[keycloak-user] Authentication failed: org.jvnet.libpam.PAMException
mizuki
mizuki0621 at gmail.com
Thu Mar 14 20:37:55 EDT 2019
See pamtester went successful with both cases (whether both OTP and
password enabled or OTP only)
Case 1: Both Password and OTP are enabled:
*[root at mktst1 ~]# pamtester keycloak mmstestu authenticate*
First Factor:
Second Factor (optional):
pamtester: successfully authenticated
Case 2: Enabled OTP only:
*[root at mktst1 ~]# pamtester Keycloak mmstestu authenticate*
First Factor:
Second Factor:
pamtester: successfully authenticated
Note
Thanks.
On Thu, Mar 14, 2019 at 7:01 PM Bruno Oliveira <bruno at abstractj.org> wrote:
> What is the output from pamtester?
>
> On Thu, Mar 14, 2019, 5:42 PM mizuki <mizuki0621 at gmail.com> wrote:
>
>> Thanks for the response, Bruno.
>>
>> I certainly went through the documents and examed configurations
>> carefully. I attached KRB log from IPA server as well as /var/log/secure
>> from Keycloak server as supporting evidences (high lighted with blue for
>> important portions).
>>
>> In the case when both 'password' and 'otp' are enabled to the user in
>> IPA, Keycloak failed to authenticate user with either the password or otp.
>>
>> [root at idm01 ~]# ipa user-show mmstestu
>> User login: mmstestu
>> First name: Test
>> Last name: 55555
>> Home directory: /u0b/mmstestu
>> Login shell: /bin/bash
>> Principal name: mmstestu at SDCC.BNL.GOV
>> Principal alias: mmstestu at SDCC.BNL.GOV
>> Kerberos principal expiration: 20690301145828Z
>> Email address: smithj4 at example.com
>> UID: 7041
>> GID: 9965
>> SSH public key fingerprint:
>> SHA256:/JlIpowM8fnzu+eVyeDj0Nb08+L3KWn7gG3lmS2YRFk (ssh-rsa)
>> User authentication types: otp, password
>> Account disabled: False
>> Password: True
>> Member of groups: ipausers, rhloi13, ravendor, webstaff, eic
>> Member of HBAC rule: mktst1
>> Kerberos keys available: True
>>
>> Krb log on IPA server shows following:
>> Mar 14 16:24:36 idm01.sdcc.bnl.gov krb5kdc[9534](info): AS_REQ (8 etypes
>> {18 17 20 19 16 23 25 26}) 130.199.148.235: NEEDED_PREAUTH:
>> mmstestu at SDCC.BNL.GOV for krbtgt/SDCC.BNL.GOV at SDCC.BNL.GOV, Additional
>> pre-authentication required
>> Mar 14 16:24:36 idm01.sdcc.bnl.gov krb5kdc[9534](info): AS_REQ (8 etypes
>> {18 17 20 19 16 23 25 26}) 130.199.148.235: PREAUTH_FAILED:
>> mmstestu at SDCC.BNL.GOV for krbtgt/SDCC.BNL.GOV at SDCC.BNL.GOV, Incorrect
>> password in encrypted challenge
>>
>> /var/log/secure log on KeyCloak server:
>> Mar 14 16:24:36 mktst1 journal: IBM Java[8421]: pam_sss(keycloak:auth):
>> authentication failure; logname=root uid=0 euid=0 tty= ruser= rhost=
>> user=mmstestu
>> Mar 14 16:24:36 mktst1 journal: IBM Java[8421]: pam_sss(keycloak:auth):
>> received for user mmstestu: 17 (Failure setting user credentials)
>>
>> In ../log/server.log on KeyCloak server:
>> 2019-03-14 16:24:36,844 ERROR
>> [org.keycloak.federation.sssd.impl.PAMAuthenticator] (default task-2)
>> Authentication failed: org.jvnet.libpam.PAMException: pam_authenticate
>> failed : Permission denied
>> at org.jvnet.libpam.PAM.check(PAM.java:113)
>> at org.jvnet.libpam.PAM.authenticate(PAM.java:129)
>> at
>> org.keycloak.federation.sssd.impl.PAMAuthenticator.authenticate(PAMAuthenticator.java:53)
>> at
>> org.keycloak.federation.sssd.SSSDFederationProvider.isValid(SSSDFederationProvider.java:180)
>> at
>> org.keycloak.credential.UserCredentialStoreManager.validate(UserCredentialStoreManager.java:143)
>> at
>> org.keycloak.credential.UserCredentialStoreManager.isValid(UserCredentialStoreManager.java:124)
>> at
>> org.keycloak.authentication.authenticators.browser.AbstractUsernameFormAuthenticator.validatePassword(AbstractUsernameFormAuthenticator.java:193)
>> at
>> org.keycloak.authentication.authenticators.browser.AbstractUsernameFormAuthenticator.validateUserAndPassword(AbstractUsernameFormAuthenticator.java:166)
>> at
>> org.keycloak.authentication.authenticators.browser.UsernamePasswordForm.validateForm(UsernamePasswordForm.java:55)
>> at
>> org.keycloak.authentication.authenticators.browser.UsernamePasswordForm.action(UsernamePasswordForm.java:48)
>> at
