NullPointerException using auth-require-role-extension #5

Closed
danifr opened this issue Apr 1, 2020 · 9 comments

Comments

@danifr

danifr commented Apr 1, 2020

I installed and configured auth-require-role-extension to restrict logins against a SAML app but unfortunately it does not work.

The problem seems to be that the UserModel user is null therefore the NullPointerException.

I'm hitting the error even before the logging form is displayed (I don't type user nor password)

I am using Keycloak v9.0.0. Do you think it might be a bug of this specific version of Keycloak?

2020-04-01 15:05:25,236 WARN  [org.keycloak.services] (default task-15) KC-SERVICES0013: Failed authentication: java.lang.NullPointerException
	at com.github.thomasdarimont.keycloak.auth.requiregroup.RequireRoleAuthenticator.userHasRole(RequireRoleAuthenticator.java:49)
	at com.github.thomasdarimont.keycloak.auth.requiregroup.RequireRoleAuthenticator.authenticate(RequireRoleAuthenticator.java:31)
	at org.keycloak.authentication.DefaultAuthenticationFlow.processSingleFlowExecutionModel(DefaultAuthenticationFlow.java:496)
	at org.keycloak.authentication.DefaultAuthenticationFlow.processFlow(DefaultAuthenticationFlow.java:306)
	at org.keycloak.authentication.AuthenticationProcessor.authenticateOnly(AuthenticationProcessor.java:998)
	at org.keycloak.authentication.AuthenticationProcessor.authenticate(AuthenticationProcessor.java:860)
	at org.keycloak.protocol.AuthorizationEndpointBase.handleBrowserAuthenticationRequest(AuthorizationEndpointBase.java:150)
	at org.keycloak.protocol.saml.SamlService.newBrowserAuthentication(SamlService.java:582)
	at org.keycloak.protocol.saml.SamlService.newBrowserAuthentication(SamlService.java:578)
	at org.keycloak.protocol.saml.SamlService$BindingProtocol.loginRequest(SamlService.java:370)
	at org.keycloak.protocol.saml.SamlService$BindingProtocol.handleSamlRequest(SamlService.java:263)
	at org.keycloak.protocol.saml.SamlService$BindingProtocol.execute(SamlService.java:516)
	at org.keycloak.protocol.saml.SamlService.redirectBinding(SamlService.java:591)
	at sun.reflect.GeneratedMethodAccessor758.invoke(Unknown Source)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:498)
	at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:138)
	at org.jboss.resteasy.core.ResourceMethodInvoker.internalInvokeOnTarget(ResourceMethodInvoker.java:517)
	at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTargetAfterFilter(ResourceMethodInvoker.java:406)
	at org.jboss.resteasy.core.ResourceMethodInvoker.lambda$invokeOnTarget$0(ResourceMethodInvoker.java:370)
	at org.jboss.resteasy.core.interception.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:356)
	at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:372)
	at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:344)
	at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:137)
	at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:100)
	at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:440)
	at org.jboss.resteasy.core.SynchronousDispatcher.lambda$invoke$4(SynchronousDispatcher.java:229)
	at org.jboss.resteasy.core.SynchronousDispatcher.lambda$preprocess$0(SynchronousDispatcher.java:135)
	at org.jboss.resteasy.core.interception.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:356)
	at org.jboss.resteasy.core.SynchronousDispatcher.preprocess(SynchronousDispatcher.java:138)
	at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:215)
	at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:227)
	at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
	at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:590)
	at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:74)
	at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
	at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:91)
	at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
	at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
	at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
	at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
	at io.undertow.servlet.handlers.ServletChain$1.handleRequest(ServletChain.java:68)
	at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
	at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
	at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
	at io.undertow.servlet.handlers.RedirectDirHandler.handleRequest(RedirectDirHandler.java:68)
	at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:132)
	at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
	at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
	at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
	at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
	at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
	at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
	at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
	at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
	at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
	at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
	at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
	at org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68)
	at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
	at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:269)
	at io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:78)
	at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:133)
	at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:130)
	at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48)
	at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
	at org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105)
	at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1504)
	at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1504)
	at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1504)
	at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1504)
	at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:249)
	at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:78)
	at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:99)
	at io.undertow.server.Connectors.executeRootHandler(Connectors.java:376)
	at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:830)
	at org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
	at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1982)
	at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1486)
	at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1377)
	at java.lang.Thread.run(Thread.java:748)

2020-04-01 15:05:25,238 WARN  [org.keycloak.events] (default task-15) type=LOGIN_ERROR, realmId=test, clientId=https://10.80.64.43/mellon/metadata, userId=null, ipAddress=10.80.64.22, error=invalid_user_credentials, auth_method=saml, redirect_uri=https://10.80.64.43/mellon/postResponse, code_id=e687718e-2552-4d6b-b88f-0b7e19415b67, authSessionParentId=e687718e-2552-4d6b-b88f-0b7e19415b67, authSessionTabId=nfB7ULaB4J4
@army1349
Contributor

army1349 commented Apr 1, 2020

It looks like a bad flow. Example from auth-require-group-extension is bad.
This works for me:

  • Authentication - REQUIRED
    • Cookie - ALTERNATIVE
    • ...
    • Authentication Forms - ALTERNATIVE
      • ...
  • Authorization - REQUIRED
    • Require Group - REQUIRED

@danifr
Author

danifr commented Apr 1, 2020

Hi @army1349, thanks a lot for your help :)

I think my conf is correct but still hit that NullPointer error. I post a screenshot of it just in case.
image

@army1349
Contributor

army1349 commented Apr 1, 2020

I think your flow is not correct.
You have ALTERNATIVE and REQUIRED flow segments on the same level.
The flow will just skip everything and try to verify the role for the user, who was not yet determined (NULL).

edited: typo

@danifr
Author

danifr commented Apr 1, 2020

Can you paste a screenshot of your config? I am not sure I am understanding you.
Thanks!

@tomrutsaert

As @army1349 indicates, since Keycloak version 8.0.x that is not a valid flow any more.
You can not combine REQUIRED with ALTERNATIVE. ALTERNATIVE will be ignored when there is REQUIRED in the same group.
See for example the "What" description of this ticket: https://issues.redhat.com/browse/KEYCLOAK-12278

In your case, I would put Conditional OTP on CONDITIONAL and OTP Form on REQUIRED.
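The flow rule described in this thread (a level containing a REQUIRED step ignores its ALTERNATIVE steps, so a role check placed beside Cookie and Forms runs before any user is resolved), modelled as an added example; this is not code from the extension or from Keycloak, the evaluation semantics are a simplification assumed from the thread, and the authenticators, user names and role membership are constructed.

```python
from dataclasses import dataclass, field
from typing import Callable, List, Optional

REQUIRED, ALTERNATIVE = "REQUIRED", "ALTERNATIVE"
ROLE_MEMBERS = {"alice"}  # constructed: users holding the required role


@dataclass
class Step:
    name: str
    requirement: str
    run: Optional[Callable[[Optional[str]], Optional[str]]] = None  # leaf authenticator
    children: List["Step"] = field(default_factory=list)           # non-empty => sub-flow


def execute(step: Step, user: Optional[str], trace: List[str]) -> Optional[str]:
    """Assumed Keycloak >= 8 semantics: if a flow level has any REQUIRED step, its
    ALTERNATIVE steps are ignored and every REQUIRED step must succeed; a level with
    only ALTERNATIVE steps passes on the first success. Returns the resolved user."""
    if not step.children:
        trace.append(f"{step.name}(user={user})")
        return step.run(user)
    required = [c for c in step.children if c.requirement == REQUIRED]
    if required:
        for c in required:
            user = execute(c, user, trace)
            if user is None:
                return None  # a REQUIRED step failed: the whole flow fails
        return user
    for c in step.children:
        result = execute(c, user, trace)
        if result is not None:
            return result
    return None


def cookie(user):  # constructed: no SSO cookie present, step is only "attempted"
    return None

def forms(user):   # constructed: the username/password form resolves the user
    return "alice"

def require_role(user):  # hardened gate: a missing user is a denial, not an exception
    return user if user is not None and user in ROLE_MEMBERS else None


def login(flow: Step):
    trace: List[str] = []
    return execute(flow, None, trace), trace

# Misconfiguration from the thread: alternatives and the role check on one level.
BROKEN = Step("Browser", REQUIRED, children=[
    Step("Cookie", ALTERNATIVE, cookie), Step("Forms", ALTERNATIVE, forms),
    Step("Require Role", REQUIRED, require_role)])
# Structure army1349 posted: authenticate first, then authorize in a second REQUIRED sub-flow.
FIXED = Step("Browser", REQUIRED, children=[
    Step("Authentication", REQUIRED, children=[
        Step("Cookie", ALTERNATIVE, cookie), Step("Forms", ALTERNATIVE, forms)]),
    Step("Authorization", REQUIRED, children=[Step("Require Role", REQUIRED, require_role)])])
```

In the BROKEN flow the trace shows the role gate invoked with `user=None`, which is the state in which the real extension threw its NullPointerException from `userHasRole`; in the FIXED flow the gate only runs once the Authentication sub-flow has produced a user.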

@army1349
Contributor

army1349 commented Apr 1, 2020

Can you paste a screenshot of your config? I am not sure I am understanding you.
Thanks!

Sure:
image

@danifr
Author

danifr commented Apr 1, 2020

Thanks a lot @army1349 and @tomrutsaert !! It is working and I understand this better now :)
Have a great day guys!

@danifr danifr closed this as completed Apr 1, 2020
@cljk

cljk commented Apr 1, 2020

Can you paste a screenshot of your config? I am not sure I am understanding you.
Thanks!

Sure:
image

Has nothing to do with the opened issue ... but what type is your top level execution "Authentication"? Is it an execution flow?

Now that I see how you configured it, I see that my flow definition is wrong ;-)
My top level executions are Cookie, Kerberos and so on and I added my custom required provider in the Browser-flow ... which means that when a user is authenticated by Cookie or Kerberos the authenticators are bypassed.

So... thank you for your screenshot! I'll have to fix that before production...

@army1349
Contributor

army1349 commented Apr 1, 2020

Has nothing to do with the opened issue ... but what type is your top level execution "Authentication"? Is it an execution flow?

It is a generic flow.

Now that I see how you configured it, I see that my flow definition is wrong ;-)
My top level executions are Cookie, Kerberos and so on and I added my custom required provider in the Browser-flow ... which means that when a user is authenticated by Cookie or Kerberos the authenticators are bypassed.

So... thank you for your screenshot! I'll have to fix that before production...

I see. So, in your current state, if someone logs in to a different client or to Account Management, the flow will use the cookie and let him access the limited client without a group/role check.

Glad I could help.
