Uploaded image for project: 'Red Hat Fuse'
  1. Red Hat Fuse
  2. ENTESB-7834

pax-keycloak doesn't work with BearerTokenLoginModule

    XMLWordPrintable

Details

    • Bug
    • Resolution: Done
    • Major
    • fuse-7.0
    • None
    • Hawtio, Karaf, Security
    • None
    • % %
    • Pax-keycloak 0.2.0 has been released and pax-web upgraded to it.
    • Fuse 7.0 Sprint 26

    Description

      Due to this issue hawtio v2 Keycloak integration doesn't work well on Karaf yet. It's possible that there are just some missing configurations on Karaf side though.

      Basically you should be able to observe this issue when you try to enable Keycloak on a Fuse Karaf kit.

      > repo-add pax-keycloak
> feature:install pax-keycloak

      Then replace the etc/keycloak-hawtio.json with this:

      {
  "realm" : "demo",
  "clientId" : "hawtio-client",
  "url" : "http://localhost:8080/auth"
}

      and restart the server. (Currently the generated keycloak-hawtio.json isn't up-to-date with what hawtio v2 expects, but it's a trivial issue here.)

      Now you should be able to login with root:password (admin) or john:password (viewer) if you set up the demo realm using the demorealm.json.[1] However, the issue is that even after login hawtio keeps getting 403 (forbidden) for Jolokia access and thus most functionalities are not available.

      If you turn on debug logging for io.hawt.system:

      > log:set DEBUG io.hawt.system

      then you'll see this error stacktrace in the log:

      13:48:31.912 WARN [XNIO-3 task-20] Login failed due to: java.lang.RuntimeException: Couldn't find ClientCredentialsProvider implementation class with id: secret. Loaded authentication providers: []
	at org.keycloak.adapters.authentication.ClientCredentialsProviderUtils.bootstrapClientAuthenticator(ClientCredentialsProviderUtils.java:67)
	at org.keycloak.adapters.KeycloakDeploymentBuilder.internalBuild(KeycloakDeploymentBuilder.java:94)
	at org.keycloak.adapters.KeycloakDeploymentBuilder.build(KeycloakDeploymentBuilder.java:152)
	at org.keycloak.adapters.jaas.AbstractKeycloakLoginModule.resolveDeployment(AbstractKeycloakLoginModule.java:103)
	at org.keycloak.adapters.jaas.AbstractKeycloakLoginModule.initialize(AbstractKeycloakLoginModule.java:83)
	at org.apache.karaf.jaas.boot.ProxyLoginModule.initialize(ProxyLoginModule.java:76)
	at sun.reflect.GeneratedMethodAccessor16.invoke(Unknown Source)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:498)
	at javax.security.auth.login.LoginContext.invoke(LoginContext.java:736)
	at javax.security.auth.login.LoginContext.access$000(LoginContext.java:195)
	at javax.security.auth.login.LoginContext$4.run(LoginContext.java:682)
	at javax.security.auth.login.LoginContext$4.run(LoginContext.java:680)
	at java.security.AccessController.doPrivileged(Native Method)
	at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
	at javax.security.auth.login.LoginContext.login(LoginContext.java:587)
	at io.hawt.system.Authenticator.doAuthenticate(Authenticator.java:149)
	at io.hawt.system.Authenticator.authenticate(Authenticator.java:102)
	at io.hawt.system.Authenticator.authenticate(Authenticator.java:93)
	at io.hawt.web.auth.AuthenticationFilter.doFilter(AuthenticationFilter.java:59)
	at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
	at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
	at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
	at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
	at io.undertow.servlet.handlers.ServletChain$1.handleRequest(ServletChain.java:64)
	at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
	at org.ops4j.pax.web.service.undertow.internal.Context$1.lambda$wrap$0(Context.java:595)
	at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:132)
	at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
	at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
	at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
	at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
	at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
	at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
	at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
	at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
	at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
	at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292)
	at io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81)
	at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138)
	at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135)
	at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48)
	at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
	at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272)
	at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
	at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104)
	at io.undertow.server.Connectors.executeRootHandler(Connectors.java:336)
	at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:830)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
	at java.lang.Thread.run(Thread.java:748)

      It is because hawtio (server-side) expects the demo realm to be connected with BearerTokenLoginModule via LoginContext in its Authenticator, but somehow it isn't.

      [1] UPDATE: You also need to turn Full Scope Allowed ON for hawtio-client in the demo realm to make Keycloak integration work. Open the Keycloak admin console and select demo realm. Then go to Clients and select hawtio-client, and click Scope tab and turn ON Full Scope Allowed.

      Attachments

        Issue Links

          relates to

          Enhancement - An enhancement to or refactoring of existing functionality that is not configurable by an end user (typically a change made by an internal team that affects users) ENTESB-7736 Integrate hawtio-oauth plugin into Fuse 7 standalone

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Done

          Activity

            People

              g_nodet Guillaume Nodet (Inactive)
              rhn-support-tasato Tadayoshi Sato
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: