Merge pull request #1115 from mposolda/master

Fix clustering when auth-server-url-for-backend-requests is used
2015-04-02 13:13:56 +02:00 · 2015-04-02 13:13:56 +02:00 · 148b466ce4
commit 148b466ce4
parent 18e4be3cc9 6a34ad36f5
8 changed files with 18 additions and 20 deletions
--- a/core/src/main/java/org/keycloak/RSATokenVerifier.java
+++ b/core/src/main/java/org/keycloak/RSATokenVerifier.java
@ -39,7 +39,7 @@ public class RSATokenVerifier {
            throw new VerificationException("Realm URL is null. Make sure to add auth-server-url to the configuration of your adapter!");
        }
        if (!realmUrl.equals(token.getIssuer())) {
-            throw new VerificationException("Token audience doesn't match domain.");
+            throw new VerificationException("Token audience doesn't match domain. Token issuer is " + token.getIssuer() + ", but URL from configuration is " + realmUrl);

        }
        if (checkActive && !token.isActive()) {
--- a/examples/demo-template/testrealm.json
+++ b/examples/demo-template/testrealm.json
@ -146,16 +146,6 @@
            "adminUrl": "/database",
            "baseUrl": "/database",
            "bearerOnly": true
-        },
-        {
-            "name": "rest-resources",
-            "enabled": true,
-            "publicClient": true,
-            "adminUrl": "/rest-resources",
-            "baseUrl": "/rest-resources",
-            "redirectUris": [
-                "/rest-resources/*"
-            ]
        }
    ],
    "oauthClients": [
--- a/examples/fuse/camel/src/main/java/org/keycloak/example/CamelHelloProcessor.java
+++ b/examples/fuse/camel/src/main/java/org/keycloak/example/CamelHelloProcessor.java
@ -20,7 +20,6 @@ public class CamelHelloProcessor implements Processor {
        String username = accessToken.getPreferredUsername();
        String fullName = accessToken.getName();

-        // send a html response with fullName from LDAP
        exchange.getOut().setBody("Hello " + username + "! Your full name is " + fullName + ".");
    }
 }
--- a/examples/fuse/fuse-admin/README.md
+++ b/examples/fuse/fuse-admin/README.md
@ -29,10 +29,10 @@ This file contains configuration of the client application, which is used by JAA
 
 4) Start Fuse and install `keycloak` JAAS realm into Fuse. This could be done easily by installing `keycloak-jaas` feature, which has JAAS realm predefined 
 (you are able to override it by using your own `keycloak` JAAS realm with higher ranking). As long as you already installed `keycloak-fuse-example` feature as mentioned 
-in [examples readme](../README.md), you can skip this step as `keycloak-jaas` is installed already. Otherwise use those commands (replace Keycloak version with current one):
+in [examples readme](../README.md), you can skip this step as `keycloak-jaas` is installed already. Otherwise use those commands (replace Keycloak version in this command with the current version):

 ```
-features:addurl mvn:org.keycloak/keycloak-osgi-features/1.1.0.Final/xml/features
+features:addurl mvn:org.keycloak/keycloak-osgi-features/1.2.0.Beta1/xml/features
 features:install keycloak-jaas
 ```

--- a/integration/adapter-core/src/main/java/org/keycloak/adapters/KeycloakDeployment.java
+++ b/integration/adapter-core/src/main/java/org/keycloak/adapters/KeycloakDeployment.java
@ -90,7 +90,8 @@ public class KeycloakDeployment {

    public void setAuthServerBaseUrl(AdapterConfig config) {
        this.authServerBaseUrl = config.getAuthServerUrl();
-        if (authServerBaseUrl == null && config.getAuthServerUrlForBackendRequests() == null) return;
+        String authServerURLForBackendReqs = config.getAuthServerUrlForBackendRequests();
+        if (authServerBaseUrl == null && authServerURLForBackendReqs == null) return;

        URI authServerUri = null;
        if (authServerBaseUrl != null) {
@ -98,7 +99,6 @@ public class KeycloakDeployment {
        }

        if (authServerUri == null || authServerUri.getHost() == null) {
-            String authServerURLForBackendReqs = config.getAuthServerUrlForBackendRequests();
            if (authServerURLForBackendReqs != null) {
                relativeUrls = RelativeUrlsUsed.BROWSER_ONLY;