>> org.keycloak.authentication.DefaultAuthenticationFlow.processAction(DefaultAuthenticationFlow.java:113)
>> at
>> org.keycloak.authentication.DefaultAuthenticationFlow.processAction(DefaultAuthenticationFlow.java:97)
>> at
>> org.keycloak.authentication.AuthenticationProcessor.authenticationAction(AuthenticationProcessor.java:873)
>> at
>> org.keycloak.services.resources.LoginActionsService.processFlow(LoginActionsService.java:292)
>> at
>> org.keycloak.services.resources.LoginActionsService.processAuthentication(LoginActionsService.java:263)
>> at
>> org.keycloak.services.resources.LoginActionsService.authenticate(LoginActionsService.java:259)
>> at
>> org.keycloak.services.resources.LoginActionsService.authenticateForm(LoginActionsService.java:320)
>> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>> at
>> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:90)
>> at
>> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:55)
>> at java.lang.reflect.Method.invoke(Method.java:508)
>> at
>> org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:140)
>> at
>> org.jboss.resteasy.core.ResourceMethodInvoker.internalInvokeOnTarget(ResourceMethodInvoker.java:509)
>> at
>> org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTargetAfterFilter(ResourceMethodInvoker.java:399)
>> at
>> org.jboss.resteasy.core.ResourceMethodInvoker.lambda$invokeOnTarget$0(ResourceMethodInvoker.java:363)
>> at
>> org.jboss.resteasy.core.ResourceMethodInvoker$$Lambda$873.00000000AFCB79F0.get(Unknown
>> Source)
>> at
>> org.jboss.resteasy.core.interception.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:358)
>> at
>> org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:365)
>> at
>> org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:337)
>> at
>> org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:137)
>> at
>> org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:100)
>> at
>> org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:443)
>> at
>> org.jboss.resteasy.core.SynchronousDispatcher.lambda$invoke$4(SynchronousDispatcher.java:233)
>> at
>> org.jboss.resteasy.core.SynchronousDispatcher$$Lambda$871.00000000B11B4F40.run(Unknown
>> Source)
>> at
>> org.jboss.resteasy.core.SynchronousDispatcher.lambda$preprocess$0(SynchronousDispatcher.java:139)
>> at
>> org.jboss.resteasy.core.SynchronousDispatcher$$Lambda$872.00000000ACC159F0.get(Unknown
>> Source)
>> at
>> org.jboss.resteasy.core.interception.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:358)
>> at
>> org.jboss.resteasy.core.SynchronousDispatcher.preprocess(SynchronousDispatcher.java:142)
>> at
>> org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:219)
>> at
>> org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:227)
>> at
>> org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
>> at
>> org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
>> at javax.servlet.http.HttpServlet.service(HttpServlet.java:791)
>> at
>> io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:74)
>> at
>> io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
>> at
>> org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90)
>> at
>> io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
>> at
>> io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
>> at
>> io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
>> at
>> io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
>> at
>> io.undertow.servlet.handlers.ServletChain$1.handleRequest(ServletChain.java:68)
>> at
>> io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
>> at
>> org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
>> at
>> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>> at
>> io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:132)
>> at
>> io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
>> at
>> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>> at
>> io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
>> at
>> io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
>> at
>> io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
>> at
>> io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
>> at
>> io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
>> at
