[keycloak-user] Authorization settings can't be exported more than once on 3.1.0.Final

Stephane Granger stephane.granger at gmail.com
Tue Jun 6 11:50:30 EDT 2017


Thanks Pedro Igor,

will the fix be available in 3.2.0.Final?  This is a pretty serious bug for
us, we do have a workaround but it's complicated.

Stephane

On Mon, Jun 5, 2017 at 8:17 AM, Pedro Igor Silva <psilva at redhat.com> wrote:

> This is a known issue. We have it fixed in upstream already as well tests
> to make sure we don't break anything when exporting settings.
>
> The problem is that during export your role policies are updated with the
> role names and not kept intact with role identifiers.
>
> Regards.
> Pedro Igor
>
> On Fri, Jun 2, 2017 at 6:22 PM, Stephane Granger <
> stephane.granger at gmail.com> wrote:
>
>> I am running into a weird issue.  After creating a client which uses the
>> Authorization settings, the settings can only be exported 1 time.
>> Rebooting the key cloak server doesn't clear the problem.
>>
>> Steps to reproduce.
>>
>> Create TEST realm
>>
>> Create TEST client, make sure the Authorization Enabled slider is set to
>> ON, click save.
>>
>> Create the following Roles for the client
>> role1
>> role2
>> role3
>>
>> Go on the Authorization tab
>> create 3 policies: policy1, policy2, policy3 with corresponding required
>>  role1...3 from the TEST client
>>
>> create Authorization Scopes: scope1, scope2, scope3
>>
>> create Resources: resource1 with scope2, resource2/scope2 and
>> resource3/scope3
>>
>> finally, create the permissions
>> resource based: permission1/resource1/policy1
>> resource based: permission2/resource2/policy2
>> scope based: permission3/scope3/policy3
>>
>> On the Authorization tab of the TEST client, click on the Export button.
>> This will work.
>> Navigate back to a different realm, and back again to the Authorization
>> tab
>> of the TEST client, try exporting again, this time it will fail.
>> Restarting the Keycloak server does not clear the problem.
>>
>>
>> Here are the logs:
>>
>> 2017-06-02 17:20:07,859 ERROR [io.undertow.request] (default task-37)
>> UT005023: Exception handling request to
>> /auth/admin/realms/TEST/clients/411eea34-dbc1-4227-ac4a-
>> 1c6afb22f7a5/authz/resource-server/settings:
>> org.jboss.resteasy.spi.UnhandledException: java.lang.RuntimeException:
>> Error while exporting policy [policy1].
>> at
>> org.jboss.resteasy.core.ExceptionHandler.handleApplicationEx
>> ception(ExceptionHandler.java:76)
>> at
>> org.jboss.resteasy.core.ExceptionHandler.handleException(Exc
>> eptionHandler.java:212)
>> at
>> org.jboss.resteasy.core.SynchronousDispatcher.writeException
>> (SynchronousDispatcher.java:168)
>> at
>> org.jboss.resteasy.core.SynchronousDispatcher.invoke(Synchro
>> nousDispatcher.java:411)
>> at
>> org.jboss.resteasy.core.SynchronousDispatcher.invoke(Synchro
>> nousDispatcher.java:202)
>> at
>> org.jboss.resteasy.plugins.server.servlet.ServletContainerDi
>> spatcher.service(ServletContainerDispatcher.java:221)
>> at
>> org.jboss.resteasy.plugins.server.servlet.HttpServletDispatc
>> her.service(HttpServletDispatcher.java:56)
>> at
>> org.jboss.resteasy.plugins.server.servlet.HttpServletDispatc
>> her.service(HttpServletDispatcher.java:51)
>> at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
>> at
>> io.undertow.servlet.handlers.ServletHandler.handleRequest(Se
>> rvletHandler.java:85)
>> at
>> io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.d
>> oFilter(FilterHandler.java:129)
>> at
>> org.keycloak.services.filters.KeycloakSessionServletFilter.d
>> oFilter(KeycloakSessionServletFilter.java:90)
>> at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
>> at
>> io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.d
>> oFilter(FilterHandler.java:131)
>> at
>> io.undertow.servlet.handlers.FilterHandler.handleRequest(Fil
>> terHandler.java:84)
>> at
>> io.undertow.servlet.handlers.security.ServletSecurityRoleHan
>> dler.handleRequest(ServletSecurityRoleHandler.java:62)
>> at
>> io.undertow.servlet.handlers.ServletDispatchingHandler.handl
>> eRequest(ServletDispatchingHandler.java:36)
>> at
>> org.wildfly.extension.undertow.security.SecurityContextAssoc
>> iationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
>> at
>> io.undertow.server.handlers.PredicateHandler.handleRequest(P
>> redicateHandler.java:43)
>> at
>> io.undertow.servlet.handlers.security.SSLInformationAssociat
>> ionHandler.handleRequest(SSLInformationAssociationHandler.java:131)
>> at
>> io.undertow.servlet.handlers.security.ServletAuthenticationC
>> allHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
>> at
>> io.undertow.server.handlers.PredicateHandler.handleRequest(P
>> redicateHandler.java:43)
>> at
>> io.undertow.security.handlers.AbstractConfidentialityHandler
>> .handleRequest(AbstractConfidentialityHandler.java:46)
>> at
>> io.undertow.servlet.handlers.security.ServletConfidentiality
>> ConstraintHandler.handleRequest(ServletConfident
>> ialityConstraintHandler.java:64)
>> at
>> io.undertow.security.handlers.AuthenticationMechanismsHandle
>> r.handleRequest(AuthenticationMechanismsHandler.java:60)
>> at
>> io.undertow.servlet.handlers.security.CachedAuthenticatedSes
>> sionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
>> at
>> io.undertow.security.handlers.NotificationReceiverHandler.ha
>> ndleRequest(NotificationReceiverHandler.java:50)
>> at
>> io.undertow.security.handlers.AbstractSecurityContextAssocia
>> tionHandler.handleRequest(AbstractSecurityContextAssociation
>> Handler.java:43)
>> at
>> io.undertow.server.handlers.PredicateHandler.handleRequest(P
>> redicateHandler.java:43)
>> at
>> org.wildfly.extension.undertow.security.jacc.JACCContextIdHa
>> ndler.handleRequest(JACCContextIdHandler.java:61)
>> at
>> io.undertow.server.handlers.PredicateHandler.handleRequest(P
>> redicateHandler.java:43)
>> at
>> io.undertow.server.handlers.PredicateHandler.handleRequest(P
>> redicateHandler.java:43)
>> at
>> io.undertow.servlet.handlers.ServletInitialHandler.handleFir
>> stRequest(ServletInitialHandler.java:284)
>> at
>> io.undertow.servlet.handlers.ServletInitialHandler.dispatchR
>> equest(ServletInitialHandler.java:263)
>> at
>> io.undertow.servlet.handlers.ServletInitialHandler.access$00
>> 0(ServletInitialHandler.java:81)
>> at
>> io.undertow.servlet.handlers.ServletInitialHandler$1.handleR
>> equest(ServletInitialHandler.java:174)
>> at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
>> at io.undertow.server.HttpServerExchange$1.run(HttpServerExchan
>> ge.java:793)
>> at
>> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPool
>> Executor.java:1142)
>> at
>> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoo
>> lExecutor.java:617)
>> at java.lang.Thread.run(Thread.java:748)
>> Caused by: java.lang.RuntimeException: Error while exporting policy
>> [policy1].
>> at
>> org.keycloak.exportimport.util.ExportUtils.createPolicyRepre
>> sentation(ExportUtils.java:386)
>> at
>> org.keycloak.exportimport.util.ExportUtils.lambda$exportAuth
>> orizationSettings$3(ExportUtils.java:313)
>> at java.util.stream.ReferencePipeline$3$1.accept(ReferencePipel
>> ine.java:193)
>> at java.util.stream.ReferencePipeline$2$1.accept(ReferencePipel
>> ine.java:175)
>> at
>> java.util.ArrayList$ArrayListSpliterator.forEachRemaining(
>> ArrayList.java:1374)
>> at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:481)
>> at
>> java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPi
>> peline.java:471)
>> at
>> java.util.stream.ReduceOps$ReduceOp.evaluateSequential(Reduc
>> eOps.java:708)
>> at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)
>> at java.util.stream.ReferencePipeline.collect(ReferencePipeline.java:499)
>> at
>> org.keycloak.exportimport.util.ExportUtils.exportAuthorizati
>> onSettings(ExportUtils.java:313)
>> at
>> org.keycloak.authorization.admin.ResourceServerService.expor
>> tSettings(ResourceServerService.java:133)
>> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>> at
>> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAcce
>> ssorImpl.java:62)
>> at
>> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMe
>> thodAccessorImpl.java:43)
>> at java.lang.reflect.Method.invoke(Method.java:498)
>> at
>> org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInje
>> ctorImpl.java:139)
>> at
>> org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget
>> (ResourceMethodInvoker.java:295)
>> at
>> org.jboss.resteasy.core.ResourceMethodInvoker.invoke(Resourc
>> eMethodInvoker.java:249)
>> at
>> org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTarge
>> tObject(ResourceLocatorInvoker.java:138)
>> at
>> org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(Resour
>> ceLocatorInvoker.java:107)
>> at
>> org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTarge
>> tObject(ResourceLocatorInvoker.java:133)
>> at
>> org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(Resour
>> ceLocatorInvoker.java:107)
>> at
>> org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTarge
>> tObject(ResourceLocatorInvoker.java:133)
>> at
>> org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(Resour
>> ceLocatorInvoker.java:107)
>> at
>> org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTarge
>> tObject(ResourceLocatorInvoker.java:133)
>> at
>> org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(Resour
>> ceLocatorInvoker.java:107)
>> at
>> org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTarge
>> tObject(ResourceLocatorInvoker.java:133)
>> at
>> org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(Resour
>> ceLocatorInvoker.java:107)
>> at
>> org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTarge
>> tObject(ResourceLocatorInvoker.java:133)
>> at
>> org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(Resour
>> ceLocatorInvoker.java:101)
>> at
>> org.jboss.resteasy.core.SynchronousDispatcher.invoke(Synchro
>> nousDispatcher.java:395)
>> ... 37 more
>> Caused by: java.lang.NullPointerException
>> at
>> org.keycloak.exportimport.util.ExportUtils.lambda$createPoli
>> cyRepresentation$7(ExportUtils.java:351)
>> at java.util.stream.ReferencePipeline$3$1.accept(ReferencePipel
>> ine.java:193)
>> at
>> java.util.ArrayList$ArrayListSpliterator.forEachRemaining(
>> ArrayList.java:1374)
>> at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:481)
>> at
>> java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPi
>> peline.java:471)
>> at
>> java.util.stream.ReduceOps$ReduceOp.evaluateSequential(Reduc
>> eOps.java:708)
>> at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)
>> at java.util.stream.ReferencePipeline.collect(ReferencePipeline.java:499)
>> at
>> org.keycloak.exportimport.util.ExportUtils.createPolicyRepre
>> sentation(ExportUtils.java:353)
>> ... 68 more
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>
>


More information about the keycloak-user mailing list