将 Keycloak 用于 Wildfly 应用程序 - 身份验证错误
[英]Using Keycloak for Wildfly Applications - Authentication Error
问题描述
I'm writing a plugin for Keycloak which basically a Wildfly application itself.
我正在为 Keycloak 编写一个插件,它基本上是一个 Wildfly 应用程序本身。 When I try to deploy the application to running Keycloak, I'm getting the following error:当我尝试将应用程序部署到运行 Keycloak 时,出现以下错误:
[ERROR] JBOSS-LOCAL-USER: javax.security.sasl.SaslException: ELY05128: Failed to read challenge file [Caused by java.io.FileNotFoundException: /opt/jboss/keycloak/standalone/tmp/auth/local6441877703083959873.challenge (No such file or directory)]
[ERROR] DIGEST-MD5: javax.security.sasl.SaslException: DIGEST-MD5: Server rejected authentication
I tried to add new user with roles but didn't work.我尝试添加具有角色的新用户,但没有奏效。 Can someone explain me why this is happening and how to fix it?有人可以解释一下为什么会发生这种情况以及如何解决吗?
Thank you,谢谢,
UPDATE: Here is some part of my massive standalone.xml更新:这是我庞大的standalone.xml的一部分
<management>
<security-realms>
<security-realm name="ManagementRealm">
<authentication>
<local default-user="$local" skip-group-loading="true"/>
<properties path="mgmt-users.properties" relative-to="jboss.server.config.dir"/>
</authentication>
<authorization map-groups-to-roles="false">
<properties path="mgmt-groups.properties" relative-to="jboss.server.config.dir"/>
</authorization>
</security-realm>
<security-realm name="ApplicationRealm">
<server-identities>
<ssl>
<keystore path="application.keystore" relative-to="jboss.server.config.dir" keystore-password="password" alias="server" key-password="password" generate-self-signed-certificate-host="localhost"/>
</ssl>
</server-identities>
<authentication>
<local default-user="$local" allowed-users="*" skip-group-loading="true"/>
<properties path="application-users.properties" relative-to="jboss.server.config.dir"/>
</authentication>
<authorization>
<properties path="application-roles.properties" relative-to="jboss.server.config.dir"/>
</authorization>
</security-realm>
</security-realms>
<audit-log>
<formatters>
<json-formatter name="json-formatter"/>
</formatters>
<handlers>
<file-handler name="file" formatter="json-formatter" path="audit-log.log" relative-to="jboss.server.data.dir"/>
</handlers>
<logger log-boot="true" log-read-only="false" enabled="false">
<handlers>
<handler name="file"/>
</handlers>
</logger>
</audit-log>
<management-interfaces>
<http-interface security-realm="ManagementRealm">
<http-upgrade enabled="true"/>
<socket-binding http="management-http"/>
</http-interface>
</management-interfaces>
<access-control provider="simple">
<role-mapping>
<role name="SuperUser">
<include>
<user name="$local"/>
</include>
</role>
</role-mapping>
</access-control>
</management>
<profile>
<subsystem xmlns="urn:jboss:domain:keycloak-server:1.1">
<web-context>auth</web-context>
<providers>
<provider>
module:car.hey.keycloak.actuator
</provider>
<provider>
module:car.hey.keycloak.insideman
</provider>
<provider>
classpath:${jboss.home.dir}/providers/
</provider>
</providers>
<master-realm-name>master</master-realm-name>
<scheduled-task-interval>900</scheduled-task-interval>
<theme>
<staticMaxAge>2592000</staticMaxAge>
<cacheThemes>true</cacheThemes>
<cacheTemplates>true</cacheTemplates>
<dir>${jboss.home.dir}/themes</dir>
</theme>
<spi name="eventsStore">
<provider name="jpa" enabled="true">
<properties>
<property name="exclude-events" value="["REFRESH_TOKEN"]"/>
</properties>
</provider>
</spi>
<spi name="userCache">