>> io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
>> at
>> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>> at
>> org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
>> at
>> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>> at
>> org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68)
>> at
>> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>> at
>> io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292)
>> at
>> io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81)
>> at
>> io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138)
>> at
>> io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135)
>> at
>> io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48)
>> at
>> io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
>> at
>> org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105)
>> at
>> org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction$$Lambda$721.00000000A8A8CB90.call(Unknown
>> Source)
>> at
>> org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
>> at
>> org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction$$Lambda$722.00000000A8B52390.call(Unknown
>> Source)
>> at
>> org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
>> at
>> org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction$$Lambda$722.00000000A8B52390.call(Unknown
>> Source)
>> at
>> org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
>> at
>> org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction$$Lambda$722.00000000A8B52390.call(Unknown
>> Source)
>> at
>> org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
>> at
>> org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction$$Lambda$722.00000000A8B52390.call(Unknown
>> Source)
>> at
>> io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272)
>> at
>> io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
>> at
>> io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104)
>> at
>> io.undertow.server.Connectors.executeRootHandler(Connectors.java:360)
>> at
>> io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:830)
>> at
>> org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
>> at
>> org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1985)
>> at
>> org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1487)
>> at
>> org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1378)
>> at java.lang.Thread.run(Thread.java:812)
>>
>> Then if I remove the 'password' option and leaves 'otp' only for the
>> user, KeyCloak does actually authenticate fine (password + QRCode combined
>> with no space): Following are logs when it successes:
>>
>> [root at idm01 ~]# ipa user-mod mmstestu --user-auth-type=otp
>> ------------------------
>> Modified user "mmstestu"
>> ------------------------
>> User login: mmstestu
>> First name: Test
>> Last name: 55555
>> Home directory: /u0b/mmstestu
>> Login shell: /bin/bash
>> Principal name: mmstestu at SDCC.BNL.GOV
>> Principal alias: mmstestu at SDCC.BNL.GOV
>> Kerberos principal expiration: 20690301145828Z
>> Email address: smithj4 at example.com
>> UID: 7041
>> GID: 9965
>> SSH public key fingerprint:
>> SHA256:/JlIpowM8fnzu+eVyeDj0Nb08+L3KWn7gG3lmS2YRFk (ssh-rsa)
>> User authentication types: otp
>> Account disabled: False
>> Password: True
>> Member of groups: ipausers, rhloi13, ravendor, webstaff, eic
>> Member of HBAC rule: mktst1
>> Kerberos keys available: True
>>
>> In KRB log on IPA server:
>> Mar 14 16:28:57 idm01.sdcc.bnl.gov krb5kdc[9535](info): AS_REQ (8 etypes
>> {18 17 20 19 16 23 25 26}) 130.199.148.235: ISSUE: authtime 1552595337,
>> etypes {rep=18 tkt=18 ses=18}, mmstestu at SDCC.BNL.GOV for krbtgt/
>> SDCC.BNL.GOV at SDCC.BNL.GOV
>> Mar 14 16:28:57 idm01.sdcc.bnl.gov krb5kdc[9535](info): TGS_REQ (8
>> etypes {18 17 20 19 16 23 25 26}) 130.199.148.235: ISSUE: authtime
>> 1552595337, etypes {rep=18 tkt=18 ses=18}, mmstestu at SDCC.BNL.GOV for
>> host/mktst1.sdcc.bnl.gov at SDCC.BNL.GOV
>>
>> In /var/log/secure on KeyCloak server:
>> Mar 14 16:28:57 mktst1 journal: IBM Java[8421]: pam_sss(keycloak:auth):
>> authentication success; logname=root uid=0 euid=0 tty= ruser= rhost=
>> user=mmstestu
>>
>> Please advice.
>> Thanks.
