Red Hat Fuse / ENTESB-7834

pax-keycloak doesn't work with BearerTokenLoginModule


    • Type: Bug
    • Resolution: Done
    • Priority: Major
    • fuse-7.0
    • Components: Hawtio, Karaf, Security
    • Pax-keycloak 0.2.0 has been released and pax-web upgraded to it.
    • Sprint: Fuse 7.0 Sprint 26

      Due to this issue, hawtio v2 Keycloak integration doesn't work well on Karaf yet. It's possible that there are just some missing configurations on the Karaf side, though.

      Basically you should be able to observe this issue when you try to enable Keycloak on a Fuse Karaf kit.

      > repo-add pax-keycloak
      > feature:install pax-keycloak
      

      Then replace the etc/keycloak-hawtio.json with this:

      {
        "realm" : "demo",
        "clientId" : "hawtio-client",
        "url" : "http://localhost:8080/auth"
      }
      

      and restart the server. (Currently the generated keycloak-hawtio.json isn't up-to-date with what hawtio v2 expects, but it's a trivial issue here.)

      Now you should be able to log in with root:password (admin) or john:password (viewer) if you set up the demo realm using the demorealm.json.[1] However, the issue is that even after login hawtio keeps getting 403 (Forbidden) for Jolokia access, and thus most functionality is not available.

      If you turn on debug logging for io.hawt.system:

      > log:set DEBUG io.hawt.system
      

      then you'll see this error stacktrace in the log:

      13:48:31.912 WARN [XNIO-3 task-20] Login failed due to: java.lang.RuntimeException: Couldn't find ClientCredentialsProvider implementation class with id: secret. Loaded authentication providers: []
      	at org.keycloak.adapters.authentication.ClientCredentialsProviderUtils.bootstrapClientAuthenticator(ClientCredentialsProviderUtils.java:67)
      	at org.keycloak.adapters.KeycloakDeploymentBuilder.internalBuild(KeycloakDeploymentBuilder.java:94)
      	at org.keycloak.adapters.KeycloakDeploymentBuilder.build(KeycloakDeploymentBuilder.java:152)
      	at org.keycloak.adapters.jaas.AbstractKeycloakLoginModule.resolveDeployment(AbstractKeycloakLoginModule.java:103)
      	at org.keycloak.adapters.jaas.AbstractKeycloakLoginModule.initialize(AbstractKeycloakLoginModule.java:83)
      	at org.apache.karaf.jaas.boot.ProxyLoginModule.initialize(ProxyLoginModule.java:76)
      	at sun.reflect.GeneratedMethodAccessor16.invoke(Unknown Source)
      	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
      	at java.lang.reflect.Method.invoke(Method.java:498)
      	at javax.security.auth.login.LoginContext.invoke(LoginContext.java:736)
      	at javax.security.auth.login.LoginContext.access$000(LoginContext.java:195)
      	at javax.security.auth.login.LoginContext$4.run(LoginContext.java:682)
      	at javax.security.auth.login.LoginContext$4.run(LoginContext.java:680)
      	at java.security.AccessController.doPrivileged(Native Method)
      	at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
      	at javax.security.auth.login.LoginContext.login(LoginContext.java:587)
      	at io.hawt.system.Authenticator.doAuthenticate(Authenticator.java:149)
      	at io.hawt.system.Authenticator.authenticate(Authenticator.java:102)
      	at io.hawt.system.Authenticator.authenticate(Authenticator.java:93)
      	at io.hawt.web.auth.AuthenticationFilter.doFilter(AuthenticationFilter.java:59)
      	at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
      	at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
      	at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
      	at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
      	at io.undertow.servlet.handlers.ServletChain$1.handleRequest(ServletChain.java:64)
      	at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
      	at org.ops4j.pax.web.service.undertow.internal.Context$1.lambda$wrap$0(Context.java:595)
      	at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:132)
      	at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
      	at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
      	at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
      	at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
      	at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
      	at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
      	at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
      	at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
      	at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
      	at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292)
      	at io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81)
      	at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138)
      	at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135)
      	at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48)
      	at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
      	at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272)
      	at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
      	at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104)
      	at io.undertow.server.Connectors.executeRootHandler(Connectors.java:336)
      	at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:830)
      	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
      	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
      	at java.lang.Thread.run(Thread.java:748)
      

      This is because hawtio (server-side) expects the demo realm to be connected with BearerTokenLoginModule via LoginContext in its Authenticator, but somehow it isn't.

      [1] UPDATE: You also need to turn Full Scope Allowed ON for hawtio-client in the demo realm to make the Keycloak integration work. Open the Keycloak admin console and select the demo realm. Then go to Clients and select hawtio-client, click the Scope tab and turn ON Full Scope Allowed.
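      The lookup that throws in the stack trace above happens in ClientCredentialsProviderUtils.bootstrapClientAuthenticator(): the adapter first derives the client-authenticator id from the adapter JSON ("secret" when there is no "credentials" block, as in the keycloak-hawtio.json shown) and then discovers provider implementations through java.util.ServiceLoader, so "Loaded authentication providers: []" means no META-INF/services registration was visible to either the adapter's own class loader or the thread context class loader. The script below, added here as an example and not code from this issue, from Keycloak or from hawtio, mirrors those two steps in Python so the condition can be checked against the jars actually deployed on a kit. The provider class names and ids in KNOWN_PROVIDERS are assumptions taken from keycloak-adapter-core, and the two jars are constructed in a temp directory so the script runs offline.

```python
"""Mirror of the client-authenticator lookup that fails in the stack trace.

Added example; not code from this issue, from Keycloak or from hawtio.
It reproduces the two steps of
org.keycloak.adapters.authentication.ClientCredentialsProviderUtils
.bootstrapClientAuthenticator():
  1. choose the authenticator id from the adapter JSON: "secret" when the
     "credentials" block is absent or empty, otherwise its first key;
  2. discover providers the way java.util.ServiceLoader does, by reading the
     META-INF/services registration file out of each jar on the class path.
"""
import json
import os
import tempfile
import zipfile
from typing import Dict, List

SERVICE_FILE = ("META-INF/services/"
                "org.keycloak.adapters.authentication.ClientCredentialsProvider")

# Built-in provider classes and the ids they return from getId().
# Assumption: taken from keycloak-adapter-core; check them against the adapter
# version shipped on your kit.
KNOWN_PROVIDERS = {
    "org.keycloak.adapters.authentication.ClientIdAndSecretCredentialsProvider": "secret",
    "org.keycloak.adapters.authentication.JWTClientCredentialsProvider": "jwt",
    "org.keycloak.adapters.authentication.JWTClientSecretCredentialsProvider": "secret-jwt",
}

# The adapter JSON from the issue: no "credentials" block, so the adapter
# asks for the "secret" provider.
HAWTIO_JSON = """{
  "realm" : "demo",
  "clientId" : "hawtio-client",
  "url" : "http://localhost:8080/auth"
}"""


def authenticator_id(deployment: dict) -> str:
    """Step 1: the id the adapter will look up for this deployment."""
    creds = deployment.get("credentials") or {}
    return next(iter(creds)) if creds else "secret"


def load_providers(jars: List[str]) -> Dict[str, str]:
    """Step 2: ServiceLoader-style discovery; returns {provider id: class}."""
    found: Dict[str, str] = {}
    for jar in jars:
        with zipfile.ZipFile(jar) as zf:
            if SERVICE_FILE not in zf.namelist():
                continue  # this jar carries no registration at all
            for line in zf.read(SERVICE_FILE).decode("utf-8").splitlines():
                cls = line.split("#", 1)[0].strip()  # drop comments and blanks
                if cls:
                    found[KNOWN_PROVIDERS.get(cls, cls)] = cls
    return found


def resolve(deployment: dict, jars: List[str]) -> str:
    """Return the provider class the adapter would use, or raise with the
    same text the adapter logs when discovery comes back empty."""
    wanted = authenticator_id(deployment)
    providers = load_providers(jars)
    if wanted not in providers:
        raise RuntimeError(
            "Couldn't find ClientCredentialsProvider implementation class "
            f"with id: {wanted}. Loaded authentication providers: "
            f"[{', '.join(providers)}]")
    return providers[wanted]


def make_jar(path: str, entries: Dict[str, str]) -> str:
    """Write a minimal jar (a zip) with the given entries; constructed data."""
    with zipfile.ZipFile(path, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return path


def demo() -> Dict[str, str]:
    """Run the lookup against a jar with the registration and one without."""
    tmp = tempfile.mkdtemp()
    registered = make_jar(os.path.join(tmp, "adapter-with-services.jar"), {
        SERVICE_FILE: "# constructed registration file\n"
                      "org.keycloak.adapters.authentication.ClientIdAndSecretCredentialsProvider\n"
                      "org.keycloak.adapters.authentication.JWTClientCredentialsProvider\n",
    })
    stripped = make_jar(os.path.join(tmp, "adapter-without-services.jar"), {
        "META-INF/MANIFEST.MF": "Manifest-Version: 1.0\n",
    })
    deployment = json.loads(HAWTIO_JSON)
    results = {"healthy": resolve(deployment, [registered])}
    try:
        resolve(deployment, [stripped])
    except RuntimeError as err:
        results["broken"] = str(err)  # same message as the stack trace above
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

      Pointed at the real adapter bundle on a kit (for example by listing the jar under data/cache or the one pax-keycloak pulls in), load_providers() tells you whether the registration file is present at all, which is the first thing to verify when the "[]" form of this error appears; an empty list is a class-loading or packaging problem, not a realm or client configuration problem, so no change to the Keycloak admin console will clear it.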

              Guillaume Nodet (g_nodet)
              Tadayoshi Sato (rhn-support-tasato)
              Votes: 0
              Watchers: 2