-
Notifications
You must be signed in to change notification settings - Fork 6.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Special characters in --db-password
option
#19831
Comments
I have identified the root cause. If the password contains some special char like ! $ @ and we pass it to the command then it's fails to start. kc.bat start --https-key-store-file=E:\keystore.ks --https-key-store-password=password --https-trust-store-file=E:\truststore.ks --https-trust-store-password=password --db=mssql --transaction-xa-enabled=false --db-url="jdbc:sqlserver://localhost:1433;databaseName=Keycloak;encrypt=false" --db-username=keycloak-user --db-password=CTdemo123! --http-enabled=true --http-port=7777 --https-port=7778--hostname-strict=false --http-relative-path=/auth --log-le Could you please confirm it and let me know the quick fix as it's a blocker? |
@ajaiswal595 I guess the quick fix is to set the password as an environment variable. It is the better way anyways as otherwise your password is visible in the process list. |
@sschu You are right but this is also a vulnerability if we store passwords in Envrionment Variable. Did you come up with any vault yet for the Keyclaok Quarkus ? |
@ajaiswal595 It is still way more secure using environment variables than passing a secret vie commandline args as they are just readable by everybody. The best way for now would be to pass secrets in a file. |
I choose to put the password into keycloak/conf/keycloak.conf file. It works for the password CTdemo123! as we can see in an earlier discussion. But it is failing for the password Akjtl$$5421 Can you suggest how to resolve this issue or if any fix is available please let me know ASAP It's a blocker for me. |
@ajaiswal595 So this issue is mainly about the server failing to parse option values (in this case the database password) depending on the characters they have? |
Yes TRUE Server is not able to parse the password also we may need to check for keystore and truststore password. |
I can confirm this happens if the password contains two |
Removing storage and putting to quarkus area since the issue is in passing the correct password from the commandline / properties. |
Hello, @ajaiswal595 , We are investigating the aforementioned problem that happens when the password contains a double The Good News are: The Thanks. |
Hello, @ajaiswal595 , Sorry for the inconvenience, but due to the need to work on other issues with higher priority in order to release version 22, we're gonna moving this issue to Thanks for the comprehension. |
--db-password
option
@andre-nascimento6791 @sschu the cli issue should have been resolved with #22585. The remaining issue with double dollar sign is more of smallrye problem. $ is an expression character, and $$ is used internally to escape it - in this case $$ is being mistaken for that escaping. So insead of the value Akjtl$$5421, some additional escaping is needed Akjtl\$\$5421. A case could be made that the handling of $$ here is incorrect - that's due to the logic in smallrye's ExpressionConfigSourceInterceptor, which doesn't account for the possibility of $$ natually appearing in the value. I think this issue could be resolved on the keycloak side with additional documentation and a smallrye issue (smallrye/smallrye-config#1056) to clarify $$ handling. |
fix: keycloak#19831 Signed-off-by: Steve Hawkins <shawkins@redhat.com> Co-authored-by: Václav Muzikář <vaclav@muzikari.cz>
Closes: #19831 Signed-off-by: Steve Hawkins <shawkins@redhat.com> Co-authored-by: Václav Muzikář <vaclav@muzikari.cz> Co-authored-by: Alexander Schwartz <aschwart@redhat.com> Co-authored-by: andymunro <48995441+andymunro@users.noreply.github.com>
Closes: keycloak#19831 Signed-off-by: Steve Hawkins <shawkins@redhat.com> Co-authored-by: Václav Muzikář <vaclav@muzikari.cz> Co-authored-by: Alexander Schwartz <aschwart@redhat.com> Co-authored-by: andymunro <48995441+andymunro@users.noreply.github.com> Signed-off-by: ShefeeqPM <86718986+ShefeeqPM@users.noreply.github.com>
My password does not have $$ but has
|
Before reporting an issue
Area
core
Describe the bug
If i'm trying with some other application to same database i'm able to connect to SQL server , infact if i use the Driver to test connection i'm able to do that.
But when I'm using running Keycloak it fails to connect and throws the error.
2023-04-19 14:59:37,713 ERROR [org.keycloak.quarkus.runtime.cli.ExecutionExceptionHandler] (main) ERROR: Failed to obtain JDBC connection
2023-04-19 14:59:37,713 ERROR [org.keycloak.quarkus.runtime.cli.ExecutionExceptionHandler] (main) ERROR: Login failed for user 'keycloak-user'. ClientConnectionId:b3662e81-673b-4b0e-a2fc-906f8548e325
2023-04-19 14:59:37,713 ERROR [org.keycloak.quarkus.runtime.cli.ExecutionExceptionHandler] (main) For more details run the same command passing the '--verbose' option.
Version
20.0.3
Expected behavior
It should be able to connect
Actual behavior
2023-04-19 14:59:37,713 ERROR [org.keycloak.quarkus.runtime.cli.ExecutionExceptionHandler] (main) ERROR: Failed to obtain JDBC connection
2023-04-19 14:59:37,713 ERROR [org.keycloak.quarkus.runtime.cli.ExecutionExceptionHandler] (main) ERROR: Login failed for user 'keycloak-user'. ClientConnectionId:b3662e81-673b-4b0e-a2fc-906f8548e325
2023-04-19 14:59:37,713 ERROR [org.keycloak.quarkus.runtime.cli.ExecutionExceptionHandler] (main) For more details run the same command passing the '--verbose' option.
How to Reproduce?
Try to connect sql server with named instance which is running in remote machine.
Anything else?
Please fix asap , I'm blocked with it.
The text was updated successfully, but these errors were encountered: