I want to enable REST service for CAS Apereo version cas-overlay-template-6.0 (on Ubuntu 16.04)
I have done following this step:
Step 1: Add compile for REST API to build.gradle file
root#ubuntu16:~/cas-overlay-template-6.0# nano build.gradle
And add two line below under dependencies clock
compile "org.apereo.cas:cas-server-support-rest:6.0.0"
compile "org.apereo.cas:cas-server-support-rest-services:6.0.0"
Step 2: clean build
root#ubuntu16:~/cas-overlay-template-6.0# ./build.sh clean
Step 3: Build source code again
root#ubuntu16:~/cas-overlay-template-6.0# ./build.sh run
But in step 3, I got error like this.
CAS is configured to accept a static list of credentials for authentication. While this is generally useful for demo purposes, it is STRONGLY recommended that you DISABLE this authentication method (by setting 'cas.authn.accept.users' to a blank value) and switch to a mode that is more suitable for production.>
2019-12-30 01:17:55,465 WARN [org.apereo.cas.config.support.authentication.AcceptUsersAuthenticationEventExecutionPlanConfiguration] - <>
2019-12-30 01:17:55,806 INFO [org.apereo.cas.config.CasPersonDirectoryConfiguration] - <Found and added static attributes [[email]] to the list of candidate attribute repositories>
2019-12-30 01:17:59,004 WARN [org.apereo.cas.web.CasWebApplicationContext] - <Exception encountered during context initialization - cancelling refresh attempt: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'registeredServiceResourceRestController' defined in class path resource [org/apereo/cas/support/rest/config/RestServicesConfiguration.class]: Bean instantiation via factory method failed; nested exception is org.springframework.beans.BeanInstantiationException: Failed to instantiate [org.apereo.cas.support.rest.RegisteredServiceResource]: Factory method 'registeredServiceResourceRestController' threw exception; nested exception is org.springframework.beans.factory.BeanCreationException: No attribute name is defined to enforce authorization when adding services via CAS REST APIs. This is likely due to misconfiguration in CAS settings where the attribute name definition is absent>
Where have I gone wrong?
Remove this:
compile "org.apereo.cas:cas-server-support-rest-services:6.0.0"
This module does this:
Invoke CAS to register applications into its own service registry. The REST call must be authenticated using basic authentication where credentials are authenticated and accepted by the existing CAS authentication strategy, and furthermore the authenticated principal must be authorized with a pre-configured role/attribute name and value that is designated in the CAS configuration via the CAS properties. The body of the request must be the service definition that shall be registered in JSON format and of course, CAS must be configured to accept the particular service type defined in the body. The accepted media type for this request is application/json.
So you can remove it, if you don't need the functionality.
If you do need it, you will need to define attribute names/values that can enforce authorization as the error message is telling you.
No attribute name is defined to enforce authorization when adding services via CAS REST APIs. This is likely due to misconfiguration in CAS settings where the attribute name definition is absent.
So, define:
# cas.rest.attributeName=
# cas.rest.attributeValue=
PS Don't add things you do not need.
Related
Injecting AuthzClient in quarkus 1.13 an error occured.
#Inject
AuthzClient authzClient;
Caused by: javax.enterprise.inject.spi.DeploymentException: javax.enterprise.inject.UnsatisfiedResolutionException: Unsatisfied dependency for type org.keycloak.authorization.client.AuthzClient and qualifiers [#Default]
- java member: io.github.jithset.services.KeycloakServices#authzClient
- declared on CLASS bean [types=[io.github.jithset.services.KeycloakServices, java.lang.Object], qualifiers=[#Default, #Any], target=io.github.jithset.services.KeycloakServices]
at io.quarkus.arc.processor.BeanDeployment.processErrors(BeanDeployment.java:1081)
at io.quarkus.arc.processor.BeanDeployment.init(BeanDeployment.java:255)
at io.quarkus.arc.processor.BeanProcessor.initialize(BeanProcessor.java:129)
at io.quarkus.arc.deployment.ArcProcessor.validate(ArcProcessor.java:419)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.base/java.lang.reflect.Method.invoke(Method.java:566)
at io.quarkus.deployment.ExtensionLoader$2.execute(ExtensionLoader.java:920)
at io.quarkus.builder.BuildContext.run(BuildContext.java:277)
at org.jboss.threads.EnhancedQueueExecutor$Task.run(EnhancedQueueExecutor.java:2415)
at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1452)
at java.base/java.lang.Thread.run(Thread.java:829)
at org.jboss.threads.JBossThread.run(JBossThread.java:501)
Caused by: javax.enterprise.inject.UnsatisfiedResolutionException: Unsatisfied dependency for type org.keycloak.authorization.client.AuthzClient and qualifiers [#Default]
- java member: io.github.jithset.services.KeycloakServices#authzClient
- declared on CLASS bean [types=[io.github.jithset.services.KeycloakServices, java.lang.Object], qualifiers=[#Default, #Any], target=io.github.jithset.services.KeycloakServices]
at io.quarkus.arc.processor.Beans.resolveInjectionPoint(Beans.java:484)
at io.quarkus.arc.processor.BeanInfo.init(BeanInfo.java:378)
at io.quarkus.arc.processor.BeanDeployment.init(BeanDeployment.java:247)
If that is not possible how can i check if user has certain permission with access token.
