Problem :
When using Spring Oauth2 resource server, it checks the received token, to do so it must retrieve token validaty or get certificates to validate token. These two calls are usually made in HTTPS for obvious security reason.
When the certificate is not known by the Spring Oauth2 resource server JVM, it fails as SSL handshake can not complete. It fails. Without a single message :)
Solution :
Put the following log level on :
org.springframework.security.oauth2.server.resource.web.BearerTokenAuthenticationFilter: DEBUG
I see that the exception is propagate to authenticationFailureHandler I see that it should be handle by authenticationFailureHandler
but somewhere in the chain, it's not traced… Could search deeper next time.
It will activate this log :
try {
AuthenticationManager authenticationManager = this.authenticationManagerResolver.resolve(request);
Authentication authenticationResult = authenticationManager.authenticate(authenticationRequest);
...
} catch (AuthenticationException var11) {
SecurityContextHolder.clearContext();
if (debug) {// 134
this.logger.debug("Authentication request for failed!", var11);
}
this.authenticationFailureHandler.onAuthenticationFailure(request, response, var11);
}
Problem :
I use Keycloak 19.0.1 behind a proxy (nginx) and wasn't able to connect to the admin part of keycloak.
With a reverse proxy nginx and keycloak, login in admin console lead to be blocked on :
/realms/master/protocol/openid-connect/login-status-iframe.html/init?client_id=security-admin-console ....
With a 204
return code and no other errors.
Solution :
I had to explore keycloak source code to find the cause ; This test failed in keycloak.js : if ((event.origin !== loginIframe.iframeOrigin)
in keycloak.js
After a (lot of) time of search, it appears that it compares : https://mydomain/keycloak
and https://mydomain:443/keycloak
because I'd setup hostname-port
to 443
in keycloak.config.
My keycloak configuration :
hostname=mydomain
proxy=reencrypt
hostname-strict=false
hostname-port=443
hostname-path=keycloak
http-relative-path=keycloak
hostname-admin-url=https://mydomain/keycloak
So keycloak build his URL as follow : https://mydomain:443/
And the browser send : https://mydomain/
as 443 is a default port and not displayed in the URL.
By removing the port, it works perfectly :
#hostname-port=443
I open a discussion to improve documentation here
Problem :
I tried to connect Broadcom Introscope 10.7 and SAML given by Keycloak.
Based on these documents :
Well not enough to make it works.
Solution :
Thanks to remote debug mode, the key is that the callback URL is :
https://<webview url>/saml.jsp
Search for saml.jsp + introscope on google. Good luck.
Here are the steps (assuming that you already have a keycloak realm up and ready) :
Step 1 : IntroscopeEnteprise.properties
introscope.saml.enable=true
introscope.saml.request.binding=POST
introscope.saml.idpUrl=<URL_KEYCLOAK>/realms/<your realm>/protocol/saml
introscope.saml.issuer=com.ca.apm.webview.serviceprovider
introscope.saml.webstart.issuer=com.ca.apm.webstart.serviceprovider
introscope.saml.em.issuer=com.ca.apm.em.serviceprovider
introscope.saml.principalAttributeName=principalName
introscope.saml.groupsAttributeName=groups
introscope.saml.webstart.tokenTimeoutInSeconds=60
introscope.saml.internalIdp.enable=false
# introscope.saml.internalIdpUrl=http://localhost:8080/idp/profile/SAML2/POST/SSO
Step 2 : Keycloak configuration
- Create a client named as
introscope.saml.issuer
so in our case : com.ca.apm.webstart.serviceprovider
- Enter the callback URL in
Master SAML Processing URL
: https://<webview url>/saml.jsp
Step 3 : Certificates
You should secure you communication between Introscope and Keycloak :
- Provide HTTPS for Keycloak
- Provide HTTPS for Introscope
- Sign information in Keycloak client
- Import Keycloak key in a JKS truststore for Java (Webview part). Keycloak client certificate are in the client definition, tab “Keys”.
- Follow Official guide to create the JKS
- Point to this truststore (example : spprivatekey.jks) - next steps.