>> Mizuki
>>
>>
>> On Tue, Mar 12, 2019 at 11:35 AM Bruno Oliveira <bruno at abstractj.org>
>> wrote:
>>
>>> Hi Mizuki,
>>>
>>> In the scenario you described Keycloak just relies on PAM to
>>> authenticate the user. What I'd do before configure Keycloak is to try
>>> dbus-send and pamtester, just to make sure that my setup works.
>>>
>>> So here's my suggestion, try to run pamtester -v keycloak youruser. If
>>> pamtester does not authenticate your user, there's a chance that
>>> something is wrong with your setup. Certainly worth to review our
>>> docs[1].
>>>
>>> [1] - https://www.keycloak.org/docs/latest/server_admin/index.html#_sssd
>>>
>>> On 2019-03-05, mizuki wrote:
>>> > Hi,
>>> >
>>> > We are currently evaluating keycloak as a possible authentication
>>> mechanism
>>> > deployed to our facility.
>>> > We use kerberos for user authentication with FreeIPA and configured
>>> sssd
>>> > for user federation in keycloak (follow the official document both from
>>> > keycloak and freeipa.org)
>>> > One of the requirement we desire is to enable kerboros password for SSH
>>> > login and enabled 'otp' for HTTP based applications.
>>> >
>>> > To do so,
>>> > 1. We enabled both user-auth-types for the user:
>>> > - password
>>> > - password + otp
>>> >
>>> > 2. Created HBAC rules in IPA, allowing keycloak server access for
>>> following
>>> > services: (I purposely did not enable 'otp' at this point as I want to
>>> > verify both 'password' and 'otp' shall work)
>>> > - keycloak
>>> > - sshd
>>> >
>>> > 3. Confimred sshd worked with both 'password' and 'otp' types via
>>> PAM/SSSD,
>>> > then I went ahead and accessed URL that is protected by keycloak,
>>> > 'password' works but 'otp' won't, the following ERRORs were seen in
>>> > keycloak's server.log:
>>> > -----------
>>> > 019-03-04 17:01:20,246 WARN [org.keycloak.events] (default task-22)
>>> > type=LOGIN_ERROR, realmId=SDCC, clientId=vproxytest03,
>>> > userId=9900928d-efee-4192-bbc8-7e29cf512d2b, ipAddress=130.199.6.120,
>>> > error=invalid_user_credentials, auth_method=openid-connect,
>>> auth_type=code,
>>> > redirect_uri=https://www.example.com/secure/
>>> > <https://vproxytest03.racf.bnl.gov/secure/>*,
>>> > code_id=d6c83411-4ca8-4d2b-b942-afd0006e98d2, username=mmstestu
>>> > 2019-03-04 17:01:43,033 ERROR
>>> > [org.keycloak.federation.sssd.impl.PAMAuthenticator] (default task-22)
>>> > Authentication failed: org.jvnet.libpam.PAMException: pam_authenticate
>>> > failed : Permission denied
>>> > at org.jvnet.libpam.PAM.check(PAM.java:113)
>>> > at org.jvnet.libpam.PAM.authenticate(PAM.java:129)
>>> > at
>>> >
>>> org.keycloak.federation.sssd.impl.PAMAuthenticator.authenticate(PAMAuthenticator.java:53)
>>> >
>>> > at
>>> >
>>> org.keycloak.federation.sssd.SSSDFederationProvider.isValid(SSSDFederationProvider.java:180)
>>> >
>>> > at
>>> >
>>> org.keycloak.credential.UserCredentialStoreManager.validate(UserCredentialStoreManager.java:143)
>>> >
>>> > at
>>> >
>>> org.keycloak.credential.UserCredentialStoreManager.isValid(UserCredentialStoreManager.java:124)
>>> >
>>> > at
>>> >
>>> org.keycloak.authentication.authenticators.browser.AbstractUsernameFormAuthenticator.validatePassword(AbstractUsernameFormAuthenticator.java:193)
>>> >
>>> > at
>>> >
>>> org.keycloak.authentication.authenticators.browser.AbstractUsernameFormAuthenticator.validateUserAndPassword(AbstractUsernameFormAuthenticator.java:166)
>>> >
>>> > at
>>> >
>>> org.keycloak.authentication.authenticators.browser.UsernamePasswordForm.validateForm(UsernamePasswordForm.java:55)
>>> >
>>> > at
>>> >
>>> org.keycloak.authentication.authenticators.browser.UsernamePasswordForm.action(UsernamePasswordForm.java:48)
>>> >
>>> > at
>>> >
>>> org.keycloak.authentication.DefaultAuthenticationFlow.processAction(DefaultAuthenticationFlow.java:113)
>>> >
>>> > at
>>> >
>>> org.keycloak.authentication.DefaultAuthenticationFlow.processAction(DefaultAuthenticationFlow.java:97)
>>> >
>>> > at
>>> >
>>> org.keycloak.authentication.AuthenticationProcessor.authenticationAction(AuthenticationProcessor.java:873)
>>> >
>>> > at
>>> >
