[keycloak-user] Authorization settings can't be exported more than once on 3.1.0.Final
Pedro Igor Silva
psilva at redhat.com
Tue Jun 6 14:39:48 EDT 2017
Yes, it would be. It is already in upstream.
Indeed, it is a very nasty issue .... We have added more tests to make sure
we don't break anything else in the future.
On Tue, Jun 6, 2017 at 12:50 PM, Stephane Granger <
stephane.granger at gmail.com> wrote:
> Thanks Pedro Igor,
>
> will the fix be available in 3.2.0.Final? This is a pretty serious bug
> for us, we do have a workaround but it's complicated.
>
> Stephane
>
> On Mon, Jun 5, 2017 at 8:17 AM, Pedro Igor Silva <psilva at redhat.com>
> wrote:
>
>> This is a known issue. We have it fixed in upstream already as well tests
>> to make sure we don't break anything when exporting settings.
>>
>> The problem is that during export your role policies are updated with the
>> role names and not kept intact with role identifiers.
>>
>> Regards.
>> Pedro Igor
>>
>> On Fri, Jun 2, 2017 at 6:22 PM, Stephane Granger <
>> stephane.granger at gmail.com> wrote:
>>
>>> I am running into a weird issue. After creating a client which uses the
>>> Authorization settings, the settings can only be exported 1 time.
>>> Rebooting the key cloak server doesn't clear the problem.
>>>
>>> Steps to reproduce.
>>>
>>> Create TEST realm
>>>
>>> Create TEST client, make sure the Authorization Enabled slider is set to
>>> ON, click save.
>>>
>>> Create the following Roles for the client
>>> role1
>>> role2
>>> role3
>>>
>>> Go on the Authorization tab
>>> create 3 policies: policy1, policy2, policy3 with corresponding required
>>> role1...3 from the TEST client
>>>
>>> create Authorization Scopes: scope1, scope2, scope3
>>>
>>> create Resources: resource1 with scope2, resource2/scope2 and
>>> resource3/scope3
>>>
>>> finally, create the permissions
>>> resource based: permission1/resource1/policy1
>>> resource based: permission2/resource2/policy2
>>> scope based: permission3/scope3/policy3
>>>
>>> On the Authorization tab of the TEST client, click on the Export button.
>>> This will work.
>>> Navigate back to a different realm, and back again to the Authorization
>>> tab
>>> of the TEST client, try exporting again, this time it will fail.
>>> Restarting the Keycloak server does not clear the problem.
>>>
>>>
>>> Here are the logs:
>>>
>>> 2017-06-02 17:20:07,859 ERROR [io.undertow.request] (default task-37)
>>> UT005023: Exception handling request to
>>> /auth/admin/realms/TEST/clients/411eea34-dbc1-4227-ac4a-1c6a
>>> fb22f7a5/authz/resource-server/settings:
>>> org.jboss.resteasy.spi.UnhandledException: java.lang.RuntimeException:
>>> Error while exporting policy [policy1].
