Integration Error

[srinathganesh1]

Updated with latest status (removed some irreverent things):

modules/flowable-ui-modeler/flowable-ui-modeler-conf/src/main/java/org/flowable/ui/modeler/conf/SecurityConfiguration.java
(I was not able to directly replace the class name, since new class name had one extra parameter)

modules/flowable-ui-modeler/flowable-ui-modeler-app/src/main/resources/flowable-default.properties

User Permission

Service Account

I had to add view-users from the auto generated master-realm to do away with token error

Error after signin (there are no logs generated for this in flowable and keycloak)

[ajcamilo]

Your client setup in keycloak needs to have:

• Service Accounts enabled
• The view-users and view-groups scopes in both client scopes and service account scopes.

I can detail more what to do if you want.

[srinathganesh1]

I tried setting the scope and service account, and a few more configs. It still didn't work. Updated original post (since 403 stopped coming somehow)

Do you have a sample demo project? or a sample configuration for keycloak

[srinathganesh1]

Update: I made this change

and I am getting error

[ajcamilo]

Can you show me the logs from keycloak?

[srinathganesh1]

Can you show me the logs from keycloak?

sure will post them.

[srinathganesh1]

I will shortly update the original post will all my configuration again (instead of two comments)

---

Flowable Logs

2020-03-31 16:46:20.360  INFO 19732 --- [nio-8080-exec-5] o.a.c.c.C.[.[.[/flowable-modeler]        : Initializing Spring FrameworkServlet 'dispatcherServlet'
2020-03-31 16:46:20.360  INFO 19732 --- [nio-8080-exec-5] o.s.w.s.DispatcherServlet                : FrameworkServlet 'dispatcherServlet': initialization started
2020-03-31 16:46:20.408  INFO 19732 --- [nio-8080-exec-5] o.s.w.s.DispatcherServlet                : FrameworkServlet 'dispatcherServlet': initialization completed in 43 ms

Keycloak Logs: Nothing getting logged.

[srinathganesh1]

I have updated original post with the latest configs #1 (comment)

[ajcamilo]

I'll make a sample project from https://github.com/flowable/flowable-engine/tree/master/modules/flowable-ui-modeler.

But it will take some time. Maybe next week. Sorry.

[srinathganesh1]

I'll make a sample project from https://github.com/flowable/flowable-engine/tree/master/modules/flowable-ui-modeler.

But it will take some time. Maybe next week. Sorry.

Ok thank you. does my current configs looks fine?

[ajcamilo]

Yes, it looks fine. Maybe there's something missing in the SecurityConfiguration. But I need some time to test this.

[srinathganesh1]

Yes, it looks fine. Maybe there's something missing in the SecurityConfiguration. But I need some time to test this.

Ok thanks

[ajcamilo]

@srinathganesh1 can you checkout this commit: premium-minds/flowable-keycloak-example@69dda8c

This example is working for flowable-ui-modeler.

[srinathganesh1]

Thanks a lot. I will try it out.

…

On Mon, 6 Apr, 2020, 20:21 André Camilo, ***@***.***> wrote: @srinathganesh1 <https://github.com/srinathganesh1> can you checkout this commit: ***@***.*** <premium-minds/flowable-keycloak-example@69dda8c> This example is working for flowable-ui-modeler

[krishnakumar-ls]

@ajcamilo @srinathganesh1 Is this issue fixed?
I got the same issue - RESTEASY003210: Could not find resource for full path: http://localhost:8080/flowable-task

[ajcamilo]

@krishnakumar-ls I've only did the modifications in the project flowable-ui-modeler, but if you need for the other projects, just do the same changes from this commit: premium-minds/flowable-keycloak-example@69dda8c?

[krishnakumar-ls]

@ajcamilo I did the changes in flowable-task project as per this commit premium-minds/flowable-keycloak-example@69dda8c
But still I got the same issue(RESTEASY003210: Could not find resource for full path).

[ajcamilo]

I'll try to get some time in the weekend to check that out, ok?

[krishnakumar-ls]

@ajcamilo Sure.

[ajcamilo]

@krishnakumar-ls what is the version of flowable you are using?

[krishnakumar-ls]

@ajcamilo I'm using Flowable 6.5.0

[krishnakumar-ls]

@ajcamilo Got 404 error for the URL 'http://localhost:8080/flowable-task/' after redirect from keycloak auth server.

[ajcamilo]

Sorry for the delay @krishnakumar-ls

Checkout the new version of premium-minds/flowable-keycloak-example@9d1314a

Now flowable-task uses keycloak authentication.

[krishnakumar-ls]

@ajcamilo Thank you! I will try this checkout premium-minds/flowable-keycloak-example@9d1314a
Can you you share me the configuration changes in flowable-ui-*-app>src>main>docker>docker-compose.yml to build a flowable docker image.

[ajcamilo]

add the following to the environment part of the flowable app:

      - KEYCLOAK_URL=<url to keycloak>
      - KEYCLOAK_REALM=<keycloak realm>
      - KEYCLOAK_ISSUER-URL=<issuer url>
      - KEYCLOAK_CLIENT_CLIENT-ID=<client id>
      - KEYCLOAK_CLIENT_CLIENT-SECRET=<client secret>

[Sanlisi]

@srinathganesh1 hi, have you solved your problem?

[Sanlisi]

@ajcamilo hi, I have a problem , when I run flowable-ui-modeler project there is an error in the program,can you tell me the reason？ thank you .

Caused by: java.lang.ClassNotFoundException: com.premiumminds.flowable.conf.KeycloakProperties
at java.net.URLClassLoader.findClass(URLClassLoader.java:381) ~[?:1.8.0_161]
at java.lang.ClassLoader.loadClass(ClassLoader.java:424) ~[?:1.8.0_161]
at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:338) ~[?:1.8.0_161]
at java.lang.ClassLoader.loadClass(ClassLoader.java:357) ~[?:1.8.0_161]
at org.springframework.boot.devtools.restart.classloader.RestartClassLoader.loadClass(RestartClassLoader.java:144) ~[spring-boot-devtools-2.2.2.RELEASE.jar:2.2.2.RELEASE]
at java.lang.ClassLoader.loadClass(ClassLoader.java:357) ~[?:1.8.0_161]
at java.lang.Class.getDeclaredMethods0(Native Method) ~[?:1.8.0_161]
at java.lang.Class.privateGetDeclaredMethods(Class.java:2701) ~[?:1.8.0_161]
at java.lang.Class.getDeclaredMethods(Class.java:1975) ~[?:1.8.0_161]
at org.springframework.util.ReflectionUtils.getDeclaredMethods(ReflectionUtils.java:463) ~[spring-core-5.2.2.RELEASE.jar:5.2.2.RELEASE]
... 26 more

Process finished with exit code 0

[ajcamilo]

@Sanlisi, did you check this out? https://github.com/premium-minds/flowable-keycloak-example

You can see this commit premium-minds/flowable-keycloak-example@69dda8c
It has all the changes needed to the flowable project for the modeler to work with keycloak.

[Sanlisi]

@ajcamilo hi, yesterday’s problem has been solved, but when I access: "localhost:8888/flowable-modeler"，the following error occurred，