Thanks
I do not agree with #loicmathieu and #Ladicek. If you want to manage protected resources you NEED to be able to inject the AuthzClient.
This a common usecase when you want to implement user managed authorization. A good example is in the keycloak quickstart repo : https://github.com/keycloak/keycloak-quickstarts/tree/latest/app-authz-uma-photoz.
There is an IT test where the AuthzClient is injected in the official quarkus repository : https://github.com/quarkusio/quarkus/blob/9b09229b86b775a9452d09fca42f18e32f81e924/integration-tests/keycloak-authorization/src/main/java/io/quarkus/it/keycloak/ProtectedResource.java
And the use of the AuthzClient is documented here : https://quarkus.io/guides/security-keycloak-authorization#injecting-the-authorization-client
After some experimentation I found that the AuthzClient bean will only exist when quarkus.keycloak.policy-enforcer.enable=true is added to the configuration.
The easiest way to check for permissions is to use the security annotations as explained in the USING OAUTH2 RBAC guide or injext the security context via #Context SecurityContext ctx.
If you want to have access to the token, assuming you're using the authorization code flow, you can inject the JWT token via #Inject JwtToken jwtToken, more details in the USING OPENID CONNECT TO PROTECT WEB APPLICATIONS USING AUTHORIZATION CODE FLOW guide.
If you"re using Keycloack, you can also inject a io.quarkus.security.identity.SecurityIdentity but as #Ladicek said you're not supposed to directly used internal Keycloack classes, see the USING OPENID CONNECT AND KEYCLOAK TO CENTRALIZE AUTHORIZATION guide.
I wrote my own custom token mapper to map all roles assigned per group to a user, to the access token as a single claim that is a mapping (object) from group name to roles-list.
However I can't seem to get it deployed. This is my custom mapper:
public class HierarchicalAttributesMapper extends AbstractOIDCProtocolMapper
implements OIDCAccessTokenMapper, OIDCIDTokenMapper, UserInfoTokenMapper {...}
It is based on the GroupMembershipMapper. I added the following file in the top-level of the compiled jar:
META-INF/services/org.keycloak.broker.provider.IdentityProviderMapper
With the FQN of my HierarchicalAttributesMapper. When running my docker container for keycloak, mounting to the /opt/jboss/standalone/deployments folder it gets recognized, but then throws this warning:
[org.jboss.modules] (ServerService Thread Pool -- 58) Failed to define class
technology.idlab.cot.keycloak.oidc.HierarchicalAttributesMapper in Module
"deployment.keycloak-oidc-hierarchical-attributes-mapper-1.0-SNAPSHOT.jar"
from Service Module Loader: java.lang.NoClassDefFoundError: Failed to link
technology/idlab/cot/keycloak/oidc/HierarchicalAttributesMapper (Module
"deployment.keycloak-oidc-hierarchical-attributes-mapper-1.0-SNAPSHOT.jar"
from Service Module Loader):
org/keycloak/protocol/oidc/mappers/OIDCAccessTokenMapper
(stack-trace omitted)
Does anyone have any idea how I can get this to work?
I have migrated my EJB application from jboss 5.0.1 to JBOSS EAP 7.
I want to pass user data from EJB client to my EJB.
I'm using this code to pass custom attribute to ejb server but it does not work anymore.
Client:
public class CustomData extends SimplePrincipal{
String userData1;
public CustomData(String userData1){
this.userData1 = userData1;
}
SecurityClient client = SecurityClientFactory.getSecurityClient();
client.setSimple(new CustomData("MyData"), credentials.getPass());
client.login();
Server:
#Resource
SessionContext ejbCtx;
Principal data= ejbCtx.getCallerPrincipal();
data.getName() --- anonymous
How to fix it on new JBOSS ?
1.Create the client side interceptor
This interceptor must implement the org.jboss.ejb.client.EJBClientInterceptor. The interceptor is expected to pass the additional security token through the context data map, which can be obtained via a call to EJBClientInvocationContext.getContextData().
