[keycloak-user] EJB Invalid User + Log Out not working

Firdos Ali ali at affordabletours.com
Thu Mar 31 13:43:24 EDT 2016


Hi Bill,

I'm not sure if you've had a chance to review my previous message, so I
thought I'd ping you again.  Would you let me know what else I can do, as I
have followed the documentation and still can't seem to get this working
inside of an ear file which contains both the war and the jars (containing
the EJB files).

On Mon, Mar 21, 2016 at 10:14 AM, Firdos Ali <ali at affordabletours.com>
wrote:

> Thank you and I hope that your meetings went well.  I already had that in
> place when I read the documentation, which is why it was really odd to see
> it not work.  Below is my server.xml file:
>
> <?xml version='1.0' encoding='UTF-8'?>
> <server xmlns="urn:jboss:domain:2.0">
>     <extensions>
>         . . .
>         <extension module="org.keycloak.keycloak-adapter-subsystem"/>
>     </extensions>
>
>     <profile>
>         <subsystem xmlns="urn:jboss:domain:ejb3:2.0">
>             . . .
>             <default-security-domain value="keycloak"/>
>             <!-- Added to ensure that the default security domain is
>                  only keycloak, but this does not work either -->
>             . . .
>         </subsystem>
>
>         <subsystem xmlns="urn:jboss:domain:security:1.2">
>             . . .
>             <security-domains>
>                 <security-domain name="keycloak">
>                     <authentication>
>                         <login-module code="org.keycloak.adapters.jboss.KeycloakLoginModule" flag="required"/>
>                     </authentication>
>                 </security-domain>
>             </security-domains>
>         </subsystem>
>         . . .
>         <subsystem xmlns="urn:jboss:domain:keycloak:1.1">
>             <secure-deployment name="atweb.war">
>                 <realm>affordabletours</realm>
>                 <resource>atoms</resource>
>                 <realm-public-key>...</realm-public-key>
>                 <auth-server-url>http://10.0.0.2:8080/auth</auth-server-url>
>                 <ssl-required>EXTERNAL</ssl-required>
>                 <credential name="secret">some secret</credential>
>             </secure-deployment>
>         </subsystem>
>     </profile>
> </server>
>
>
>
> *From:* keycloak-user-bounces at lists.jboss.org [mailto:
> keycloak-user-bounces at lists.jboss.org] *On Behalf Of *Bill Burke
> *Sent:* Monday, March 21, 2016 9:56 AM
> *To:* keycloak-user at lists.jboss.org
>
> *Subject:* Re: [keycloak-user] EJB Invalid User + Log Out not working
>
>
>
> Sorry for late response.  We were all traveling last week for face to face
> meetings.
>
> Check out this:
>
>
> http://keycloak.github.io/docs/userguide/keycloak-server/html/ch08.html#jboss-adapter
>
> Look for KeycloakLoginModule.  You have to set this up in order to
> propagate between component layers.  I wish we didn't have to require this
> extra step, but it's just a fallacy of the current Wildfly security
> architecture.
>
> On 3/18/2016 10:31 AM, Firdos Ali wrote:
>
> The EJB is called from the server-side web app.  This is a legacy app
> using Struts, so after the user logs in from keycloak they are redirected
> back to the webapp.  The web application has access to the user, however
> the EJB does not find a user and throws back the error.
>
>
>
> I have the following in my jboss-web.xml:
>
> <?xml version="1.0" encoding="UTF-8"?>
> <jboss-web>
>     <security-domain>java:/jaas/keycloak</security-domain>
> </jboss-web>
>
>
>
> I have the following in my jboss-ejb3.xml:
>
> <?xml version="1.0" encoding="UTF-8"?>
> <jboss:ejb-jar
>         xmlns="http://java.sun.com/xml/ns/javaee"
>         xmlns:jboss="http://www.jboss.com/xml/ns/javaee"
>         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>         xmlns:s="urn:security:1.1"
>         version="3.1" impl-version="2.0">
>     <assembly-descriptor>
>         <s:security>
>             <ejb-name>*</ejb-name>
>             <s:security-domain>keycloak</s:security-domain>
>             <s:run-as-principal></s:run-as-principal>
>             <s:missing-method-permissions-deny-access>true</s:missing-method-permissions-deny-access>
>         </s:security>
>     </assembly-descriptor>
> </jboss:ejb-jar>
>
>
>
> *From:* Stian Thorgersen [mailto:sthorger at redhat.com]
> *Sent:* Friday, March 18, 2016 7:05 AM
> *To:* Firdos Ali <ali at affordabletours.com>
> *Cc:* keycloak-user <keycloak-user at lists.jboss.org>; Stian Thorgersen <stian at redhat.com>
> *Subject:* RE: [keycloak-user] EJB Invalid User + Log Out not working
>
>
>
> How is the ejb being called? From jax-rs service or server-side web app?
> For there to be a user you need to be authenticated as a user so either the
> server-side webapp has redirected to login page or there is a bearer token
> included in the authorisation header of the http request.
>
> On 15 Mar 2016 17:58, "Firdos Ali" <ali at affordabletours.com> wrote:
>
> Thank you for the prompt response.
>
>
>
> I moved to keycloak 1.9.1 both on the server and updated the adapter,
> however it is still not working.  Let me clarify a few other things and
> hopefully that will provide some additional context.
>
>
>
> We put our project in an ear file which contains one jar file inclusive of
> the stateless ejbs, one war file, and a few other supporting jar files.
>
>
>
> The war file has the keycloak.json with the following:
>
> {
>   "realm": "affordabletours",
>   "realm-public-key": "some key",
>   "auth-server-url": "http://10.0.0.1:8080/auth",
>   "ssl-required": "external",
>   "resource": "keycloaktest",
>   "credentials": {
>     "secret": "some secret"
>   }
> }
>
>
>
> Are you suggesting that I change the resource “keycloaktest” access type
> from ‘confidential’ to ‘bearer-only’?  If so, I tried that and
> unfortunately that did not work.  I guess my confusion is how the jar
> file with the ejbs would be aware of the security context when it is only
> at the war level?   Thanks
>
>
>
>
>
> *From:* Stian Thorgersen [mailto:sthorger at redhat.com]
> *Sent:* Friday, March 11, 2016 12:29 AM
> *To:* Firdos Ali <ali at affordabletours.com>
> *Cc:* keycloak-user <keycloak-user at lists.jboss.org>
> *Subject:* Re: [keycloak-user] EJB Invalid User + Log Out not working
>
>
>
>
>
>
>
> On 10 March 2016 at 20:19, Firdos Ali <ali at affordabletours.com> wrote:
>
> Hello,
>
>
>
> I am having a few problems with Keycloak.  Let me first start with the
> environment information:
>
>
>
> Keycloak version: 1.9.0
>
> Keycloak wildfly version: 10.0.0
>
>
>
> Application wildfly version: 8.0.0
>
>
>
> *Problem 1: EJB error - javax.ejb.EJBAccessException: JBAS013323: Invalid
> User*
>
> I have followed the documentation by adding the keycloak adapter to the
> application wildfly 8.0, and my server.xml has the following:
>
>
>
> <extensions>
>        ….
>         <extension module="org.keycloak.keycloak-adapter-subsystem"/>
> </extensions>
>
> <profile>
>         <subsystem xmlns="urn:jboss:domain:security:1.2">
>                 ….
>             <security-domains>
>                 <security-domain name="keycloak">
>                     <authentication>
>                         <login-module code="org.keycloak.adapters.jboss.KeycloakLoginModule" flag="required"/>
>                     </authentication>
>                 </security-domain>
>             </security-domains>
>         </subsystem>
>         <subsystem xmlns="urn:jboss:domain:keycloak:1.1"/>
> </profile>
>
> MyEJB:
>
> @Stateless
> @Local(MyInt.class)
> @SecurityDomain("keycloak")
> public class MyBean implements MyInt {
>        ...
>     @PermitAll
>     @TransactionAttribute(TransactionAttributeType.REQUIRES_NEW)
>     public boolean myMethod(...) throws Exception {
>         ...
>     }
> }
>
>
>
> At the moment I am not using jboss-ejb3.xml as I reference the security
> domain in my EJB class.  I added it and it did not help out.
>
>
>
> Stacktrace:
>
> ERROR [org.jboss.as.ejb3.invocation] (default task-13) JBAS014134: EJB Invocation failed on component MyBean for method public abstract boolean com.at.ejb.MyInt.myMethod(…) throws java.lang.Exception: javax.ejb.EJBAccessException: JBAS013323: Invalid User
>         at org.jboss.as.ejb3.security.SecurityContextInterceptor$1.run(SecurityContextInterceptor.java:66) [wildfly-ejb3-8.0.0.Final.jar:8.0.0.Final]
>         at org.jboss.as.ejb3.security.SecurityContextInterceptor$1.run(SecurityContextInterceptor.java:46) [wildfly-ejb3-8.0.0.Final.jar:8.0.0.Final]
>         at org.jboss.as.ejb3.security.SecurityContextInterceptor.processInvocation(SecurityContextInterceptor.java:92) [wildfly-ejb3-8.0.0.Final.jar:8.0.0.Final]
>         at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:309)
>         at org.jboss.as.ejb3.component.interceptors.ShutDownInterceptorFactory$1.processInvocation(ShutDownInterceptorFactory.java:64) [wildfly-ejb3-8.0.0.Final.jar:8.0.0.Final]
>         at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:309)
>         at org.jboss.as.ejb3.component.interceptors.LoggingInterceptor.processInvocation(LoggingInterceptor.java:59) [wildfly-ejb3-8.0.0.Final.jar:8.0.0.Final]
>         at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:309)
>         at org.jboss.as.ee.component.NamespaceContextInterceptor.processInvocation(NamespaceContextInterceptor.java:50)
>         at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:309)
>         at org.jboss.as.ejb3.component.interceptors.AdditionalSetupInterceptor.processInvocation(AdditionalSetupInterceptor.java:55) [wildfly-ejb3-8.0.0.Final.jar:8.0.0.Final]
>         at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:309)
>         at org.jboss.invocation.ContextClassLoaderInterceptor.processInvocation(ContextClassLoaderInterceptor.java:64)
>         at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:309)
>         at org.jboss.invocation.InterceptorContext.run(InterceptorContext.java:326)
>         at org.wildfly.security.manager.WildFlySecurityManager.doChecked(WildFlySecurityManager.java:448)
>         at org.jboss.invocation.AccessCheckingInterceptor.processInvocation(AccessCheckingInterceptor.java:61)
>         at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:309)
>         at org.jboss.invocation.InterceptorContext.run(InterceptorContext.java:326)
>         at org.jboss.invocation.PrivilegedWithCombinerInterceptor.processInvocation(PrivilegedWithCombinerInterceptor.java:80)
>         at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:309)
>         at org.jboss.invocation.ChainedInterceptor.processInvocation(ChainedInterceptor.java:61)
>         at org.jboss.as.ee.component.ViewService$View.invoke(ViewService.java:185)
>         at org.jboss.as.ee.component.ViewDescription$1.processInvocation(ViewDescription.java:182)
>         at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:309)
>
> Is there something I am missing from the documentation?  Any thoughts how
> to resolve this issue?
>
>
>
> Is there a bearer token sent with the request that invokes the EJB? If so
> try with 1.9.1. Could be https://issues.jboss.org/browse/KEYCLOAK-2518
> fixes this.
>
>
>
> *Problem 2: Unable to log out a user from keycloak administration console:*
>
> After I click “Logout” on the administration console in Keycloak, I see
> the following error on the keycloak server:
>
> ERROR [io.undertow.request] (default task-26) UT005023: Exception handling request to /auth/admin/realms/affordabletours/sessions/f1e69f90-03fc-453d-a495-225bb0c429ab: org.jboss.resteasy.spi.UnhandledException: java.lang.NoSuchMethodError: org.apache.http.impl.client.HttpClientBuilder.setConnectionTimeToLive(JLjava/util/concurrent/TimeUnit;)Lorg/apache/http/impl/client/HttpClientBuilder;
>         at org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:76)
>
>
>
> Are you using the standalone Keycloak server? Looking at javadocs for
> httpclient setConnectionTimeToLive was added in 4.4. WildFly 10 uses
> httpclient 4.5, so looks like for some reason you have an old version of
> httpclient.
>
>
>
>
> Best regards,
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
> --
>
> Bill Burke
>
> JBoss, a division of Red Hat
>
> http://bill.burkecentral.com
>
>


-- 


Best regards,

*AffordableTours.com* <http://www.affordabletours.com/>
Firdos Ali
Senior Project Manager
11150 Cash Road
Stafford, TX 77477
Toll Free (800) 935-2620 X181
Direct (281) 269-2681
Fax (281) 269-2691
E-mail: ali at affordabletours.com
My Working Hours: Mon - Fri: 09:00AM - 05:00PM CST

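A small diagnostic EJB, added here as an editor's example and not part of the thread: deployed in the same ear as MyBean under the same `keycloak` security domain, it reports which principal the EJB container actually sees, so a context that never propagated (anonymous or null caller) can be told apart from one that arrived as a non-Keycloak principal. The class name, method name and message wording are assumptions; `org.keycloak.KeycloakPrincipal` and `org.keycloak.KeycloakSecurityContext` are the adapter's real classes.

```java
import java.security.Principal;
import javax.annotation.Resource;
import javax.annotation.security.PermitAll;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;
import org.jboss.ejb3.annotation.SecurityDomain;
import org.keycloak.KeycloakPrincipal;
import org.keycloak.KeycloakSecurityContext;
import org.keycloak.representations.AccessToken;

/**
 * Hypothetical probe bean (not part of the original thread). Call it from
 * the Struts web layer right after login and log the result: if the web
 * layer sees a user but this bean reports an anonymous or non-Keycloak
 * principal, the security domain / KeycloakLoginModule wiring between the
 * war and the EJB jar is what needs attention, not the EJB itself.
 */
@Stateless
@PermitAll
@SecurityDomain("keycloak")
public class CallerProbeBean {

    @Resource
    private SessionContext ctx;

    /** One-line description of the identity the EJB container sees. */
    public String describeCaller() {
        Principal p = ctx.getCallerPrincipal();
        if (p == null || "anonymous".equals(p.getName())) {
            // No authenticated identity reached the EJB container: the
            // context from the war was not propagated into this layer.
            return "no propagated caller (principal=" + p + ")";
        }
        if (p instanceof KeycloakPrincipal) {
            KeycloakSecurityContext ksc =
                ((KeycloakPrincipal<?>) p).getKeycloakSecurityContext();
            AccessToken token = ksc.getToken();
            String roles = token.getRealmAccess() == null
                ? "[]" : token.getRealmAccess().getRoles().toString();
            return "keycloak user " + token.getPreferredUsername()
                + " realm=" + token.getIssuer() + " realmRoles=" + roles;
        }
        // Authenticated, but by some other login module: the security
        // domain in force for this bean is not the Keycloak one.
        return "non-keycloak principal " + p.getName()
            + " (" + p.getClass().getName() + ")";
    }
}
```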