[keycloak-user] "Error! An unexpected server error has occurred" in Keycloak admin interface when retrieving a user

Stian Thorgersen sthorger at redhat.com
Wed Sep 14 07:16:25 EDT 2016 

I changed that to an enhancement request as it's not a bug. It was intended
to use view/manage-users role, but that can be questioned.

On 14 September 2016 at 12:24, Edgar Vonk - Info.nl <Edgar at info.nl> wrote:

> Ok, thanks! I created https://issues.jboss.org/browse/KEYCLOAK-3576
>
> > On 14 Sep 2016, at 10:20, Marek Posolda <mposolda at redhat.com> wrote:
> >
> > It seems that for view/update UserFederation, we currently require
> permissions to "view-users" or "manage-users" . This looks like a bug as
> admin, who is able just to manage users, shouldn't be allowed to manage
> user federation providers. It seems this should either be "view-realm" or
> "manage-realm" or separate dedicated roles for user federation providers.
> >
> > Could you please create JIRA?
> >
> > Thanks,
> > Marek
> >
> > On 14/09/16 09:41, Edgar Vonk - Info.nl wrote:
> >> Hi Marek,
> >>
> >> Very sorry, this was our fault. We were using an outdated and
> customized version of the users.js file from Keycloak in our theme and this
> was causing the issue.
> >>
> >> We do now see a somewhat related issue in that our user admin accounts
> (with the manage-users realm-management role) now also see the ‘Configure -
> User Federation’ menu item and are actually able to change some (but not
> all) settings in our user federation (and can even delete them I think).
> Maybe any ideas on how to make sure these users no longer get access to
> Configure - User Federation?
> >>
> >> cheers
> >>
> >> Edgar
> >>
> >>
> >>> On 08 Sep 2016, at 14:04, Marek Posolda <mposolda at redhat.com> wrote:
> >>>
> >>> Hi Edgar,
> >>>
> >>> I was trying to reproduce, but wasn't able. The expected format to
> invoke this endpoint should be /auth/admin/realms/our-custom-
> realm/attack-detection/brute-force/users /{userId} so I understand why it
> fails. But I am not seeing anything in admin console UI, which invokes it
> from this format.
> >>>
> >>> Feel free to create JIRA if you find steps to reproduce it from clean
> KC.
> >>>
> >>> Marek
> >>>
> >>> On 07/09/16 13:33, Edgar Vonk - Info.nl wrote:
> >>>> Hi Marek,
> >>>>
> >>>> It’s the brute force detection REST endpoint that is causing the
> issue.
> >>>>
> >>>> /auth/admin/realms/our-custom-realm/attack-detection/brute-
> force/users?username=edgar at info.nl
> >>>>
> >>>> gives a: “Failed to load resource: the server responded with a status
> of 405 (Method Not Allowed)"
> >>>>
> >>>>
> >>>>> On 07 Sep 2016, at 12:27, Edgar Vonk - Info.nl <Edgar at info.nl>
> wrote:
> >>>>>
> >>>>> Hi Marek,
> >>>>>
> >>>>> Thanks for the quick reply. Sorry, forgot to mention that: I did
> also add the view-users role. However the issue remains unfortunately.
> >>>>>
> >>>>> Will try to find the endpoint in question and report back!
> >>>>>
> >>>>> cheers
> >>>>>
> >>>>>> On 07 Sep 2016, at 11:24, Marek Posolda <mposolda at redhat.com>
> wrote:
> >>>>>>
> >>>>>> I guess you need to add "view-users" role as well?
> >>>>>>
> >>>>>> For tracking, you can try to enable FF plugin like Firebug (or
> similar in Chrome) and see what REST endpoint exactly returns 405 and what
> role it requires.
> >>>>>>
> >>>>>> Marek
> >>>>>>
> >>>>>> On 07/09/16 10:55, Edgar Vonk - Info.nl wrote:
> >>>>>>> Using a specific user admin account that is part of our Keycloak
> customers realm (not the master realm) with permissions to edit users only
> (manage-users realm-management role) whenever I click on a user in the
> Keycloak admin interface (Manage - Users) I get a "Error! An unexpected
> server error has occurred” with the stacktrace below in the logs. All
> actions do seem to work properly however. It also happens when I create a
> user, but also there the user is created just fine it seems.
> >>>>>>>
> >>>>>>> I am guessing it is a permission issue on some REST endpoint in
> the admin interface or something?
> >>>>>>>
> >>>>>>>
> >>>>>>> [0m [31m08:14:06,715 ERROR [org.jboss.resteasy.resteasy_jaxrs.i18n]
> (default task-40) RESTEASY002010: Failed to execute: javax.ws.rs.NotAllowedException:
> RESTEASY003650: No resource method found for GET, return 405 with Allow
> header
> >>>>>>>         at org.jboss.resteasy.core.registry.SegmentNode.match(
> SegmentNode.java:377)
> >>>>>>>         at org.jboss.resteasy.core.registry.SegmentNode.match(
> SegmentNode.java:116)
> >>>>>>>         at org.jboss.resteasy.core.registry.RootNode.match(
> RootNode.java:43)
> >>>>>>>         at org.jboss.resteasy.core.LocatorRegistry.
> getResourceInvoker(LocatorRegistry.java:79)
> >>>>>>>         at org.jboss.resteasy.core.ResourceLocatorInvoker.
> invokeOnTargetObject(ResourceLocatorInvoker.java:129)
> >>>>>>>         at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(
> ResourceLocatorInvoker.java:107)
> >>>>>>>         at org.jboss.resteasy.core.ResourceLocatorInvoker.
> invokeOnTargetObject(ResourceLocatorInvoker.java:133)
> >>>>>>>         at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(
> ResourceLocatorInvoker.java:107)
> >>>>>>>         at org.jboss.resteasy.core.ResourceLocatorInvoker.
