> it = checks.iterator(); it.hasNext();) {
+ if (it.next().getClass() == checkClass) {
+ it.remove();
+ }
+ }
+ }
+
+ private void removeCheck(Predicate check) {
+ checks.remove(check);
+ }
+
+ private > TokenVerifier replaceCheck(Class> checkClass, boolean active, P predicate) {
+ removeCheck(checkClass);
+ if (active) {
+ checks.add(predicate);
+ }
+ return this;
+ }
+
+ private > TokenVerifier replaceCheck(Predicate check, boolean active, P predicate) {
+ removeCheck(check);
+ if (active) {
+ checks.add(predicate);
+ }
+ return this;
+ }
+
+ /**
+ * Will test the given checks in {@link #verify()} method in addition to already set checks.
+ * @param checks
+ * @return
+ */
+ public TokenVerifier withChecks(Predicate... checks) {
+ if (checks != null) {
+ this.checks.addAll(Arrays.asList(checks));
+ }
+ return this;
+ }
+
+ /**
+ * Sets the key for verification of RSA-based signature.
+ * @param publicKey
+ * @return
+ */
+ public TokenVerifier publicKey(PublicKey publicKey) {
this.publicKey = publicKey;
return this;
}
- public TokenVerifier secretKey(SecretKey secretKey) {
+ /**
+ * Sets the key for verification of HMAC-based signature.
+ * @param secretKey
+ * @return
+ */
+ public TokenVerifier secretKey(SecretKey secretKey) {
this.secretKey = secretKey;
return this;
}
- public TokenVerifier realmUrl(String realmUrl) {
+ /**
+ * @deprecated This method is here only for backward compatibility with previous version of {@code TokenVerifier}.
+ * @return This token verifier
+ */
+ public TokenVerifier realmUrl(String realmUrl) {
this.realmUrl = realmUrl;
- return this;
+ return replaceCheck(RealmUrlCheck.class, checkRealmUrl, new RealmUrlCheck(realmUrl));
}
- public TokenVerifier checkTokenType(boolean checkTokenType) {
+ /**
+ * @deprecated This method is here only for backward compatibility with previous version of {@code TokenVerifier}.
+ * @return This token verifier
+ */
+ public TokenVerifier checkTokenType(boolean checkTokenType) {
this.checkTokenType = checkTokenType;
- return this;
+ return replaceCheck(TokenTypeCheck.class, this.checkTokenType, new TokenTypeCheck(expectedTokenType));
}
- public TokenVerifier checkActive(boolean checkActive) {
- this.checkActive = checkActive;
- return this;
+ /**
+ * @deprecated This method is here only for backward compatibility with previous version of {@code TokenVerifier}.
+ * @return This token verifier
+ */
+ public TokenVerifier tokenType(String tokenType) {
+ this.expectedTokenType = tokenType;
+ return replaceCheck(TokenTypeCheck.class, this.checkTokenType, new TokenTypeCheck(expectedTokenType));
}
- public TokenVerifier checkRealmUrl(boolean checkRealmUrl) {
+ /**
+ * @deprecated This method is here only for backward compatibility with previous version of {@code TokenVerifier}.
+ * @return This token verifier
+ */
+ public TokenVerifier checkActive(boolean checkActive) {
+ return replaceCheck(IS_ACTIVE, checkActive, IS_ACTIVE);
+ }
+
+ /**
+ * @deprecated This method is here only for backward compatibility with previous version of {@code TokenVerifier}.
+ * @return This token verifier
+ */
+ public TokenVerifier checkRealmUrl(boolean checkRealmUrl) {
this.checkRealmUrl = checkRealmUrl;
- return this;
+ return replaceCheck(RealmUrlCheck.class, this.checkRealmUrl, new RealmUrlCheck(realmUrl));
}
- public TokenVerifier parse() throws VerificationException {
+ public TokenVerifier parse() throws VerificationException {
if (jws == null) {
if (tokenString == null) {
throw new VerificationException("Token not set");
@@ -100,7 +314,7 @@ public class TokenVerifier {
try {
- token = jws.readJsonContent(AccessToken.class);
+ token = jws.readJsonContent(clazz);
} catch (JWSInputException e) {
throw new VerificationException("Failed to read access token from JWT", e);
}
@@ -108,8 +322,10 @@ public class TokenVerifier {
return this;
}
- public AccessToken getToken() throws VerificationException {
- parse();
+ public T getToken() throws VerificationException {
+ if (token == null) {
+ parse();
+ }
return token;
}
@@ -118,53 +334,97 @@ public class TokenVerifier {
return jws.getHeader();
}
- public TokenVerifier verify() throws VerificationException {
- parse();
-
- if (checkRealmUrl && realmUrl == null) {
- throw new VerificationException("Realm URL not set");
- }
-
+ public void verifySignature() throws VerificationException {
AlgorithmType algorithmType = getHeader().getAlgorithm().getType();
- if (AlgorithmType.RSA.equals(algorithmType)) {
- if (publicKey == null) {
- throw new VerificationException("Public key not set");
- }
+ if (null == algorithmType) {
+ throw new VerificationException("Unknown or unsupported token algorithm");
+ } else switch (algorithmType) {
+ case RSA:
+ if (publicKey == null) {
+ throw new VerificationException("Public key not set");
+ }
+ if (!RSAProvider.verify(jws, publicKey)) {
+ throw new TokenSignatureInvalidException(token, "Invalid token signature");
+ } break;
+ case HMAC:
+ if (secretKey == null) {
+ throw new VerificationException("Secret key not set");
+ }
+ if (!HMACProvider.verify(jws, secretKey)) {
+ throw new TokenSignatureInvalidException(token, "Invalid token signature");
+ } break;
+ default:
+ throw new VerificationException("Unknown or unsupported token algorithm");
+ }
+ }
- if (!RSAProvider.verify(jws, publicKey)) {
- throw new VerificationException("Invalid token signature");
- }
- } else if (AlgorithmType.HMAC.equals(algorithmType)) {
- if (secretKey == null) {
- throw new VerificationException("Secret key not set");
- }
-
- if (!HMACProvider.verify(jws, secretKey)) {
- throw new VerificationException("Invalid token signature");
- }
- } else {
- throw new VerificationException("Unknown or unsupported token algorith");
+ public TokenVerifier verify() throws VerificationException {
+ if (getToken() == null) {
+ parse();
+ }
+ if (jws != null) {
+ verifySignature();
}
- String user = token.getSubject();
- if (user == null) {
- throw new VerificationException("Subject missing in token");
- }
-
- if (checkRealmUrl && !realmUrl.equals(token.getIssuer())) {
- throw new VerificationException("Invalid token issuer. Expected '" + realmUrl + "', but was '" + token.getIssuer() + "'");
- }
-
- if (checkTokenType && !TokenUtil.TOKEN_TYPE_BEARER.equalsIgnoreCase(token.getType())) {
- throw new VerificationException("Token type is incorrect. Expected '" + TokenUtil.TOKEN_TYPE_BEARER + "' but was '" + token.getType() + "'");
- }
-
- if (checkActive && !token.isActive()) {
- throw new VerificationException("Token is not active");
+ for (Predicate check : checks) {
+ if (! check.test(getToken())) {
+ throw new VerificationException("JWT check failed for check " + check);
+ }
}
return this;
}
+ /**
+ * Creates an optional predicate from a predicate that will proceed with check but always pass.
+ * @param
+ * @param mandatoryPredicate
+ * @return
+ */
+ public static Predicate optional(final Predicate mandatoryPredicate) {
+ return new Predicate() {
+ @Override
+ public boolean test(T t) throws VerificationException {
+ try {
+ if (! mandatoryPredicate.test(t)) {
+ LOG.finer("[optional] predicate failed: " + mandatoryPredicate);
+ }
+
+ return true;
+ } catch (VerificationException ex) {
+ LOG.log(Level.FINER, "[optional] predicate " + mandatoryPredicate + " failed.", ex);
+ return true;
+ }
+ }
+ };
+ }
+
+ /**
+ * Creates a predicate that will proceed with checks of the given predicates
+ * and will pass if and only if at least one of the given predicates passes.
+ * @param
+ * @param predicates
+ * @return
+ */
+ public static Predicate alternative(final Predicate... predicates) {
+ return new Predicate() {
+ @Override
+ public boolean test(T t) throws VerificationException {
+ for (Predicate predicate : predicates) {
+ try {
+ if (predicate.test(t)) {
+ return true;
+ }
+
+ LOG.finer("[alternative] predicate failed: " + predicate);
+ } catch (VerificationException ex) {
+ LOG.log(Level.FINER, "[alternative] predicate " + predicate + " failed.", ex);
+ }
+ }
+
+ return false;
+ }
+ };
+ }
}
diff --git a/core/src/main/java/org/keycloak/exceptions/TokenNotActiveException.java b/core/src/main/java/org/keycloak/exceptions/TokenNotActiveException.java
new file mode 100644
index 0000000000..4740567539
--- /dev/null
+++ b/core/src/main/java/org/keycloak/exceptions/TokenNotActiveException.java
@@ -0,0 +1,44 @@
+/*
+ * Copyright 2017 Red Hat, Inc. and/or its affiliates
+ * and other contributors as indicated by the @author tags.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.exceptions;
+
+import org.keycloak.representations.JsonWebToken;
+
+/**
+ * Exception thrown for cases when token is invalid due to time constraints (expired, or not yet valid).
+ * Cf. {@link JsonWebToken#isActive()}.
+ * @author hmlnarik
+ */
+public class TokenNotActiveException extends TokenVerificationException {
+
+ public TokenNotActiveException(JsonWebToken token) {
+ super(token);
+ }
+
+ public TokenNotActiveException(JsonWebToken token, String message) {
+ super(token, message);
+ }
+
+ public TokenNotActiveException(JsonWebToken token, String message, Throwable cause) {
+ super(token, message, cause);
+ }
+
+ public TokenNotActiveException(JsonWebToken token, Throwable cause) {
+ super(token, cause);
+ }
+
+}
diff --git a/core/src/main/java/org/keycloak/exceptions/TokenSignatureInvalidException.java b/core/src/main/java/org/keycloak/exceptions/TokenSignatureInvalidException.java
new file mode 100644
index 0000000000..4d389eb8d7
--- /dev/null
+++ b/core/src/main/java/org/keycloak/exceptions/TokenSignatureInvalidException.java
@@ -0,0 +1,43 @@
+/*
+ * Copyright 2017 Red Hat, Inc. and/or its affiliates
+ * and other contributors as indicated by the @author tags.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.exceptions;
+
+import org.keycloak.representations.JsonWebToken;
+
+/**
+ * Thrown when token signature is invalid.
+ * @author hmlnarik
+ */
+public class TokenSignatureInvalidException extends TokenVerificationException {
+
+ public TokenSignatureInvalidException(JsonWebToken token) {
+ super(token);
+ }
+
+ public TokenSignatureInvalidException(JsonWebToken token, String message) {
+ super(token, message);
+ }
+
+ public TokenSignatureInvalidException(JsonWebToken token, String message, Throwable cause) {
+ super(token, message, cause);
+ }
+
+ public TokenSignatureInvalidException(JsonWebToken token, Throwable cause) {
+ super(token, cause);
+ }
+
+}
diff --git a/core/src/main/java/org/keycloak/exceptions/TokenVerificationException.java b/core/src/main/java/org/keycloak/exceptions/TokenVerificationException.java
new file mode 100644
index 0000000000..4d6b7d0177
--- /dev/null
+++ b/core/src/main/java/org/keycloak/exceptions/TokenVerificationException.java
@@ -0,0 +1,54 @@
+/*
+ * Copyright 2017 Red Hat, Inc. and/or its affiliates
+ * and other contributors as indicated by the @author tags.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.exceptions;
+
+import org.keycloak.common.VerificationException;
+import org.keycloak.representations.JsonWebToken;
+
+/**
+ * Exception thrown on failed verification of a token.
