Merge pull request #4544 from ssilvert/kc4952-header-info-disclosure

KEYCLOAK-4952: Header information disclosure
2017-10-10 12:33:13 -04:00 · 2017-10-10 12:33:13 -04:00 · 1ec2647b25
commit 1ec2647b25
parent d336667972 6082e49252
8 changed files with 98 additions and 14 deletions
--- a/distribution/feature-packs/server-feature-pack/src/main/resources/configuration/domain/subsystems.xml
+++ b/distribution/feature-packs/server-feature-pack/src/main/resources/configuration/domain/subsystems.xml
@ -37,7 +37,7 @@
        <subsystem>security.xml</subsystem>
        <subsystem>security-manager.xml</subsystem>
        <subsystem>transactions.xml</subsystem>
-        <subsystem>undertow.xml</subsystem>
+        <subsystem>keycloak-undertow.xml</subsystem>
        <subsystem>keycloak-server.xml</subsystem>
    </subsystems>
    <subsystems name="auth-server-clustered">
@ -64,7 +64,7 @@
        <subsystem>security.xml</subsystem>
        <subsystem>security-manager.xml</subsystem>
        <subsystem>transactions.xml</subsystem>
-        <subsystem supplement="ha">undertow.xml</subsystem>
+        <subsystem supplement="ha">keycloak-undertow.xml</subsystem>
        <subsystem>keycloak-server.xml</subsystem>
    </subsystems>
    <subsystems name="load-balancer">
--- a/distribution/feature-packs/server-feature-pack/src/main/resources/configuration/standalone/subsystems-ha.xml
+++ b/distribution/feature-packs/server-feature-pack/src/main/resources/configuration/standalone/subsystems-ha.xml
@ -41,7 +41,7 @@
        <subsystem supplement="standalone-wildfly">elytron.xml</subsystem>
        <subsystem>security.xml</subsystem>
        <subsystem>transactions.xml</subsystem>
-        <subsystem supplement="ha">undertow.xml</subsystem>
+        <subsystem supplement="ha">keycloak-undertow.xml</subsystem>
        <subsystem>keycloak-server.xml</subsystem>
    </subsystems>
 </config>
--- a/distribution/feature-packs/server-feature-pack/src/main/resources/configuration/standalone/subsystems.xml
+++ b/distribution/feature-packs/server-feature-pack/src/main/resources/configuration/standalone/subsystems.xml
@ -39,7 +39,7 @@
       <subsystem supplement="standalone-wildfly">elytron.xml</subsystem>
       <subsystem>security.xml</subsystem>
       <subsystem>transactions.xml</subsystem>
-       <subsystem>undertow.xml</subsystem>
+       <subsystem>keycloak-undertow.xml</subsystem>
       <subsystem>keycloak-server.xml</subsystem>
   </subsystems>
 </config>
--- a/distribution/feature-packs/server-feature-pack/src/main/resources/content/bin/migrate-domain-clustered.cli
+++ b/distribution/feature-packs/server-feature-pack/src/main/resources/content/bin/migrate-domain-clustered.cli
@ -54,11 +54,12 @@ end-if
 set persistenceProvider=jpa

 # Migrate from 2.1.0 to 2.2.0
-if (outcome == failed) of /profile=$clusteredProfile/subsystem=infinispan/cache-container=keycloak/distributed-cache=authorization/:read-resource
-  echo Additing distributed-cache=authorization
-  /profile=$clusteredProfile/subsystem=infinispan/cache-container=keycloak/distributed-cache=authorization/:add(mode=SYNC,owners=1)
-  echo
-end-if
+# Do not add distributed-cache=authorization.  This is now removed.
+#if (outcome == failed) of /profile=$clusteredProfile/subsystem=infinispan/cache-container=keycloak/distributed-cache=authorization/:read-resource
+#  echo Additing distributed-cache=authorization
+#  /profile=$clusteredProfile/subsystem=infinispan/cache-container=keycloak/distributed-cache=authorization/:add(mode=SYNC,owners=1)
+#  echo
+#end-if
 if (result == update) of /profile=$clusteredProfile/subsystem=keycloak-server/spi=connectionsJpa/provider=default/:map-get(name=properties,key=databaseSchema)
  echo Updating connectionsJpa default properties...
  /profile=$clusteredProfile/subsystem=keycloak-server/spi=connectionsJpa/provider=default/:map-remove(name=properties,key=databaseSchema)
@ -225,4 +226,13 @@ if (outcome == success) of /profile=$clusteredProfile/subsystem=infinispan/cache
  echo
 end-if