Whitelabel Error Page
This application has no explicit mapping for /error, so you are seeing this as a fallback.
Sat Oct 10 09:42:06 CST 2020
There was an unexpected error (type=Internal Server Error, status=500).
javax.ws.rs.ForbiddenException: HTTP 403 Forbidden
com.google.common.util.concurrent.UncheckedExecutionException: javax.ws.rs.ForbiddenException: HTTP 403 Forbidden
at com.google.common.cache.LocalCache$Segment.get(LocalCache.java:2051)
at com.google.common.cache.LocalCache.get(LocalCache.java:3951)
at com.google.common.cache.LocalCache.getOrLoad(LocalCache.java:3974)
at com.google.common.cache.LocalCache$LocalLoadingCache.get(LocalCache.java:4958)
at com.premiumminds.flowable.service.KeycloakServiceImpl.getUser(KeycloakServiceImpl.java:154)
at com.premiumminds.flowable.filter.AuthenticationHandler.authenticationCallbackHandler(AuthenticationHandler.java:115)
at com.premiumminds.flowable.filter.KeycloakCookieFilter.doFilterInternal(KeycloakCookieFilter.java:108)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:116)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
at org.springframework.security.web.header.HeaderWriterFilter.doHeadersAfter(HeaderWriterFilter.java:92)
at org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:77)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:105)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:56)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:215)
at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:178)
at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:358)
at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:271)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
at org.springframework.web.filter.RequestContextFilter.doFilterInternal(RequestContextFilter.java:100)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
at org.springframework.web.filter.FormContentFilter.doFilterInternal(FormContentFilter.java:93)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
at org.springframework.boot.actuate.metrics.web.servlet.WebMvcMetricsFilter.doFilterInternal(WebMvcMetricsFilter.java:108)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:201)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:202)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:526)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:139)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343)
at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:367)
at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)
at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:860)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1591)
at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.lang.Thread.run(Thread.java:748)
Caused by: javax.ws.rs.ForbiddenException: HTTP 403 Forbidden
at org.jboss.resteasy.client.jaxrs.internal.ClientInvocation.handleErrorStatus(ClientInvocation.java:223)
at org.jboss.resteasy.client.jaxrs.internal.ClientInvocation.extractResult(ClientInvocation.java:195)
at org.jboss.resteasy.client.jaxrs.internal.proxy.extractors.BodyEntityExtractor.extractEntity(BodyEntityExtractor.java:62)
at org.jboss.resteasy.client.jaxrs.internal.proxy.ClientInvoker.invokeSync(ClientInvoker.java:151)
at org.jboss.resteasy.client.jaxrs.internal.proxy.ClientInvoker.invoke(ClientInvoker.java:112)
at org.jboss.resteasy.client.jaxrs.internal.proxy.ClientProxy.invoke(ClientProxy.java:76)
at com.sun.proxy.$Proxy154.toRepresentation(Unknown Source)
at com.premiumminds.flowable.service.KeycloakServiceImpl$1.load(KeycloakServiceImpl.java:90)
at com.premiumminds.flowable.service.KeycloakServiceImpl$1.load(KeycloakServiceImpl.java:86)
at com.google.common.cache.LocalCache$LoadingValueReference.loadFuture(LocalCache.java:3529)
at com.google.common.cache.LocalCache$Segment.loadSync(LocalCache.java:2278)
at com.google.common.cache.LocalCache$Segment.lockedGetOrLoad(LocalCache.java:2155)
at com.google.common.cache.LocalCache$Segment.get(LocalCache.java:2045)
... 57 more

so , I have some questions:

1. can you give me some images of keycloak ui ?
2. What does mean of “The view-users and view-groups scopes in both client scopes and service account scopes.” ? and where to set up it ? ------
3. keycloak.client.scope = openid roles ------ Where to set up openid roles?

thank you.

[krishnakumar-ls]

@Sanlisi This exception is raised due to user permission issue. You have to add client service account roles by click client -> select 'Service Account Roles' tab -> Add client roles
& have to add client role mapping by click user -> select 'Role Mapping' -> add client roles

[Sanlisi]

@krishnakumar-ls @ajcamilo Sorry, I tried your method, but it still doesn’t work，so can you give me a complete images of
keycloak ui ?
Currently my configuration is like this

Can you give me your email? thank you very much

[ajcamilo]

@Sanlisi the view-users and view-groups roles are from the client realm-management

[Sanlisi]

@ajcamilo @srinathganesh1 hi , according to your prompt, yesterday’s problem has been solved, but I encountered a new problem，when I visit the page：http://localhost:8888/flowable-modeler, as if the page has been refreshing，Why is that？
Where does Kaycloak UI need to be configured? thank you very much。

[srinathganesh1]

Sorry to jump the topic in a different direction (still related to keycloak SSO)

I have not personally tried it, but based on release notes it seems latest flowable has built in keycloak support

• Ref: https://blog.flowable.org/2020/10/12/flowable-6-6-0-release/
• Quote: "Support for OAuth2 authentication is added to the Flowable UI App, with Keycloak as an example implementation."

[Sanlisi]

@srinathganesh1 @ajcamilo the problem has been solved，I use the 6.6 version，Ref: https://blog.flowable.org/2020/10/12/flowable-6-6-0-release/ ，thank you very much