+ *
+ * @author hmlnarik
+ */
+public class TokenVerificationException extends VerificationException {
+
+ private final JsonWebToken token;
+
+ public TokenVerificationException(JsonWebToken token) {
+ this.token = token;
+ }
+
+ public TokenVerificationException(JsonWebToken token, String message) {
+ super(message);
+ this.token = token;
+ }
+
+ public TokenVerificationException(JsonWebToken token, String message, Throwable cause) {
+ super(message, cause);
+ this.token = token;
+ }
+
+ public TokenVerificationException(JsonWebToken token, Throwable cause) {
+ super(cause);
+ this.token = token;
+ }
+
+ public JsonWebToken getToken() {
+ return token;
+ }
+
+}
diff --git a/core/src/main/java/org/keycloak/representations/AccessToken.java b/core/src/main/java/org/keycloak/representations/AccessToken.java
index 4ef6831678..36778e102d 100755
--- a/core/src/main/java/org/keycloak/representations/AccessToken.java
+++ b/core/src/main/java/org/keycloak/representations/AccessToken.java
@@ -97,9 +97,6 @@ public class AccessToken extends IDToken {
}
}
- @JsonProperty("client_session")
- protected String clientSession;
-
@JsonProperty("trusted-certs")
protected Set trustedCertificates;
@@ -156,10 +153,6 @@ public class AccessToken extends IDToken {
return resourceAccess.get(resource);
}
- public String getClientSession() {
- return clientSession;
- }
-
public Access addAccess(String service) {
Access access = resourceAccess.get(service);
if (access != null) return access;
@@ -168,11 +161,6 @@ public class AccessToken extends IDToken {
return access;
}
- public AccessToken clientSession(String session) {
- this.clientSession = session;
- return this;
- }
-
@Override
public AccessToken id(String id) {
return (AccessToken) super.id(id);
diff --git a/core/src/main/java/org/keycloak/representations/RefreshToken.java b/core/src/main/java/org/keycloak/representations/RefreshToken.java
index 4b89cf6f70..3a7a95188d 100755
--- a/core/src/main/java/org/keycloak/representations/RefreshToken.java
+++ b/core/src/main/java/org/keycloak/representations/RefreshToken.java
@@ -40,7 +40,6 @@ public class RefreshToken extends AccessToken {
*/
public RefreshToken(AccessToken token) {
this();
- this.clientSession = token.getClientSession();
this.issuer = token.issuer;
this.subject = token.subject;
this.issuedFor = token.issuedFor;
diff --git a/core/src/main/java/org/keycloak/representations/idm/RealmRepresentation.java b/core/src/main/java/org/keycloak/representations/idm/RealmRepresentation.java
index b14e55bda1..670e1d8bde 100755
--- a/core/src/main/java/org/keycloak/representations/idm/RealmRepresentation.java
+++ b/core/src/main/java/org/keycloak/representations/idm/RealmRepresentation.java
@@ -46,6 +46,8 @@ public class RealmRepresentation {
protected Integer accessCodeLifespan;
protected Integer accessCodeLifespanUserAction;
protected Integer accessCodeLifespanLogin;
+ protected Integer actionTokenGeneratedByAdminLifespan;
+ protected Integer actionTokenGeneratedByUserLifespan;
protected Boolean enabled;
protected String sslRequired;
@Deprecated
@@ -338,6 +340,22 @@ public class RealmRepresentation {
this.accessCodeLifespanLogin = accessCodeLifespanLogin;
}
+ public Integer getActionTokenGeneratedByAdminLifespan() {
+ return actionTokenGeneratedByAdminLifespan;
+ }
+
+ public void setActionTokenGeneratedByAdminLifespan(Integer actionTokenGeneratedByAdminLifespan) {
+ this.actionTokenGeneratedByAdminLifespan = actionTokenGeneratedByAdminLifespan;
+ }
+
+ public Integer getActionTokenGeneratedByUserLifespan() {
+ return actionTokenGeneratedByUserLifespan;
+ }
+
+ public void setActionTokenGeneratedByUserLifespan(Integer actionTokenGeneratedByUserLifespan) {
+ this.actionTokenGeneratedByUserLifespan = actionTokenGeneratedByUserLifespan;
+ }
+
public List getDefaultRoles() {
return defaultRoles;
}
diff --git a/distribution/demo-dist/src/main/xslt/standalone.xsl b/distribution/demo-dist/src/main/xslt/standalone.xsl
index 882d1b18f5..d78ff753e7 100755
--- a/distribution/demo-dist/src/main/xslt/standalone.xsl
+++ b/distribution/demo-dist/src/main/xslt/standalone.xsl
@@ -89,9 +89,11 @@
+
+
diff --git a/distribution/feature-packs/server-feature-pack/src/main/resources/content/bin/migrate-domain-clustered.cli b/distribution/feature-packs/server-feature-pack/src/main/resources/content/bin/migrate-domain-clustered.cli
index def555ec91..0f477458de 100644
--- a/distribution/feature-packs/server-feature-pack/src/main/resources/content/bin/migrate-domain-clustered.cli
+++ b/distribution/feature-packs/server-feature-pack/src/main/resources/content/bin/migrate-domain-clustered.cli
@@ -199,4 +199,30 @@ if ((result.default-provider == undefined) && (result.provider.default.enabled =
echo
end-if
+# Migrate from 3.0.0 to 3.2.0
+if (outcome == failed) of /profile=$clusteredProfile/subsystem=infinispan/cache-container=keycloak/distributed-cache=authenticationSessions/:read-resource
+ echo Adding distributed-cache=authenticationSessions to keycloak cache container...
+ /profile=$clusteredProfile/subsystem=infinispan/cache-container=keycloak/distributed-cache=authenticationSessions/:add(mode=SYNC,owners=1)
+ echo
+end-if
+
+if (outcome == failed) of /profile=$clusteredProfile/subsystem=infinispan/cache-container=keycloak/local-cache=actionTokens/:read-resource
+ echo Adding local-cache=actionTokens to keycloak cache container...
+ /profile=$clusteredProfile/subsystem=infinispan/cache-container=keycloak/local-cache=actionTokens/:add(indexing=NONE,start=LAZY)
+ /profile=$clusteredProfile/subsystem=infinispan/cache-container=keycloak/local-cache=actionTokens/component=eviction/:write-attribute(name=strategy,value=NONE)
+ /profile=$clusteredProfile/subsystem=infinispan/cache-container=keycloak/local-cache=actionTokens/component=eviction/:write-attribute(name=max-entries,value=-1)
+ /profile=$clusteredProfile/subsystem=infinispan/cache-container=keycloak/local-cache=actionTokens/component=expiration/:write-attribute(name=interval,value=300000)
+ /profile=$clusteredProfile/subsystem=infinispan/cache-container=keycloak/local-cache=actionTokens/component=expiration/:write-attribute(name=max-idle,value=-1)
+ echo
+end-if
+
+if (outcome == success) of /profile=$clusteredProfile/subsystem=infinispan/cache-container=keycloak/distributed-cache=authorization/:read-resource
+ echo Replacing distributed-cache=authorization with local-cache=authorization
+ /profile=$clusteredProfile/subsystem=infinispan/cache-container=keycloak/distributed-cache=authorization/:remove
+ /profile=$clusteredProfile/subsystem=infinispan/cache-container=keycloak/local-cache=authorization/:add
+ /profile=$clusteredProfile/subsystem=infinispan/cache-container=keycloak/local-cache=authorization/component=eviction/:write-attribute(name=strategy,value=LRU)
+ /profile=$clusteredProfile/subsystem=infinispan/cache-container=keycloak/local-cache=authorization/component=eviction/:write-attribute(name=max-entries,value=10000)
+ echo
+end-if
+
echo *** End Migration of /profile=$clusteredProfile ***
\ No newline at end of file
diff --git a/distribution/feature-packs/server-feature-pack/src/main/resources/content/bin/migrate-domain-standalone.cli b/distribution/feature-packs/server-feature-pack/src/main/resources/content/bin/migrate-domain-standalone.cli
index 4547b2ac8b..fc01c29cc1 100644
--- a/distribution/feature-packs/server-feature-pack/src/main/resources/content/bin/migrate-domain-standalone.cli
+++ b/distribution/feature-packs/server-feature-pack/src/main/resources/content/bin/migrate-domain-standalone.cli
@@ -187,4 +187,22 @@ if ((result.default-provider == undefined) && (result.provider.default.enabled =
echo
end-if
+
+# Migrate from 3.0.0 to 3.2.0
+if (outcome == failed) of /profile=$standaloneProfile/subsystem=infinispan/cache-container=keycloak/local-cache=authenticationSessions/:read-resource
+ echo Adding local-cache=authenticationSessions to keycloak cache container...
+ /profile=$standaloneProfile/subsystem=infinispan/cache-container=keycloak/local-cache=authenticationSessions/:add(indexing=NONE,start=LAZY)
+ echo
+end-if
+
+if (outcome == failed) of /profile=$standaloneProfile/subsystem=infinispan/cache-container=keycloak/local-cache=actionTokens/:read-resource
+ echo Adding local-cache=actionTokens to keycloak cache container...
+ /profile=$standaloneProfile/subsystem=infinispan/cache-container=keycloak/local-cache=actionTokens/:add(indexing=NONE,start=LAZY)
+ /profile=$standaloneProfile/subsystem=infinispan/cache-container=keycloak/local-cache=actionTokens/component=eviction/:write-attribute(name=strategy,value=NONE)
+ /profile=$standaloneProfile/subsystem=infinispan/cache-container=keycloak/local-cache=actionTokens/component=eviction/:write-attribute(name=max-entries,value=-1)
+ /profile=$standaloneProfile/subsystem=infinispan/cache-container=keycloak/local-cache=actionTokens/component=expiration/:write-attribute(name=interval,value=300000)
+ /profile=$standaloneProfile/subsystem=infinispan/cache-container=keycloak/local-cache=actionTokens/component=expiration/:write-attribute(name=max-idle,value=-1)
+ echo
+end-if
+
echo *** End Migration of /profile=$standaloneProfile ***
\ No newline at end of file
diff --git a/distribution/feature-packs/server-feature-pack/src/main/resources/content/bin/migrate-standalone-ha.cli b/distribution/feature-packs/server-feature-pack/src/main/resources/content/bin/migrate-standalone-ha.cli
index 65b6ef96ec..4d5fac67db 100644
--- a/distribution/feature-packs/server-feature-pack/src/main/resources/content/bin/migrate-standalone-ha.cli
+++ b/distribution/feature-packs/server-feature-pack/src/main/resources/content/bin/migrate-standalone-ha.cli
@@ -203,4 +203,31 @@ if ((result.default-provider == undefined) && (result.provider.default.enabled =
/subsystem=keycloak-server/spi=connectionsInfinispan/:write-attribute(name=default-provider,value=default)
echo
end-if
+
+# Migrate from 3.0.0 to 3.2.0
+if (outcome == failed) of /subsystem=infinispan/cache-container=keycloak/distributed-cache=authenticationSessions/:read-resource
+ echo Adding distributed-cache=authenticationSessions to keycloak cache container...
+ /subsystem=infinispan/cache-container=keycloak/distributed-cache=authenticationSessions/:add(mode=SYNC,owners=1)
+ echo
+end-if
+
+if (outcome == failed) of /subsystem=infinispan/cache-container=keycloak/local-cache=actionTokens/:read-resource
+ echo Adding local-cache=actionTokens to keycloak cache container...