Step 4 : IntroscopeWebview.properties:
apm.webview.saml.sp.truststore=/path/to/spprivatekey.jks
Problem :
Launching a JVM with Introscope agent on a old JVM 1.7 result in :
A problem occurred while attempting to create the delegate agent
[IntroscopeAgent] Agent Unavailable
Well, as the agent is heavily customized, removing customization was the first step. It starts.
OK, a few lambda removing alter, I recompiled everything with Java 1.7 target.. And still the same message.
Solution :
After a hours ...
Step 1 :
- Decompile
- com.wily.introscope.agent.AgentShim
- Add more logs, it confirms this is a class loading problem with major/minor version. I finally get the class name
Step 2 :
- After checking X times my maven settings, I finally used : *
- javap -v | grep version
- to check if it was ok or not.
- and surprisingly, the generated class was OK !
- but I used also assembly plugin
Step 3 :
- The cause was that I recompile some classes of an old jar and rebuild it
- I tracked the faulty classes version in the different repositories The root cause was that I installed in a local repository the old jar without the modified classes with the command :
plaintext mvn install:install-file -DcreateChecksum=true -Dfile=./agent/wily/Agent.jar -DgroupId=com.ca.agent -DartifactId=javaagent -Dversion=10.0.7SP3 -Dpackaging=jar -DlocalRepositoryPath=local-maven-repo
which install it also after build in the global repository...
And assembly plugin use in priority the global repository.
Well I didn't take time to understand why maven do not use only my local repository for this jar.
I just add : rm -rf ~/.m2/repository/com/ca/agent/sqlagent in the beginning of my install script !
Well a few hours lost again here...
Problème :
J'utilise React pour développer une application frontend et j'utilise les méthodes de base Javascsript pour gérer les événements venant du serveur ou en interne Front.
J'ai trouvé sur internet quelques fonctions utiles pour gérer les événements (je n'ai pas retrouvé où !) :
- on : abonnement
- off : désabonnement
- trigger : déclencher un évenement
Pour mon usage, j'ai customisé ces fonctions en ajoutant une callback en paramètre. Résultat j'ai ce code :
function on(eventType:string, state:any, listener:(detail:MyEvent) => void) {
const resultFunction = function(event:any) {
listener(event.detail)
};
document.addEventListener(eventType, resultFunction);
Cela me permet de gérer des événements qui héritent de MyEvent.
Le problème est que, ce faisant, je crée une fonction anonyme à chaque souscription et que du coup il est impossible d'utiliser removeEventListener lorsque le composant se démonte.
Solution :
Indirectement c'est ce guide qui m'a aidé : https://dev.to/marcostreng/how-to-really-remove-eventlisteners-in-react-3och
L'idée était donc bien de garder la référence à la fonction anonyme créée (qui me permet de gérer des callbacks génériques), mais comment simplifier l'usage pour éviter de devoir faire stocker la référence à cette fonction anonyme par tous les composants ?
Eh bien en la stockant moi-même directement dans le state !
Sur le désabonnement, je vais chercher dans le state, la référence à la fonction anonyme stockée pour mon type d'événement.
function buildKey(eventType: string) {
return 'clientside-events.listener.' + eventType;
}
function on(eventType:string, state:any, listener:(detail:MyEvent) => void) {
const resultFunction = function(event:any) {
listener(event.detail)
};
document.addEventListener(eventType, resultFunction);
if (state !== null) {
if (!state.listeners) {
state.listeners = new Map();
}
state.listeners.set(buildKey(eventType), resultFunction);
}
return resultFunction;
}
function off(eventType:string, state:any) {
if (state !== null && state.listeners) {
document.removeEventListener(eventType, state.listeners.get(buildKey(eventType)));
} else {
console.warn('Trying to remove a listener but not found for ' + eventType)
}
}
function trigger(eventType:string, message:ShaanEvent) {
const event = new CustomEvent(eventType, { detail: message });
document.dispatchEvent(event);
}
export { on, off, trigger };
Fil RSS des articles