Uploaded image for project: 'Nuxeo Platform'
  1. Nuxeo Platform
  2. NXP-32389

Fix HTTP 500 when running an unauthenticated request against REST API with Keycloak auth

    XMLWordPrintable

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 2023.0, 2021.42
    • Fix Version/s: 2021.52, 2023.10
    • Component/s: Authentication
    • Release Notes Summary:
      Fix HTTP 500 when running an unauthenticated request against REST API with Keycloak authentication.
    • Tags:
    • Backlog priority:
      700
    • Sprint:
      nxplatform #109, nxplatform #110, nxplatform #111, nxplatform #112, nxplatform #113
    • Story Points:
      3

      Description

      Steps to reproduce:

      1. Start keycloak 
        docker run --name test-keycloak19.0.3 -d -p 8087:8080 -e KEYCLOAK_ADMIN=admin -e KEYCLOAK_ADMIN_PASSWORD=admin quay.io/keycloak/keycloak:19.0.3 start-dev
      2. import the attached realm nuxeo-realm.json (not really required)
      3. Install nuxeo-keycloak addon and configure the nuxeo.conf properties 
        nuxeo.keycloak.realm=nuxeorealm
nuxeo.keycloak.resource=nuxeo
nuxeo.keycloak.sslRequired=none
nuxeo.keycloak.publicClient=false
nuxeo.keycloak.confidentialPort=0
nuxeo.keycloak.authServerUrl=http://localhost:8087
nuxeo.keycloak.credentials.secret=eGEPEQNIH5AYUn5DflXoPMaNj4v1lotl
      4. Start Nuxeo
      5. Run this command 
        curl -v -s -X POST "http://localhost:8080/nuxeo/site/automation/Auth.LoginAs" -d '{"params":{},"context":{}}' -H 'Content-Type: application/json'--compressed --insecure
      6. Observe the response with HTTP 500
      7. Observe also the error in the logs 
        ERROR [WebEngineExceptionMapper] java.lang.IllegalStateException: Not authenticated user is trying to get a core session
java.lang.IllegalStateException: Not authenticated user is trying to get a core session
	at org.nuxeo.ecm.webengine.jaxrs.session.CoreSessionProvider.createSession(CoreSessionProvider.java:66) ~[nuxeo-webengine-jaxrs-2023.1.20.jar:?]
	at org.nuxeo.ecm.webengine.jaxrs.session.CoreSessionProvider.getSessionRef(CoreSessionProvider.java:54) ~[nuxeo-webengine-jaxrs-2023.1.20.jar:?]
	at org.nuxeo.ecm.webengine.jaxrs.session.CoreSessionProvider.getSession(CoreSessionProvider.java:61) ~[nuxeo-webengine-jaxrs-2023.1.20.jar:?]
	at org.nuxeo.ecm.webengine.jaxrs.session.SessionFactory.getSession(SessionFactory.java:109) ~[nuxeo-webengine-jaxrs-2023.1.20.jar:?]
	at org.nuxeo.ecm.webengine.jaxrs.session.SessionFactory.getSession(SessionFactory.java:105) ~[nuxeo-webengine-jaxrs-2023.1.20.jar:?]
	at org.nuxeo.ecm.webengine.jaxrs.session.SessionFactory.getSession(SessionFactory.java:92) ~[nuxeo-webengine-jaxrs-2023.1.20.jar:?]
	at org.nuxeo.ecm.automation.server.jaxrs.CoreSessionProvider.getValue(CoreSessionProvider.java:39) ~[nuxeo-automation-server-2023.0.159.jar:?]
	at org.nuxeo.ecm.automation.server.jaxrs.CoreSessionProvider.getValue(CoreSessionProvider.java:35) ~[nuxeo-automation-server-2023.0.159.jar:?]
	at com.sun.jersey.server.impl.inject.AbstractHttpContextInjectable$1.getValue(AbstractHttpContextInjectable.java:104) ~[jersey-server-1.19.4.jar:1.19.4]
	at com.sun.jersey.server.spi.component.ResourceComponentInjector.inject(ResourceComponentInjector.java:222) ~[jersey-server-1.19.4.jar:1.19.4]
	at com.sun.jersey.server.spi.component.ResourceComponentConstructor.construct(ResourceComponentConstructor.java:234) ~[jersey-server-1.19.4.jar:1.19.4]
	at org.nuxeo.ecm.webengine.model.impl.AbstractResourceType.newInstance(AbstractResourceType.java:132) ~[nuxeo-webengine-core-2023.1.20.jar:?]
	at org.nuxeo.ecm.webengine.model.impl.AbstractWebContext.newObject(AbstractWebContext.java:332) ~[nuxeo-webengine-core-2023.1.20.jar:?]
	at org.nuxeo.ecm.webengine.model.impl.AbstractWebContext.newObject(AbstractWebContext.java:327) ~[nuxeo-webengine-core-2023.1.20.jar:?]
	at org.nuxeo.ecm.webengine.model.impl.AbstractResource.newObject(AbstractResource.java:262) ~[nuxeo-webengine-core-2023.1.20.jar:?]
	at org.nuxeo.ecm.automation.server.jaxrs.AutomationResource.getExecutable(AutomationResource.java:144) ~[nuxeo-automation-server-2023.0.159.jar:?]

         

      Expected behavior: the unauthenticated request should request a HTTP 401

        Attachments

          Issue Links

          causes

          Task - A task that needs to be done. NXDOC-2663 Document nuxeo/Keycloak status code specs, auth chain order impact and provide sample.

          • Major - Major loss of function.
          • Resolved
          depends on

          Task - A task that needs to be done. NXP-32514 use Keycloak auth after Automation basic auth in specific auth chains

          • Major - Major loss of function.
          • Resolved
          is caused by

          Question - A question that requires an answer NXP-30507 Skip handleLogin when HTTP response has already been commited

          • Minor - Minor loss of function, or other problem where easy workaround is present.
          • Resolved

            Activity

              People

              • Votes:
                0 Vote for this issue
                Watchers:
                3 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved: