Knox SSO integration with Keycloak error - Required Subject Missing - security

I am working on integrating Knox with Keycloak via OIDC, for SSO and security functionality in a Hadoop cluster.
I have configured everything, and now, while accessing the Knox URL, it redirects to the Keycloak URL. After authenticating the user successfully in Keycloak, it redirects back to the Knox URL (which is configured).
But once it redirects, I get the error below:
2020-11-11 08:13:48,098 ERROR knox.gateway (CommonIdentityAssertionFilter.java:doFilter(79)) - Required subject/identity not available. Check authentication/federation provider for proper configuration.
2020-11-11 08:13:48,100 ERROR knox.gateway (AbstractGatewayFilter.java:doFilter(63)) - Failed to execute filter: java.lang.IllegalStateException: Required Subject Missing
2020-11-11 08:13:48,100 ERROR knox.gateway (GatewayFilter.java:doFilter(169)) - Gateway processing failed: javax.servlet.ServletException: java.lang.IllegalStateException: Required Subject Missing
javax.servlet.ServletException: java.lang.IllegalStateException: Required Subject Missing
at org.apache.knox.gateway.filter.AbstractGatewayFilter.doFilter(AbstractGatewayFilter.java:64)
at org.apache.knox.gateway.GatewayFilter$Holder.doFilter(GatewayFilter.java:349)
at org.apache.knox.gateway.GatewayFilter$Chain.doFilter(GatewayFilter.java:263)
at org.apache.knox.gateway.GatewayFilter.doFilter(GatewayFilter.java:167)
at org.apache.knox.gateway.GatewayServlet.doFilter(GatewayServlet.java:158)
..........
Caused by: java.lang.IllegalStateException: Required Subject Missing
at org.apache.knox.gateway.identityasserter.common.filter.CommonIdentityAssertionFilter.doFilter(CommonIdentityAssertionFilter.java:80)
at org.apache.knox.gateway.GatewayFilter$Holder.doFilter(GatewayFilter.java:349)
at org.apache.knox.gateway.GatewayFilter$Chain.doFilter(GatewayFilter.java:263)
at org.apache.knox.gateway.filter.XForwardedHeaderFilter.doFilter(XForwardedHeaderFilter.java:50)
at org.apache.knox.gateway.filter.AbstractGatewayFilter.doFilter(AbstractGatewayFilter.java:58)
... 48 more
Any suggestions would be very helpful.
Thanks
Jithesh

Related

wildfly 25 JSF Security

I'm fully aware that WildFly 25 has dropped legacy security realms.
So I tried to move from WildFly 20.0.1 to WildFly 25.0.1.
According to the ee-security quickstart, I did:
/subsystem=elytron/policy=jacc:add(jacc-policy={})
I also had to remove the following value from my jboss-web.xml:
<security-domain>jaspitest</security-domain>
Otherwise I get:
{
"WFLYCTL0412: Required services that are not installed:" => ["jboss.security.security-domain.jaspitest"],
"WFLYCTL0180: Services with missing/unavailable dependencies" => [
"jboss.deployment.unit.\"unite_compte.war\".component.SocieteGestionSIXDAOImpl.CREATE is missing [jboss.security.security-domain.jaspitest]",
I also have my own IdentityStore.
When I try to access the site, the login page appears as expected. When I submit the credentials, my IdentityStore is called and the validate(Credential) method returns a valid CredentialValidationResult.
Unfortunately, I get an exception:
17:05:14,710 WARNING [javax.enterprise.resource.webcontainer.jsf.lifecycle] (default task-3) #{loginView.submit}: java.lang.IllegalStateException: java.io.IOException: java.io.IOException: ELY01177: Authorization failed.: javax.faces.FacesException: #{loginView.submit}: java.lang.IllegalStateException: java.io.IOException: java.io.IOException: ELY01177: Authorization failed.
Caused by: java.io.IOException: ELY01177: Authorization failed.
at org.wildfly.security.jakarta.authentication#1.17.1.Final//org.wildfly.security.auth.jaspi.impl.JaspiAuthenticationContext$1.handleOne(JaspiAuthenticationContext.java:188)
at org.wildfly.security.jakarta.authentication#1.17.1.Final//org.wildfly.security.auth.jaspi.impl.JaspiAuthenticationContext$1.lambda$handle$0(JaspiAuthenticationContext.java:100)
at org.wildfly.security.jakarta.authentication#1.17.1.Final//org.wildfly.security.auth.jaspi.impl.SecurityActions.doPrivileged(SecurityActions.java:39)
at org.wildfly.security.jakarta.authentication#1.17.1.Final//org.wildfly.security.auth.jaspi.impl.JaspiAuthenticationContext$1.handle(JaspiAuthenticationContext.java:99)
What shall I do to make it work?
As the quickstart says, you have to update the WildFly configuration as well. Specifically, you have to run the configure-elytron.cli script of the quickstart.
More info: https://github.com/wildfly/quickstart/tree/main/ee-security#configure-the-server

Liberty login error in trace log for wim model message - ClassCastException Entity and LoginAccount

