[keycloak-user] Authorization settings can't be exported more than once on 3.1.0.Final

Pedro Igor Silva psilva at redhat.com
Mon Jun 5 08:17:07 EDT 2017


This is a known issue. We have it fixed in upstream already as well tests
to make sure we don't break anything when exporting settings.

The problem is that during export your role policies are updated with the
role names and not kept intact with role identifiers.

Regards.
Pedro Igor

On Fri, Jun 2, 2017 at 6:22 PM, Stephane Granger <stephane.granger at gmail.com
> wrote:

> I am running into a weird issue.  After creating a client which uses the
> Authorization settings, the settings can only be exported 1 time.
> Rebooting the key cloak server doesn't clear the problem.
>
> Steps to reproduce.
>
> Create TEST realm
>
> Create TEST client, make sure the Authorization Enabled slider is set to
> ON, click save.
>
> Create the following Roles for the client
> role1
> role2
> role3
>
> Go on the Authorization tab
> create 3 policies: policy1, policy2, policy3 with corresponding required
>  role1...3 from the TEST client
>
> create Authorization Scopes: scope1, scope2, scope3
>
> create Resources: resource1 with scope2, resource2/scope2 and
> resource3/scope3
>
> finally, create the permissions
> resource based: permission1/resource1/policy1
> resource based: permission2/resource2/policy2
> scope based: permission3/scope3/policy3
>
> On the Authorization tab of the TEST client, click on the Export button.
> This will work.
> Navigate back to a different realm, and back again to the Authorization tab
> of the TEST client, try exporting again, this time it will fail.
> Restarting the Keycloak server does not clear the problem.
>
>
> Here are the logs:
>
> 2017-06-02 17:20:07,859 ERROR [io.undertow.request] (default task-37)
> UT005023: Exception handling request to
> /auth/admin/realms/TEST/clients/411eea34-dbc1-4227-
> ac4a-1c6afb22f7a5/authz/resource-server/settings:
> org.jboss.resteasy.spi.UnhandledException: java.lang.RuntimeException:
> Error while exporting policy [policy1].
> at
> org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(
> ExceptionHandler.java:76)
> at
> org.jboss.resteasy.core.ExceptionHandler.handleException(
> ExceptionHandler.java:212)
> at
> org.jboss.resteasy.core.SynchronousDispatcher.writeException(
> SynchronousDispatcher.java:168)
> at
> org.jboss.resteasy.core.SynchronousDispatcher.invoke(
> SynchronousDispatcher.java:411)
> at
> org.jboss.resteasy.core.SynchronousDispatcher.invoke(
> SynchronousDispatcher.java:202)
> at
> org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.
> service(ServletContainerDispatcher.java:221)
> at
> org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(
> HttpServletDispatcher.java:56)
> at
> org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(
> HttpServletDispatcher.java:51)
> at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
> at
> io.undertow.servlet.handlers.ServletHandler.handleRequest(
> ServletHandler.java:85)
> at
> io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.
> doFilter(FilterHandler.java:129)
> at
> org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(
> KeycloakSessionServletFilter.java:90)
> at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
> at
> io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.
> doFilter(FilterHandler.java:131)
> at
> io.undertow.servlet.handlers.FilterHandler.handleRequest(
> FilterHandler.java:84)
> at
> io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.
> handleRequest(ServletSecurityRoleHandler.java:62)
> at
> io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(
> ServletDispatchingHandler.java:36)
> at
> org.wildfly.extension.undertow.security.SecurityContextAssociationHand
> ler.handleRequest(SecurityContextAssociationHandler.java:78)
> at
> io.undertow.server.handlers.PredicateHandler.handleRequest(
> PredicateHandler.java:43)
> at
> io.undertow.servlet.handlers.security.SSLInformationAssociationHandl
> er.handleRequest(SSLInformationAssociationHandler.java:131)
> at
> io.undertow.servlet.handlers.security.ServletAuthenticationCallHandl
> er.handleRequest(ServletAuthenticationCallHandler.java:57)
> at
> io.undertow.server.handlers.PredicateHandler.handleRequest(
> PredicateHandler.java:43)
> at
> io.undertow.security.handlers.AbstractConfidentialityHandler
> .handleRequest(AbstractConfidentialityHandler.java:46)
> at
> io.undertow.servlet.handlers.security.ServletConfidentialityConstrai
> ntHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
> at
> io.undertow.security.handlers.AuthenticationMechanismsHandle
> r.handleRequest(AuthenticationMechanismsHandler.java:60)
> at
> io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHand
> ler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
> at
> io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(
> NotificationReceiverHandler.java:50)
> at
> io.undertow.security.handlers.AbstractSecurityContextAssocia
> tionHandler.handleRequest(AbstractSecurityContextAssocia
> tionHandler.java:43)
> at