<provider name="default" enabled="true"/>
</spi>
<spi name="userSessionPersister">
<default-provider>jpa</default-provider>
</spi>
<spi name="timer">
<default-provider>basic</default-provider>
</spi>
<spi name="connectionsHttpClient">
<provider name="default" enabled="true"/>
</spi>
<spi name="connectionsJpa">
<provider name="default" enabled="true">
<properties>
<property name="dataSource" value="java:jboss/datasources/KeycloakDS"/>
<property name="initializeEmpty" value="true"/>
<property name="migrationStrategy" value="update"/>
<property name="migrationExport" value="${jboss.home.dir}/keycloak-database-update.sql"/>
</properties>
</provider>
</spi>
<spi name="realmCache">
<provider name="default" enabled="true"/>
</spi>
<spi name="connectionsInfinispan">
<default-provider>default</default-provider>
<provider name="default" enabled="true">
<properties>
<property name="cacheContainer" value="java:jboss/infinispan/container/keycloak"/>
</properties>
</provider>
</spi>
<spi name="jta-lookup">
<default-provider>${keycloak.jta.lookup.provider:jboss}</default-provider>
<provider name="jboss" enabled="true"/>
</spi>
<spi name="publicKeyStorage">
<provider name="infinispan" enabled="true">
<properties>
<property name="minTimeBetweenRequests" value="10"/>
</properties>
</provider>
</spi>
<spi name="x509cert-lookup">
<default-provider>${keycloak.x509cert.lookup.provider:default}</default-provider>
<provider name="default" enabled="true"/>
</spi>
<spi name="hostname">
<default-provider>request</default-provider>
<provider name="fixed" enabled="true">
<properties>
<property name="hostname" value="localhost"/>
<property name="httpPort" value="-1"/>
<property name="httpsPort" value="-1"/>
</properties>
</provider>
</spi>
</subsystem>
<subsystem xmlns="urn:jboss:domain:bean-validation:1.0"/>
<subsystem xmlns="urn:jboss:domain:core-management:1.0"/>
<subsystem xmlns="urn:jboss:domain:datasources:5.0">
<datasources>
<datasource jndi-name="java:jboss/datasources/ExampleDS" pool-name="ExampleDS" enabled="true" use-java-context="true" statistics-enabled="${wildfly.datasources.statistics-enabled:${wildfly.statistics-enabled:false}}">
<connection-url>jdbc:h2:mem:test;DB_CLOSE_DELAY=-1;DB_CLOSE_ON_EXIT=FALSE</connection-url>
<driver>h2</driver>
<security>
<user-name>sa</user-name>
<password>sa</password>
</security>
</datasource>
<datasource jndi-name="java:jboss/datasources/KeycloakDS" pool-name="KeycloakDS" enabled="true" use-java-context="true" statistics-enabled="${wildfly.datasources.statistics-enabled:${wildfly.statistics-enabled:false}}">
<connection-url>jdbc:h2:${jboss.server.data.dir}/keycloak;AUTO_SERVER=TRUE</connection-url>
<driver>h2</driver>
<security>
<user-name>sa</user-name>
<password>sa</password>
</security>
</datasource>
<drivers>
<driver name="h2" module="com.h2database.h2">
<xa-datasource-class>org.h2.jdbcx.JdbcDataSource</xa-datasource-class>
</driver>
</drivers>
</datasources>
</subsystem>
<subsystem xmlns="urn:jboss:domain:deployment-scanner:2.0">
<deployment-scanner path="deployments" relative-to="jboss.server.base.dir" scan-interval="5000" runtime-failure-causes-rollback="${jboss.deployment.scanner.rollback.on.failure:false}"/>
</subsystem>
<subsystem xmlns="urn:jboss:domain:remoting:4.0">
<http-connector name="http-remoting-connector" connector-ref="default" security-realm="ApplicationRealm"/>
</subsystem>
<subsystem xmlns="urn:wildfly:microprofile-config-smallrye:1.0"/>