@ -116,7 +116,13 @@ public class KeycloakDeployment {
            relativeUrls = RelativeUrlsUsed.NEVER;
            KeycloakUriBuilder serverBuilder = KeycloakUriBuilder.fromUri(authServerBaseUrl);
            resolveBrowserUrls(serverBuilder);
+
+            if (authServerURLForBackendReqs == null) {
                resolveNonBrowserUrls(serverBuilder);
+            } else {
+                serverBuilder = KeycloakUriBuilder.fromUri(authServerURLForBackendReqs);
+                resolveNonBrowserUrls(serverBuilder);
+            }
        }
    }

@ -132,6 +138,7 @@ public class KeycloakDeployment {

        String login = authUrlBuilder.clone().path(ServiceUrlConstants.AUTH_PATH).build(getRealm()).toString();
        authUrl = KeycloakUriBuilder.fromUri(login);
+        realmInfoUrl = authUrlBuilder.clone().path(ServiceUrlConstants.REALM_INFO_PATH).build(getRealm()).toString();
    }

    /**
@ -145,7 +152,6 @@ public class KeycloakDeployment {
        tokenUrl = authUrlBuilder.clone().path(ServiceUrlConstants.TOKEN_PATH).build(getRealm()).toString();
        logoutUrl = KeycloakUriBuilder.fromUri(authUrlBuilder.clone().path(ServiceUrlConstants.TOKEN_SERVICE_LOGOUT_PATH).build(getRealm()).toString());
        accountUrl = authUrlBuilder.clone().path(ServiceUrlConstants.ACCOUNT_SERVICE_PATH).build(getRealm()).toString();
-        realmInfoUrl = authUrlBuilder.clone().path(ServiceUrlConstants.REALM_INFO_PATH).build(getRealm()).toString();
        registerNodeUrl = authUrlBuilder.clone().path(ServiceUrlConstants.CLIENTS_MANAGEMENT_REGISTER_NODE_PATH).build(getRealm()).toString();
        unregisterNodeUrl = authUrlBuilder.clone().path(ServiceUrlConstants.CLIENTS_MANAGEMENT_UNREGISTER_NODE_PATH).build(getRealm()).toString();
    }
--- a/integration/adapter-core/src/main/java/org/keycloak/adapters/OAuthRequestAuthenticator.java
+++ b/integration/adapter-core/src/main/java/org/keycloak/adapters/OAuthRequestAuthenticator.java
@ -322,7 +322,7 @@ public class OAuthRequestAuthenticator {
            }
            log.debug("Token Verification succeeded!");
        } catch (VerificationException e) {
-            log.error("failed verification of token");
+            log.error("failed verification of token: " + e.getMessage());
            return challenge(403);
        }
        if (tokenResponse.getNotBeforePolicy() > deployment.getNotBefore()) {
--- a/integration/adapter-core/src/test/java/org/keycloak/adapters/KeycloakDeploymentBuilderTest.java
+++ b/integration/adapter-core/src/test/java/org/keycloak/adapters/KeycloakDeploymentBuilderTest.java
@ -33,7 +33,7 @@ public class KeycloakDeploymentBuilderTest {
        assertTrue(deployment.isExposeToken());
        assertEquals("234234-234234-234234", deployment.getResourceCredentials().get("secret"));
        assertEquals(20, ((ThreadSafeClientConnManager) deployment.getClient().getConnectionManager()).getMaxTotal());
-        assertEquals("https://localhost:8443/auth/realms/demo/protocol/openid-connect/token", deployment.getTokenUrl());
+        assertEquals("https://backend:8443/auth/realms/demo/protocol/openid-connect/token", deployment.getTokenUrl());
        assertTrue(deployment.isAlwaysRefreshToken());
        assertTrue(deployment.isRegisterNodeAtStartup());
        assertEquals(1000, deployment.getRegisterNodePeriod());
--- a/testsuite/docker-cluster/shared-files/deploy-examples.sh
+++ b/testsuite/docker-cluster/shared-files/deploy-examples.sh
@ -33,6 +33,9 @@ for I in *.war/WEB-INF/keycloak.json; do
  sed -i -e 's/\"bearer-only\" : true,/&\n    \"credentials\" : \{ \"secret\": \"password\" \},/' $I;
 done;

+# Configure database.war
+sed -i -e 's/\"auth-server-url\": \"\/auth\",/\"auth-server-url\": \"http:\/\/localhost:8000\/auth\",/' database.war/WEB-INF/keycloak.json;
+
 # Enable distributable for customer-portal
 sed -i -e 's/<\/module-name>/&\n    <distributable \/>/' customer-portal.war/WEB-INF/web.xml