Reputation: 354
So I have an application which uses Vaadin (14) and the Keycloak Spring Boot adapter (11). I looked at Keycloak's authorization example for Spring Boot called "app-authz-springboot", available here: https://github.com/keycloak/keycloak-quickstarts/tree/latest/app-authz-springboot When I execute the example everything works fine, but when I wire up my Vaadin application to the Keycloak instance from the example and copy the application.properties file from the Spring half of the same example, it fails to set up the policy enforcement configuration. It gives me the error message:
Could not lazy load resource with path[/VAADIN/build/webcomponentsjs/webcomponents-loader.js] from server
with the stacktrace:
java.lang.RuntimeException: Could not find resource
at org.keycloak.authorization.client.util.Throwables.retryAndWrapExceptionIfNecessary(Throwables.java:91) ~[keycloak-authz-client-11.0.2.jar:11.0.2]
at org.keycloak.authorization.client.resource.ProtectedResource.find(ProtectedResource.java:232) ~[keycloak-authz-client-11.0.2.jar:11.0.2]
at org.keycloak.authorization.client.resource.ProtectedResource.findByMatchingUri(ProtectedResource.java:291) ~[keycloak-authz-client-11.0.2.jar:11.0.2]
at org.keycloak.adapters.authorization.PolicyEnforcer$PathConfigMatcher.matches(PolicyEnforcer.java:268) ~[keycloak-adapter-core-11.0.2.jar:11.0.2]
at org.keycloak.adapters.authorization.AbstractPolicyEnforcer.getPathConfig(AbstractPolicyEnforcer.java:351) ~[keycloak-adapter-core-11.0.2.jar:11.0.2]
at org.keycloak.adapters.authorization.AbstractPolicyEnforcer.authorize(AbstractPolicyEnforcer.java:72) ~[keycloak-adapter-core-11.0.2.jar:11.0.2]
at org.keycloak.adapters.authorization.PolicyEnforcer.enforce(PolicyEnforcer.java:95) ~[keycloak-adapter-core-11.0.2.jar:11.0.2]
at org.keycloak.adapters.AuthenticatedActionsHandler.isAuthorized(AuthenticatedActionsHandler.java:158) ~[keycloak-adapter-core-11.0.2.jar:11.0.2]
at org.keycloak.adapters.AuthenticatedActionsHandler.handledRequest(AuthenticatedActionsHandler.java:60) ~[keycloak-adapter-core-11.0.2.jar:11.0.2]
at org.keycloak.adapters.tomcat.AbstractAuthenticatedActionsValve.invoke(AbstractAuthenticatedActionsValve.java:62) ~[spring-boot-container-bundle-11.0.2.jar:11.0.2]
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:667) ~[tomcat-embed-core-9.0.41.jar:9.0.41]
at org.keycloak.adapters.tomcat.AbstractKeycloakAuthenticatorValve.invoke(AbstractKeycloakAuthenticatorValve.java:181) ~[spring-boot-container-bundle-11.0.2.jar:11.0.2]
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:143) ~[tomcat-embed-core-9.0.41.jar:9.0.41]
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92) ~[tomcat-embed-core-9.0.41.jar:9.0.41]
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:78) ~[tomcat-embed-core-9.0.41.jar:9.0.41]
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343) ~[tomcat-embed-core-9.0.41.jar:9.0.41]
at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:374) ~[tomcat-embed-core-9.0.41.jar:9.0.41]
at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65) ~[tomcat-embed-core-9.0.41.jar:9.0.41]
at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:888) ~[tomcat-embed-core-9.0.41.jar:9.0.41]
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1597) ~[tomcat-embed-core-9.0.41.jar:9.0.41]
at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49) ~[tomcat-embed-core-9.0.41.jar:9.0.41]
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128) ~[na:na]
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628) ~[na:na]
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) ~[tomcat-embed-core-9.0.41.jar:9.0.41]
at java.base/java.lang.Thread.run(Thread.java:834) ~[na:na]
Caused by: java.lang.RuntimeException: org.keycloak.jose.jws.JWSInputException: java.lang.NullPointerException
at org.keycloak.authorization.client.util.TokenCallable.call(TokenCallable.java:75) ~[keycloak-authz-client-11.0.2.jar:11.0.2]
at org.keycloak.authorization.client.resource.ProtectedResource.createFindRequest(ProtectedResource.java:296) ~[keycloak-authz-client-11.0.2.jar:11.0.2]
at org.keycloak.authorization.client.resource.ProtectedResource.access$300(ProtectedResource.java:38) ~[keycloak-authz-client-11.0.2.jar:11.0.2]
at org.keycloak.authorization.client.resource.ProtectedResource$5.call(ProtectedResource.java:225) ~[keycloak-authz-client-11.0.2.jar:11.0.2]
at org.keycloak.authorization.client.resource.ProtectedResource$5.call(ProtectedResource.java:222) ~[keycloak-authz-client-11.0.2.jar:11.0.2]
at org.keycloak.authorization.client.resource.ProtectedResource.find(ProtectedResource.java:230) ~[keycloak-authz-client-11.0.2.jar:11.0.2]
... 23 common frames omitted
Caused by: org.keycloak.jose.jws.JWSInputException: java.lang.NullPointerException
at org.keycloak.jose.jws.JWSInput.<init>(JWSInput.java:58) ~[keycloak-core-11.0.2.jar:11.0.2]
at org.keycloak.authorization.client.util.TokenCallable.call(TokenCallable.java:64) ~[keycloak-authz-client-11.0.2.jar:11.0.2]
... 28 common frames omitted
Caused by: java.lang.NullPointerException: null
at org.keycloak.jose.jws.JWSInput.<init>(JWSInput.java:44) ~[keycloak-core-11.0.2.jar:11.0.2]
... 29 common frames omitted
2021-05-21 18:44:18.843 DEBUG 7662 --- [nio-8080-exec-7] o.k.a.a.AbstractPolicyEnforcer : Checking permissions for path [http://localhost:8080/VAADIN/build/webcomponentsjs/webcomponents-loader.js] with config [null].
The Keycloak configuration features a wildcard grant for all paths /* so the Keycloak side should be fine. Actually, soon after, it manages to create the config and grants access:
2021-05-21 18:44:18.880 DEBUG 7662 --- [nio-8080-exec-4] o.k.a.a.AbstractPolicyEnforcer : Checking permissions for path [http://localhost:8080/VAADIN/build/vaadin-bundle-57fa80d1d948b96b39df.cache.js] with config [PathConfig{name='Default Resource', type='null', path='/*', scopes=[], id='c050c28d-091b-404c-b683-45ee88743439', enforcerMode='ENFORCING'}].
2021-05-21 18:44:18.880 DEBUG 7662 --- [nio-8080-exec-4] o.k.a.a.AbstractPolicyEnforcer : Authorization GRANTED for path [PathConfig{name='Default Resource', type='null', path='/*', scopes=[], id='c050c28d-091b-404c-b683-45ee88743439', enforcerMode='ENFORCING'}]. Permissions [[Permission {id=fb71929b-fe28-4a4c-8879-a77793a6c49b, name=VAADIN, scopes=[]}, Permission {id=c45caaa3-cde6-4ac7-9224-33412368f006, name=Protected Resource, scopes=[]}, Permission {id=c050c28d-091b-404c-b683-45ee88743439, name=Default Resource, scopes=[]}]].
So the error must be somewhere in the creation of the policy enforcer config. Can you please help me figure out where the error is? Here is my application.properties:
server.port=${PORT:8080}
vaadin.productionMode=false
logging.level.org.springframework.security=DEBUG
logging.level.org.keycloak.adapters.authorization=DEBUG
keycloak.enabled = true
keycloak.realm=spring-boot-quickstart
keycloak.auth-server-url=http://localhost:8180/auth
keycloak.ssl-required=external
keycloak.resource=app-authz-springboot
keycloak.public-client=false
keycloak.credentials.secret=secret
keycloak.security-constraints[0].authRoles[0]=user
keycloak.securityConstraints[0].securityCollections[0].name = protected
keycloak.security-constraints[0].securityCollections[0].patterns[0]=/*
keycloak.policy-enforcer-config.lazy-load-paths=true
keycloak.policy-enforcer-config.on-deny-redirect-to=/accessDenied
Upvotes: 0
Views: 877
Reputation: 354
So it turns out I was using the Keycloak adapter in version 11 instead of the latest version 13, which caused the error.
Upvotes: 1
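The adapter version named in the answer is already visible in the question's stack trace, in the jar suffix that follows each frame. The sketch below is an added example, not code from the post or from Keycloak: it pulls the jar versions of all `org.keycloak` frames out of a trace and lists those whose major version differs from an expected one. The function names are hypothetical, the sample trace is constructed from frames in the question, and the expected major version 13 is taken from the answer.

```python
import re

# Constructed sample: frames in the shape of the stack trace in the question.
SAMPLE_TRACE = """\
at org.keycloak.authorization.client.resource.ProtectedResource.find(ProtectedResource.java:232) ~[keycloak-authz-client-11.0.2.jar:11.0.2]
at org.keycloak.adapters.authorization.PolicyEnforcer.enforce(PolicyEnforcer.java:95) ~[keycloak-adapter-core-11.0.2.jar:11.0.2]
at org.keycloak.adapters.tomcat.AbstractAuthenticatedActionsValve.invoke(AbstractAuthenticatedActionsValve.java:62) ~[spring-boot-container-bundle-11.0.2.jar:11.0.2]
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:143) ~[tomcat-embed-core-9.0.41.jar:9.0.41]
at java.base/java.lang.Thread.run(Thread.java:834) ~[na:na]
"""

# One frame: "at <class.method>(<file:line>) ~[<artifact>-<version>.jar:<version>]".
# Frames without a jar (e.g. "~[na:na]") do not match and are skipped.
FRAME = re.compile(
    r"^[ \t]*at[ \t]+(?P<frame>\S+)\(.*?\)[ \t]+"
    r"~?\[(?P<artifact>.+?)-(?P<version>\d[^\]:]*)\.jar:",
    re.MULTILINE,
)


def keycloak_jars(trace):
    """Return {artifact: version} for every frame whose class is in org.keycloak.

    Matching on the frame's package, not the jar name, also catches
    Keycloak jars such as spring-boot-container-bundle.
    """
    jars = {}
    for m in FRAME.finditer(trace):
        if m.group("frame").startswith("org.keycloak."):
            jars[m.group("artifact")] = m.group("version")
    return jars


def adapter_mismatches(trace, expected_major):
    """Keycloak jars in the trace whose major version is not expected_major."""
    return {a: v for a, v in keycloak_jars(trace).items()
            if int(v.split(".")[0]) != expected_major}


if __name__ == "__main__":
    # expected_major=13 is an assumption taken from the answer above.
    for artifact, version in sorted(adapter_mismatches(SAMPLE_TRACE, 13).items()):
        print(f"{artifact} is {version}, expected major version 13")
```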