+ /subsystem=infinispan/cache-container=keycloak/local-cache=actionTokens/:add(indexing=NONE,start=LAZY)
+ /subsystem=infinispan/cache-container=keycloak/local-cache=actionTokens/component=eviction/:write-attribute(name=strategy,value=NONE)
+ /subsystem=infinispan/cache-container=keycloak/local-cache=actionTokens/component=eviction/:write-attribute(name=max-entries,value=-1)
+ /subsystem=infinispan/cache-container=keycloak/local-cache=actionTokens/component=expiration/:write-attribute(name=interval,value=300000)
+ /subsystem=infinispan/cache-container=keycloak/local-cache=actionTokens/component=expiration/:write-attribute(name=max-idle,value=-1)
+ echo
+end-if
+
+if (outcome == success) of /subsystem=infinispan/cache-container=keycloak/distributed-cache=authorization/:read-resource
+ echo Replacing distributed-cache=authorization with local-cache=authorization
+ /subsystem=infinispan/cache-container=keycloak/distributed-cache=authorization/:remove
+ /subsystem=infinispan/cache-container=keycloak/local-cache=authorization/:add
+ /subsystem=infinispan/cache-container=keycloak/local-cache=authorization/component=eviction/:write-attribute(name=strategy,value=LRU)
+ /subsystem=infinispan/cache-container=keycloak/local-cache=authorization/component=eviction/:write-attribute(name=max-entries,value=10000)
+ echo
+end-if
+
echo *** End Migration ***
\ No newline at end of file
diff --git a/distribution/feature-packs/server-feature-pack/src/main/resources/content/bin/migrate-standalone.cli b/distribution/feature-packs/server-feature-pack/src/main/resources/content/bin/migrate-standalone.cli
index 3e0515deed..517759f3bb 100644
--- a/distribution/feature-packs/server-feature-pack/src/main/resources/content/bin/migrate-standalone.cli
+++ b/distribution/feature-packs/server-feature-pack/src/main/resources/content/bin/migrate-standalone.cli
@@ -195,4 +195,22 @@ if ((result.default-provider == undefined) && (result.provider.default.enabled =
echo
end-if
+
+# Migrate from 3.0.0 to 3.2.0
+if (outcome == failed) of /subsystem=infinispan/cache-container=keycloak/local-cache=authenticationSessions/:read-resource
+ echo Adding local-cache=authenticationSessions to keycloak cache container...
+ /subsystem=infinispan/cache-container=keycloak/local-cache=authenticationSessions/:add(indexing=NONE,start=LAZY)
+ echo
+end-if
+
+if (outcome == failed) of /subsystem=infinispan/cache-container=keycloak/local-cache=actionTokens/:read-resource
+ echo Adding local-cache=actionTokens to keycloak cache container...
+ /subsystem=infinispan/cache-container=keycloak/local-cache=actionTokens/:add(indexing=NONE,start=LAZY)
+ /subsystem=infinispan/cache-container=keycloak/local-cache=actionTokens/component=eviction/:write-attribute(name=strategy,value=NONE)
+ /subsystem=infinispan/cache-container=keycloak/local-cache=actionTokens/component=eviction/:write-attribute(name=max-entries,value=-1)
+ /subsystem=infinispan/cache-container=keycloak/local-cache=actionTokens/component=expiration/:write-attribute(name=interval,value=300000)
+ /subsystem=infinispan/cache-container=keycloak/local-cache=actionTokens/component=expiration/:write-attribute(name=max-idle,value=-1)
+ echo
+end-if
+
echo *** End Migration ***
\ No newline at end of file
diff --git a/distribution/feature-packs/server-feature-pack/src/main/resources/modules/system/layers/keycloak/org/keycloak/keycloak-model-infinispan/main/module.xml b/distribution/feature-packs/server-feature-pack/src/main/resources/modules/system/layers/keycloak/org/keycloak/keycloak-model-infinispan/main/module.xml
index e7fdb8abed..4388f83dfc 100755
--- a/distribution/feature-packs/server-feature-pack/src/main/resources/modules/system/layers/keycloak/org/keycloak/keycloak-model-infinispan/main/module.xml
+++ b/distribution/feature-packs/server-feature-pack/src/main/resources/modules/system/layers/keycloak/org/keycloak/keycloak-model-infinispan/main/module.xml
@@ -33,6 +33,7 @@
+
diff --git a/distribution/server-overlay/src/main/cli/keycloak-install-base.cli b/distribution/server-overlay/src/main/cli/keycloak-install-base.cli
index f24502ae4e..5ce3122fa8 100644
--- a/distribution/server-overlay/src/main/cli/keycloak-install-base.cli
+++ b/distribution/server-overlay/src/main/cli/keycloak-install-base.cli
@@ -6,6 +6,7 @@ embed-server --server-config=standalone.xml
/subsystem=infinispan/cache-container=keycloak/local-cache=users:add()
/subsystem=infinispan/cache-container=keycloak/local-cache=users/eviction=EVICTION:add(max-entries=10000,strategy=LRU)
/subsystem=infinispan/cache-container=keycloak/local-cache=sessions:add()
+/subsystem=infinispan/cache-container=keycloak/local-cache=authenticationSessions:add()
/subsystem=infinispan/cache-container=keycloak/local-cache=offlineSessions:add()
/subsystem=infinispan/cache-container=keycloak/local-cache=loginFailures:add()
/subsystem=infinispan/cache-container=keycloak/local-cache=work:add()
@@ -14,4 +15,7 @@ embed-server --server-config=standalone.xml
/subsystem=infinispan/cache-container=keycloak/local-cache=keys:add()
/subsystem=infinispan/cache-container=keycloak/local-cache=keys/eviction=EVICTION:add(max-entries=1000,strategy=LRU)
/subsystem=infinispan/cache-container=keycloak/local-cache=keys/expiration=EXPIRATION:add(max-idle=3600000)
+/subsystem=infinispan/cache-container=keycloak/local-cache=actionTokens:add()
+/subsystem=infinispan/cache-container=keycloak/local-cache=actionTokens/eviction=EVICTION:add(max-entries=-1,strategy=NONE)
+/subsystem=infinispan/cache-container=keycloak/local-cache=actionTokens/expiration=EXPIRATION:add(max-idle=-1,interval=300000)
/extension=org.keycloak.keycloak-server-subsystem/:add(module=org.keycloak.keycloak-server-subsystem)
diff --git a/distribution/server-overlay/src/main/cli/keycloak-install-ha-base.cli b/distribution/server-overlay/src/main/cli/keycloak-install-ha-base.cli
index ec2b56ff23..4710eb8a82 100644
--- a/distribution/server-overlay/src/main/cli/keycloak-install-ha-base.cli
+++ b/distribution/server-overlay/src/main/cli/keycloak-install-ha-base.cli
@@ -7,6 +7,7 @@ embed-server --server-config=standalone-ha.xml
/subsystem=infinispan/cache-container=keycloak/local-cache=users:add()
/subsystem=infinispan/cache-container=keycloak/local-cache=users/eviction=EVICTION:add(max-entries=10000,strategy=LRU)
/subsystem=infinispan/cache-container=keycloak/distributed-cache=sessions:add(mode="SYNC",owners="1")
+/subsystem=infinispan/cache-container=keycloak/distributed-cache=authenticationSessions:add(mode="SYNC",owners="1")
/subsystem=infinispan/cache-container=keycloak/distributed-cache=offlineSessions:add(mode="SYNC",owners="1")
/subsystem=infinispan/cache-container=keycloak/distributed-cache=loginFailures:add(mode="SYNC",owners="1")
/subsystem=infinispan/cache-container=keycloak/local-cache=authorization:add()
@@ -15,4 +16,7 @@ embed-server --server-config=standalone-ha.xml
/subsystem=infinispan/cache-container=keycloak/local-cache=keys:add()
/subsystem=infinispan/cache-container=keycloak/local-cache=keys/eviction=EVICTION:add(max-entries=1000,strategy=LRU)
/subsystem=infinispan/cache-container=keycloak/local-cache=keys/expiration=EXPIRATION:add(max-idle=3600000)
+/subsystem=infinispan/cache-container=keycloak/local-cache=actionTokens:add()
+/subsystem=infinispan/cache-container=keycloak/local-cache=actionTokens/eviction=EVICTION:add(max-entries=-1,strategy=NONE)
+/subsystem=infinispan/cache-container=keycloak/local-cache=actionTokens/expiration=EXPIRATION:add(max-idle=-1,interval=300000)
/extension=org.keycloak.keycloak-server-subsystem/:add(module=org.keycloak.keycloak-server-subsystem)
diff --git a/examples/authz/servlet-authz/src/main/webapp/WEB-INF/keycloak.json b/examples/authz/servlet-authz/src/main/webapp/WEB-INF/keycloak.json
index f6b9c90927..7983fa39f1 100644
--- a/examples/authz/servlet-authz/src/main/webapp/WEB-INF/keycloak.json
+++ b/examples/authz/servlet-authz/src/main/webapp/WEB-INF/keycloak.json
@@ -1,13 +1,10 @@
{
"realm": "servlet-authz",
- "auth-server-url" : "http://localhost:8080/auth",
- "ssl-required" : "external",
- "resource" : "servlet-authz-app",
- "public-client" : false,
+ "auth-server-url": "http://localhost:8080/auth",
+ "ssl-required": "external",
+ "resource": "servlet-authz-app",
"credentials": {
"secret": "secret"
},
- "policy-enforcer": {
- "on-deny-redirect-to" : "/servlet-authz-app/accessDenied.jsp"
- }
+ "policy-enforcer": {}
}
\ No newline at end of file
diff --git a/examples/kerberos/README.md b/examples/kerberos/README.md
index 02bffddf99..2c1d335ace 100644
--- a/examples/kerberos/README.md
+++ b/examples/kerberos/README.md
@@ -47,7 +47,7 @@ is in your `/etc/hosts` before other records for the 127.0.0.1 host to avoid iss
**5)** Configure Kerberos client (On linux it's in file `/etc/krb5.conf` ). You need to configure `KEYCLOAK.ORG` realm for host `localhost` and enable `forwardable` flag, which is needed
for credential delegation example, as application needs to forward Kerberos ticket and authenticate with it against LDAP server.
-See [this file](https://github.com/keycloak/keycloak/blob/master/testsuite/integration/src/test/resources/kerberos/test-krb5.conf) for inspiration.
+See [this file](https://github.com/keycloak/keycloak/blob/master/testsuite/integration-arquillian/tests/base/src/test/resources/kerberos/test-krb5.conf) for inspiration.
On OS X the file to edit (or create) is `/Library/Preferences/edu.mit.Kerberos` with the same syntax as `krb5.conf`.
On Windows the file to edit (or create) is `c:\Windows\krb5.ini` with the same syntax as `krb5.conf`.
diff --git a/integration/admin-client/src/main/java/org/keycloak/admin/client/resource/ClientPoliciesResource.java b/integration/admin-client/src/main/java/org/keycloak/admin/client/resource/ClientPoliciesResource.java
index 3fd7778c49..ef09dde939 100644
--- a/integration/admin-client/src/main/java/org/keycloak/admin/client/resource/ClientPoliciesResource.java
+++ b/integration/admin-client/src/main/java/org/keycloak/admin/client/resource/ClientPoliciesResource.java
@@ -27,6 +27,7 @@ import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;
import org.jboss.resteasy.annotations.cache.NoCache;
+import org.keycloak.representations.idm.authorization.AbstractPolicyRepresentation;
import org.keycloak.representations.idm.authorization.ClientPolicyRepresentation;
/**
diff --git a/misc/Testsuite.md b/misc/Testsuite.md
index 8403806470..cb77ad7a59 100644
--- a/misc/Testsuite.md
+++ b/misc/Testsuite.md
@@ -132,6 +132,12 @@ kinit hnelson@KEYCLOAK.ORG
and provide password `secret`
Now when you access `http://localhost:8081/auth/realms/master/account` you should be logged in automatically as user `hnelson` .
+
+Simple loadbalancer
+-------------------
+
+You can run class `SimpleUndertowLoadBalancer` from IDE. By default, it executes the embedded undertow loadbalancer running on `http://localhost:8180`, which communicates with 2 backend Keycloak nodes
+running on `http://localhost:8181` and `http://localhost:8182` . See javadoc for more details.
