[keycloak-user] Client specific enumerated roles

Ravi Kiran rkgunnam120 at gmail.com
Tue Feb 6 13:20:01 EST 2018


I am sorry, but I forgot to mention in my mail that the client is running in an
EAP7 environment.

Original Question:

Currently in our application we use LDAP, and each LDAP role is mapped to
multiple CRUD permission roles within the application. For
example, the HUMAN_RESOURCE_DIRECTOR role in LDAP is mapped to CREATE_Employee,
Update_Employee, Read_Department, etc. We are adding these enumerated
roles by extending LdapExtLoginModule.

Now we are planning to switch to Keycloak (rh-sso), what is the best
approach to achieve this?

According to the issue https://issues.jboss.org/browse/KEYCLOAK-1382, it
looks like extending LoginModule is not an option.

Also, so far I have tried to override the WildFly request authenticator but ran
into class loading issues. Here are code snippets for the overridden
implementations:

import io.undertow.servlet.api.DeploymentInfo;
import org.jboss.logging.Logger;
import org.keycloak.adapters.AdapterDeploymentContext;
import org.keycloak.adapters.NodesRegistrationManagement;
import org.keycloak.adapters.undertow.KeycloakServletExtension;
import org.keycloak.adapters.undertow.ServletKeycloakAuthMech;
import org.keycloak.adapters.undertow.UndertowUserSessionManagement;
import org.keycloak.adapters.wildfly.WildflyKeycloakServletExtension;

public class CustomWildflyKeycloakServletExtension extends KeycloakServletExtension {

    protected static Logger log = Logger.getLogger(WildflyKeycloakServletExtension.class);

    // Replaces the stock mechanism so that the custom request authenticator
    // (and therefore the custom getRoleSets) is used for every request.
    @Override
    protected ServletKeycloakAuthMech createAuthenticationMechanism(DeploymentInfo deploymentInfo,
            AdapterDeploymentContext deploymentContext,
            UndertowUserSessionManagement userSessionManagement,
            NodesRegistrationManagement nodesRegistrationManagement) {
        log.info("Creating CustomWildflyKeycloakServletExtension");
        return new CustomWildflyAuthenticationMachanism(deploymentContext, userSessionManagement,
                nodesRegistrationManagement, deploymentInfo.getConfidentialPortManager(),
                getErrorPage(deploymentInfo));
    }
}



--------

import io.undertow.security.api.SecurityContext;
import io.undertow.server.HttpServerExchange;
import io.undertow.servlet.api.ConfidentialPortManager;
import org.keycloak.adapters.AdapterDeploymentContext;
import org.keycloak.adapters.AdapterTokenStore;
import org.keycloak.adapters.KeycloakDeployment;
import org.keycloak.adapters.NodesRegistrationManagement;
import org.keycloak.adapters.undertow.ServletRequestAuthenticator;
import org.keycloak.adapters.undertow.UndertowHttpFacade;
import org.keycloak.adapters.undertow.UndertowUserSessionManagement;
import org.keycloak.adapters.wildfly.WildflyAuthenticationMechanism;

public class CustomWildflyAuthenticationMachanism extends WildflyAuthenticationMechanism {

    public CustomWildflyAuthenticationMachanism(AdapterDeploymentContext deploymentContext,
            UndertowUserSessionManagement userSessionManagement,
            NodesRegistrationManagement nodesRegistrationManagement,
            ConfidentialPortManager portManager, String errorPage) {
        super(deploymentContext, userSessionManagement, nodesRegistrationManagement, portManager, errorPage);
    }

    // Same wiring as the parent, but hands each request to the custom authenticator.
    @Override
    protected ServletRequestAuthenticator createRequestAuthenticator(KeycloakDeployment deployment,
            HttpServerExchange exchange, SecurityContext securityContext, UndertowHttpFacade facade) {
        int confidentialPort = getConfidentilPort(exchange);
        AdapterTokenStore tokenStore = getTokenStore(exchange, facade, deployment, securityContext);
        return new CustomWildflyRequestAuthenticator(facade, deployment, confidentialPort,
                securityContext, exchange, tokenStore);
    }
}



--------

import java.security.acl.Group;
import java.util.ArrayList;
import java.util.Collection;
import com.google.common.collect.Lists;
import io.undertow.security.api.SecurityContext;
import io.undertow.server.HttpServerExchange;
import org.keycloak.adapters.AdapterTokenStore;
import org.keycloak.adapters.KeycloakDeployment;
import org.keycloak.adapters.spi.HttpFacade;
import org.keycloak.adapters.wildfly.WildflyRequestAuthenticator;

public class CustomWildflyRequestAuthenticator extends WildflyRequestAuthenticator {

    public CustomWildflyRequestAuthenticator(HttpFacade facade, KeycloakDeployment deployment,
            int sslRedirectPort, SecurityContext securityContext, HttpServerExchange exchange,
            AdapterTokenStore tokenStore) {
        super(facade, deployment, sslRedirectPort, securityContext, exchange, tokenStore);
    }

    // Hook where the token's role names are turned into the container's role groups.
    @Override
    protected Group[] getRoleSets(Collection<String> roleSet) {
        ArrayList<Group> groups = Lists.newArrayList(super.getRoleSets(roleSet));
        // Planning to add client specific roles here.
        return groups.toArray(new Group[0]);
    }
}

But I ran into some class loading issues [I have checked the modules that
were added as part of the adapter and see that all the jars exist]. I am not
sure what the issue could be here:

10:33:05,230 ERROR [org.jboss.msc.service.fail] (ServerService Thread Pool -- 67) MSC000001: Failed to start service jboss.undertow.deployment.default-server.default-host./eligibility: org.jboss.msc.service.StartException in service jboss.undertow.deployment.default-server.default-host./eligibility: java.lang.NoClassDefFoundError: org/keycloak/adapters/spi/HttpFacade
       at org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:85)
       at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511) [rt.jar:1.8.0_131-1-redhat]
       at java.util.concurrent.FutureTask.run(FutureTask.java:266) [rt.jar:1.8.0_131-1-redhat]
       at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [rt.jar:1.8.0_131-1-redhat]
       at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [rt.jar:1.8.0_131-1-redhat]
       at java.lang.Thread.run(Thread.java:748) [rt.jar:1.8.0_131-1-redhat]
       at org.jboss.threads.JBossThread.run(JBossThread.java:320) [jboss-threads-2.2.1.Final-redhat-1.jar:2.2.1.Final-redhat-1]
Caused by: java.lang.NoClassDefFoundError: org/keycloak/adapters/spi/HttpFacade
       at org.test.keycloak.adapters.CustomWildflyKeycloakServletExtension.createAuthenticationMechanism(CustomWildflyKeycloakServletExtension.java:21)
       at org.keycloak.adapters.undertow.KeycloakServletExtension.handleDeployment(KeycloakServletExtension.java:144)
       at io.undertow.servlet.core.DeploymentManagerImpl.handleExtensions(DeploymentManagerImpl.java:252)
       at io.undertow.servlet.core.DeploymentManagerImpl.deploy(DeploymentManagerImpl.java:152)
       at org.wildfly.extension.undertow.deployment.UndertowDeploymentService.startContext(UndertowDeploymentService.java:100)
       at org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:82)
       ... 6 more
Caused by: java.lang.ClassNotFoundException: org.keycloak.adapters.spi.HttpFacade from [Module "deployment.eligibility.war:main" from Service Module Loader]
       at org.jboss.modules.ModuleClassLoader.findClass(ModuleClassLoader.java:196) [jboss-modules.jar:1.5.3.Final-redhat-1]
       at org.jboss.modules.ConcurrentClassLoader.performLoadClassUnchecked(ConcurrentClassLoader.java:363) [jboss-modules.jar:1.5.3.Final-redhat-1]
       at org.jboss.modules.ConcurrentClassLoader.performLoadClass(ConcurrentClassLoader.java:351) [jboss-modules.jar:1.5.3.Final-redhat-1]
       at org.jboss.modules.ConcurrentClassLoader.loadClass(ConcurrentClassLoader.java:93) [jboss-modules.jar:1.5.3.Final-redhat-1]
       ... 12 more



The other option is to add a custom SPI implementation. But I wanted to make
sure that I am on the right path here.

Thank you very much, and I highly appreciate any help.

Thanks,

Ravi G.

On Feb 5, 2018 2:04 PM, "Ravi Kiran" <rkgunnam120 at gmail.com> wrote:

Currently in our application we use LDAP, and each LDAP role is mapped to
multiple CRUD permission roles within the application. For example,
the HUMAN_RESOURCE_DIRECTOR role in LDAP is mapped to CREATE_Employee,
Update_Employee, Read_Department, etc. We are adding these enumerated
roles by extending LdapExtLoginModule.

Now we are planning to switch to Keycloak (rh-sso), what is the best
approach to achieve this?

According to the issue, https://issues.jboss.org/browse/KEYCLOAK-1382, it
looks like extending LoginModule is not an option.

Thank you and appreciate it.
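The getRoleSets override in the mail above leaves a placeholder for the client-specific roles. As an added example (not code from the mail, from Keycloak or from RH-SSO), the following variant expands the incoming role names before delegating to the parent instead of appending to the groups it returns; the class name and the HUMAN_RESOURCE_DIRECTOR mapping table are assumptions for illustration, and the constructor signature is the one used in the mail.

```java
import java.security.acl.Group;
import java.util.Arrays;
import java.util.Collection;
import java.util.HashMap;
import java.util.HashSet;
import java.util.LinkedHashSet;
import java.util.Map;
import java.util.Set;
import io.undertow.security.api.SecurityContext;
import io.undertow.server.HttpServerExchange;
import org.keycloak.adapters.AdapterTokenStore;
import org.keycloak.adapters.KeycloakDeployment;
import org.keycloak.adapters.spi.HttpFacade;
import org.keycloak.adapters.wildfly.WildflyRequestAuthenticator;

// Hypothetical class name; the constructor signature is the one used in the mail.
public class RoleExpandingRequestAuthenticator extends WildflyRequestAuthenticator {
    // Constructed mapping using the roles named in the question. In a real
    // deployment it would be loaded from configuration, not hard-coded.
    private static final Map<String, Set<String>> ROLE_EXPANSION = new HashMap<>();
    static {
        ROLE_EXPANSION.put("HUMAN_RESOURCE_DIRECTOR", new HashSet<>(Arrays.asList(
                "CREATE_Employee", "Update_Employee", "Read_Department")));
    }

    public RoleExpandingRequestAuthenticator(HttpFacade facade, KeycloakDeployment deployment,
            int sslRedirectPort, SecurityContext securityContext, HttpServerExchange exchange,
            AdapterTokenStore tokenStore) {
        super(facade, deployment, sslRedirectPort, securityContext, exchange, tokenStore);
    }

    // Expand the role names first and only then delegate, so the parent builds the
    // container role group exactly as it does for an unmodified token.
    @Override
    protected Group[] getRoleSets(Collection<String> roleSet) {
        return super.getRoleSets(expand(roleSet));
    }

    // Keeps the original roles, appends each mapped permission role once, and
    // passes unmapped roles through unchanged so nothing is silently dropped.
    static Set<String> expand(Collection<String> roleSet) {
        Set<String> expanded = new LinkedHashSet<>(roleSet);
        for (String role : roleSet) {
            Set<String> permissions = ROLE_EXPANSION.get(role);
            if (permissions != null) expanded.addAll(permissions);
        }
        return expanded;
    }
}
```

Because the expansion happens inside the adapter rather than in the token, the mapping table is security configuration of the deployment and needs the same review as the LDAP mapping it replaces.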