>>> at
>>> org.jboss.resteasy.core.ExceptionHandler.handleApplicationEx
>>> ception(ExceptionHandler.java:76)
>>> at
>>> org.jboss.resteasy.core.ExceptionHandler.handleException(Exc
>>> eptionHandler.java:212)
>>> at
>>> org.jboss.resteasy.core.SynchronousDispatcher.writeException
>>> (SynchronousDispatcher.java:168)
>>> at
>>> org.jboss.resteasy.core.SynchronousDispatcher.invoke(Synchro
>>> nousDispatcher.java:411)
>>> at
>>> org.jboss.resteasy.core.SynchronousDispatcher.invoke(Synchro
>>> nousDispatcher.java:202)
>>> at
>>> org.jboss.resteasy.plugins.server.servlet.ServletContainerDi
>>> spatcher.service(ServletContainerDispatcher.java:221)
>>> at
>>> org.jboss.resteasy.plugins.server.servlet.HttpServletDispatc
>>> her.service(HttpServletDispatcher.java:56)
>>> at
>>> org.jboss.resteasy.plugins.server.servlet.HttpServletDispatc
>>> her.service(HttpServletDispatcher.java:51)
>>> at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
>>> at
>>> io.undertow.servlet.handlers.ServletHandler.handleRequest(Se
>>> rvletHandler.java:85)
>>> at
>>> io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.d
>>> oFilter(FilterHandler.java:129)
>>> at
>>> org.keycloak.services.filters.KeycloakSessionServletFilter.d
>>> oFilter(KeycloakSessionServletFilter.java:90)
>>> at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilte
>>> r.java:60)
>>> at
>>> io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.d
>>> oFilter(FilterHandler.java:131)
>>> at
>>> io.undertow.servlet.handlers.FilterHandler.handleRequest(Fil
>>> terHandler.java:84)
>>> at
>>> io.undertow.servlet.handlers.security.ServletSecurityRoleHan
>>> dler.handleRequest(ServletSecurityRoleHandler.java:62)
>>> at
>>> io.undertow.servlet.handlers.ServletDispatchingHandler.handl
>>> eRequest(ServletDispatchingHandler.java:36)
>>> at
>>> org.wildfly.extension.undertow.security.SecurityContextAssoc
>>> iationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
>>> at
>>> io.undertow.server.handlers.PredicateHandler.handleRequest(P
>>> redicateHandler.java:43)
>>> at
>>> io.undertow.servlet.handlers.security.SSLInformationAssociat
>>> ionHandler.handleRequest(SSLInformationAssociationHandler.java:131)
>>> at
>>> io.undertow.servlet.handlers.security.ServletAuthenticationC
>>> allHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
>>> at
>>> io.undertow.server.handlers.PredicateHandler.handleRequest(P
>>> redicateHandler.java:43)
>>> at
>>> io.undertow.security.handlers.AbstractConfidentialityHandler
>>> .handleRequest(AbstractConfidentialityHandler.java:46)
>>> at
>>> io.undertow.servlet.handlers.security.ServletConfidentiality
>>> ConstraintHandler.handleRequest(ServletConfidentialityConstr
>>> aintHandler.java:64)
>>> at
>>> io.undertow.security.handlers.AuthenticationMechanismsHandle
>>> r.handleRequest(AuthenticationMechanismsHandler.java:60)
>>> at
>>> io.undertow.servlet.handlers.security.CachedAuthenticatedSes
>>> sionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
>>> at
>>> io.undertow.security.handlers.NotificationReceiverHandler.ha
>>> ndleRequest(NotificationReceiverHandler.java:50)
>>> at
>>> io.undertow.security.handlers.AbstractSecurityContextAssocia
>>> tionHandler.handleRequest(AbstractSecurityContextAssociation
>>> Handler.java:43)
>>> at
>>> io.undertow.server.handlers.PredicateHandler.handleRequest(P
>>> redicateHandler.java:43)
>>> at
>>> org.wildfly.extension.undertow.security.jacc.JACCContextIdHa
>>> ndler.handleRequest(JACCContextIdHandler.java:61)
>>> at
>>> io.undertow.server.handlers.PredicateHandler.handleRequest(P
>>> redicateHandler.java:43)
>>> at
>>> io.undertow.server.handlers.PredicateHandler.handleRequest(P
>>> redicateHandler.java:43)
>>> at
>>> io.undertow.servlet.handlers.ServletInitialHandler.handleFir
>>> stRequest(ServletInitialHandler.java:284)
>>> at
>>> io.undertow.servlet.handlers.ServletInitialHandler.dispatchR
>>> equest(ServletInitialHandler.java:263)
>>> at
>>> io.undertow.servlet.handlers.ServletInitialHandler.access$00
>>> 0(ServletInitialHandler.java:81)
>>> at
>>> io.undertow.servlet.handlers.ServletInitialHandler$1.handleR
>>> equest(ServletInitialHandler.java:174)
>>> at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
>>> at io.undertow.server.HttpServerExchange$1.run(HttpServerExchan
>>> ge.java:793)
>>> at
>>> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPool
>>> Executor.java:1142)
>>> at
>>> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoo
>>> lExecutor.java:617)
>>> at java.lang.Thread.run(Thread.java:748)
>>> Caused by: java.lang.RuntimeException: Error while exporting policy
>>> [policy1].