Create many users or offline sessions
diff --git a/model/infinispan/src/main/java/org/keycloak/connections/infinispan/DefaultInfinispanConnectionProviderFactory.java b/model/infinispan/src/main/java/org/keycloak/connections/infinispan/DefaultInfinispanConnectionProviderFactory.java
index 5309fc9e70..17ae1219fb 100755
--- a/model/infinispan/src/main/java/org/keycloak/connections/infinispan/DefaultInfinispanConnectionProviderFactory.java
+++ b/model/infinispan/src/main/java/org/keycloak/connections/infinispan/DefaultInfinispanConnectionProviderFactory.java
@@ -19,6 +19,8 @@ package org.keycloak.connections.infinispan;
import java.util.concurrent.TimeUnit;
+import org.infinispan.commons.util.FileLookup;
+import org.infinispan.commons.util.FileLookupFactory;
import org.infinispan.configuration.cache.CacheMode;
import org.infinispan.configuration.cache.Configuration;
import org.infinispan.configuration.cache.ConfigurationBuilder;
@@ -27,12 +29,13 @@ import org.infinispan.eviction.EvictionStrategy;
import org.infinispan.eviction.EvictionType;
import org.infinispan.manager.DefaultCacheManager;
import org.infinispan.manager.EmbeddedCacheManager;
-import org.infinispan.persistence.remote.configuration.ExhaustedAction;
import org.infinispan.persistence.remote.configuration.RemoteStoreConfigurationBuilder;
+import org.infinispan.remoting.transport.jgroups.JGroupsTransport;
import org.infinispan.transaction.LockingMode;
import org.infinispan.transaction.TransactionMode;
import org.infinispan.transaction.lookup.DummyTransactionManagerLookup;
import org.jboss.logging.Logger;
+import org.jgroups.JChannel;
import org.keycloak.Config;
import org.keycloak.cluster.infinispan.KeycloakHotRodMarshallerFactory;
import org.keycloak.models.KeycloakSession;
@@ -118,7 +121,10 @@ public class DefaultInfinispanConnectionProviderFactory implements InfinispanCon
cacheManager.defineConfiguration(InfinispanConnectionProvider.USER_REVISIONS_CACHE_NAME, getRevisionCacheConfig(userRevisionsMaxEntries));
cacheManager.getCache(InfinispanConnectionProvider.USER_REVISIONS_CACHE_NAME, true);
+ cacheManager.getCache(InfinispanConnectionProvider.AUTHORIZATION_CACHE_NAME, true);
+ cacheManager.getCache(InfinispanConnectionProvider.AUTHENTICATION_SESSIONS_CACHE_NAME, true);
cacheManager.getCache(InfinispanConnectionProvider.KEYS_CACHE_NAME, true);
+ cacheManager.getCache(InfinispanConnectionProvider.ACTION_TOKEN_CACHE, true);
long authzRevisionsMaxEntries = cacheManager.getCache(InfinispanConnectionProvider.AUTHORIZATION_CACHE_NAME).getCacheConfiguration().eviction().maxEntries();
authzRevisionsMaxEntries = authzRevisionsMaxEntries > 0
@@ -147,7 +153,8 @@ public class DefaultInfinispanConnectionProviderFactory implements InfinispanCon
boolean allowDuplicateJMXDomains = config.getBoolean("allowDuplicateJMXDomains", true);
if (clustered) {
- gcb.transport().defaultTransport();
+ String nodeName = config.get("nodeName", System.getProperty(InfinispanConnectionProvider.JBOSS_NODE_NAME));
+ configureTransport(gcb, nodeName);
}
gcb.globalJmxStatistics().allowDuplicateDomains(allowDuplicateJMXDomains);
@@ -190,6 +197,13 @@ public class DefaultInfinispanConnectionProviderFactory implements InfinispanCon
cacheManager.defineConfiguration(InfinispanConnectionProvider.SESSION_CACHE_NAME, sessionCacheConfiguration);
cacheManager.defineConfiguration(InfinispanConnectionProvider.OFFLINE_SESSION_CACHE_NAME, sessionCacheConfiguration);
cacheManager.defineConfiguration(InfinispanConnectionProvider.LOGIN_FAILURE_CACHE_NAME, sessionCacheConfiguration);
+ cacheManager.defineConfiguration(InfinispanConnectionProvider.AUTHENTICATION_SESSIONS_CACHE_NAME, sessionCacheConfiguration);
+
+ // Retrieve caches to enforce rebalance
+ cacheManager.getCache(InfinispanConnectionProvider.SESSION_CACHE_NAME, true);
+ cacheManager.getCache(InfinispanConnectionProvider.OFFLINE_SESSION_CACHE_NAME, true);
+ cacheManager.getCache(InfinispanConnectionProvider.LOGIN_FAILURE_CACHE_NAME, true);
+ cacheManager.getCache(InfinispanConnectionProvider.AUTHENTICATION_SESSIONS_CACHE_NAME, true);
ConfigurationBuilder replicationConfigBuilder = new ConfigurationBuilder();
if (clustered) {
@@ -229,6 +243,9 @@ public class DefaultInfinispanConnectionProviderFactory implements InfinispanCon
cacheManager.defineConfiguration(InfinispanConnectionProvider.KEYS_CACHE_NAME, getKeysCacheConfig());
cacheManager.getCache(InfinispanConnectionProvider.KEYS_CACHE_NAME, true);
+ cacheManager.defineConfiguration(InfinispanConnectionProvider.ACTION_TOKEN_CACHE, getActionTokenCacheConfig());
+ cacheManager.getCache(InfinispanConnectionProvider.ACTION_TOKEN_CACHE, true);
+
long authzRevisionsMaxEntries = cacheManager.getCache(InfinispanConnectionProvider.AUTHORIZATION_CACHE_NAME).getCacheConfiguration().eviction().maxEntries();
authzRevisionsMaxEntries = authzRevisionsMaxEntries > 0
? 2 * authzRevisionsMaxEntries
@@ -286,4 +303,40 @@ public class DefaultInfinispanConnectionProviderFactory implements InfinispanCon
return cb.build();
}
+ private Configuration getActionTokenCacheConfig() {
+ ConfigurationBuilder cb = new ConfigurationBuilder();
+
+ cb.eviction()
+ .strategy(EvictionStrategy.NONE)
+ .type(EvictionType.COUNT)
+ .size(InfinispanConnectionProvider.ACTION_TOKEN_CACHE_DEFAULT_MAX);
+ cb.expiration()
+ .maxIdle(InfinispanConnectionProvider.ACTION_TOKEN_MAX_IDLE_SECONDS, TimeUnit.SECONDS)
+ .wakeUpInterval(InfinispanConnectionProvider.ACTION_TOKEN_WAKE_UP_INTERVAL_SECONDS, TimeUnit.SECONDS);
+
+ return cb.build();
+ }
+
+ protected void configureTransport(GlobalConfigurationBuilder gcb, String nodeName) {
+ if (nodeName == null) {
+ gcb.transport().defaultTransport();
+ } else {
+ FileLookup fileLookup = FileLookupFactory.newInstance();
+
+ try {
+ // Compatibility with Wildfly
+ JChannel channel = new JChannel(fileLookup.lookupFileLocation("default-configs/default-jgroups-udp.xml", this.getClass().getClassLoader()));
+ channel.setName(nodeName);
+ JGroupsTransport transport = new JGroupsTransport(channel);
+
+ gcb.transport().nodeName(nodeName);
+ gcb.transport().transport(transport);
+
+ logger.infof("Configured jgroups transport with the channel name: %s", nodeName);
+ } catch (Exception e) {
+ throw new RuntimeException(e);
+ }
+ }
+ }
+
}
diff --git a/model/infinispan/src/main/java/org/keycloak/connections/infinispan/InfinispanConnectionProvider.java b/model/infinispan/src/main/java/org/keycloak/connections/infinispan/InfinispanConnectionProvider.java
index bd57793dfb..8618a699ec 100755
--- a/model/infinispan/src/main/java/org/keycloak/connections/infinispan/InfinispanConnectionProvider.java
+++ b/model/infinispan/src/main/java/org/keycloak/connections/infinispan/InfinispanConnectionProvider.java
@@ -36,15 +36,24 @@ public interface InfinispanConnectionProvider extends Provider {
String SESSION_CACHE_NAME = "sessions";
String OFFLINE_SESSION_CACHE_NAME = "offlineSessions";
String LOGIN_FAILURE_CACHE_NAME = "loginFailures";
+ String AUTHENTICATION_SESSIONS_CACHE_NAME = "authenticationSessions";
String WORK_CACHE_NAME = "work";
String AUTHORIZATION_CACHE_NAME = "authorization";
String AUTHORIZATION_REVISIONS_CACHE_NAME = "authorizationRevisions";
int AUTHORIZATION_REVISIONS_CACHE_DEFAULT_MAX = 20000;
+ String ACTION_TOKEN_CACHE = "actionTokens";
+ int ACTION_TOKEN_CACHE_DEFAULT_MAX = -1;
+ int ACTION_TOKEN_MAX_IDLE_SECONDS = -1;
+ long ACTION_TOKEN_WAKE_UP_INTERVAL_SECONDS = 5 * 60 * 1000l;
+
String KEYS_CACHE_NAME = "keys";
int KEYS_CACHE_DEFAULT_MAX = 1000;
int KEYS_CACHE_MAX_IDLE_SECONDS = 3600;
+ // System property used on Wildfly to identify distributedCache address and sticky session route
+ String JBOSS_NODE_NAME = "jboss.node.name";
+
Cache getCache(String name);
diff --git a/model/infinispan/src/main/java/org/keycloak/models/cache/infinispan/AddInvalidatedActionTokenEvent.java b/model/infinispan/src/main/java/org/keycloak/models/cache/infinispan/AddInvalidatedActionTokenEvent.java
new file mode 100644
index 0000000000..37a1a218d5
--- /dev/null
+++ b/model/infinispan/src/main/java/org/keycloak/models/cache/infinispan/AddInvalidatedActionTokenEvent.java
@@ -0,0 +1,50 @@
+/*
+ * Copyright 2016 Red Hat, Inc. and/or its affiliates
+ * and other contributors as indicated by the @author tags.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.models.cache.infinispan;
+
+import org.keycloak.cluster.ClusterEvent;
+import org.keycloak.models.sessions.infinispan.entities.ActionTokenReducedKey;
+import org.keycloak.models.sessions.infinispan.entities.ActionTokenValueEntity;
+
+/**
+ * Event requesting adding of an invalidated action token.
+ */
+public class AddInvalidatedActionTokenEvent implements ClusterEvent {
+
+ private final ActionTokenReducedKey key;
+ private final int expirationInSecs;
+ private final ActionTokenValueEntity tokenValue;
+
+ public AddInvalidatedActionTokenEvent(ActionTokenReducedKey key, int expirationInSecs, ActionTokenValueEntity tokenValue) {
+ this.key = key;
+ this.expirationInSecs = expirationInSecs;
+ this.tokenValue = tokenValue;
+ }
+
+ public ActionTokenReducedKey getKey() {
+ return key;
+ }
+
+ public int getExpirationInSecs() {
+ return expirationInSecs;
+ }
+
+ public ActionTokenValueEntity getTokenValue() {
+ return tokenValue;
+ }
+
+}
diff --git a/model/infinispan/src/main/java/org/keycloak/models/cache/infinispan/RealmAdapter.java b/model/infinispan/src/main/java/org/keycloak/models/cache/infinispan/RealmAdapter.java
index 8350f0dc30..0bed8262a1 100755
--- a/model/infinispan/src/main/java/org/keycloak/models/cache/infinispan/RealmAdapter.java
+++ b/model/infinispan/src/main/java/org/keycloak/models/cache/infinispan/RealmAdapter.java
@@ -474,6 +474,30 @@ public class RealmAdapter implements CachedRealmModel {
updated.setAccessCodeLifespanLogin(seconds);
}
+ @Override
+ public int getActionTokenGeneratedByAdminLifespan() {
+ if (isUpdated()) return updated.getActionTokenGeneratedByAdminLifespan();
+ return cached.getActionTokenGeneratedByAdminLifespan();
+ }
+
+ @Override
+ public void setActionTokenGeneratedByAdminLifespan(int seconds) {
+ getDelegateForUpdate();
+ updated.setActionTokenGeneratedByAdminLifespan(seconds);
+ }
+
+ @Override
+ public int getActionTokenGeneratedByUserLifespan() {
+ if (isUpdated()) return updated.getActionTokenGeneratedByUserLifespan();
+ return cached.getActionTokenGeneratedByUserLifespan();
+ }
+
+ @Override
+ public void setActionTokenGeneratedByUserLifespan(int seconds) {
+ getDelegateForUpdate();
+ updated.setActionTokenGeneratedByUserLifespan(seconds);
+ }
+
@Override
public List getRequiredCredentials() {
if (isUpdated()) return updated.getRequiredCredentials();
diff --git a/model/infinispan/src/main/java/org/keycloak/models/cache/infinispan/RemoveActionTokensSpecificEvent.java b/model/infinispan/src/main/java/org/keycloak/models/cache/infinispan/RemoveActionTokensSpecificEvent.java
new file mode 100644
index 0000000000..0a4d858b52
--- /dev/null
+++ b/model/infinispan/src/main/java/org/keycloak/models/cache/infinispan/RemoveActionTokensSpecificEvent.java
@@ -0,0 +1,42 @@
+/*
+ * Copyright 2016 Red Hat, Inc. and/or its affiliates
+ * and other contributors as indicated by the @author tags.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.models.cache.infinispan;
+
+import org.keycloak.cluster.ClusterEvent;
+
+/**
+ * Event requesting removal of the action tokens with the given user and action regardless of nonce.