> invokeOnTargetObject(ResourceLocatorInvoker.java:133)
> >>>>>>>         at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(
> ResourceLocatorInvoker.java:101)
> >>>>>>>         at org.jboss.resteasy.core.SynchronousDispatcher.invoke(
> SynchronousDispatcher.java:395)
> >>>>>>>         at org.jboss.resteasy.core.SynchronousDispatcher.invoke(
> SynchronousDispatcher.java:202)
> >>>>>>>         at org.jboss.resteasy.plugins.server.servlet.
> ServletContainerDispatcher.service(ServletContainerDispatcher.java:221)
> >>>>>>>         at org.jboss.resteasy.plugins.server.servlet.
> HttpServletDispatcher.service(HttpServletDispatcher.java:56)
> >>>>>>>         at org.jboss.resteasy.plugins.server.servlet.
> HttpServletDispatcher.service(HttpServletDispatcher.java:51)
> >>>>>>>         at javax.servlet.http.HttpServlet.service(
> HttpServlet.java:790)
> >>>>>>>         at io.undertow.servlet.handlers.
> ServletHandler.handleRequest(ServletHandler.java:85)
> >>>>>>>         at io.undertow.servlet.handlers.
> FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
> >>>>>>>         at org.keycloak.services.filters.
> KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.
> java:90)
> >>>>>>>         at io.undertow.servlet.core.ManagedFilter.doFilter(
> ManagedFilter.java:60)
> >>>>>>>         at io.undertow.servlet.handlers.
> FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
> >>>>>>>         at io.undertow.servlet.handlers.
> FilterHandler.handleRequest(FilterHandler.java:84)
> >>>>>>>         at io.undertow.servlet.handlers.security.
> ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.
> java:62)
> >>>>>>>         at io.undertow.servlet.handlers.ServletDispatchingHandler.
> handleRequest(ServletDispatchingHandler.java:36)
> >>>>>>>         at org.wildfly.extension.undertow.security.
> SecurityContextAssociationHandler.handleRequest(
> SecurityContextAssociationHandler.java:78)
> >>>>>>>         at io.undertow.server.handlers.PredicateHandler.
> handleRequest(PredicateHandler.java:43)
> >>>>>>>         at io.undertow.servlet.handlers.security.
> SSLInformationAssociationHandler.handleRequest(
> SSLInformationAssociationHandler.java:131)
> >>>>>>>         at io.undertow.servlet.handlers.security.
> ServletAuthenticationCallHandler.handleRequest(
> ServletAuthenticationCallHandler.java:57)
> >>>>>>>         at io.undertow.server.handlers.PredicateHandler.
> handleRequest(PredicateHandler.java:43)
> >>>>>>>         at io.undertow.security.handlers.
> AbstractConfidentialityHandler.handleRequest(
> AbstractConfidentialityHandler.java:46)
> >>>>>>>         at io.undertow.servlet.handlers.security.
> ServletConfidentialityConstraintHandler.handleRequest(
> ServletConfidentialityConstraintHandler.java:64)
> >>>>>>>         at io.undertow.security.handlers.
> AuthenticationMechanismsHandler.handleRequest(
> AuthenticationMechanismsHandler.java:60)
> >>>>>>>         at io.undertow.servlet.handlers.security.
> CachedAuthenticatedSessionHandler.handleRequest(
> CachedAuthenticatedSessionHandler.java:77)
> >>>>>>>         at io.undertow.security.handlers.
> NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.
> java:50)
> >>>>>>>         at io.undertow.security.handlers.
> AbstractSecurityContextAssociationHandler.handleRequest(
> AbstractSecurityContextAssociationHandler.java:43)
> >>>>>>>         at io.undertow.server.handlers.PredicateHandler.
> handleRequest(PredicateHandler.java:43)
> >>>>>>>         at org.wildfly.extension.undertow.security.jacc.
> JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
> >>>>>>>         at io.undertow.server.handlers.PredicateHandler.
> handleRequest(PredicateHandler.java:43)
> >>>>>>>         at io.undertow.server.handlers.PredicateHandler.
> handleRequest(PredicateHandler.java:43)
> >>>>>>>         at io.undertow.servlet.handlers.ServletInitialHandler.
> handleFirstRequest(ServletInitialHandler.java:284)
> >>>>>>>         at io.undertow.servlet.handlers.ServletInitialHandler.
> dispatchRequest(ServletInitialHandler.java:263)
> >>>>>>>         at io.undertow.servlet.handlers.
> ServletInitialHandler.access$000(ServletInitialHandler.java:81)
> >>>>>>>         at io.undertow.servlet.handlers.ServletInitialHandler$1.
> handleRequest(ServletInitialHandler.java:174)
> >>>>>>>         at io.undertow.server.Connectors.
> executeRootHandler(Connectors.java:202)
> >>>>>>>         at io.undertow.server.HttpServerExchange$1.run(
> HttpServerExchange.java:793)
> >>>>>>>         at java.util.concurrent.ThreadPoolExecutor.runWorker(
> ThreadPoolExecutor.java:1142)
> >>>>>>>         at java.util.concurrent.ThreadPoolExecutor$Worker.run(
> ThreadPoolExecutor.java:617)
> >>>>>>>         at java.lang.Thread.run(Thread.java:745)
> >>>>>>>
> >>>>>>> _______________________________________________
> >>>>>>> keycloak-user mailing list
> >>>>>>> keycloak-user at lists.jboss.org
> >>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
> >>>>> _______________________________________________
> >>>>> keycloak-user mailing list
> >>>>> keycloak-user at lists.jboss.org
> >>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
> >>>
> >
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160914/76d11f0a/attachment-0001.html

More information about the keycloak-user mailing list