I have configured WebSphere Liberty to use LDAP to authenticate users. I have enabled the security trace:
com.ibm.ws.security.=all:com.ibm.ws.webcontainer.security.=all:com.ibm.oauth.=all:com.ibm.wsspi.security.oauth20.=all:com.ibm.ws.transport.http.=all:org.apache.http.client.=all
I have the following features enabled in WebSphere Liberty v17.0.0.3:
webProfile-7.0, javaMail-1.5, ldapRegistry-3.0 and localConnector-1.0.
However, secure content is failing with the error HTTP 401 (Unauthenticated).
In the trace file, I can see that LDAP is able to return the logged-in user's data. But WebSphere Liberty is failing with the error:
com.ibm.wsspi.security.wim.model.Entity incompatible with com.ibm.wsspi.security.wim.model.LoginAccount
java.lang.ClassCastException: com.ibm.wsspi.security.wim.model.Entity incompatible with com.ibm.wsspi.security.wim.model.LoginAccount
at com.ibm.ws.security.wim.registry.util.SecurityNameBridge.getUserSecurityName(SecurityNameBridge.java:203)
at com.ibm.ws.security.wim.registry.WIMUserRegistry.getUserSecurityName(WIMUserRegistry.java:316)
at com.ibm.ws.security.authentication.internal.jaas.modules.ServerCommonLoginModule.getSecurityName(ServerCommonLoginModule.java:104)
Please help me determine whether this error is due to a configuration problem.
The problem was resolved after correcting the configuration of the registry used. I was using an LDAP registry and had set the LDAP server type to Tivoli. This caused the Subject class returned from LDAP not to match the class Liberty expected. Once I changed the LDAP server type to Custom, this error got resolved. Below is the ldapRegistry tag I used in server.xml:
<ldapRegistry baseDN="ou=xxxxxxxx,o=xxxxxx" host="xxxxxxxxxxxxxxx" id="xxxxxxxxxxx" ldapType="Custom" port="636" realm="xx" recursiveSearch="true" sslEnabled="true" sslRef="sslrepo1">
    <!-- the ampersand of the LDAP AND filter must be XML-escaped inside an attribute value -->
    <customFilters userFilter="(&amp;(mail=%v)(objectclass=ePerson))" userIdMap="*:mail"/>
</ldapRegistry>

datastax authorizer exception

I'm getting an exception while trying to grant permissions for a created role.
Command:
GRANT ALL PERMISSIONS on KEYSPACE test_ks to ks_admin;
Error:
ServerError: java.lang.UnsupportedOperationException: GRANT operation is not supported by the DseAuthorizer if it is not enabled
Actions Performed:
I have updated the cassandra.yaml file to change the authorizer from the default to "com.datastax.bdp.cassandra.auth.CassandraAuthorizer", but got an exception when I restarted the dse service.
Exception from system log:
An exception was caught and reported. Message: Unable to find authorizer class 'com.datastax.bdp.cassandra.auth.CassandraAuthorizer'
at com.datastax.bdp.DseModule.configure(Unknown Source)
Could someone please let me know what I'm missing here?
Try using the CassandraAuthorizer class from org.apache instead:
authorizer: org.apache.cassandra.auth.CassandraAuthorizer

org.apache.axis2.AxisFault: Transport error: 411 Error: Length Required (CloudConnect Salesforce sample ETL SOQL validation error)

SOQL validation threw a validation error in the CloudConnect Salesforce sample ETL:
org.apache.axis2.AxisFault: Transport error: 411 Error: Length Required
The Salesforce organization that the data is retrieved from uses a custom domain.
I would like to know what caused the above error and how to resolve it.
This is a known issue (bug) in CloudConnect. We are working hard to fix it.

WebSphere Commerce JAX-WS AxisFault

I am getting this exception in WebSphere Commerce. No idea why. This may or may not be related to Commerce. I could not find much info on the internet for this exception. Any insight/help would be much appreciated.
[8/31/11 9:40:39:545 EDT] 00000025 CommerceSrvr E com.ibm.commerce.command.ECCommandTarget executeCommand CMN0420E: The following command exception has occurred during processing: "
javax.xml.ws.WebServiceException: org.apache.axis2.AxisFault: Out request Policy Set for SSL is set to true for protocol: http
javax.xml.ws.WebServiceException: org.apache.axis2.AxisFault: Out request Policy Set for SSL is set to true for protocol: http
at org.apache.axis2.jaxws.ExceptionFactory.createWebServiceException(ExceptionFactory.java:175)
at org.apache.axis2.jaxws.ExceptionFactory.makeWebServiceException(ExceptionFactory.java:70)
at org.apache.axis2.jaxws.ExceptionFactory.makeWebServiceException(ExceptionFactory.java:128)
at org.apache.axis2.jaxws.core.controller.impl.AxisInvocationController.execute(AxisInvocationController.java:572)
...
Caused by: org.apache.axis2.AxisFault: Out request Policy Set for SSL is set to true for protocol: http
at com.ibm.ws.websvcs.transport.http.SOAPOverHTTPSender.setupTransportClientProperties(SOAPOverHTTPSender.java:1916)
at com.ibm.ws.websvcs.transport.http.SOAPOverHTTPSender.<init>(SOAPOverHTTPSender.java:404)
at com.ibm.ws.websvcs.transport.http.HTTPTransportSender.invoke(HTTPTransportSender.java:350)
at org.apache.axis2.engine.AxisEngine.send(AxisEngine.java:531)
at org.apache.axis2.description.OutInAxisOperationClient.send(OutInAxisOperation.java:401)
at org.apache.axis2.description.OutInAxisOperationClient.executeImpl(OutInAxisOperation.java:228)
at org.apache.axis2.client.OperationClient.execute(OperationClient.java:163)
at org.apache.axis2.jaxws.core.controller.impl.AxisInvocationController.execute(AxisInvocationController.java:567)
We have a set of JAX-WS services. One of them needs WS-Security enabled; the others are just plain HTTP calls.
WS-Security was enabled using policy sets and client bindings in RAD. This was applied to in the environment configuration, hence the exception.
Solution: Detach the policy set and client bindings from and attach it to the specific service that needs it.
