[keycloak-user] Keycloak 3.4.0.Final - Can't secure an EAR (Nicolas DUMINIL)

Nicolas DUMINIL nicolas.duminil at simplex-software.fr
Fri Dec 29 09:55:56 EST 2017


Hello,

 

This doesn't seem to work in an EAR. In my case, I have the following
structure:

 

customer-management.ear
|-- lib
|-- META-INF
|-- customer-management-data.jar
|-- customer-management-façade.jar
|-- customer-management-repository.jar
|-- customer-management-rest.war
|   |-- META-INF
|   |-- WEB-INF
|       |-- classes
|       |-- lib
|       |-- beans.xml
|       |-- web.xml
|       ...
...

 

Here in web.xml I have:

 

<module-name>customer-management-rest</module-name>

 

And in standalone.xml I have:

<subsystem xmlns="urn:jboss:domain:keycloak:1.1">
    <secure-deployment name="customer-manager-rest.war">
        <realm>demo-realm</realm>
        <resource>customer-manager-client</resource>
        <bearer-only>true</bearer-only>
        <auth-server-url>http://localhost:18080/auth</auth-server-url>
        <ssl-required>EXTERNAL</ssl-required>
    </secure-deployment>
</subsystem>

 

This won't work as there is no such customer-manager-rest.war deployed. It
is embedded in the customer-management.ear and this needs to be expressed
somehow. So:

· Either securing an EAR is not supported in the Keycloak subsystem
(would be very surprising)

· Or it is supported and, in this case, I need to know the right
notation. I tried customer-manager.ear. customer-manager-rest.war 'cause
I've seen that somewhere on the net, but it doesn't work.

Please advise.

Many thanks in advance,

Kind regards,

Nicolas
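
Added example, not part of the original message and not Keycloak's own code: a small Python check for the naming rule given in the quoted reply below (a secure-deployment name equals the WAR's web.xml module-name with .war appended). It reads the secure-deployment names from the Keycloak subsystem and the module names of the WARs packaged in an EAR, then reports names that do not pair up. The sample inputs are constructed from the snippets in this message, and the fallback to the WAR file name when web.xml has no module-name is an assumption.

```python
"""Cross-check Keycloak <secure-deployment> names against the WARs in an EAR."""
import io
import zipfile
import xml.etree.ElementTree as ET

KEYCLOAK_NS_PREFIX = "{urn:jboss:domain:keycloak:"  # matches any subsystem version


def local(tag):
    """Strip an XML namespace: '{urn:x}name' -> 'name'."""
    return tag.rsplit("}", 1)[-1]


def secure_deployment_names(standalone_xml):
    """Return the name attribute of every Keycloak <secure-deployment>."""
    names = []
    for el in ET.fromstring(standalone_xml).iter():
        if el.tag.startswith(KEYCLOAK_NS_PREFIX) and local(el.tag) == "secure-deployment":
            names.append(el.get("name"))
    return names


def war_module_names(ear_bytes):
    """Map each WAR entry in the EAR to '<module-name>.war' (rule from the thread)."""
    result = {}
    with zipfile.ZipFile(io.BytesIO(ear_bytes)) as ear:
        for entry in ear.namelist():
            if not entry.endswith(".war"):
                continue
            # Assumption: without <module-name>, the module is the file name minus ".war".
            module = entry.rsplit("/", 1)[-1][: -len(".war")]
            with zipfile.ZipFile(io.BytesIO(ear.read(entry))) as war:
                if "WEB-INF/web.xml" in war.namelist():
                    web = ET.fromstring(war.read("WEB-INF/web.xml"))
                    for child in web:
                        if local(child.tag) == "module-name" and child.text:
                            module = child.text.strip()
            result[entry] = module + ".war"
    return result


def audit(standalone_xml, ear_bytes):
    """Report configured names with no WAR, and WARs with no configured name."""
    expected = war_module_names(ear_bytes)
    configured = secure_deployment_names(standalone_xml)
    return {
        # secure-deployment entries that match nothing packaged in the EAR
        "unmatched_config": sorted(set(configured) - set(expected.values())),
        # WARs the subsystem config does not cover (they may still be
        # configured some other way; this only checks standalone.xml)
        "wars_without_secure_deployment": sorted(
            war for war, name in expected.items() if name not in configured
        ),
    }


# Constructed sample input, built from the snippets quoted in this message.
SAMPLE_STANDALONE = """<server><profile>
  <subsystem xmlns="urn:jboss:domain:keycloak:1.1">
    <secure-deployment name="customer-manager-rest.war">
      <realm>demo-realm</realm>
      <resource>customer-manager-client</resource>
      <bearer-only>true</bearer-only>
      <auth-server-url>http://localhost:18080/auth</auth-server-url>
      <ssl-required>EXTERNAL</ssl-required>
    </secure-deployment>
  </subsystem>
</profile></server>"""

SAMPLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <module-name>customer-management-rest</module-name>
</web-app>"""


def build_sample_ear():
    """Build an in-memory EAR holding one WAR, mirroring the layout above."""
    war = io.BytesIO()
    with zipfile.ZipFile(war, "w") as z:
        z.writestr("WEB-INF/web.xml", SAMPLE_WEB_XML)
    ear = io.BytesIO()
    with zipfile.ZipFile(ear, "w") as z:
        z.writestr("customer-management-rest.war", war.getvalue())
        z.writestr("customer-management-data.jar", b"")
    return ear.getvalue()


if __name__ == "__main__":
    print(audit(SAMPLE_STANDALONE, build_sample_ear()))
```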

 

-----Original Message-----
From: keycloak-user-bounces at lists.jboss.org
[mailto:keycloak-user-bounces at lists.jboss.org] On Behalf Of Darrell Wu
Sent: Tuesday, 19 December 2017 22:03
To: keycloak-user
Subject: Re: [keycloak-user] Keycloak 3.4.0.Final - Can't secure an EAR
(Nicolas DUMINIL)

 

Hi Nicolas,

 

The secure deployment name attribute should match your module-name in the
web.xml in your WAR with .war appended

 

In your case it should be something like customer-management-rest.war
assuming you have the following in your web.xml

 

    <module-name>customer-management-rest</module-name>

 

Darrell

 

On 20 December 2017 at 07:34, <keycloak-user-request at lists.jboss.org> wrote:

 


> Today's Topics:

> 

>    1. Re: Prevent federated users from setting a password (Rens Verhage)

>    2. Re: Failed to initialize in KC 3.4 (Bob McWhirter)

>    3. Keycloak 3.4.0.Final - Can't secure an EAR (Nicolas DUMINIL)

>    4. How to check permissions on lot of resources (Teddy CHAMBARD)

>    5. AdapterRsaTokenVerifier throws NullPointerException on

>       getPublicKey after processing expired token (Dmitry Korchemkin)

> 

> 

> ----------------------------------------------------------------------

> 

> Message: 1

> Date: Tue, 19 Dec 2017 07:56:32 +0000

> From: Rens Verhage <Rens.Verhage at topicus.nl>
> Subject: Re: [keycloak-user] Prevent federated users from setting a
>         password
> To: "keycloak-user at lists.jboss.org" <keycloak-user at lists.jboss.org>
> Message-ID: <94BBDF41-9A45-4F30-B5C0-2AE3387BF63A at topicus.nl>

> Content-Type: text/plain; charset="utf-8"

> 

> Sat down with a colleague and did some out of the box thinking. Came 

> up with a solution that works best for us: set up 2 realms, A and B. A 

> contains all users that log in with username and password and is an 

> identity provider to realm B. This way we have levelled the playing 

> field, in B all users log in through an IdP and we can treat them all
> the same.

> 

> 

> 

> Rens

> 

> 

> 

> On 18 Dec 2017, at 12:19, Rens Verhage <Rens.Verhage at topicus.nl> wrote:

> 

> Hi all,

> 

> We're implementing Keycloak in an existing multi-tenant application
> and have to make a choice: 1 realm for all our tenants or each tenant
> its own realm?
>
> From an administrator's point of view, one single realm for all user
> accounts seems a good choice. However, there is one important
> requirement that until now, we haven't been able to fulfil this way:

> 

> A tenant might choose to let their users log in through an external 

> identity provider, ADFS will be fairly common. Users that will log in 

> this way will be required to always do so and therefore are not 

> allowed to set a password in Keycloak. Deleting a user will be as easy 

> as removing the user from the Active Directory.

> 

> However, not all tenants will have their own identity provider. For 

> these tenants, users must be able to log in with a username and 

> password. They also get a forgot password link, so they can reset 

> their password once forgotten. Now that raises a problem. Users that 

> log in through their identity provider can use this link to set a 

> password and thus bypass their identity provider. Should such a user 

> be removed from the AD, he or she can still log in using this password.

> 

> Can we somehow prevent federated identities from ever setting a password?

> Or is this not possible and are we forced to setup multiple realms?

> 

> 

> 

> Rens

> 

> 


> 

> 

> ------------------------------

> 

> Message: 2

> Date: Tue, 19 Dec 2017 09:28:50 -0500

> From: Bob McWhirter <bmcwhirt at redhat.com>
> Subject: Re: [keycloak-user] Failed to initialize in KC 3.4
> To: Abhishek Koserwal <akoserwa at redhat.com>
> Cc: keycloak-user <keycloak-user at lists.jboss.org>
> Message-ID: <CA+45JvEmMJ_=3LBWHNrWqoC5Huy1Dv+9mK42a38TJHxTPmxk_Q at mail.gmail.com>

> Content-Type: text/plain; charset="UTF-8"

> 

> And you may wish to use a fully-qualified rooted path to
> keycloak.json, if you're doing a single-page-app with browser-based
> routing, as it seems to look for the argument relative to the current
> window location, which may not be / when doing SPAs.  Using an
> absolute path works in that case, such as "/keycloak.json"

> 

> -Bob

> 

> On Mon, Dec 18, 2017 at 1:55 AM, Abhishek Koserwal <akoserwa at redhat.com> wrote:

> 

> > You need to instantiate like this, it will work.

> >

> >  var keycloak = Keycloak('keycloak.json');

> >

> > I tested with KC 3.4.1.

> >

> > Thanks

> >

> >

> > On Thu, Dec 14, 2017 at 6:08 PM, Marek Posolda <mposolda at redhat.com> wrote:

> >

> > > The best is likely to look at Keycloak quickstart/examples for JS 

> > > adapter and compare what is different.

> > >

> > > Marek

> > >

> > > On 12/12/17 10:45, Corentin Dupont wrote:

> > > > Hi guys,

> > > >

> > > > I use this code in my javascript application:

> > > >

> > > > var keycloak = Keycloak();
> > > > keycloak.init().success(function(authenticated) {
> > > >     alert(authenticated ? 'authenticated' : 'not authenticated');
> > > > }).error(function() {
> > > >     alert('failed to initialize');
> > > > });

> > > >

> > > > Since I updated Keycloak I get the message 'failed to initialize'.

> > > > It was working well with the previous version of KC 3.2.

> > > >

> > > > What could it be? How can I get a better error message?

> > > >

> > > >

> > > > Thanks!


> > >

> >

> >

> >

> > --

> > Regards,

> > Abhishek Koserwal

> > Software Application Engineer, ADS

> > Red Hat  (Pune, India)

> > IRC: akoserwa

> >

> > The capacity to learn is a gift; The ability to learn is a skill; 

> > The willingness to learn is a choice -- Brian Herbert 


> >

> 

> 

> ------------------------------

> 

> Message: 3

> Date: Tue, 19 Dec 2017 17:26:22 +0100

> From: "Nicolas DUMINIL" <nicolas.duminil at simplex-software.fr>
> Subject: [keycloak-user] Keycloak 3.4.0.Final - Can't secure an EAR
> To: <keycloak-user at lists.jboss.org>
> Message-ID: <00c001d378e6$1c40db20$54c29160$@simplex-software.fr>

> Content-Type: text/plain;       charset="us-ascii"

> 

> Hello,

> 

> I'm using Keycloak 3.4.0.Final.

> 

> I have an EAR containing a WAR. The WAR contains REST services that I 

> need to secure. The Wildfly config is as follows:
>
> <subsystem xmlns="urn:jboss:domain:keycloak:1.1">
>   <secure-deployment name="customer-management.ear.customer-management-rest.war">
>     <realm>demo</realm>
>     <auth-server-url>http://localhost:18080/auth</auth-server-url>
>     <public-client>true</public-client>
>     <ssl-required>EXTERNAL</ssl-required>
>     <resource>customer-client</resource>
>   </secure-deployment>
> </subsystem>
>

> The notation I used for the <secure-deployment> element is 

> ear-name.ear.war-name.war. But it doesn't seem to work. It raises the 

> following exception:

> 

> Caused by: org.jboss.as.server.deployment.DeploymentUnitProcessingException:
> WarMetaData not found for customer-management.ear. Make sure you have
> specified a WAR as your secure-deployment in the Keycloak subsystem."},

> 

> I found this syntax by googling for solutions but it's probably wrong.

> Please notice that I cannot use the JSON syntax.

> 

> Kind regards,

> 

> Nicolas DUMINIL

> 

> 

> 

> ------------------------------

> 

> Message: 4

> Date: Tue, 19 Dec 2017 17:50:33 +0000

> From: Teddy CHAMBARD <t.chambard at bee-buzziness.com>
> Subject: [keycloak-user] How to check permissions on lot of resources
> To: "keycloak-user at lists.jboss.org" <keycloak-user at lists.jboss.org>
> Cc: TeamScalabilite <TeamScalabilite at bee-buzziness.com>
> Message-ID: <1a4a5599db2c4bf69934aa23bf53e77c at BBUZ-EXCH01.bbuzg.net>

> Content-Type: text/plain; charset="us-ascii"

> 

> Hello,

> 

> 

> I'm trying to protect resources with keycloak, but I wonder how to 

> protect millions...

> 

> I created successfully resources with the Protection API (UMA 2.0), 

> and also created necessary permissions and policies with the Admin REST API.

> 

> 

> What I would like to do is simply get the list of resources I should 

> be able to access.

> 

> 

> To simplify my needs, here is a simple example :

> 

> 

> Bob asks for resource1 and resource2 through entitlement API

> 

> Regarding my policies and permissions Bob only has rights on
> resource1 but not on resource2.

> 

> 

> I was thinking making a POST request with the following payload :

> 

> 

> {
>     "permissions" : [
>         {
>             "resource_set_name" : "resource1"
>         }, {
>             "resource_set_name" : "resource2"
>         }
>     ]
> }

> 

> 

> would return a RPT with the list of permitted resources (resource1), 

> but I got 403 forbidden without the list of granted resources.

> 

> 

> 

> So, I know I could run two separated requests to get my 

> authorizations, but when I have thousands of resources to check, I 

> can't run thousands http requests on entitlement API.

> 

> 

> The question is how can I filter the data I retrieved from my database 

> with keycloak in order to get only granted data ?

> 

> 

> 

> Keycloak is wonderful, and I would really continue to use it despite 

> this trouble that I encounter.

> 

> 

> Thank you very much in advance for your help.

> 

> 

> 

> 

> ------------------------------

> 

> Message: 5

> Date: Tue, 19 Dec 2017 21:34:15 +0300

> From: Dmitry Korchemkin <moon3854 at gmail.com>
> Subject: [keycloak-user] AdapterRsaTokenVerifier throws
>         NullPointerException on getPublicKey after processing expired token
> To: keycloak-user <keycloak-user at lists.jboss.org>
> Message-ID: <CAHpfDHM4=8fZu0niEhg2f4+MNjTDc2HEwixF-fNMnid3C-iF5A@mail.gmail.com>

> Content-Type: text/plain; charset="UTF-8"

> 

> Hello,

> 

> Just upgraded to 3.4.1.Final to check if my issues with 

> NullPointerException (and resulting 500 status) when using keycloak 

> spring-security-adapter and expired tokens would be gone. There's no 

> more an unexpected NullPointer from an empty kid value (fixed in
> KEYCLOAK-5636 <https://issues.jboss.org/browse/KEYCLOAK-5636>), but a
> problem still remains.

> This time it's publicKeyLocator being null in 

> AdapterRSATokenVerifier::getPublicKey. Somehow, after token was 

> already deemed inactive and TokenNotActiveException was already 

> printed, there's a second call to this method, this time with an empty 

> deployment, and i'm pretty sure it's not my code calling it. Since 

> there's no null check on locator field, it produces NullPointer upon 

> trying to call pkLocator.getPublicKey, even if kid is being checked for null.

> 

> Here's the first exception, the one i'm expecting:

> 

> 2017-12-19 14:55:54,341 DEBUG XNIO-2 task-24 no_request_id c.n.c.m.s.i.d.IdpConfigResolver - Error to validate token with public key
> org.keycloak.exceptions.TokenNotActiveException: Token is not active
>     at org.keycloak.TokenVerifier$2.test(TokenVerifier.java:84)
>     at org.keycloak.TokenVerifier.verify(TokenVerifier.java:370)
>     at org.keycloak.RSATokenVerifier.verify(RSATokenVerifier.java:89)
>     at org.keycloak.adapters.rotation.AdapterRSATokenVerifier.verifyToken(AdapterRSATokenVerifier.java:56)
>     at security.idp.deployment.IdpConfigResolver.checkPublicKey(IdpConfigResolver.java:149)
>     at security.idp.deployment.IdpConfigResolver.generateKeycloakDeploymentFromAuthorizationHeader(IdpConfigResolver.java:80)
>     at security.idp.deployment.IdpConfigResolver.resolve(IdpConfigResolver.java:57)
>     at org.keycloak.adapters.AdapterDeploymentContext.resolveDeployment(AdapterDeploymentContext.java:88)
>     at org.keycloak.adapters.springsecurity.filter.KeycloakAuthenticationProcessingFilter.attemptAuthentication(KeycloakAuthenticationProcessingFilter.java:138)


> 

> However, it is immediately followed by this:

> 

> 2017-12-19 14:55:54,343 ERROR XNIO-2 task-24 no_request_id i.u.request - UT005022: Exception generating error page /error
> org.springframework.web.util.NestedServletException: Request processing failed; nested exception is java.lang.RuntimeException: java.lang.NullPointerException


> Caused by: java.lang.RuntimeException: java.lang.NullPointerException


> Caused by: java.lang.NullPointerException: null

>     at

> org.keycloak.adapters.rotation.AdapterRSATokenVerifier.getPublicKey(

> AdapterRSATokenVerifier.java:44)

>     at

> org.keycloak.adapters.rotation.AdapterRSATokenVerifier.verifyToken(

> AdapterRSATokenVerifier.java:55)

>     at

> org.keycloak.adapters.rotation.AdapterRSATokenVerifier.verifyToken(

> AdapterRSATokenVerifier.java:37)

>     at

> org.keycloak.adapters.BearerTokenRequestAuthenticator.authenticateToke

> n(

> BearerTokenRequestAuthenticator.java:87)

>     at

> org.keycloak.adapters.BearerTokenRequestAuthenticator.authenticate(

> BearerTokenRequestAuthenticator.java:82)

>     at

> org.keycloak.adapters.RequestAuthenticator.authenticate(

> RequestAuthenticator.java:68)

>     at

> org.keycloak.adapters.springsecurity.filter.KeycloakAuthenticationProcessingFilter.

> attemptAuthentication(KeycloakAuthenticationProcessingFilter.java:147)

>     at

> org.springframework.security.web.authentication.

> AbstractAuthenticationProcessingFilter.doFilter(

> AbstractAuthenticationProcessingFilter.java:212)

>     at

> org.springframework.security.web.FilterChainProxy$

> VirtualFilterChain.doFilter(FilterChainProxy.java:331)

>     at

> org.springframework.web.filter.OncePerRequestFilter.

> doFilter(OncePerRequestFilter.java:101)

>     at

> org.springframework.security.web.FilterChainProxy$

> VirtualFilterChain.doFilter(FilterChainProxy.java:331)

>     at

> org.springframework.security.web.authentication.logout.

> LogoutFilter.doFilter(LogoutFilter.java:116)

>     at

> org.springframework.security.web.FilterChainProxy$

> VirtualFilterChain.doFilter(FilterChainProxy.java:331)

>     at

> org.keycloak.adapters.springsecurity.filter.KeycloakPreAuthActionsFilter.

> doFilter(KeycloakPreAuthActionsFilter.java:84)

>     at

> org.springframework.security.web.FilterChainProxy$

> VirtualFilterChain.doFilter(FilterChainProxy.java:331)

>     at

> org.springframework.web.filter.OncePerRequestFilter.

> doFilter(OncePerRequestFilter.java:101)

>     at

> org.springframework.security.web.FilterChainProxy$

> VirtualFilterChain.doFilter(FilterChainProxy.java:331)

>     at

> org.springframework.web.filter.OncePerRequestFilter.

> doFilter(OncePerRequestFilter.java:101)

>     at

> org.springframework.security.web.FilterChainProxy$

> VirtualFilterChain.doFilter(FilterChainProxy.java:331)

>     at

> org.springframework.security.web.context.SecurityContextPersistenceFilter.

> doFilter(SecurityContextPersistenceFilter.java:105)

>     at

> org.springframework.security.web.FilterChainProxy$

> VirtualFilterChain.doFilter(FilterChainProxy.java:331)

>     at

> org.springframework.web.filter.OncePerRequestFilter.

> doFilter(OncePerRequestFilter.java:101)

>     at

> org.springframework.security.web.FilterChainProxy$

> VirtualFilterChain.doFilter(FilterChainProxy.java:331)

>     at

> org.springframework.security.web.FilterChainProxy.doFilterInternal(

> FilterChainProxy.java:214)

>     at

> org.springframework.security.web.FilterChainProxy.doFilter(

> FilterChainProxy.java:177)

>     at

> org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(

> DelegatingFilterProxy.java:347)

>     at

> org.springframework.web.filter.DelegatingFilterProxy.doFilter(

> DelegatingFilterProxy.java:263)

>     at

> io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)

>     at

> io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.

> doFilter(FilterHandler.java:131)

>     at

> org.springframework.web.filter.OncePerRequestFilter.

> doFilter(OncePerRequestFilter.java:101)

>     at

> io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)

>     at

> io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.

> doFilter(FilterHandler.java:131)

>     at

> org.springframework.web.filter.RequestContextFilter.doFilterInternal(

> RequestContextFilter.java:99)

>     at

> org.springframework.web.filter.OncePerRequestFilter.

> doFilter(OncePerRequestFilter.java:107)

>     at

> io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)

>     at

> io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.

> doFilter(FilterHandler.java:131)

>     at

> org.springframework.web.filter.OncePerRequestFilter.

> doFilter(OncePerRequestFilter.java:101)

>     at

> io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)

>     at

> io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.

> doFilter(FilterHandler.java:131)

>     at

> org.springframework.web.filter.OncePerRequestFilter.

> doFilter(OncePerRequestFilter.java:101)

>     at

> io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)

>     at

> io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.

> doFilter(FilterHandler.java:131)

>     at

> org.springframework.web.filter.OncePerRequestFilter.

> doFilter(OncePerRequestFilter.java:101)

>     at

> io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)

>     at

> io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.

> doFilter(FilterHandler.java:131)

>     at

> org.springframework.web.filter.OncePerRequestFilter.

> doFilter(OncePerRequestFilter.java:101)

>     at

> io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)

>     at

> io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.

> doFilter(FilterHandler.java:131)

>     at

> io.undertow.servlet.handlers.FilterHandler.handleRequest(

> FilterHandler.java:84)

>     at

> io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.

> handleRequest(ServletSecurityRoleHandler.java:62)

>     at

> io.undertow.servlet.handlers.ServletChain$1.handleRequest(

> ServletChain.java:64)

>     at

> io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(

> ServletDispatchingHandler.java:36)

>     at

> io.undertow.server.handlers.PredicateHandler.handleRequest(

> PredicateHandler.java:43)

>     at

> io.undertow.server.handlers.PredicateHandler.handleRequest(

> PredicateHandler.java:43)

>     at

> io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(

> ServletInitialHandler.java:274)

>     at

> io.undertow.servlet.handlers.ServletInitialHandler.dispatchToPath(

> ServletInitialHandler.java:209)

>     at

> io.undertow.servlet.spec.RequestDispatcherImpl.forwardImpl(

> RequestDispatcherImpl.java:221)

>     ... 38 common frames omitted

> 

> Needless to say, I'm not expecting any error pages to be shown and I
> have no idea where Keycloak would get such a deployment that does not
> even have keyLocator.
> One place where I call AdapterRSATokenVerifier.verifyToken has a
> deployment with explicitly set HardcodedPublicKeyLocator, which works
> in every other instance of token validation I've encountered so far.
>
> I'd report this as a bug right away and make a request with a null
> check on pkLocator, but somehow it seems the issue is not that simple;
> an empty deployment shouldn't be there in the first place. In the
> meantime, any idea how I can get around this second verify() call or
> maybe disable the /error page behaviour?

> 

> Best regards,

> Dmitry

> 

> 

> ------------------------------

> 

> _______________________________________________

> keycloak-user mailing list

> keycloak-user at lists.jboss.org

> https://lists.jboss.org/mailman/listinfo/keycloak-user

> 

> End of keycloak-user Digest, Vol 48, Issue 29

> *********************************************

> 
