wildfly 25 JSF Security - security

I'm fully aware that wildfly 25 has dropped legacy security realms.
So I tried to move from wildfly 20.0.1 to wildfly 25.0.1.
According to the quickstart ee-security, I did
/subsystem=elytron/policy=jacc:add(jacc-policy={})
I also had to remove the following value from my jboss-web.xml:
<security-domain>jaspitest</security-domain>
Otherwise I do get :
{
"WFLYCTL0412: Required services that are not installed:" => ["jboss.security.security-domain.jaspitest"],
"WFLYCTL0180: Services with missing/unavailable dependencies" => [
"jboss.deployment.unit.\"unite_compte.war\".component.SocieteGestionSIXDAOImpl.CREATE is missing [jboss.security.security-domain.jaspitest]",
I also have my own IdentityStore.
When I try to access the site, the login page appears as expected. When I submit the credentials my IdentityStore is called and the validate(Credential) method returns a valid CredentialValidationResult.
Unfortunately, I do get an Exception :
17:05:14,710 WARNING [javax.enterprise.resource.webcontainer.jsf.lifecycle] (default task-3) #{loginView.submit}: java.lang.IllegalStateException: java.io.IOException: java.io.IOException: ELY01177: Authorization failed.: javax.faces.FacesException: #{loginView.submit}: java.lang.IllegalStateException: java.io.IOException: java.io.IOException: ELY01177: Authorization failed.
Caused by: java.io.IOException: ELY01177: Authorization failed.
at org.wildfly.security.jakarta.authentication#1.17.1.Final//org.wildfly.security.auth.jaspi.impl.JaspiAuthenticationContext$1.handleOne(JaspiAuthenticationContext.java:188)
at org.wildfly.security.jakarta.authentication#1.17.1.Final//org.wildfly.security.auth.jaspi.impl.JaspiAuthenticationContext$1.lambda$handle$0(JaspiAuthenticationContext.java:100)
at org.wildfly.security.jakarta.authentication#1.17.1.Final//org.wildfly.security.auth.jaspi.impl.SecurityActions.doPrivileged(SecurityActions.java:39)
at org.wildfly.security.jakarta.authentication#1.17.1.Final//org.wildfly.security.auth.jaspi.impl.JaspiAuthenticationContext$1.handle(JaspiAuthenticationContext.java:99)
What shall I do to make it work ?

As the quickstart says, you have to update the WildFly configuration as well. Specifically, you have to run the configure-elytron.cli script of the quickstart.
More info: https://github.com/wildfly/quickstart/tree/main/ee-security#configure-the-server

Related

Unable to start guidewire CC server from tomcat

We have been trying to start the claimcenter server from tomcat. The server is getting started even though it throws exception with the message "ClaimCenter unable to start" in the logs. Please find the log details below.
gw.pl.exception.GWLifecycleException: An exception was thrown while starting a component. Setting runlevel to NODAEMONS
Caused by: gw.pl.exception.GWLifecycleException:Messaging plugin does not implement MessageTransport interface error
Possible causes -
The xyzMessageTransport class failed to instantiate due to invalid parameters.
A class which is not an implementation of the MessageTransport interface is configured under the MessageTransport plugin. Check messaging-config.xml.
Also - specify plugin name or attach whole log if possible.

Knox SSO integration with Keycloak error - Required Subject Missing

I am working on integrating Knox with Keycloak with OIDC, for the SSO and security functionalities in Hadoop Cluster.
I have configured everything, and now while accessing the Knox URL, it is redirecting to the Keycloak URL. After authenticating the user successfully in Keycloak, it redirects it to the Knox URL (which is configured).
But once it is redirecting, I am getting the below error:
2020-11-11 08:13:48,098 ERROR knox.gateway (CommonIdentityAssertionFilter.java:doFilter(79)) - Required subject/identity not available. Check authentication/federation provider for proper configuration.
2020-11-11 08:13:48,100 ERROR knox.gateway (AbstractGatewayFilter.java:doFilter(63)) - Failed to execute filter: java.lang.IllegalStateException: Required Subject Missing
2020-11-11 08:13:48,100 ERROR knox.gateway (GatewayFilter.java:doFilter(169)) - Gateway processing failed: javax.servlet.ServletException: java.lang.IllegalStateException: Required Subject Missing
javax.servlet.ServletException: java.lang.IllegalStateException: Required Subject Missing
at org.apache.knox.gateway.filter.AbstractGatewayFilter.doFilter(AbstractGatewayFilter.java:64)
at org.apache.knox.gateway.GatewayFilter$Holder.doFilter(GatewayFilter.java:349)
at org.apache.knox.gateway.GatewayFilter$Chain.doFilter(GatewayFilter.java:263)
at org.apache.knox.gateway.GatewayFilter.doFilter(GatewayFilter.java:167)
at org.apache.knox.gateway.GatewayServlet.doFilter(GatewayServlet.java:158)
..........
Caused by: java.lang.IllegalStateException: Required Subject Missing
at org.apache.knox.gateway.identityasserter.common.filter.CommonIdentityAssertionFilter.doFilter(CommonIdentityAssertionFilter.java:80)
at org.apache.knox.gateway.GatewayFilter$Holder.doFilter(GatewayFilter.java:349)
at org.apache.knox.gateway.GatewayFilter$Chain.doFilter(GatewayFilter.java:263)
at org.apache.knox.gateway.filter.XForwardedHeaderFilter.doFilter(XForwardedHeaderFilter.java:50)
at org.apache.knox.gateway.filter.AbstractGatewayFilter.doFilter(AbstractGatewayFilter.java:58)
... 48 more
Any suggestions will be very much helpful.
Thanks
Jithesh

Fail to start application locally after enabling Spring Security

I am trying to enable spring security to protect my backend services in SDK archetype project based on Spring according to the tutorial https://blogs.sap.com/2017/07/18/step-7-with-sap-s4hana-cloud-sdk-secure-your-application-on-sap-cloud-platform-cloudfoundry/.
After I start the application locally, an error message shows up - "Environment variable VCAP_SERVICES not set". Below is the stack trace of this error.
org.springframework.beans.factory.UnsatisfiedDependencyException: Error creating bean with name 'org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfiguration': Unsatisfied dependency expressed through field 'tokenServices'; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'resourceServerTokenServices' defined in class path resource [com/bosch/SecurityConfig.class]: Bean instantiation via factory method failed; nested exception is org.springframework.beans.BeanInstantiationException: Failed to instantiate [org.springframework.security.oauth2.provider.token.ResourceServerTokenServices]: Factory method 'resourceServerTokenServices' threw exception; nested exception is java.lang.IllegalStateException: Environment variable VCAP_SERVICES not set
at org.springframework.beans.factory.annotation.AutowiredAnnotationBeanPostProcessor$AutowiredFieldElement.inject(AutowiredAnnotationBeanPostProcessor.java:596)
at org.springframework.beans.factory.annotation.InjectionMetadata.inject(InjectionMetadata.java:90)
at org.springframework.beans.factory.annotation.AutowiredAnnotationBeanPostProcessor.postProcessProperties(AutowiredAnnotationBeanPostProcessor.java:374)
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.populateBean(AbstractAutowireCapableBeanFactory.java:1378)
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:575)
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:498)
at org.springframework.beans.factory.support.AbstractBeanFactory.lambda$doGetBean$0(AbstractBeanFactory.java:320)
at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:222)
at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:318)
at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:199)
at org.springframework.beans.factory.support.DefaultListableBeanFactory.preInstantiateSingletons(DefaultListableBeanFactory.java:846)
at org.springframework.context.support.AbstractApplicationContext.finishBeanFactoryInitialization(AbstractApplicationContext.java:863)
at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:546)
at org.springframework.boot.web.servlet.context.ServletWebServerApplicationContext.refresh(ServletWebServerApplicationContext.java:142)
at org.springframework.boot.SpringApplication.refresh(SpringApplication.java:775)
at org.springframework.boot.SpringApplication.refreshContext(SpringApplication.java:397)
at org.springframework.boot.SpringApplication.run(SpringApplication.java:316)
at org.springframework.boot.SpringApplication.run(SpringApplication.java:1260)
at org.springframework.boot.SpringApplication.run(SpringApplication.java:1248)
at com.bosch.Application.main(Application.java:23)
Caused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'resourceServerTokenServices' defined in class path resource [com/bosch/SecurityConfig.class]: Bean instantiation via factory method failed; nested exception is org.springframework.beans.BeanInstantiationException: Failed to instantiate [org.springframework.security.oauth2.provider.token.ResourceServerTokenServices]: Factory method 'resourceServerTokenServices' threw exception; nested exception is java.lang.IllegalStateException: Environment variable VCAP_SERVICES not set
at org.springframework.beans.factory.support.ConstructorResolver.instantiate(ConstructorResolver.java:625)
at org.springframework.beans.factory.support.ConstructorResolver.instantiateUsingFactoryMethod(ConstructorResolver.java:455)
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.instantiateUsingFactoryMethod(AbstractAutowireCapableBeanFactory.java:1288)
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBeanInstance(AbstractAutowireCapableBeanFactory.java:1127)
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:538)
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:498)
at org.springframework.beans.factory.support.AbstractBeanFactory.lambda$doGetBean$0(AbstractBeanFactory.java:320)
at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:222)
at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:318)
at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:199)
at org.springframework.beans.factory.config.DependencyDescriptor.resolveCandidate(DependencyDescriptor.java:273)
at org.springframework.beans.factory.support.DefaultListableBeanFactory.addCandidateEntry(DefaultListableBeanFactory.java:1455)
at org.springframework.beans.factory.support.DefaultListableBeanFactory.findAutowireCandidates(DefaultListableBeanFactory.java:1419)
at org.springframework.beans.factory.support.DefaultListableBeanFactory.resolveMultipleBeans(DefaultListableBeanFactory.java:1338)
at org.springframework.beans.factory.support.DefaultListableBeanFactory.doResolveDependency(DefaultListableBeanFactory.java:1197)
at org.springframework.beans.factory.support.DefaultListableBeanFactory.resolveDependency(DefaultListableBeanFactory.java:1166)
at org.springframework.beans.factory.annotation.AutowiredAnnotationBeanPostProcessor$AutowiredFieldElement.inject(AutowiredAnnotationBeanPostProcessor.java:593)
... 19 common frames omitted
Caused by: org.springframework.beans.BeanInstantiationException: Failed to instantiate [org.springframework.security.oauth2.provider.token.ResourceServerTokenServices]: Factory method 'resourceServerTokenServices' threw exception; nested exception is java.lang.IllegalStateException: Environment variable VCAP_SERVICES not set
at org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiate(SimpleInstantiationStrategy.java:185)
at org.springframework.beans.factory.support.ConstructorResolver.instantiate(ConstructorResolver.java:620)
... 35 common frames omitted
Caused by: java.lang.IllegalStateException: Environment variable VCAP_SERVICES not set
at com.sap.xs2.security.commons.SAPVcapServicesParser.parseVcapServices(SAPVcapServicesParser.java:42)
at com.sap.xs2.security.commons.SAPVcapServicesParser.<init>(SAPVcapServicesParser.java:30)
at com.sap.xs2.security.commons.SAPPropertyPlaceholderConfigurer.<init>(SAPPropertyPlaceholderConfigurer.java:35)
at com.sap.xs2.security.commons.SAPOfflineTokenServicesCloud.<init>(SAPOfflineTokenServicesCloud.java:27)
at com.bosch.SecurityConfig.resourceServerTokenServices(SecurityConfig.java:47)
at com.bosch.SecurityConfig$$EnhancerBySpringCGLIB$$5e72219b.CGLIB$resourceServerTokenServices$1(<generated>)
at com.bosch.SecurityConfig$$EnhancerBySpringCGLIB$$5e72219b$$FastClassBySpringCGLIB$$948b0fba.invoke(<generated>)
at org.springframework.cglib.proxy.MethodProxy.invokeSuper(MethodProxy.java:244)
at org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.intercept(ConfigurationClassEnhancer.java:363)
at com.bosch.SecurityConfig$$EnhancerBySpringCGLIB$$5e72219b.resourceServerTokenServices(<generated>)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiate(SimpleInstantiationStrategy.java:154)
... 36 common frames omitted
The steps to reproduce the issue:
Create a fresh sdk archetype project based on Spring
Uncomment out all the code in SecurityConfig.java
Import all the security libraries
Start the application locally
The application is running well on SCP Cloud Foundry.
I know the root cause is the application is going to read Environment variable VCAP_SERVICES when initializing bean in SecurityConfig.java. But it cannot find it in local environment.
Is there any workaround if I want to run application locally?
Update:
I just found out that we had a comparable question with a helpful answer before: How to run downloaded App Router via Service Marketplace
As the security features heavily rely on the bound XSUAA service, as well as the fact that you need to access your application via an AppRouter, there is no easy/recommended way to start a secured application locally.
One option we've used extensively is to use a script locally which sets the VCAP_SERVICES environment variable similar to Cloud Foundry (cf env ). I assume this will satisfy the SAPOfflineTokenServicesCloud bean creation.
With that you can start the application locally, but NOT test your web application when the application is secured. Because in this case you need to call the endpoints of your web application with an Authorization header, which needs to contain a "valid" access token. A token is considered to be valid if it is not expired and if it is signed with a private RSA key, which matches the public RSA key, which is provided by the jwks token endpoint of the uaa as documented here: https://docs.cloudfoundry.org/api/uaa/version/74.4.0/index.html#token-keys
You have these options:
- For integration testing, you can fetch a fresh access token for your (test) user from the xsuaa service using this endpoint: https://docs.cloudfoundry.org/api/uaa/version/74.4.0/index.html#password-grant. You can also use the java token-client lib.
- For local testing (w/o Xsuaa interaction):
  - you need to generate a Jwt token using for example this JwtGenerator and
  - change as part of your VCAP_SERVICES environment your verificationkey, which matches the private key the token is signed with (e.g. the JwtGenerator's public key), e.g. "verificationkey":"-----BEGIN PUBLIC KEY-----MIIBIjANBgkqhkiG9w0BA...".
- For unit testing:
  - you need to generate a Jwt token using for example this JwtGenerator and
  - you need to overwrite your SAPOfflineTokenServicesCloud as done here
This should work (I've never tested that setup in combination with SAP Cloud SDK).
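The local script this answer describes, as an added example (not part of the original answer and not SAP's code): it builds a VCAP_SERVICES value whose verificationkey is the public key that local test tokens are checked against, and refuses a private key. The function names, file names and every credential field other than verificationkey are assumptions filled with placeholder values.

```shell
#!/bin/sh
# Added example: build a local VCAP_SERVICES value for an xsuaa binding.
# Every name and value below is a constructed placeholder, not a real credential.

# Accept only a PEM *public* key. The matching private key signs the test
# tokens and must never be copied into the environment.
is_public_key_pem() {
    [ -r "$1" ] || return 1
    if grep -q 'PRIVATE KEY' "$1"; then return 1; fi
    head -n 1 "$1" | grep -q -- '^-----BEGIN PUBLIC KEY-----'
}

# Flatten the PEM to the single-line form used for "verificationkey".
flatten_pem() {
    tr -d '\r\n' < "$1"
}

# make_vcap_services PEM_FILE [XSAPPNAME]
# Prints the JSON on stdout. Field names other than "verificationkey" are
# assumed; compare them with the binding your deployed app really has.
make_vcap_services() {
    pem_file=$1
    xsappname=${2:-local-test-app}
    if ! is_public_key_pem "$pem_file"; then
        echo "refusing $pem_file: not a PEM public key" >&2
        return 1
    fi
    key=$(flatten_pem "$pem_file")
    printf '{"xsuaa":[{"name":"local-xsuaa","label":"xsuaa","tags":["xsuaa"],'
    printf '"credentials":{"clientid":"sb-%s","clientsecret":"placeholder",' "$xsappname"
    printf '"url":"http://localhost:8080/uaa","identityzone":"local",'
    printf '"xsappname":"%s","verificationkey":"%s"}}]}\n' "$xsappname" "$key"
}

# Usage, before starting the application from the same shell:
#   export VCAP_SERVICES="$(make_vcap_services ./jwt_public.pem my-app)"
```

Keep the generated value and the test key pair out of any deployed environment: whoever holds the matching private key can mint tokens that an application configured with this verificationkey will accept.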

datastax authorizer exception

I'm getting an exception while trying to grant permissions for a created role.
Command:
GRANT ALL PERMISSIONS on KEYSPACE test_ks to ks_admin;
Error:
ServerError: java.lang.UnsupportedOperationException: GRANT operation is not supported by the DseAuthorizer if it is not enabled
Actions Performed:
I have updated the cassandra.yaml file to change the authorizer from default to "com.datastax.bdp.cassandra.auth.CassandraAuthorizer" but got an exception when I restarted the dse service.
Exception from system log:
An exception was caught and reported. Message: Unable to find authorizer class 'com.datastax.bdp.cassandra.auth.CassandraAuthorizer'
at com.datastax.bdp.DseModule.configure(Unknown Source)
Could someone please let me know what I'm missing here.
Try using the CassandraAuthorizer class from org.apache instead:
authorizer: org.apache.cassandra.auth.CassandraAuthorizer

hybris Cache is not alive error

I am using hybris version 5.5.1. I have done modulegen and done all the configuration in localextention.xml. Now when I started the hybris server (. ./hybrisserver.sh), I am getting the below error.
ERROR [localhost-startStop-1] [DeploymentMigrationUtil] Error while migrating deployments of extension core
java.lang.IllegalStateException: The queryCacheRegion Cache is not alive (STATUS_SHUTDOWN)
at net.sf.ehcache.Cache$CacheStatus.checkAlive(Cache.java:4075)
at net.sf.ehcache.Cache.checkStatus(Cache.java:2766)
Have a look at the snippet below, this is taken from the stacktrace that you shared.
Caused by: org.springframework.beans.factory.CannotLoadBeanClassException: Cannot find class [my.bookstore.cockpits.setup.CockpitSystemSetup] for bean with name 'yAcceleratorCockpitsSystemSetup' defined in org.springframework.integration.security.config.SecurityIntegrationConfigurationInitializer#4091564b; nested exception is java.lang.ClassNotFoundException: my.bookstore.cockpits.setup.CockpitSystemSetup
at org.springframework.integration.security.config.SecurityIntegrationConfigurationInitializer.initialize(SecurityIntegrationConfigurationInitializer.java:63)
at org.springframework.integration.config.IntegrationConfigurationBeanFactoryPostProcessor.postProcessBeanFactory(IntegrationConfigurationBeanFactoryPostProcessor.java:48)
... 29 more
Caused by: java.lang.ClassNotFoundException: my.bookstore.cockpits.setup.CockpitSystemSetup
Now, please check for this bean initialization in your spring context, due to java.lang.ClassNotFoundException: my.bookstore.cockpits.setup.CockpitSystemSetup
Look for the bean initialization where the bean injection of this class is declared, and make sure that the qualified name of the class is correct.
Let me know if the issue still persists.