>>> org.keycloak.services.resources.LoginActionsService.processFlow(LoginActionsService.java:292)
>>> >
>>> > at
>>> >
>>> org.keycloak.services.resources.LoginActionsService.processAuthentication(LoginActionsService.java:263)
>>> >
>>> > at
>>> >
>>> org.keycloak.services.resources.LoginActionsService.authenticate(LoginActionsService.java:259)
>>> >
>>> > at
>>> >
>>> org.keycloak.services.resources.LoginActionsService.authenticateForm(LoginActionsService.java:320)
>>> >
>>> > at sun.reflect.GeneratedMethodAccessor719.invoke(Unknown Source)
>>> > at
>>> >
>>> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:55)
>>> >
>>> > at java.lang.reflect.Method.invoke(Method.java:508)
>>> > at
>>> >
>>> org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:140)
>>> >
>>> > at
>>> >
>>> org.jboss.resteasy.core.ResourceMethodInvoker.internalInvokeOnTarget(ResourceMethodInvoker.java:509)
>>> >
>>> > at
>>> >
>>> org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTargetAfterFilter(ResourceMethodInvoker.java:399)
>>> >
>>> > at
>>> >
>>> org.jboss.resteasy.core.ResourceMethodInvoker.lambda$invokeOnTarget$0(ResourceMethodInvoker.java:363)
>>> >
>>> > at
>>> >
>>> org.jboss.resteasy.core.ResourceMethodInvoker$$Lambda$849.00000000BB8BBB40.get(Unknown
>>> > Source)
>>> > at
>>> >
>>> org.jboss.resteasy.core.interception.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:358)
>>> >
>>> > at
>>> >
>>> org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:365)
>>> >
>>> > at
>>> >
>>> org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:337)
>>> >
>>> > at
>>> >
>>> org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:137)
>>> >
>>> > at
>>> >
>>> org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:100)
>>> >
>>> > at
>>> >
>>> org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:443)
>>> >
>>> > at
>>> >
>>> org.jboss.resteasy.core.SynchronousDispatcher.lambda$invoke$4(SynchronousDispatcher.java:233)
>>> >
>>> > at
>>> >
>>> org.jboss.resteasy.core.SynchronousDispatcher$$Lambda$847.00000000BE026450.run(Unknown
>>> > Source)
>>> > at
>>> >
>>> org.jboss.resteasy.core.SynchronousDispatcher.lambda$preprocess$0(SynchronousDispatcher.java:139)
>>> >
>>> > at
>>> >
>>> org.jboss.resteasy.core.SynchronousDispatcher$$Lambda$848.00000000BDC48A90.get(Unknown
>>> > Source)
>>> > at
>>> >
>>> org.jboss.resteasy.core.interception.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:358)
>>> >
>>> > at
>>> >
>>> org.jboss.resteasy.core.SynchronousDispatcher.preprocess(SynchronousDispatcher.java:142)
>>> >
>>> > at
>>> >
>>> org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:219)
>>> >
>>> > at
>>> >
>>> org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:227)
>>> >
>>> > at
>>> >
>>> org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
>>> >
>>> > at
>>> >
>>> org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
>>> >
>>> > at javax.servlet.http.HttpServlet.service(HttpServlet.java:791)
>>> > at
>>> >
>>> io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:74)
>>> >
>>> > at
>>> >
>>> io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
>>> >
>>> > at
>>> >
>>> org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90)
>>> >
>>> > at
>>> > io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
>>> > at
>>> >
>>> io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
>>> >
>>> > at
>>> >
>>> io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
>>> >
>>> > at
>>> >
>>> io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
>>> >
>>> > at
>>> >
>>> io.undertow.servlet.handlers.ServletChain$1.handleRequest(ServletChain.java:68)
>>> >
>>> > at
>>> >
>>> io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
>>> >
>>> > at
>>> >
>>> org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
>>> >
>>> > at
>>> >
>>> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>>> >
>>> > at
>>> >
>>> io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:132)
>>> >
>>> > at
>>> >
>>> io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
>>> >
>>> > at
>>> >
>>> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>>> >
>>> > at
>>> >