+# Migrate from 3.2.0 to 3.4.0
+if (outcome == success) of /profile=$clusteredProfile/subsystem=undertow/server=default-server/host=default-host/filter-ref=server-header/:read-resource
+  echo Removing X-Powered-By and Server headers from Keycloak responses...
+  /profile=$clusteredProfile/subsystem=undertow/server=default-server/host=default-host/filter-ref=server-header/:remove
+  /profile=$clusteredProfile/subsystem=undertow/server=default-server/host=default-host/filter-ref=x-powered-by-header/:remove
+  /profile=$clusteredProfile/subsystem=undertow/configuration=filter/response-header=x-powered-by-header/:remove
+  /profile=$clusteredProfile/subsystem=undertow/configuration=filter/response-header=server-header/:remove
+end-if
+
 echo *** End Migration of /profile=$clusteredProfile ***
--- a/distribution/feature-packs/server-feature-pack/src/main/resources/content/bin/migrate-domain-standalone.cli
+++ b/distribution/feature-packs/server-feature-pack/src/main/resources/content/bin/migrate-domain-standalone.cli
@ -205,4 +205,13 @@ if (outcome == failed) of /profile=$standaloneProfile/subsystem=infinispan/cache
  echo
 end-if

+# Migrate from 3.2.0 to 3.4.0
+if (outcome == success) of /profile=$standaloneProfile/subsystem=undertow/server=default-server/host=default-host/filter-ref=server-header/:read-resource
+  echo Removing X-Powered-By and Server headers from Keycloak responses...
+  /profile=$standaloneProfile/subsystem=undertow/server=default-server/host=default-host/filter-ref=server-header/:remove
+  /profile=$standaloneProfile/subsystem=undertow/server=default-server/host=default-host/filter-ref=x-powered-by-header/:remove
+  /profile=$standaloneProfile/subsystem=undertow/configuration=filter/response-header=x-powered-by-header/:remove
+  /profile=$standaloneProfile/subsystem=undertow/configuration=filter/response-header=server-header/:remove
+end-if
+
 echo *** End Migration of /profile=$standaloneProfile ***
--- a/distribution/feature-packs/server-feature-pack/src/main/resources/content/bin/migrate-standalone-ha.cli
+++ b/distribution/feature-packs/server-feature-pack/src/main/resources/content/bin/migrate-standalone-ha.cli
@ -60,11 +60,12 @@ if (outcome == failed) of /subsystem=deployment-scanner/scanner=default/:read-re
  /subsystem=deployment-scanner/scanner=default/:add(path=deployments,relative-to=jboss.server.base.dir,runtime-failure-causes-rollback=${jboss.deployment.scanner.rollback.on.failure:false},scan-interval=5000)
  echo
 end-if
-if (outcome == failed) of /subsystem=infinispan/cache-container=keycloak/distributed-cache=authorization/:read-resource
-  echo Additing distributed-cache=authorization
-  /subsystem=infinispan/cache-container=keycloak/distributed-cache=authorization/:add(mode=SYNC,owners=1)
-  echo
-end-if
+# Do not add.  This is now removed.
+#if (outcome == failed) of /subsystem=infinispan/cache-container=keycloak/distributed-cache=authorization/:read-resource
+#  echo Adding distributed-cache=authorization
+#  /subsystem=infinispan/cache-container=keycloak/distributed-cache=authorization/:add(mode=SYNC,owners=1)
+#  echo
+#end-if
 if (result == update) of /subsystem=keycloak-server/spi=connectionsJpa/provider=default/:map-get(name=properties,key=databaseSchema)
  echo Updating connectionsJpa default properties...
  /subsystem=keycloak-server/spi=connectionsJpa/provider=default/:map-remove(name=properties,key=databaseSchema)
@ -230,4 +231,13 @@ if (outcome == success) of /subsystem=infinispan/cache-container=keycloak/distri
  echo
 end-if