>>> at
>>> org.keycloak.exportimport.util.ExportUtils.createPolicyRepre
>>> sentation(ExportUtils.java:386)
>>> at
>>> org.keycloak.exportimport.util.ExportUtils.lambda$exportAuth
>>> orizationSettings$3(ExportUtils.java:313)
>>> at java.util.stream.ReferencePipeline$3$1.accept(ReferencePipel
>>> ine.java:193)
>>> at java.util.stream.ReferencePipeline$2$1.accept(ReferencePipel
>>> ine.java:175)
>>> at
>>> java.util.ArrayList$ArrayListSpliterator.forEachRemaining(Ar
>>> rayList.java:1374)
>>> at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:481)
>>> at
>>> java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPi
>>> peline.java:471)
>>> at
>>> java.util.stream.ReduceOps$ReduceOp.evaluateSequential(Reduc
>>> eOps.java:708)
>>> at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)
>>> at java.util.stream.ReferencePipeline.collect(ReferencePipeline
>>> .java:499)
>>> at
>>> org.keycloak.exportimport.util.ExportUtils.exportAuthorizati
>>> onSettings(ExportUtils.java:313)
>>> at
>>> org.keycloak.authorization.admin.ResourceServerService.expor
>>> tSettings(ResourceServerService.java:133)
>>> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>> at
>>> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAcce
>>> ssorImpl.java:62)
>>> at
>>> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMe
>>> thodAccessorImpl.java:43)
>>> at java.lang.reflect.Method.invoke(Method.java:498)
>>> at
>>> org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInje
>>> ctorImpl.java:139)
>>> at
>>> org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget
>>> (ResourceMethodInvoker.java:295)
>>> at
>>> org.jboss.resteasy.core.ResourceMethodInvoker.invoke(Resourc
>>> eMethodInvoker.java:249)
>>> at
>>> org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTarge
>>> tObject(ResourceLocatorInvoker.java:138)
>>> at
>>> org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(Resour
>>> ceLocatorInvoker.java:107)
>>> at
>>> org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTarge
>>> tObject(ResourceLocatorInvoker.java:133)
>>> at
>>> org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(Resour
>>> ceLocatorInvoker.java:107)
>>> at
>>> org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTarge
>>> tObject(ResourceLocatorInvoker.java:133)
>>> at
>>> org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(Resour
>>> ceLocatorInvoker.java:107)
>>> at
>>> org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTarge
>>> tObject(ResourceLocatorInvoker.java:133)
>>> at
>>> org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(Resour
>>> ceLocatorInvoker.java:107)
>>> at
>>> org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTarge
>>> tObject(ResourceLocatorInvoker.java:133)
>>> at
>>> org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(Resour
>>> ceLocatorInvoker.java:107)
>>> at
>>> org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTarge
>>> tObject(ResourceLocatorInvoker.java:133)
>>> at
>>> org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(Resour
>>> ceLocatorInvoker.java:101)
>>> at
>>> org.jboss.resteasy.core.SynchronousDispatcher.invoke(Synchro
>>> nousDispatcher.java:395)
>>> ... 37 more
>>> Caused by: java.lang.NullPointerException
>>> at
>>> org.keycloak.exportimport.util.ExportUtils.lambda$createPoli
>>> cyRepresentation$7(ExportUtils.java:351)
>>> at java.util.stream.ReferencePipeline$3$1.accept(ReferencePipel
>>> ine.java:193)
>>> at
>>> java.util.ArrayList$ArrayListSpliterator.forEachRemaining(Ar
>>> rayList.java:1374)
>>> at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:481)
>>> at
>>> java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPi
>>> peline.java:471)
>>> at
>>> java.util.stream.ReduceOps$ReduceOp.evaluateSequential(Reduc
>>> eOps.java:708)
>>> at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)
>>> at java.util.stream.ReferencePipeline.collect(ReferencePipeline
>>> .java:499)
>>> at
>>> org.keycloak.exportimport.util.ExportUtils.createPolicyRepre
>>> sentation(ExportUtils.java:353)
>>> ... 68 more
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>>
>>
>
More information about the keycloak-user
mailing list