2.Create and configure the server side container interceptor
Container interceptor classes are simple Plain Old Java Objects (POJOs). They use the #javax.annotation.AroundInvoke to mark the method that is invoked during the invocation on the bean.
a.Create the container interceptor
This interceptor retrieves the security authentication token from the context and passes it to the JAAS (Java Authentication and Authorization Service) domain for verification
b. Configure the container interceptor
3.Create the JAAS LoginModule
This custom module performs the authentication using the existing authenticated connection information plus any additional security token.
Add the Custom LoginModule to the Chain
You must add the new custom LoginModule to the correct location the chain so that it is invoked in the correct order. In this example, the SaslPlusLoginModule must be chained before the LoginModule that loads the roles with the password-stacking option set.
a.Configure the LoginModule Order using the Management CLI
The following is an example of Management CLI commands that chain the custom SaslPlusLoginModule before the RealmDirect LoginModule that sets the password-stacking option.
b. Configure the LoginModule Order Manually
The following is an example of XML that configures the LoginModule order in the security subsystem of the server configuration file. The custom SaslPlusLoginModule must precede the RealmDirect LoginModule so that it can verify the remote user before the user roles are loaded and the password-stacking option is set.
Create the Remote Client
In the following code example, assume the additional-secret.properties file accessed by the JAAS LoginModule
See the link:
https://access.redhat.com/documentation/en-US/JBoss_Enterprise_Application_Platform/6.2/html/Development_Guide/Pass_Additional_Security_For_EJB_Authentication.html
I have done with this way:
Client:
Properties properties = new Properties();
properties.put(Context.URL_PKG_PREFIXES, "org.jboss.ejb.client.naming");
properties.put("org.jboss.ejb.client.scoped.context", "true");
properties.put("remote.connection.default.username", "MyData");
Server:
public class MyContainerInterceptor{
#AroundInvoke
public Object intercept(InvocationContext ctx) throws Exception {
Connection connection = RemotingContext.getConnection();
if (connection != null) {
for (Principal p : connection.getPrincipals()) {
if (p instanceof UserPrincipal) {
if (p.getName() != null && !p.getName().startsWith("$"))
System.out.println(p.getName()); //MyData will be printed
}
}
}
return ctx.proceed();
}
}
Don't forget to configure container interceptor in jboss-ejb3.xml (not in ejb-jar.xml)
<?xml version="1.0" encoding="UTF-8"?>
<jee:assembly-descriptor>
<ci:container-interceptors>
<jee:interceptor-binding>
<ejb-name>*</ejb-name>
<interceptor-class>package...MyContainerInterceptor</interceptor-class>
</jee:interceptor-binding>
</ci:container-interceptors>
</jee:assembly-descriptor>
I have a problem similar to the one described here.
I am using RESTEasy within a standalone Jetty application. When I start the application locally and call a service (e.g. localhost:16880/rest/user/login) bean validation works fine, i.e. I get validation errors like this:
[PARAMETER]
[UserService#login(arg0).appKey]
[app_key may not be null or empty]
[]
However, when I deploy my application to a remote host and call the same service (e.g. remotehost:16880/rest/user/login) bean validation is not invoked at all.
I am using the #ValidateRequest annotation for the service and #Valid annotation for the bean parameter.
My Resteasy version is 3.0.13.Final, though I have tried earlier versions as well. I have tried to write my custom validator, but that didn't work either.
I am puzzled why the validation works locally, but not on remote server. Any suggestions would be highly appreciated.
Since you are using Jetty as standalone server, you have to define RESTEasy validation providers where you define ServletContextHandler. Note that in standalone server there is no container to scan for #Provider classes and to activate them, so you must do it manually.
