I have a Keycloak extension (Custom Endpoints, SPI). Now I want to add sending of AdminEvents, which I implemented as follows:

    private void logAdminEvent(ClientConnection clientConnection, UserRepresentation rep, OperationType operation, ResourceType resource) {
        RealmModel realm = session.getContext().getRealm();
        // beware: clientConnection must not be null because of missing check for NullPointer in Keycloak
        ClientModel client = realm.getClientByClientId(ROLE_ATTRIBUTE_CLIENT);
        AdminAuth adminAuth = new AdminAuth(realm, authResult.getToken(), authResult.getUser(), client);
        AdminEventBuilder adminEvent = new AdminEventBuilder(realm, adminAuth, session, clientConnection);
        adminEvent
            .operation(operation)
            .resource(resource)
            .authIpAddress(authResult.getSession().getIpAddress())
            .authClient(client)
            .resourcePath(session.getContext().getUri())
            .representation(rep);
        adminEvent
            .success();
    }

I am aware that the admin event logging must be activated in the Keycloak admin console, which I did.
Maybe it is relevant that the logged-in user has no administration privileges, but it also did not work when I gave admin privileges.
I need ideas or hints as to what I am doing wrong here. Documentation and web research unfortunately did not help.
Take a look at the Keycloak sources, especially something like RootAdminResource. As far as I remember, all admin resources (e.g. controllers) create events via a builder that is cloned from the builder that was injected via the constructor by the parent resource. You may be missing some initialization tricks.
Ok, we found that. First, for update / delete, we had to add the realm to the adminEvent. Second, for create, we had the event logging after the session.getTransactionManager().commit(); took place. Setting the commit after the adminEvent.success() fixed the issue.
Maybe this can help anyone.
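
The two fixes from the follow-up applied to the question's method, as an added example that is not the poster's or Keycloak's own code. The class name, its constructor and the `isActive()` guard are assumptions, `.realm(realm)` is one reading of "add the realm to the adminEvent", and the Keycloak server libraries are assumed to be on the classpath.

```java
import java.util.Objects;
import org.keycloak.common.ClientConnection;
import org.keycloak.events.admin.OperationType;
import org.keycloak.events.admin.ResourceType;
import org.keycloak.models.ClientModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.representations.idm.UserRepresentation;
import org.keycloak.services.managers.AuthenticationManager.AuthResult;
import org.keycloak.services.resources.admin.AdminAuth;
import org.keycloak.services.resources.admin.AdminEventBuilder;

// Hypothetical helper; name and constructor are assumptions for this example.
public class UserAdminEventLogger {
    private final KeycloakSession session;
    private final AuthResult authResult;
    private final String auditClientId; // stands in for the page's ROLE_ATTRIBUTE_CLIENT

    public UserAdminEventLogger(KeycloakSession session, AuthResult authResult, String auditClientId) {
        this.session = session;
        this.authResult = authResult;
        this.auditClientId = auditClientId;
    }

    /** Call this BEFORE session.getTransactionManager().commit(). */
    public void logAdminEvent(ClientConnection clientConnection, UserRepresentation rep,
                              OperationType operation, ResourceType resource) {
        // The question notes that Keycloak does not null-check the connection.
        Objects.requireNonNull(clientConnection, "clientConnection");
        // Guard (assumption): fail loudly instead of silently losing the audit
        // record; on the page, events sent after commit() were not logged.
        if (!session.getTransactionManager().isActive()) {
            throw new IllegalStateException("admin event must be sent before commit()");
        }
        RealmModel realm = session.getContext().getRealm();
        ClientModel client = realm.getClientByClientId(auditClientId);
        AdminAuth adminAuth = new AdminAuth(realm, authResult.getToken(), authResult.getUser(), client);
        new AdminEventBuilder(realm, adminAuth, session, clientConnection)
            .realm(realm)                 // fix 1: set the realm on the event explicitly
            .operation(operation)
            .resource(resource)
            .authIpAddress(authResult.getSession().getIpAddress())
            .authClient(client)
            .resourcePath(session.getContext().getUri())
            .representation(rep)
            .success();                   // fix 2: emit first, commit afterwards
    }
}
```

In the custom endpoint the call order then becomes: change the user, call `logAdminEvent(...)`, and only then `session.getTransactionManager().commit()`.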