassLoaderInterceptor.processInvocation(ContextClassLoaderInterceptor.java:64)
        at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:309)
        at org.jboss.invocation.InterceptorContext.run(InterceptorContext.java:326)
        at org.wildfly.security.manager.WildFlySecurityManager.doChecked(WildFlySecurityManager.java:448)
        at org.jboss.invocation.AccessCheckingInterceptor.processInvocation(AccessCheckingInterceptor.java:61)
        at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:309)
        at org.jboss.invocation.InterceptorContext.run(InterceptorContext.java:326)
        at org.jboss.invocation.PrivilegedWithCombinerInterceptor.processInvocation(PrivilegedWithCombinerInterceptor.java:80)
        at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:309)
        at org.jboss.invocation.ChainedInterceptor.processInvocation(ChainedInterceptor.java:61)
        at org.jboss.as.ee.component.ViewService$View.invoke(ViewService.java:185)
        at org.jboss.as.ee.component.ViewDescription$1.processInvocation(ViewDescription.java:182)
        at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:309)

Is there something I am missing from the documentation?  Any thoughts how to
resolve this issue?

 

Is there a bearer token sent with the request that invokes the EJB? If so
try with 1.9.1. Could be https://issues.jboss.org/browse/KEYCLOAK-2518 fixes
this.

 

Problem 2: Unable to log out a user from keycloak administration console:

After I click "Logout" on the administration console in Keycloak, I see the
following error on the keycloak server:

ERROR [io.undertow.request] (default task-26) UT005023: Exception handling request to /auth/admin/realms/affordabletours/sessions/f1e69f90-03fc-453d-a495-225bb0c429ab: org.jboss.resteasy.spi.UnhandledException: java.lang.NoSuchMethodError: org.apache.http.impl.client.HttpClientBuilder.setConnectionTimeToLive(JLjava/util/concurrent/TimeUnit;)Lorg/apache/http/impl/client/HttpClientBuilder;
        at org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:76)

 

Are you using the standalone Keycloak server? Looking at javadocs for
httpclient setConnectionTimeToLive was added in 4.4. WildFly 10 uses
httpclient 4.5, so looks like for some reason you have an old version of
httpclient.

 


Best regards,


_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org <mailto:keycloak-user at lists.jboss.org> 
https://lists.jboss.org/mailman/listinfo/keycloak-user

 











-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
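A diagnostic pair I would add for the symptom in this thread (the web app sees the user, the EJB says Invalid User); it is not code from any message here or from Keycloak. A servlet in the war reports the identity the Keycloak adapter established, then calls a bean in the EJB jar that reports what the container resolved for the same request, so you can see at which layer the KeycloakLoginModule propagation breaks. Assumes the /whoami path is covered by a security-constraint so the adapter authenticates it; WhoAmIBean, PropagationCheckServlet and the path are hypothetical names.

```java
// --- WhoAmIBean.java (goes in the EJB jar) ---
import javax.annotation.Resource;
import javax.annotation.security.PermitAll;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;
import org.jboss.ejb3.annotation.SecurityDomain;

@Stateless
@SecurityDomain("keycloak")   // must match the security-domain name in server.xml
public class WhoAmIBean {
    @Resource
    private SessionContext ctx;

    // Name the container resolved for the caller. "anonymous" here, or an
    // EJBAccessException before this runs, means the web identity did not propagate.
    @PermitAll
    public String callerName() {
        return ctx.getCallerPrincipal().getName();
    }
}

// --- PropagationCheckServlet.java (goes in the war secured by the adapter) ---
import java.io.IOException;
import javax.ejb.EJB;
import javax.ejb.EJBAccessException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.*;
import org.keycloak.KeycloakSecurityContext;

@WebServlet("/whoami")   // hypothetical path; must be inside a security-constraint
public class PropagationCheckServlet extends HttpServlet {
    @EJB
    private WhoAmIBean bean;

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Identity the Keycloak adapter established at the web layer.
        KeycloakSecurityContext ksc = (KeycloakSecurityContext)
                req.getAttribute(KeycloakSecurityContext.class.getName());
        String webUser = ksc == null ? "none" : ksc.getToken().getPreferredUsername();
        // Identity the EJB layer sees for the same request; the two should agree.
        String ejbUser;
        try { ejbUser = bean.callerName(); }
        catch (EJBAccessException e) { ejbUser = "denied: " + e.getMessage(); }
        resp.setContentType("text/plain");
        resp.getWriter().printf("web: %s%nejb: %s%n", webUser, ejbUser);
    }
}
```

If the web line shows a username while the ejb line shows anonymous or a denial, the gap is between the adapter's web-layer identity and the JAAS security domain the EJB container consults, which is exactly the wiring the KeycloakLoginModule entry in server.xml is meant to provide.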