+ */
+public class RemoveActionTokensSpecificEvent implements ClusterEvent {
+
+ private final String userId;
+ private final String actionId;
+
+ public RemoveActionTokensSpecificEvent(String userId, String actionId) {
+ this.userId = userId;
+ this.actionId = actionId;
+ }
+
+ public String getUserId() {
+ return userId;
+ }
+
+ public String getActionId() {
+ return actionId;
+ }
+
+}
diff --git a/model/infinispan/src/main/java/org/keycloak/models/cache/infinispan/entities/CachedRealm.java b/model/infinispan/src/main/java/org/keycloak/models/cache/infinispan/entities/CachedRealm.java
index fef0486af1..3668d9740e 100755
--- a/model/infinispan/src/main/java/org/keycloak/models/cache/infinispan/entities/CachedRealm.java
+++ b/model/infinispan/src/main/java/org/keycloak/models/cache/infinispan/entities/CachedRealm.java
@@ -83,6 +83,8 @@ public class CachedRealm extends AbstractExtendableRevisioned {
protected int accessCodeLifespan;
protected int accessCodeLifespanUserAction;
protected int accessCodeLifespanLogin;
+ protected int actionTokenGeneratedByAdminLifespan;
+ protected int actionTokenGeneratedByUserLifespan;
protected int notBefore;
protected PasswordPolicy passwordPolicy;
protected OTPPolicy otpPolicy;
@@ -175,6 +177,8 @@ public class CachedRealm extends AbstractExtendableRevisioned {
accessCodeLifespan = model.getAccessCodeLifespan();
accessCodeLifespanUserAction = model.getAccessCodeLifespanUserAction();
accessCodeLifespanLogin = model.getAccessCodeLifespanLogin();
+ actionTokenGeneratedByAdminLifespan = model.getActionTokenGeneratedByAdminLifespan();
+ actionTokenGeneratedByUserLifespan = model.getActionTokenGeneratedByUserLifespan();
notBefore = model.getNotBefore();
passwordPolicy = model.getPasswordPolicy();
otpPolicy = model.getOTPPolicy();
@@ -399,6 +403,14 @@ public class CachedRealm extends AbstractExtendableRevisioned {
return accessCodeLifespanLogin;
}
+ public int getActionTokenGeneratedByAdminLifespan() {
+ return actionTokenGeneratedByAdminLifespan;
+ }
+
+ public int getActionTokenGeneratedByUserLifespan() {
+ return actionTokenGeneratedByUserLifespan;
+ }
+
public List getRequiredCredentials() {
return requiredCredentials;
}
diff --git a/model/infinispan/src/main/java/org/keycloak/models/cache/infinispan/events/AuthenticationSessionAuthNoteUpdateEvent.java b/model/infinispan/src/main/java/org/keycloak/models/cache/infinispan/events/AuthenticationSessionAuthNoteUpdateEvent.java
new file mode 100644
index 0000000000..d7bdcdfcce
--- /dev/null
+++ b/model/infinispan/src/main/java/org/keycloak/models/cache/infinispan/events/AuthenticationSessionAuthNoteUpdateEvent.java
@@ -0,0 +1,53 @@
+/*
+ * Copyright 2017 Red Hat, Inc. and/or its affiliates
+ * and other contributors as indicated by the @author tags.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.models.cache.infinispan.events;
+
+import org.keycloak.cluster.ClusterEvent;
+import java.util.LinkedHashMap;
+import java.util.Map;
+
+/**
+ *
+ * @author hmlnarik
+ */
+public class AuthenticationSessionAuthNoteUpdateEvent implements ClusterEvent {
+
+ private String authSessionId;
+
+ private Map authNotesFragment;
+
+ public static AuthenticationSessionAuthNoteUpdateEvent create(String authSessionId, Map authNotesFragment) {
+ AuthenticationSessionAuthNoteUpdateEvent event = new AuthenticationSessionAuthNoteUpdateEvent();
+ event.authSessionId = authSessionId;
+ event.authNotesFragment = new LinkedHashMap<>(authNotesFragment);
+ return event;
+ }
+
+ public String getAuthSessionId() {
+ return authSessionId;
+ }
+
+ public Map getAuthNotesFragment() {
+ return authNotesFragment;
+ }
+
+ @Override
+ public String toString() {
+ return String.format("AuthenticationSessionAuthNoteUpdateEvent [ authSessionId=%s, authNotesFragment=%s ]", authSessionId, authNotesFragment);
+ }
+
+}
diff --git a/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/AuthenticatedClientSessionAdapter.java b/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/AuthenticatedClientSessionAdapter.java
new file mode 100644
index 0000000000..13352dfcab
--- /dev/null
+++ b/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/AuthenticatedClientSessionAdapter.java
@@ -0,0 +1,197 @@
+/*
+ * Copyright 2016 Red Hat, Inc. and/or its affiliates
+ * and other contributors as indicated by the @author tags.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.keycloak.models.sessions.infinispan;
+
+import java.util.Collections;
+import java.util.HashMap;
+import java.util.Map;
+import java.util.Set;
+
+import org.infinispan.Cache;
+import org.keycloak.models.AuthenticatedClientSessionModel;
+import org.keycloak.models.ClientModel;
+import org.keycloak.models.RealmModel;
+import org.keycloak.models.UserSessionModel;
+import org.keycloak.models.sessions.infinispan.entities.AuthenticatedClientSessionEntity;
+import org.keycloak.models.sessions.infinispan.entities.SessionEntity;
+import org.keycloak.models.sessions.infinispan.entities.UserSessionEntity;
+
+/**
+ * @author Marek Posolda
+ */
+public class AuthenticatedClientSessionAdapter implements AuthenticatedClientSessionModel {
+
+ private final AuthenticatedClientSessionEntity entity;
+ private final ClientModel client;
+ private final InfinispanUserSessionProvider provider;
+ private final Cache cache;
+ private UserSessionAdapter userSession;
+
+ public AuthenticatedClientSessionAdapter(AuthenticatedClientSessionEntity entity, ClientModel client, UserSessionAdapter userSession, InfinispanUserSessionProvider provider, Cache cache) {
+ this.provider = provider;
+ this.entity = entity;
+ this.client = client;
+ this.cache = cache;
+ this.userSession = userSession;
+ }
+
+ private void update() {
+ provider.getTx().replace(cache, userSession.getEntity().getId(), userSession.getEntity());
+ }
+
+
+ @Override
+ public void setUserSession(UserSessionModel userSession) {
+ String clientUUID = client.getId();
+ UserSessionEntity sessionEntity = this.userSession.getEntity();
+
+ // Dettach userSession
+ if (userSession == null) {
+ if (sessionEntity.getAuthenticatedClientSessions() != null) {
+ sessionEntity.getAuthenticatedClientSessions().remove(clientUUID);
+ update();
+ this.userSession = null;
+ }
+ } else {
+ this.userSession = (UserSessionAdapter) userSession;
+
+ if (sessionEntity.getAuthenticatedClientSessions() == null) {
+ sessionEntity.setAuthenticatedClientSessions(new HashMap<>());
+ }
+ sessionEntity.getAuthenticatedClientSessions().put(clientUUID, entity);
+ update();
+ }
+ }
+
+ @Override
+ public UserSessionModel getUserSession() {
+ return this.userSession;
+ }
+
+ @Override
+ public String getRedirectUri() {
+ return entity.getRedirectUri();
+ }
+
+ @Override
+ public void setRedirectUri(String uri) {
+ entity.setRedirectUri(uri);
+ update();
+ }
+
+ @Override
+ public String getId() {
+ return null;
+ }
+
+ @Override
+ public RealmModel getRealm() {
+ return userSession.getRealm();
+ }
+
+ @Override
+ public ClientModel getClient() {
+ return client;
+ }
+
+ @Override
+ public int getTimestamp() {
+ return entity.getTimestamp();
+ }
+
+ @Override
+ public void setTimestamp(int timestamp) {
+ entity.setTimestamp(timestamp);
+ update();
+ }
+
+ @Override
+ public String getAction() {
+ return entity.getAction();
+ }
+
+ @Override
+ public void setAction(String action) {
+ entity.setAction(action);
+ update();
+ }
+
+ @Override
+ public String getProtocol() {
+ return entity.getAuthMethod();
+ }
+
+ @Override
+ public void setProtocol(String method) {
+ entity.setAuthMethod(method);
+ update();
+ }
+
+ @Override
+ public Set getRoles() {
+ return entity.getRoles();
+ }
+
+ @Override
+ public void setRoles(Set roles) {
+ entity.setRoles(roles);
+ update();
+ }
+
+ @Override
+ public Set getProtocolMappers() {
+ return entity.getProtocolMappers();
+ }
+
+ @Override
+ public void setProtocolMappers(Set protocolMappers) {
+ entity.setProtocolMappers(protocolMappers);
+ update();
+ }
+
+ @Override
+ public String getNote(String name) {
+ return entity.getNotes()==null ? null : entity.getNotes().get(name);
+ }
+
+ @Override
+ public void setNote(String name, String value) {
+ if (entity.getNotes() == null) {
+ entity.setNotes(new HashMap<>());
+ }
+ entity.getNotes().put(name, value);
+ update();
+ }
+
+ @Override
+ public void removeNote(String name) {
+ if (entity.getNotes() != null) {
+ entity.getNotes().remove(name);
+ update();
+ }
+ }
+
+ @Override
+ public Map getNotes() {
+ if (entity.getNotes() == null || entity.getNotes().isEmpty()) return Collections.emptyMap();
+ Map copy = new HashMap<>();
+ copy.putAll(entity.getNotes());
+ return copy;
+ }
+
+}
diff --git a/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/ClientSessionAdapter.java b/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/AuthenticationSessionAdapter.java
old mode 100755
new mode 100644
similarity index 53%
rename from model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/ClientSessionAdapter.java
rename to model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/AuthenticationSessionAdapter.java
index c67a576250..05a762b54f
--- a/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/ClientSessionAdapter.java
+++ b/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/AuthenticationSessionAdapter.java
@@ -17,44 +17,48 @@
package org.keycloak.models.sessions.infinispan;
-import org.infinispan.Cache;
-import org.keycloak.models.ClientModel;
-import org.keycloak.models.ClientSessionModel;
-import org.keycloak.models.KeycloakSession;
-import org.keycloak.models.RealmModel;
-import org.keycloak.models.UserModel;
-import org.keycloak.models.UserSessionModel;
-import org.keycloak.models.sessions.infinispan.entities.ClientSessionEntity;
-import org.keycloak.models.sessions.infinispan.entities.SessionEntity;
-
import java.util.Collections;
-import java.util.HashMap;
+import java.util.concurrent.ConcurrentHashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
+import org.infinispan.Cache;
+import org.keycloak.common.util.Time;
+import org.keycloak.models.ClientModel;
+import org.keycloak.models.KeycloakSession;
+import org.keycloak.models.RealmModel;
+import org.keycloak.models.UserModel;
+import org.keycloak.models.sessions.infinispan.entities.AuthenticationSessionEntity;
+import org.keycloak.sessions.AuthenticationSessionModel;
+
/**
- * @author Stian Thorgersen
+ * NOTE: Calling setter doesn't automatically enlist for update
+ *
+ * @author Marek Posolda
*/
-public class ClientSessionAdapter implements ClientSessionModel {
+public class AuthenticationSessionAdapter implements AuthenticationSessionModel {
private KeycloakSession session;
