Closed zambrovski closed 2 years ago
I am actually wondering why this comes up only with this application. Keycloak itself is doing the exact same thing when looking at jpa-changelog-master.xml:
<databaseChangeLog xmlns="http://www.liquibase.org/xml/ns/dbchangelog" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.liquibase.org/xml/ns/dbchangelog http://www.liquibase.org/xml/ns/dbchangelog/dbchangelog-3.2.xsd">
<include file="META-INF/jpa-changelog-1.0.0.Final.xml"/>
<include file="META-INF/jpa-changelog-1.0.0.Final-db2.xml"/>
<include file="META-INF/jpa-changelog-1.1.0.Beta1.xml"/>
...
So I wonder why it is considered a problem here when it is not on Keycloak?
I can agree to that. However, for some reason it seems that Keycloak itself does not call out to the actual server for the XSD. It might be that they use a different resource resolver.
What is evident is that scim-for-keycloak does fetch the XSD from the server. A simple test is to block outbound traffic from the Keycloak server and start it up.
To reproduce:
Unpack clean Keycloak 15.0.2 (maybe later)
Set up iptables to reject traffic to www.liquibase.org (right now it resolves to 35.224.204.50):
sudo iptables -A OUTPUT -d 35.224.204.50 -j REJECT
Start Keycloak and verify that it starts correctly. This validates that "vanilla" Keycloak does not call out to www.liquibase.org.
Shut down Keycloak.
Do a file deploy of scim-for-keycloak-kc-15-b1.ear
Start Keycloak. It now fails to start due to "Connection refused".
Remove the block of www.liquibase.org:
sudo iptables -D OUTPUT -d 35.224.204.50 -j REJECT
Start Keycloak; it now starts correctly since scim-for-keycloak can get the XSD file.
Just fixed it. The XML schema was added in order to prevent the outgoing call.
Thanks for the quick resolution :heart: I agree with you that it is strange that the http://... schema location works in vanilla Keycloak.
Currently, Liquibase tries to resolve the schema from the db-changes XML file. In general it is OK that this is performed, but I believe that for a security system like Keycloak it is better to provide a local copy of the XSD schema instead of letting the component access a resource from the Internet.
You already got this problem reported in https://github.com/Captain-P-Goldfish/scim-for-keycloak/issues/40, but I believe it is more stable to have the version offline.
For example, Liquibase changed some addresses as described here: https://github.com/liquibase/liquibase/issues/2448 or https://github.com/liquibase/liquibase/issues/1153.
To make your code independent from the Liquibase server setup, see the hint posted here: https://github.com/liquibase/liquibase/issues/1153#issuecomment-629219232
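The "local copy of the XSD, no Internet access" behaviour asked for above, as an added example that is not code from scim-for-keycloak, Keycloak or Liquibase: a JAXP parser that validates a changelog against a bundled XSD and is configured to refuse any network fetch of schemas or DTDs, so a remote schemaLocation fails fast instead of hanging on a blocked host. The file paths are assumptions.

```java
import java.io.File;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.transform.stream.StreamSource;
import javax.xml.validation.Schema;
import javax.xml.validation.SchemaFactory;
import org.xml.sax.SAXException;
import org.xml.sax.SAXParseException;
import org.xml.sax.helpers.DefaultHandler;

public class OfflineChangelogValidator {

    // Builds a parser that validates against the locally bundled XSD only.
    // With ACCESS_EXTERNAL_SCHEMA and ACCESS_EXTERNAL_DTD set to "" the JAXP
    // implementation is forbidden from dereferencing any http(s) location,
    // so an xsi:schemaLocation pointing at www.liquibase.org is never fetched.
    static DocumentBuilder offlineValidatingBuilder(File localXsd)
            throws SAXException, ParserConfigurationException {
        SchemaFactory sf = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);
        sf.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        sf.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        // The schema comes from disk (or classpath), never from the network.
        Schema schema = sf.newSchema(new StreamSource(localXsd));

        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        dbf.setSchema(schema);
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        dbf.setExpandEntityReferences(false);
        DocumentBuilder db = dbf.newDocumentBuilder();
        // Turn validation warnings and errors into exceptions instead of stderr noise.
        db.setErrorHandler(new DefaultHandler() {
            @Override public void warning(SAXParseException e) throws SAXException { throw e; }
            @Override public void error(SAXParseException e) throws SAXException { throw e; }
        });
        return db;
    }

    public static void main(String[] args) throws Exception {
        // Assumed paths: the XSD shipped with the deployment and the changelog to check.
        File xsd = new File(args.length > 0 ? args[0] : "src/main/resources/dbchangelog-3.2.xsd");
        File changelog = new File(args.length > 1 ? args[1] : "src/main/resources/META-INF/changelog-master.xml");
        offlineValidatingBuilder(xsd).parse(changelog);
        System.out.println("changelog validated against the local XSD without network access");
    }
}
```

Running this with outbound traffic blocked, as in the reproduction steps above, gives the same pass/fail signal as the iptables test but without needing a Keycloak start-up cycle.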