> io.undertow.server.handlers.PredicateHandler.handleRequest(
> PredicateHandler.java:43)
> at
> org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.
> handleRequest(JACCContextIdHandler.java:61)
> at
> io.undertow.server.handlers.PredicateHandler.handleRequest(
> PredicateHandler.java:43)
> at
> io.undertow.server.handlers.PredicateHandler.handleRequest(
> PredicateHandler.java:43)
> at
> io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(
> ServletInitialHandler.java:284)
> at
> io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(
> ServletInitialHandler.java:263)
> at
> io.undertow.servlet.handlers.ServletInitialHandler.access$
> 000(ServletInitialHandler.java:81)
> at
> io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(
> ServletInitialHandler.java:174)
> at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
> at io.undertow.server.HttpServerExchange$1.run(
> HttpServerExchange.java:793)
> at
> java.util.concurrent.ThreadPoolExecutor.runWorker(
> ThreadPoolExecutor.java:1142)
> at
> java.util.concurrent.ThreadPoolExecutor$Worker.run(
> ThreadPoolExecutor.java:617)
> at java.lang.Thread.run(Thread.java:748)
> Caused by: java.lang.RuntimeException: Error while exporting policy
> [policy1].
> at
> org.keycloak.exportimport.util.ExportUtils.createPolicyRepresentation(
> ExportUtils.java:386)
> at
> org.keycloak.exportimport.util.ExportUtils.lambda$
> exportAuthorizationSettings$3(ExportUtils.java:313)
> at java.util.stream.ReferencePipeline$3$1.accept(
> ReferencePipeline.java:193)
> at java.util.stream.ReferencePipeline$2$1.accept(
> ReferencePipeline.java:175)
> at
> java.util.ArrayList$ArrayListSpliterator.forEachRemaining(ArrayList.
> java:1374)
> at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:481)
> at
> java.util.stream.AbstractPipeline.wrapAndCopyInto(
> AbstractPipeline.java:471)
> at
> java.util.stream.ReduceOps$ReduceOp.evaluateSequential(ReduceOps.java:708)
> at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)
> at java.util.stream.ReferencePipeline.collect(ReferencePipeline.java:499)
> at
> org.keycloak.exportimport.util.ExportUtils.exportAuthorizationSettings(
> ExportUtils.java:313)
> at
> org.keycloak.authorization.admin.ResourceServerService.exportSettings(
> ResourceServerService.java:133)
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> at
> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:
> 62)
> at
> sun.reflect.DelegatingMethodAccessorImpl.invoke(
> DelegatingMethodAccessorImpl.java:43)
> at java.lang.reflect.Method.invoke(Method.java:498)
> at
> org.jboss.resteasy.core.MethodInjectorImpl.invoke(
> MethodInjectorImpl.java:139)
> at
> org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(
> ResourceMethodInvoker.java:295)
> at
> org.jboss.resteasy.core.ResourceMethodInvoker.invoke(
> ResourceMethodInvoker.java:249)
> at
> org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(
> ResourceLocatorInvoker.java:138)
> at
> org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(
> ResourceLocatorInvoker.java:107)
> at
> org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(
> ResourceLocatorInvoker.java:133)
> at
> org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(
> ResourceLocatorInvoker.java:107)
> at
> org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(
> ResourceLocatorInvoker.java:133)
> at
> org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(
> ResourceLocatorInvoker.java:107)
> at
> org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(
> ResourceLocatorInvoker.java:133)
> at
> org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(
> ResourceLocatorInvoker.java:107)
> at
> org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(
> ResourceLocatorInvoker.java:133)
> at
> org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(
> ResourceLocatorInvoker.java:107)
> at
> org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(
> ResourceLocatorInvoker.java:133)
> at
> org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(
> ResourceLocatorInvoker.java:101)
> at
> org.jboss.resteasy.core.SynchronousDispatcher.invoke(
> SynchronousDispatcher.java:395)
> ... 37 more
> Caused by: java.lang.NullPointerException
> at
> org.keycloak.exportimport.util.ExportUtils.lambda$
> createPolicyRepresentation$7(ExportUtils.java:351)
> at java.util.stream.ReferencePipeline$3$1.accept(
> ReferencePipeline.java:193)
> at
> java.util.ArrayList$ArrayListSpliterator.forEachRemaining(ArrayList.
> java:1374)
> at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:481)
> at
> java.util.stream.AbstractPipeline.wrapAndCopyInto(
> AbstractPipeline.java:471)
> at
> java.util.stream.ReduceOps$ReduceOp.evaluateSequential(ReduceOps.java:708)
> at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)
> at java.util.stream.ReferencePipeline.collect(ReferencePipeline.java:499)
> at
> org.keycloak.exportimport.util.ExportUtils.createPolicyRepresentation(
> ExportUtils.java:353)
> ... 68 more
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>


More information about the keycloak-user mailing list