- private InfinispanUserSessionProvider provider;
- private Cache cache;
+ private InfinispanAuthenticationSessionProvider provider;
+ private Cache cache;
private RealmModel realm;
- private ClientSessionEntity entity;
- private boolean offline;
+ private AuthenticationSessionEntity entity;
- public ClientSessionAdapter(KeycloakSession session, InfinispanUserSessionProvider provider, Cache cache, RealmModel realm,
- ClientSessionEntity entity, boolean offline) {
+ public AuthenticationSessionAdapter(KeycloakSession session, InfinispanAuthenticationSessionProvider provider, Cache cache, RealmModel realm,
+ AuthenticationSessionEntity entity) {
this.session = session;
this.provider = provider;
this.cache = cache;
this.realm = realm;
this.entity = entity;
- this.offline = offline;
}
+ void update() {
+ provider.tx.replace(cache, entity.getId(), entity);
+ }
+
+
@Override
public String getId() {
return entity.getId();
@@ -67,36 +71,7 @@ public class ClientSessionAdapter implements ClientSessionModel {
@Override
public ClientModel getClient() {
- return realm.getClientById(entity.getClient());
- }
-
- @Override
- public UserSessionAdapter getUserSession() {
- return entity.getUserSession() != null ? provider.getUserSession(realm, entity.getUserSession(), offline) : null;
- }
-
- @Override
- public void setUserSession(UserSessionModel userSession) {
- if (userSession == null) {
- if (entity.getUserSession() != null) {
- provider.dettachSession(getUserSession(), this);
- }
- entity.setUserSession(null);
- } else {
- UserSessionAdapter userSessionAdapter = (UserSessionAdapter) userSession;
- if (entity.getUserSession() != null) {
- if (entity.getUserSession().equals(userSession.getId())) {
- return;
- } else {
- provider.dettachSession(userSessionAdapter, this);
- }
- } else {
- provider.attachSession(userSessionAdapter, this);
- }
-
- entity.setUserSession(userSession.getId());
- }
- update();
+ return realm.getClientById(entity.getClientUuid());
}
@Override
@@ -157,52 +132,104 @@ public class ClientSessionAdapter implements ClientSessionModel {
}
@Override
- public String getAuthMethod() {
- return entity.getAuthMethod();
+ public String getProtocol() {
+ return entity.getProtocol();
}
@Override
- public void setAuthMethod(String authMethod) {
- entity.setAuthMethod(authMethod);
+ public void setProtocol(String protocol) {
+ entity.setProtocol(protocol);
update();
}
@Override
- public String getNote(String name) {
- return entity.getNotes() != null ? entity.getNotes().get(name) : null;
+ public String getClientNote(String name) {
+ return (entity.getClientNotes() != null && name != null) ? entity.getClientNotes().get(name) : null;
}
@Override
- public void setNote(String name, String value) {
- if (entity.getNotes() == null) {
- entity.setNotes(new HashMap());
+ public void setClientNote(String name, String value) {
+ if (entity.getClientNotes() == null) {
+ entity.setClientNotes(new ConcurrentHashMap<>());
+ }
+ if (name != null) {
+ if (value == null) {
+ entity.getClientNotes().remove(name);
+ } else {
+ entity.getClientNotes().put(name, value);
+ }
}
- entity.getNotes().put(name, value);
update();
}
@Override
- public void removeNote(String name) {
- if (entity.getNotes() != null) {
- entity.getNotes().remove(name);
- update();
+ public void removeClientNote(String name) {
+ if (entity.getClientNotes() != null && name != null) {
+ entity.getClientNotes().remove(name);
}
+ update();
}
@Override
- public Map getNotes() {
- if (entity.getNotes() == null || entity.getNotes().isEmpty()) return Collections.emptyMap();
- Map copy = new HashMap<>();
- copy.putAll(entity.getNotes());
+ public Map getClientNotes() {
+ if (entity.getClientNotes() == null || entity.getClientNotes().isEmpty()) return Collections.emptyMap();
+ Map copy = new ConcurrentHashMap<>();
+ copy.putAll(entity.getClientNotes());
return copy;
}
+ @Override
+ public void clearClientNotes() {
+ entity.setClientNotes(new ConcurrentHashMap<>());
+ update();
+ }
+
+ @Override
+ public String getAuthNote(String name) {
+ return (entity.getAuthNotes() != null && name != null) ? entity.getAuthNotes().get(name) : null;
+ }
+
+ @Override
+ public void setAuthNote(String name, String value) {
+ if (entity.getAuthNotes() == null) {
+ entity.setAuthNotes(new ConcurrentHashMap<>());
+ }
+ if (name != null) {
+ if (value == null) {
+ entity.getAuthNotes().remove(name);
+ } else {
+ entity.getAuthNotes().put(name, value);
+ }
+ }
+ update();
+ }
+
+ @Override
+ public void removeAuthNote(String name) {
+ if (entity.getAuthNotes() != null && name != null) {
+ entity.getAuthNotes().remove(name);
+ }
+ update();
+ }
+
+ @Override
+ public void clearAuthNotes() {
+ entity.setAuthNotes(new ConcurrentHashMap<>());
+ update();
+ }
+
@Override
public void setUserSessionNote(String name, String value) {
if (entity.getUserSessionNotes() == null) {
- entity.setUserSessionNotes(new HashMap());
+ entity.setUserSessionNotes(new ConcurrentHashMap<>());
+ }
+ if (name != null) {
+ if (value == null) {
+ entity.getUserSessionNotes().remove(name);
+ } else {
+ entity.getUserSessionNotes().put(name, value);
+ }
}
- entity.getUserSessionNotes().put(name, value);
update();
}
@@ -212,14 +239,14 @@ public class ClientSessionAdapter implements ClientSessionModel {
if (entity.getUserSessionNotes() == null) {
return Collections.EMPTY_MAP;
}
- HashMap copy = new HashMap<>();
+ ConcurrentHashMap copy = new ConcurrentHashMap<>();
copy.putAll(entity.getUserSessionNotes());
return copy;
}
@Override
public void clearUserSessionNotes() {
- entity.setUserSessionNotes(new HashMap());
+ entity.setUserSessionNotes(new ConcurrentHashMap<>());
update();
}
@@ -248,7 +275,6 @@ public class ClientSessionAdapter implements ClientSessionModel {
@Override
public void addRequiredAction(UserModel.RequiredAction action) {
addRequiredAction(action.name());
-
}
@Override
@@ -256,24 +282,22 @@ public class ClientSessionAdapter implements ClientSessionModel {
removeRequiredAction(action.name());
}
- void update() {
- provider.getTx().replace(cache, entity.getId(), entity);
- }
@Override
- public Map getExecutionStatus() {
- return entity.getAuthenticatorStatus();
+ public Map getExecutionStatus() {
+
+ return entity.getExecutionStatus();
}
@Override
- public void setExecutionStatus(String authenticator, ExecutionStatus status) {
- entity.getAuthenticatorStatus().put(authenticator, status);
+ public void setExecutionStatus(String authenticator, AuthenticationSessionModel.ExecutionStatus status) {
+ entity.getExecutionStatus().put(authenticator, status);
update();
}
@Override
public void clearExecutionStatus() {
- entity.getAuthenticatorStatus().clear();
+ entity.getExecutionStatus().clear();
update();
}
@@ -286,7 +310,22 @@ public class ClientSessionAdapter implements ClientSessionModel {
if (user == null) entity.setAuthUserId(null);
else entity.setAuthUserId(user.getId());
update();
-
}
+ @Override
+ public void updateClient(ClientModel client) {
+ entity.setClientUuid(client.getId());
+ update();
+ }
+
+ @Override
+ public void restartSession(RealmModel realm, ClientModel client) {
+ String id = entity.getId();
+ entity = new AuthenticationSessionEntity();
+ entity.setId(id);
+ entity.setRealm(realm.getId());
+ entity.setClientUuid(client.getId());
+ entity.setTimestamp(Time.currentTime());
+ update();
+ }
}
diff --git a/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/Consumers.java b/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/Consumers.java
index e55cf3181c..19cb7c7560 100644
--- a/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/Consumers.java
+++ b/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/Consumers.java
@@ -19,11 +19,9 @@ package org.keycloak.models.sessions.infinispan;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserSessionModel;
-import org.keycloak.models.sessions.infinispan.entities.ClientSessionEntity;
import org.keycloak.models.sessions.infinispan.entities.SessionEntity;
import org.keycloak.models.sessions.infinispan.entities.UserSessionEntity;
-import java.util.HashMap;
import java.util.LinkedList;
import java.util.List;
import java.util.Map;
@@ -41,21 +39,6 @@ public class Consumers {
return new UserSessionModelsConsumer(provider, realm, offline);
}
- public static class UserSessionIdAndTimestampConsumer implements Consumer> {
-
- private Map sessions = new HashMap<>();
-
- @Override
- public void accept(Map.Entry entry) {
- SessionEntity e = entry.getValue();
- if (e instanceof ClientSessionEntity) {
- ClientSessionEntity ce = (ClientSessionEntity) e;
- sessions.put(ce.getUserSession(), ce.getTimestamp());
- }
- }
-
- }
-
public static class UserSessionModelsConsumer implements Consumer> {
private InfinispanUserSessionProvider provider;
diff --git a/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/InfinispanActionTokenStoreProvider.java b/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/InfinispanActionTokenStoreProvider.java
new file mode 100644
index 0000000000..127879a4d1
--- /dev/null
+++ b/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/InfinispanActionTokenStoreProvider.java
@@ -0,0 +1,98 @@
+/*
+ * Copyright 2017 Red Hat, Inc. and/or its affiliates
+ * and other contributors as indicated by the @author tags.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.models.sessions.infinispan;
+
+import org.keycloak.cluster.ClusterProvider;
+import org.keycloak.models.*;
+
+import org.keycloak.models.cache.infinispan.AddInvalidatedActionTokenEvent;
+import org.keycloak.models.cache.infinispan.RemoveActionTokensSpecificEvent;
+import org.keycloak.models.sessions.infinispan.entities.ActionTokenValueEntity;
+import org.keycloak.models.sessions.infinispan.entities.ActionTokenReducedKey;
+import java.util.*;
+import org.infinispan.Cache;
+
+/**
+ *
+ * @author hmlnarik
+ */
+public class InfinispanActionTokenStoreProvider implements ActionTokenStoreProvider {
+
+ private final Cache actionKeyCache;
+ private final InfinispanKeycloakTransaction tx;
+ private final KeycloakSession session;
+
+ public InfinispanActionTokenStoreProvider(KeycloakSession session, Cache actionKeyCache) {
+ this.session = session;
+ this.actionKeyCache = actionKeyCache;
+ this.tx = new InfinispanKeycloakTransaction();
+
+ session.getTransactionManager().enlistAfterCompletion(tx);
+ }
+
+ @Override
+ public void close() {
+ }
+
+ @Override
+ public void put(ActionTokenKeyModel key, Map notes) {
+ if (key == null || key.getUserId() == null || key.getActionId() == null) {
+ return;
+ }
+
+ ActionTokenReducedKey tokenKey = new ActionTokenReducedKey(key.getUserId(), key.getActionId(), key.getActionVerificationNonce());
+ ActionTokenValueEntity tokenValue = new ActionTokenValueEntity(notes);
+
+ ClusterProvider cluster = session.getProvider(ClusterProvider.class);
+ this.tx.notify(cluster, InfinispanActionTokenStoreProviderFactory.ACTION_TOKEN_EVENTS, new AddInvalidatedActionTokenEvent(tokenKey, key.getExpiration(), tokenValue), false);
+ }
+
+ @Override
+ public ActionTokenValueModel get(ActionTokenKeyModel actionTokenKey) {
+ if (actionTokenKey == null || actionTokenKey.getUserId() == null || actionTokenKey.getActionId() == null) {
+ return null;
+ }
+
+ ActionTokenReducedKey key = new ActionTokenReducedKey(actionTokenKey.getUserId(), actionTokenKey.getActionId(), actionTokenKey.getActionVerificationNonce());
+ return this.actionKeyCache.getAdvancedCache().get(key);
+ }
+
+ @Override
+ public ActionTokenValueModel remove(ActionTokenKeyModel actionTokenKey) {
+ if (actionTokenKey == null || actionTokenKey.getUserId() == null || actionTokenKey.getActionId() == null) {
+ return null;
+ }
+
+ ActionTokenReducedKey key = new ActionTokenReducedKey(actionTokenKey.getUserId(), actionTokenKey.getActionId(), actionTokenKey.getActionVerificationNonce());
+ ActionTokenValueEntity value = this.actionKeyCache.get(key);
+
+ if (value != null) {
+ this.tx.remove(actionKeyCache, key);
+ }
+
+ return value;
+ }
+
+ public void removeAll(String userId, String actionId) {
+ if (userId == null || actionId == null) {
+ return;
+ }
+
+ ClusterProvider cluster = session.getProvider(ClusterProvider.class);
+ this.tx.notify(cluster, InfinispanActionTokenStoreProviderFactory.ACTION_TOKEN_EVENTS, new RemoveActionTokensSpecificEvent(userId, actionId), false);
+ }
+}
diff --git a/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/InfinispanActionTokenStoreProviderFactory.java b/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/InfinispanActionTokenStoreProviderFactory.java
new file mode 100644
index 0000000000..a8c5e3899e
--- /dev/null
+++ b/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/InfinispanActionTokenStoreProviderFactory.java
@@ -0,0 +1,100 @@
+/*
+ * Copyright 2017 Red Hat, Inc. and/or its affiliates
+ * and other contributors as indicated by the @author tags.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.models.sessions.infinispan;
+
+import org.keycloak.Config;
+import org.keycloak.Config.Scope;
+import org.keycloak.cluster.ClusterProvider;
+import org.keycloak.common.util.Time;
+import org.keycloak.connections.infinispan.InfinispanConnectionProvider;
+import org.keycloak.models.*;
+
+import org.keycloak.models.cache.infinispan.AddInvalidatedActionTokenEvent;
+import org.keycloak.models.cache.infinispan.RemoveActionTokensSpecificEvent;
+import org.keycloak.models.sessions.infinispan.entities.ActionTokenValueEntity;
+import org.keycloak.models.sessions.infinispan.entities.ActionTokenReducedKey;
+import java.util.Objects;
+import java.util.concurrent.TimeUnit;
+import org.infinispan.Cache;
+import org.infinispan.context.Flag;
+
+/**
+ *
+ * @author hmlnarik
+ */
+public class InfinispanActionTokenStoreProviderFactory implements ActionTokenStoreProviderFactory {
+
+ public static final String ACTION_TOKEN_EVENTS = "ACTION_TOKEN_EVENTS";
+
+ /**
+ * If expiration is set to this value, no expiration is set on the corresponding cache entry (hence cache default is honored)
+ */
+ private static final int DEFAULT_CACHE_EXPIRATION = 0;
+
+ private Config.Scope config;
+
+ @Override
+ public ActionTokenStoreProvider create(KeycloakSession session) {
+ InfinispanConnectionProvider connections = session.getProvider(InfinispanConnectionProvider.class);
+ Cache actionTokenCache = connections.getCache(InfinispanConnectionProvider.ACTION_TOKEN_CACHE);
+
+ ClusterProvider cluster = session.getProvider(ClusterProvider.class);
+
+ cluster.registerListener(ACTION_TOKEN_EVENTS, event -> {
+ if (event instanceof RemoveActionTokensSpecificEvent) {
+ RemoveActionTokensSpecificEvent e = (RemoveActionTokensSpecificEvent) event;
+
+ actionTokenCache
+ .getAdvancedCache()
+ .withFlags(Flag.CACHE_MODE_LOCAL, Flag.SKIP_CACHE_LOAD)
+ .keySet()
+ .stream()
+ .filter(k -> Objects.equals(k.getUserId(), e.getUserId()) && Objects.equals(k.getActionId(), e.getActionId()))
+ .forEach(actionTokenCache::remove);
+ } else if (event instanceof AddInvalidatedActionTokenEvent) {
+ AddInvalidatedActionTokenEvent e = (AddInvalidatedActionTokenEvent) event;
+
+ if (e.getExpirationInSecs() == DEFAULT_CACHE_EXPIRATION) {
+ actionTokenCache.put(e.getKey(), e.getTokenValue());
+ } else {
+ actionTokenCache.put(e.getKey(), e.getTokenValue(), e.getExpirationInSecs() - Time.currentTime(), TimeUnit.SECONDS);
+ }
+ }
+ });
+
+ return new InfinispanActionTokenStoreProvider(session, actionTokenCache);
+ }
+
+ @Override
+ public void init(Scope config) {
+ this.config = config;
+ }
+
+ @Override
+ public void postInit(KeycloakSessionFactory factory) {
+ }
+
+ @Override
+ public void close() {
+ }
+
+ @Override
+ public String getId() {
+ return "infinispan";
+ }
+
+}
diff --git a/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/InfinispanAuthenticationSessionProvider.java b/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/InfinispanAuthenticationSessionProvider.java
new file mode 100644
index 0000000000..5991f98944
--- /dev/null
+++ b/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/InfinispanAuthenticationSessionProvider.java
@@ -0,0 +1,162 @@
+/*
+ * Copyright 2016 Red Hat, Inc. and/or its affiliates
+ * and other contributors as indicated by the @author tags.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.keycloak.models.sessions.infinispan;
+
+import org.keycloak.cluster.ClusterProvider;
+import java.util.Iterator;
+import java.util.Map;
+
+import org.infinispan.Cache;
+import org.infinispan.context.Flag;
+import org.jboss.logging.Logger;
+import org.keycloak.common.util.Time;
+import org.keycloak.models.ClientModel;
+import org.keycloak.models.KeycloakSession;
+import org.keycloak.models.RealmModel;
+import org.keycloak.models.cache.infinispan.events.AuthenticationSessionAuthNoteUpdateEvent;
+import org.keycloak.models.sessions.infinispan.entities.AuthenticationSessionEntity;
+import org.keycloak.models.sessions.infinispan.stream.AuthenticationSessionPredicate;
+import org.keycloak.models.utils.KeycloakModelUtils;
+import org.keycloak.models.utils.RealmInfoUtil;
+import org.keycloak.sessions.AuthenticationSessionModel;
+import org.keycloak.sessions.AuthenticationSessionProvider;
+
+/**
+ * @author Marek Posolda
+ */
+public class InfinispanAuthenticationSessionProvider implements AuthenticationSessionProvider {
+
+ private static final Logger log = Logger.getLogger(InfinispanAuthenticationSessionProvider.class);
+
+ private final KeycloakSession session;
+ private final Cache cache;
+ protected final InfinispanKeycloakTransaction tx;
+
+ public InfinispanAuthenticationSessionProvider(KeycloakSession session, Cache cache) {
+ this.session = session;
+ this.cache = cache;
+
+ this.tx = new InfinispanKeycloakTransaction();
+ session.getTransactionManager().enlistAfterCompletion(tx);
+ }
+
+ @Override
+ public AuthenticationSessionModel createAuthenticationSession(RealmModel realm, ClientModel client) {
+ String id = KeycloakModelUtils.generateId();
+ return createAuthenticationSession(id, realm, client);
+ }
+
+ @Override
+ public AuthenticationSessionModel createAuthenticationSession(String id, RealmModel realm, ClientModel client) {
+ AuthenticationSessionEntity entity = new AuthenticationSessionEntity();
+ entity.setId(id);
+ entity.setRealm(realm.getId());
+ entity.setTimestamp(Time.currentTime());
+ entity.setClientUuid(client.getId());
+
+ tx.put(cache, id, entity);
+
+ AuthenticationSessionAdapter wrap = wrap(realm, entity);
+ return wrap;
+ }
+
+ private AuthenticationSessionAdapter wrap(RealmModel realm, AuthenticationSessionEntity entity) {
+ return entity==null ? null : new AuthenticationSessionAdapter(session, this, cache, realm, entity);
+ }
+
+ @Override
+ public AuthenticationSessionModel getAuthenticationSession(RealmModel realm, String authenticationSessionId) {
+ AuthenticationSessionEntity entity = getAuthenticationSessionEntity(realm, authenticationSessionId);
+ return wrap(realm, entity);
+ }
+
+ private AuthenticationSessionEntity getAuthenticationSessionEntity(RealmModel realm, String authSessionId) {
+ // Chance created in this transaction
+ AuthenticationSessionEntity entity = tx.get(cache, authSessionId);
+
+ if (entity == null) {
+ entity = cache.get(authSessionId);
+ }
+
+ return entity;
+ }
+
+ @Override
+ public void removeAuthenticationSession(RealmModel realm, AuthenticationSessionModel authenticationSession) {
+ tx.remove(cache, authenticationSession.getId());
+ }
+
+ @Override
+ public void removeExpired(RealmModel realm) {
+ log.debugf("Removing expired sessions");
+
+ int expired = Time.currentTime() - RealmInfoUtil.getDettachedClientSessionLifespan(realm);
+
+
+ // Each cluster node cleanups just local sessions, which are those owned by himself (+ few more taking l1 cache into account)
+ Iterator> itr = cache.getAdvancedCache().withFlags(Flag.CACHE_MODE_LOCAL)
+ .entrySet().stream().filter(AuthenticationSessionPredicate.create(realm.getId()).expired(expired)).iterator();
+
+ int counter = 0;
+ while (itr.hasNext()) {
+ counter++;
+ AuthenticationSessionEntity entity = itr.next().getValue();
+ tx.remove(cache, entity.getId());
+ }
+
+ log.debugf("Removed %d expired user sessions for realm '%s'", counter, realm.getName());
+ }
+
+ // TODO: Should likely listen to "RealmRemovedEvent" received from cluster and clean just local sessions
+ @Override
+ public void onRealmRemoved(RealmModel realm) {
+ Iterator> itr = cache.entrySet().stream().filter(AuthenticationSessionPredicate.create(realm.getId())).iterator();
+ while (itr.hasNext()) {
+ cache.remove(itr.next().getKey());
+ }
+ }
+
+ // TODO: Should likely listen to "ClientRemovedEvent" received from cluster and clean just local sessions
+ @Override
+ public void onClientRemoved(RealmModel realm, ClientModel client) {
+ Iterator> itr = cache.entrySet().stream().filter(AuthenticationSessionPredicate.create(realm.getId()).client(client.getId())).iterator();
+ while (itr.hasNext()) {
+ cache.remove(itr.next().getKey());
+ }
+ }
+
+ @Override
+ public void updateNonlocalSessionAuthNotes(String authSessionId, Map authNotesFragment) {
+ if (authSessionId == null) {
+ return;
+ }
+
+ ClusterProvider cluster = session.getProvider(ClusterProvider.class);
+ cluster.notify(
+ InfinispanAuthenticationSessionProviderFactory.AUTHENTICATION_SESSION_EVENTS,
+ AuthenticationSessionAuthNoteUpdateEvent.create(authSessionId, authNotesFragment),