+# Migrate from 3.2.0 to 3.4.0
+if (outcome == success) of /subsystem=undertow/server=default-server/host=default-host/filter-ref=server-header/:read-resource
+  echo Removing X-Powered-By and Server headers from Keycloak responses...
+  /subsystem=undertow/server=default-server/host=default-host/filter-ref=server-header/:remove
+  /subsystem=undertow/server=default-server/host=default-host/filter-ref=x-powered-by-header/:remove
+  /subsystem=undertow/configuration=filter/response-header=x-powered-by-header/:remove
+  /subsystem=undertow/configuration=filter/response-header=server-header/:remove
+end-if
+
 echo *** End Migration ***
--- a/distribution/feature-packs/server-feature-pack/src/main/resources/content/bin/migrate-standalone.cli
+++ b/distribution/feature-packs/server-feature-pack/src/main/resources/content/bin/migrate-standalone.cli
@ -213,4 +213,12 @@ if (outcome == failed) of /subsystem=infinispan/cache-container=keycloak/local-c
  echo
 end-if

+# Migrate from 3.2.0 to 3.4.0
+if (outcome == success) of /subsystem=undertow/server=default-server/host=default-host/filter-ref=server-header/:read-resource
+  echo Removing X-Powered-By and Server headers from Keycloak responses...
+  /subsystem=undertow/server=default-server/host=default-host/filter-ref=server-header/:remove
+  /subsystem=undertow/server=default-server/host=default-host/filter-ref=x-powered-by-header/:remove
+  /subsystem=undertow/configuration=filter/response-header=x-powered-by-header/:remove
+  /subsystem=undertow/configuration=filter/response-header=server-header/:remove
+end-if
 echo *** End Migration ***
--- a/wildfly/server-subsystem/src/main/resources/subsystem-templates/keycloak-undertow.xml
+++ b/wildfly/server-subsystem/src/main/resources/subsystem-templates/keycloak-undertow.xml
@ -0,0 +1,47 @@
+<?xml version='1.0' encoding='UTF-8'?>
+<!--
+  ~ Copyright 2016 Red Hat, Inc. and/or its affiliates
+  ~ and other contributors as indicated by the @author tags.
+  ~
+  ~ Licensed under the Apache License, Version 2.0 (the "License");
+  ~ you may not use this file except in compliance with the License.
+  ~ You may obtain a copy of the License at
+  ~
+  ~ http://www.apache.org/licenses/LICENSE-2.0
+  ~
+  ~ Unless required by applicable law or agreed to in writing, software
+  ~ distributed under the License is distributed on an "AS IS" BASIS,
+  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  ~ See the License for the specific language governing permissions and
+  ~ limitations under the License.
+  -->
+<config>
+    <extension-module>org.wildfly.extension.undertow</extension-module>
+    <subsystem xmlns="urn:jboss:domain:undertow:4.0">
+        <buffer-cache name="default" />
+        <server name="default-server">
+            <?AJP?>
+            <http-listener name="default" socket-binding="http" redirect-socket="https" enable-http2="true" />
+            <https-listener name="https" socket-binding="https" security-realm="ApplicationRealm" enable-http2="true" />
+            <host name="default-host" alias="localhost">
+                <location name="/" handler="welcome-content" />
+                <http-invoker security-realm="ApplicationRealm"/>
+            </host>
+        </server>
+        <servlet-container name="default">
+            <jsp-config/>
+            <websockets/>
+        </servlet-container>
+        <handlers>
+            <file name="welcome-content" path="${jboss.home.dir}/welcome-content" />
+        </handlers>
+    </subsystem>
+    <supplement name="ha">
+        <replacement placeholder="AJP">
+            <ajp-listener name="ajp" socket-binding="ajp" />
+        </replacement>
+    </supplement>
+    <socket-binding name="http" port="${jboss.http.port:8080}"/>
+    <socket-binding name="https" port="${jboss.https.port:8443}"/>
+    <socket-binding name="ajp" port="${jboss.ajp.port:8009}"/>
+</config>