>>> io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
>>> >
>>> > at
>>> >
>>> io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
>>> >
>>> > at
>>> >
>>> io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
>>> >
>>> > at
>>> >
>>> io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
>>> >
>>> > at
>>> >
>>> io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
>>> >
>>> > at
>>> >
>>> io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
>>> >
>>> > at
>>> >
>>> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>>> >
>>> > at
>>> >
>>> org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
>>> >
>>> > at
>>> >
>>> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>>> >
>>> > at
>>> >
>>> org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68)
>>> >
>>> > at
>>> >
>>> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>>> >
>>> > at
>>> >
>>> io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292)
>>> >
>>> > at
>>> >
>>> io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81)
>>> >
>>> > at
>>> >
>>> io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138)
>>> >
>>> > at
>>> >
>>> io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135)
>>> >
>>> > at
>>> >
>>> io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48)
>>> >
>>> > at
>>> >
>>> io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
>>> >
>>> > at
>>> >
>>> org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105)
>>> >
>>> > at
>>> >
>>> org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction$$Lambda$693.00000000BCF725B0.call(Unknown
>>> > Source)
>>> > at
>>> >
>>> org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
>>> >
>>> > at
>>> >
>>> org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction$$Lambda$694.00000000BD0FBEE0.call(Unknown
>>> > Source)
>>> > at
>>> >
>>> org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
>>> >
>>> > at
>>> >
>>> org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction$$Lambda$694.00000000BD0FBEE0.call(Unknown
>>> > Source)
>>> > at
>>> >
>>> org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
>>> >
>>> > at
>>> >
>>> org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction$$Lambda$694.00000000BD0FBEE0.call(Unknown
>>> > Source)
>>> > at
>>> >
>>> org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
>>> >
>>> > at
>>> >
>>> org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction$$Lambda$694.00000000BD0FBEE0.call(Unknown
>>> > Source)
>>> > at
>>> >
>>> io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272)
>>> >
>>> > at
>>> >
>>> io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
>>> >
>>> > at
>>> >
>>> io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104)
>>> >
>>> > at
>>> > io.undertow.server.Connectors.executeRootHandler(Connectors.java:360)
>>> > at
>>> >
>>> io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:830)
>>> > at
>>> >
>>> org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
>>> >
>>> > at
>>> >
>>> org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1985)
>>> >
>>> > at
>>> >
>>> org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1487)
>>> >
>>> > at
>>> >
>>> org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1378)
>>> >
>>> > at java.lang.Thread.run(Thread.java:812)
>>> > ------------------
>>> >
>>> > Interesting thing is keycloak handles OTP just fine if I have
>>> > 'password+otp' only checked on, then we won't be able to log onto the
>>> > machines via SSH using password, that defeats our purposes.
>>> >
>>> > I tested different version of JAVA and the latest keycloak (4.8.3)
>>> version
>>> > (on REHL 7), all got the same results.
>>> > I'm wondering if this is more likely a bug or I missed something.
>>> > I'd appreciate if someone can advice what the approach is.
>>> >
>>> > Thank you very much.
>>> >
>>> > Mizuki
>>> > _______________________________________________
>>> > keycloak-user mailing list
>>> > keycloak-user at lists.jboss.org
>>> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>>> --
>>>
>>> abstractj
>>>
>>
More information about the keycloak-user
mailing list