I am trying to connect keycloak with external infinispan. When I run Infinspan I am able to start the server and able to connect to console. The cache required by Keycloak are also created. But when I am starting keycloak I am getting error **”SecurityException: ISPN000287: Unauthorized access: subject ‘null’ lacks ‘LIFECYCLE’ permission”
In Security under authorization I have specified the required subject and role but still getting the error.
Keyclaok version: 25.0.1
Infinispan version: 15.0.1
Attached are the cache-ispn.xml file which is passed as a config-file to Keycloak
And For Infinspan I am using infinispan-xsite.xml
Start Infinspan using the command : binserver.bat -c infinispan-xsite.xml
Start Keyclaok using command: binkc.bat start –https-certificate-file=C://Users//Nitiin-O//keycloak.crt –https-certificate-key-file=C://Users//Nitiin-O//keycloak.key –hostname=myapp.com –optimized –cache-config-file=cache-ispn.xml –verbose
Added authorization in Security tag for cache-ispn.xml.
Not sure why the subject is null since I have mentioned the subject and roles in Global security configuration
cache-ispn.xml
<?xml version="1.0" encoding="UTF-8"?>
<!--
~ Copyright 2019 Red Hat, Inc. and/or its affiliates
~ and other contributors as indicated by the @author tags.
~
~ Licensed under the Apache License, Version 2.0 (the "License");
~ you may not use this file except in compliance with the License.
~ You may obtain a copy of the License at
~
~ http://www.apache.org/licenses/LICENSE-2.0
~
~ Unless required by applicable law or agreed to in writing, software
~ distributed under the License is distributed on an "AS IS" BASIS,
~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
~ See the License for the specific language governing permissions and
~ limitations under the License.
-->
<infinispan
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="urn:infinispan:config:15.0 http://www.infinispan.org/schemas/infinispan-config-15.0.xsd"
xmlns="urn:infinispan:config:15.0">
<cache-container name="keycloak">
<!--security>
<authorization enabled="true"/>
</security-->
<security>
<authorization>
<identity-role-mapper/>
<role name="user" permissions="LIFECYCLE"/>
<role name="admin" permissions="ALL BULK_READ WRITE"/>
<role name="reader" permissions="READ" />
<role name="writer" permissions="WRITE" />
<role name="supervisor" permissions="READ WRITE EXEC"/>
</authorization>
</security>
<transport lock-timeout="60000"/>
<local-cache name="realms" simple-cache="true">
<encoding>
<key media-type="application/x-java-object"/>
<value media-type="application/x-java-object"/>
</encoding>
<security>
<authorization/>
</security>
<memory max-count="10000"/>
</local-cache>
<local-cache name="users" simple-cache="true">
<encoding>
<key media-type="application/x-java-object"/>
<value media-type="application/x-java-object"/>
</encoding>
<security>
<authorization/>
</security>
<memory max-count="10000"/>
</local-cache>
<distributed-cache name="sessions" owners="2">
<expiration lifespan="-1"/>
<remote-store xmlns="urn:infinispan:config:store:remote:15.0"
cache="sessions"
purge="false"
preload="false"
segmented="false"
shared="true"
raw-values="true"
marshaller="org.keycloak.cluster.infinispan.KeycloakHotRodMarshallerFactory">
<remote-server host="127.0.0.1" port="11222" />
<security>
<authentication server-name="infinispan">
<digest username="user" password="pass" realm="default"/>
</authentication>
</security>
</remote-store>
</distributed-cache>
<distributed-cache name="authenticationSessions" owners="2">
<expiration lifespan="-1"/>
<remote-store xmlns="urn:infinispan:config:store:remote:15.0"
cache="authenticationSessions"
purge="false"
preload="false"
segmented="false"
shared="true"
raw-values="true"
marshaller="org.keycloak.cluster.infinispan.KeycloakHotRodMarshallerFactory">
<remote-server host="127.0.0.1" port="11222" />
<security>
<authentication server-name="infinispan">
<digest username="user" password="pass" realm="default"/>
</authentication>
</security>
</remote-store>
</distributed-cache>
<distributed-cache name="offlineSessions" owners="2">
<expiration lifespan="-1"/>
<remote-store xmlns="urn:infinispan:config:store:remote:15.0"
cache="offlineSessions"
purge="false"
preload="false"
segmented="false"
shared="true"
raw-values="true"