I expect that you create and start your server app something like:
//create a server listening at some port
Server server= new Server(port);
//add server handlers
HandlerList handlers= new HandlerList();
initHandlers(handlers);
server.setHandler(handlers);
//start the server
server.start();
In initHandlers you must have defined your RESTEasy support:
public void initHandlers(List<HandlerList> handlers) {
//define root context handler
ServletContextHandler servletContextHandler= new ServletContextHandler(ServletContextHandler.SESSIONS);
servletContextHandler.setContextPath("/");
handlers.addHandler(servletContextHandler);
//define RESTEasy handler
ServletHolder restServlet= new ServletHolder(new HttpServlet30Dispatcher());
//since this is a standalone server, somewhere you have to define RESTful services and Singletons
restServlet.setInitParameter("javax.ws.rs.Application", "com.exampleapp.MyRestApplication");
restServlet.setInitParameter("resteasy.servlet.mapping.prefix", "rest");
servletContextHandler.addServlet(restServlet, "rest/*");
}
So what is left to do now is to add Validation provider as init parameter:
restServlet.setInitParameter("resteasy.providers", "org.jboss.resteasy.plugins.validation.ValidatorContextResolver,org.jboss.resteasy.api.validation.ResteasyViolationExceptionMapper");
On this link I tried to find the name of the validator providers: https://docs.jboss.org/resteasy/docs/3.0.4.Final/userguide/html/Validation.html
RESTEasy obtains a bean validation implemenation by looking in the available META-INF/services/javax.ws.rs.Providers files for an implementation of ContextResolver
So it does not say what, but says where. Now open the "resteasy-hibernatevalidator-provider-3...*.jar (from Eclipse -> Maven dependencies or manually unzip) and look into META-INF/services/javax.ws.rs.ext.Providers It says:
org.jboss.resteasy.plugins.validation.hibernate.ValidatorContextResolver
org.jboss.resteasy.api.validation.ResteasyViolationExceptionMapper
If you don't have this dependency, then add it to your pom file:
<dependency>
<groupId>org.jboss.resteasy</groupId>
<artifactId>resteasy-hibernatevalidator-provider</artifactId>
<version>${resteasy.version}</version>
</dependency>
One more note: that at the same place where you described validation providers, you also add other providers, if you happen to need them (such as JacksonJaxbJson, etc).
In order to create JCR nodes, We are trying to programmatically connect to a remote AEM instance using the JcrUtils.getRepository(...) method to acquire the handle to the repository instance.
This instance is secured and checks for a cookie in the request to let the user in.
Is there a way to pass the cookie to JcrUtils (or other methods of connecting to an AEM repository)?
Right now, when running the code JcrUtils.getRepository("http://host:port/crx/server"); it just throws the following exception:
javax.jcr.RepositoryException: Unable to access a repository with the following settings:
org.apache.jackrabbit.repository.uri: https://<host>:<port>/crx/server
The following RepositoryFactory classes were consulted:
org.apache.jackrabbit.jcr2dav.Jcr2davRepositoryFactory: declined
org.apache.jackrabbit.jcr2spi.Jcr2spiRepositoryFactory: declined
org.apache.jackrabbit.commons.JndiRepositoryFactory: declined
org.apache.jackrabbit.core.RepositoryFactoryImpl: declined
org.apache.jackrabbit.rmi.repository.RmiRepositoryFactory: failed
because of RemoteRuntimeException: java.rmi.RemoteException: Failed to read the resource at URL https://<host>:<port>/crx/server; nested exception is:
java.io.StreamCorruptedException: invalid stream header: 3C21444F
because of RemoteException: Failed to read the resource at URL https://<host>:<port>/crx/server; nested exception is:
java.io.StreamCorruptedException: invalid stream header: 3C21444F
because of StreamCorruptedException: invalid stream header: 3C21444F
Perhaps the repository you are trying to access is not available at the moment.
at org.apache.jackrabbit.commons.JcrUtils.getRepository(JcrUtils.java:223)
at org.apache.jackrabbit.commons.JcrUtils.getRepository(JcrUtils.java:263)
...
There is no way to pass cookie via JcrUtils.getRepository(...) it accepts URI as a string.
In your logs looks like org.apache.jackrabbit.jcr2dav.Jcr2davRepositoryFactory doesn't exist in application classpath.
Make sure you added to dependencies following libs
jackrabbit-jcr-commons
jackrabbit-jcr2dav
in case you are using Maven:
<dependency>
<groupId>org.apache.jackrabbit</groupId>
<artifactId>jackrabbit-jcr-commons</artifactId>
<version>2.10.1</version>
</dependency>
<dependency>
<groupId>org.apache.jackrabbit</groupId>
<artifactId>jackrabbit-jcr2dav</artifactId>
<version>2.10.1</version>
</dependency>
I am getting similar issue as #user3239244 but only in case of https.
I am trying to access repository from standalone java application
repository = JcrUtils.getRepository(url)
Works for http and fails for https
From logs:
javax.jcr.RepositoryException: Unable to access a repository with the
following settings:
org.apache.jackrabbit.repository.uri: https://localhost:5433/crx/server The following RepositoryFactory
classes were consulted:
org.apache.jackrabbit.jcr2dav.Jcr2davRepositoryFactory: declined
org.apache.jackrabbit.jcr2spi.Jcr2spiRepositoryFactory: declined
org.apache.jackrabbit.commons.JndiRepositoryFactory: declined
org.apache.jackrabbit.core.RepositoryFactoryImpl: declined
org.apache.jackrabbit.rmi.repository.RmiRepositoryFactory: failed
because of RepositoryException: Failed to read the resource at URL https://localhost:5433/crx/server
because of SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to
find valid certification path to requested target
because of ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to
find valid certification path to requested target
because of SunCertPathBuilderException: unable to find valid certification path to requested target