<subsystem xmlns="urn:wildfly:microprofile-health-smallrye:1.0" security-enabled="false"/>
<subsystem xmlns="urn:wildfly:microprofile-metrics-smallrye:2.0" security-enabled="false" exposed-subsystems="*" prefix="${wildfly.metrics.prefix:wildfly}"/>
<subsystem xmlns="urn:jboss:domain:security-manager:1.0">
<deployment-permissions>
<maximum-set>
<permission class="java.security.AllPermission"/>
</maximum-set>
</deployment-permissions>
</subsystem>
1 个解决方案
解决方案1
0 2019-10-03 03:59:15
I suspect your problem may be due to using EJB and trying to make a remote call in your application.我怀疑您的问题可能是由于使用 EJB 并尝试在您的应用程序中进行远程调用。 When you use remote EJBs, they will be connected by the remote connector defined in your xml:当您使用远程 EJB 时,它们将通过 xml 中定义的远程连接器进行连接:
<subsystem xmlns = "urn: jboss: domain: remoting: 4.0">
<http-connector name = "http-remoting-connector" connector-ref = "default" security-realm = "ApplicationRealm" />
</subsystem>
In this case, verify the configuration of your ejb client.在这种情况下,请验证您的 ejb 客户端的配置。 You should have a file named jboss-ejb-client.properties (It should be located in the src/main/resources folder).你应该有一个名为jboss-ejb-client.properties的文件(它应该位于src/main/resources文件夹中)。 Take in account to disable some configurations:考虑禁用一些配置:
- SASL_POLICY_NOPLAINTEXT SASL_POLICY_NOPLAINTEXT
- SASL_POLICY_NOANONYMOUS SASL_POLICY_NOANONYMOUS
Jboss-ejb-client.properties example: Jboss-ejb-client.properties示例:
endpoint.name = client-endpoint
remote.connectionprovider.create.options.org.xnio.Options.SSL_ENABLED = false
remote.connections = default
remote.connection.default.host = 127.0.0.1
remote.connection.default.port = 8080
remote.connection.default.connect.options.org.xnio.Options.SASL_POLICY_NOPLAINTEXT = false
remote.connection.default.connect.options.org.xnio.Options.SASL_POLICY_NOANONYMOUS = false
remote.connection.default.username = username
remote.connection.default.password = password
Replace in the above example the connection host, port and the user credentials.替换上述示例中的连接主机、端口和用户凭据。
In this example, the connection is not encrypted but it can have SSL enabled too.
Take into account that if the connection requires authentication, you need to add a user to your WildFly via the add-user.sh (or add-user.bat) script.考虑到如果连接需要身份验证,您需要通过 add-user.sh(或 add-user.bat)脚本将用户添加到 WildFly。
You can also try to replace your ejb remote access with a local one (@Local instead of @Remote).您还可以尝试将您的 ejb 远程访问替换为本地访问(@Local 而不是 @Remote)。
I hope this helps, otherwise try to share a sample reproducer (eg github) and I will try to help you.我希望这会有所帮助,否则请尝试分享一个示例复制器(例如 github),我会尽力帮助您。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.
相关问题
Wildfly 中仅承载身份验证,不使用 Keycloak - Bearer only authentication in Wildfly without using Keycloak
使用 Keycloak SSO 在 2 个应用程序之间保持身份验证 - Keep authentication between 2 applications with Keycloak SSO
在 Java 应用程序中使用 NTLM 身份验证 - Using NTLM authentication in Java applications
在WildFly 8.2上使用SAAJ时出错 - Error using SAAJ on WildFly 8.2
Keycloak Quickstarts 在部署 Wildfly 中不起作用 - Keycloak Quickstarts is not working in the deploy Wildfly
KeyCloak WildFly 独立模块 MySQL - KeyCloak WildFly Standlone module MySQL
使用docker和java spring时Keycloak认证问题 - Keycloak authentication problems when using docker and java spring
Wildfly 中带有 RolesAllowed 的 Websocket 身份验证 - Websocket authentication in Wildfly with RolesAllowed
WildFly Swarm中的JAAS身份验证 - JAAS Authentication in WildFly Swarm
Wildfly表单认证 - Wildfly Form Authentication
相关标签