marshaller="org.keycloak.cluster.infinispan.KeycloakHotRodMarshallerFactory">
<remote-server host="127.0.0.1" port="11222" />
<security>
<authentication server-name="infinispan">
<digest username="user" password="pass" realm="default"/>
</authentication>
</security>
</remote-store>
</distributed-cache>
<distributed-cache name="clientSessions" owners="2">
<expiration lifespan="-1"/>
<remote-store xmlns="urn:infinispan:config:store:remote:15.0"
cache="clientSessions"
purge="false"
preload="false"
segmented="false"
shared="true"
raw-values="true"
marshaller="org.keycloak.cluster.infinispan.KeycloakHotRodMarshallerFactory">
<remote-server host="127.0.0.1" port="11222" />
<security>
<authentication server-name="infinispan">
<digest username="user" password="pass" realm="default"/>
</authentication>
</security>
</remote-store>
</distributed-cache>
<distributed-cache name="offlineClientSessions" owners="2">
<expiration lifespan="-1"/>
<remote-store xmlns="urn:infinispan:config:store:remote:15.0"
cache="offlineClientSessions"
purge="false"
preload="false"
segmented="false"
shared="true"
raw-values="true"
marshaller="org.keycloak.cluster.infinispan.KeycloakHotRodMarshallerFactory">
<remote-server host="127.0.0.1" port="11222" />
<security>
<authentication server-name="infinispan">
<digest username="user" password="pass" realm="default"/>
</authentication>
</security>
</remote-store>
</distributed-cache>
<distributed-cache name="loginFailures" owners="2">
<expiration lifespan="-1"/>
<remote-store xmlns="urn:infinispan:config:store:remote:15.0"
cache="loginFailures"
purge="false"
preload="false"
segmented="false"
shared="true"
raw-values="true"
marshaller="org.keycloak.cluster.infinispan.KeycloakHotRodMarshallerFactory">
<remote-server host="127.0.0.1" port="11222" />
<security>
<authentication server-name="infinispan">
<digest username="user" password="pass" realm="default"/>
</authentication>
</security>
</remote-store>
</distributed-cache>
<local-cache name="authorization" simple-cache="true">
<encoding>
<key media-type="application/x-java-object"/>
<value media-type="application/x-java-object"/>
</encoding>
<security>
<authorization/>
</security>
<memory max-count="10000"/>
</local-cache>
<replicated-cache name="work">
<expiration lifespan="-1"/>
<remote-store xmlns="urn:infinispan:config:store:remote:15.0"
cache="work"
purge="false"
preload="false"
segmented="false"
shared="true"
raw-values="true"
marshaller="org.keycloak.cluster.infinispan.KeycloakHotRodMarshallerFactory">
<remote-server host="127.0.0.1" port="11222" />
<security>
<authentication server-name="infinispan">
<digest username="user" password="pass" realm="default"/>
</authentication>
</security>
</remote-store>
</replicated-cache>
<local-cache name="keys" simple-cache="true">
<encoding>
<key media-type="application/x-java-object"/>
<value media-type="application/x-java-object"/>
</encoding>
<expiration max-idle="3600000"/>
<security>
<authorization/>
</security>
<memory max-count="1000"/>
</local-cache>
<distributed-cache name="actionTokens" owners="2">
<encoding>
<key media-type="application/x-java-object"/>
<value media-type="application/x-java-object"/>
</encoding>
<remote-store xmlns="urn:infinispan:config:store:remote:15.0"
cache="actionTokens"
purge="false"
preload="false"
segmented="false"
shared="true"
raw-values="true"
marshaller="org.keycloak.cluster.infinispan.KeycloakHotRodMarshallerFactory">
<remote-server host="127.0.0.1" port="11222" />
<security>
<authentication server-name="infinispan">
<digest username="user" password="pass" realm="default"/>
</authentication>
</security>
</remote-store>
<expiration max-idle="-1" lifespan="-1" interval="300000"/>
<memory max-count="-1"/>
</distributed-cache>
</cache-container>
</infinispan>
infinispan-xsite.xml
<infinispan
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="urn:infinispan:config:15.0 https://infinispan.org/schemas/infinispan-config-15.0.xsd
urn:infinispan:server:15.0 https://infinispan.org/schemas/infinispan-server-15.0.xsd
urn:org:jgroups http://www.jgroups.org/schema/jgroups-5.3.xsd"
xmlns="urn:infinispan:config:15.0"
xmlns:ispn="urn:infinispan:config:15.0"
xmlns:server="urn:infinispan:server:15.0">
<jgroups>
<!--
This configuration demonstrates cross-site replication on a single host and uses IP multicast for discovery.
To use this configuration, do the following:
* Open terminal in $ISPN_HOME.
* Copy the server/ directory to server2/.
* Open a terminal and run: ./bin/server.sh -c infinispan-xsite.xml
* Open another terminal and run: ./bin/server.sh -c infinispan-xsite.xml -s server2 -Dinfinispan.site.name=site2 -o 100 -Djgroups.mcast_port=46656
* Check server logs for the following message: "[org.infinispan.XSITE] ISPN000439: Received new x-site view: [site1, site2]"
-->
<stack name="bridge" extends="tcp">
<MPING mcast_port="${jgroups.bridge.mcast_port:47655}"
ispn:stack.combine="COMBINE"
xmlns="urn:org:jgroups"
/>
</stack>
<stack name="local" extends="udp">
<relay.RELAY2 site="${infinispan.site.name:site1}"
max_site_masters="${infinispan.site.max_relay_nodes:1}"
xmlns="urn:org:jgroups"/>
<remote-sites default-stack="bridge">
<remote-site name="${infinispan.site.name:site1}"/>
</remote-sites>
</stack>
</jgroups>
<cache-container name="keycloak" statistics="true">
<transport cluster="${infinispan.cluster.name:ISPN}" stack="${infinispan.cluster.stack:local}" node-name="${infinispan.node.name:}"/>
<security>
<authorization>
<role name="admin" permissions="ALL"/>
<role name="user" permissions="LIFECYCLE"/>
</authorization>
</security>
<replicated-cache name="work">
<encoding>
<key media-type="application/x-java-object"/>
<value media-type="application/x-java-object"/>
</encoding>
</replicated-cache>
<distributed-cache name="sessions">
<encoding>
<key media-type="application/x-java-object"/>
<value media-type="application/x-java-object"/>
</encoding>
</distributed-cache>
<distributed-cache name="authenticationSessions">
<encoding>
<key media-type="application/x-java-object"/>
<value media-type="application/x-java-object"/>
</encoding>
</distributed-cache>
<distributed-cache name="clientSessions">
<encoding>
<key media-type="application/x-java-object"/>
<value media-type="application/x-java-object"/>
</encoding>
</distributed-cache>
<distributed-cache name="offlineSessions">
<encoding>
<key media-type="application/x-java-object"/>
<value media-type="application/x-java-object"/>
</encoding>
</distributed-cache>
<distributed-cache name="offlineClientSessions">
<encoding>
<key media-type="application/x-java-object"/>
<value media-type="application/x-java-object"/>
</encoding>
</distributed-cache>
<distributed-cache name="actionTokens">
<encoding>
<key media-type="application/x-java-object"/>
<value media-type="application/x-java-object"/>
</encoding>
</distributed-cache>
<distributed-cache name="loginFailures">
<encoding>
<key media-type="application/x-java-object"/>
<value media-type="application/x-java-object"/>
</encoding>
</distributed-cache>
</cache-container>
<server xmlns="urn:infinispan:server:15.0">
<interfaces>
<interface name="public">
<inet-address value="${infinispan.bind.address:127.0.0.1}"/>
</interface>
</interfaces>
<socket-bindings default-interface="public" port-offset="${infinispan.socket.binding.port-offset:0}">
<socket-binding name="default" port="${infinispan.bind.port:11222}"/>
</socket-bindings>
<security>
<security-realms>
<security-realm name="default">
<!-- Uncomment to enable TLS on the realm -->
<!-- server-identities>
<ssl>
<keystore path="server.pfx"
password="password" alias="server"
generate-self-signed-certificate-host="localhost"/>
</ssl>
</server-identities-->
<properties-realm/>
</security-realm>
</security-realms>
</security>
<!--endpoints socket-binding="default" security-realm="default" /-->
<endpoints socket-binding="default" security-realm="default">
<endpoint>
<hotrod-connector name="hotrod">
<authentication>
<sasl mechanisms="DIGEST DIGEST-SHA-256"
server-name="infinispan" />
</authentication>
</hotrod-connector>
<rest-connector name="rest"/>
</endpoint>
</endpoints>
</server>
</infinispan>