+ true
+ );
+ }
+
+ @Override
+ public void close() {
+
+ }
+
+}
diff --git a/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/InfinispanAuthenticationSessionProviderFactory.java b/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/InfinispanAuthenticationSessionProviderFactory.java
new file mode 100644
index 0000000000..83e970ddaa
--- /dev/null
+++ b/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/InfinispanAuthenticationSessionProviderFactory.java
@@ -0,0 +1,113 @@
+/*
+ * Copyright 2016 Red Hat, Inc. and/or its affiliates
+ * and other contributors as indicated by the @author tags.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.keycloak.models.sessions.infinispan;
+
+import org.infinispan.Cache;
+import org.keycloak.Config;
+import org.keycloak.cluster.ClusterEvent;
+import org.keycloak.cluster.ClusterProvider;
+import org.keycloak.connections.infinispan.InfinispanConnectionProvider;
+import org.keycloak.models.KeycloakSession;
+import org.keycloak.models.KeycloakSessionFactory;
+import org.keycloak.models.cache.infinispan.events.AuthenticationSessionAuthNoteUpdateEvent;
+import org.keycloak.models.sessions.infinispan.entities.AuthenticationSessionEntity;
+import org.keycloak.sessions.AuthenticationSessionProvider;
+import org.keycloak.sessions.AuthenticationSessionProviderFactory;
+import java.util.Map;
+import java.util.Map.Entry;
+import java.util.concurrent.ConcurrentHashMap;
+import org.jboss.logging.Logger;
+
+/**
+ * @author Marek Posolda
+ */
+public class InfinispanAuthenticationSessionProviderFactory implements AuthenticationSessionProviderFactory {
+
+ private static final Logger log = Logger.getLogger(InfinispanAuthenticationSessionProviderFactory.class);
+
+ private volatile Cache authSessionsCache;
+
+ public static final String AUTHENTICATION_SESSION_EVENTS = "AUTHENTICATION_SESSION_EVENTS";
+
+ @Override
+ public void init(Config.Scope config) {
+
+ }
+
+ @Override
+ public AuthenticationSessionProvider create(KeycloakSession session) {
+ lazyInit(session);
+ return new InfinispanAuthenticationSessionProvider(session, authSessionsCache);
+ }
+
+ private void updateAuthNotes(ClusterEvent clEvent) {
+ if (! (clEvent instanceof AuthenticationSessionAuthNoteUpdateEvent)) {
+ return;
+ }
+
+ AuthenticationSessionAuthNoteUpdateEvent event = (AuthenticationSessionAuthNoteUpdateEvent) clEvent;
+ AuthenticationSessionEntity authSession = this.authSessionsCache.get(event.getAuthSessionId());
+ updateAuthSession(authSession, event.getAuthNotesFragment());
+ }
+
+ private static void updateAuthSession(AuthenticationSessionEntity authSession, Map authNotesFragment) {
+ if (authSession != null) {
+ if (authSession.getAuthNotes() == null) {
+ authSession.setAuthNotes(new ConcurrentHashMap<>());
+ }
+
+ for (Entry me : authNotesFragment.entrySet()) {
+ String value = me.getValue();
+ if (value == null) {
+ authSession.getAuthNotes().remove(me.getKey());
+ } else {
+ authSession.getAuthNotes().put(me.getKey(), value);
+ }
+ }
+ }
+ }
+
+ private void lazyInit(KeycloakSession session) {
+ if (authSessionsCache == null) {
+ synchronized (this) {
+ if (authSessionsCache == null) {
+ InfinispanConnectionProvider connections = session.getProvider(InfinispanConnectionProvider.class);
+ authSessionsCache = connections.getCache(InfinispanConnectionProvider.AUTHENTICATION_SESSIONS_CACHE_NAME);
+
+ ClusterProvider cluster = session.getProvider(ClusterProvider.class);
+ cluster.registerListener(AUTHENTICATION_SESSION_EVENTS, this::updateAuthNotes);
+
+ log.debug("Registered cluster listeners");
+ }
+ }
+ }
+ }
+
+ @Override
+ public void postInit(KeycloakSessionFactory factory) {
+ }
+
+ @Override
+ public void close() {
+ }
+
+ @Override
+ public String getId() {
+ return "infinispan";
+ }
+}
diff --git a/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/InfinispanKeycloakTransaction.java b/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/InfinispanKeycloakTransaction.java
new file mode 100644
index 0000000000..5471184da9
--- /dev/null
+++ b/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/InfinispanKeycloakTransaction.java
@@ -0,0 +1,218 @@
+/*
+ * Copyright 2017 Red Hat, Inc. and/or its affiliates
+ * and other contributors as indicated by the @author tags.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.models.sessions.infinispan;
+
+import org.keycloak.cluster.ClusterEvent;
+import org.keycloak.cluster.ClusterProvider;
+import org.infinispan.context.Flag;
+import org.keycloak.models.KeycloakTransaction;
+
+import java.util.LinkedHashMap;
+import java.util.Map;
+import java.util.concurrent.TimeUnit;
+import org.infinispan.Cache;
+import org.jboss.logging.Logger;
+
+/**
+ * @author Stian Thorgersen
+ */
+public class InfinispanKeycloakTransaction implements KeycloakTransaction {
+
+ private final static Logger log = Logger.getLogger(InfinispanKeycloakTransaction.class);
+
+ public enum CacheOperation {
+ ADD, ADD_WITH_LIFESPAN, REMOVE, REPLACE, ADD_IF_ABSENT // ADD_IF_ABSENT throws an exception if there is existing value
+ }
+
+ private boolean active;
+ private boolean rollback;
+ private final Map tasks = new LinkedHashMap<>();
+
+ @Override
+ public void begin() {
+ active = true;
+ }
+
+ @Override
+ public void commit() {
+ if (rollback) {
+ throw new RuntimeException("Rollback only!");
+ }
+
+ tasks.values().forEach(CacheTask::execute);
+ }
+
+ @Override
+ public void rollback() {
+ tasks.clear();
+ }
+
+ @Override
+ public void setRollbackOnly() {
+ rollback = true;
+ }
+
+ @Override
+ public boolean getRollbackOnly() {
+ return rollback;
+ }
+
+ @Override
+ public boolean isActive() {
+ return active;
+ }
+
+ public void put(Cache cache, K key, V value) {
+ log.tracev("Adding cache operation: {0} on {1}", CacheOperation.ADD, key);
+
+ Object taskKey = getTaskKey(cache, key);
+ if (tasks.containsKey(taskKey)) {
+ throw new IllegalStateException("Can't add session: task in progress for session");
+ } else {
+ tasks.put(taskKey, new CacheTaskWithValue(value) {
+ @Override
+ public void execute() {
+ decorateCache(cache).put(key, value);
+ }
+ });
+ }
+ }
+
+ public void put(Cache cache, K key, V value, long lifespan, TimeUnit lifespanUnit) {
+ log.tracev("Adding cache operation: {0} on {1}", CacheOperation.ADD_WITH_LIFESPAN, key);
+
+ Object taskKey = getTaskKey(cache, key);
+ if (tasks.containsKey(taskKey)) {
+ throw new IllegalStateException("Can't add session: task in progress for session");
+ } else {
+ tasks.put(taskKey, new CacheTaskWithValue(value) {
+ @Override
+ public void execute() {
+ decorateCache(cache).put(key, value, lifespan, lifespanUnit);
+ }
+ });
+ }
+ }
+
+ public void putIfAbsent(Cache cache, K key, V value) {
+ log.tracev("Adding cache operation: {0} on {1}", CacheOperation.ADD_IF_ABSENT, key);
+
+ Object taskKey = getTaskKey(cache, key);
+ if (tasks.containsKey(taskKey)) {
+ throw new IllegalStateException("Can't add session: task in progress for session");
+ } else {
+ tasks.put(taskKey, new CacheTaskWithValue(value) {
+ @Override
+ public void execute() {
+ V existing = cache.putIfAbsent(key, value);
+ if (existing != null) {
+ throw new IllegalStateException("There is already existing value in cache for key " + key);
+ }
+ }
+ });
+ }
+ }
+
+ public void replace(Cache cache, K key, V value) {
+ log.tracev("Adding cache operation: {0} on {1}", CacheOperation.REPLACE, key);
+
+ Object taskKey = getTaskKey(cache, key);
+ CacheTask current = tasks.get(taskKey);
+ if (current != null) {
+ if (current instanceof CacheTaskWithValue) {
+ ((CacheTaskWithValue) current).setValue(value);
+ }
+ } else {
+ tasks.put(taskKey, new CacheTaskWithValue(value) {
+ @Override
+ public void execute() {
+ decorateCache(cache).replace(key, value);
+ }
+ });
+ }
+ }
+
+ public void notify(ClusterProvider clusterProvider, String taskKey, ClusterEvent event, boolean ignoreSender) {
+ log.tracev("Adding cache operation SEND_EVENT: {0}", event);
+
+ String theTaskKey = taskKey;
+ int i = 1;
+ while (tasks.containsKey(theTaskKey)) {
+ theTaskKey = taskKey + "-" + (i++);
+ }
+
+ tasks.put(taskKey, () -> clusterProvider.notify(taskKey, event, ignoreSender));
+ }
+
+ public void remove(Cache cache, K key) {
+ log.tracev("Adding cache operation: {0} on {1}", CacheOperation.REMOVE, key);
+
+ Object taskKey = getTaskKey(cache, key);
+ tasks.put(taskKey, () -> decorateCache(cache).remove(key));
+ }
+
+ // This is for possibility to lookup for session by id, which was created in this transaction
+ public V get(Cache cache, K key) {
+ Object taskKey = getTaskKey(cache, key);
+ CacheTask current = tasks.get(taskKey);
+ if (current != null) {
+ if (current instanceof CacheTaskWithValue) {
+ return ((CacheTaskWithValue) current).getValue();
+ }
+ return null;
+ }
+
+ // Should we have per-transaction cache for lookups?
+ return cache.get(key);
+ }
+
+ private static Object getTaskKey(Cache cache, K key) {
+ if (key instanceof String) {
+ return new StringBuilder(cache.getName())
+ .append("::")
+ .append(key).toString();
+ } else {
+ return key;
+ }
+ }
+
+ public interface CacheTask {
+ void execute();
+ }
+
+ public abstract class CacheTaskWithValue implements CacheTask {
+ protected V value;
+
+ public CacheTaskWithValue(V value) {
+ this.value = value;
+ }
+
+ public V getValue() {
+ return value;
+ }
+
+ public void setValue(V value) {
+ this.value = value;
+ }
+ }
+
+ // Ignore return values. Should have better performance within cluster / cross-dc env
+ private static Cache decorateCache(Cache cache) {
+ return cache.getAdvancedCache()
+ .withFlags(Flag.IGNORE_RETURN_VALUES, Flag.SKIP_REMOTE_LOOKUP);
+ }
+}
\ No newline at end of file
diff --git a/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/InfinispanStickySessionEncoderProvider.java b/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/InfinispanStickySessionEncoderProvider.java
new file mode 100644
index 0000000000..0aca09f81c
--- /dev/null
+++ b/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/InfinispanStickySessionEncoderProvider.java
@@ -0,0 +1,78 @@
+/*
+ * Copyright 2016 Red Hat, Inc. and/or its affiliates
+ * and other contributors as indicated by the @author tags.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.keycloak.models.sessions.infinispan;
+
+import org.infinispan.Cache;
+import org.infinispan.distribution.DistributionManager;
+import org.infinispan.remoting.transport.Address;
+import org.keycloak.connections.infinispan.InfinispanConnectionProvider;
+import org.keycloak.models.KeycloakSession;
+import org.keycloak.sessions.StickySessionEncoderProvider;
+
+/**
+ * @author Marek Posolda
+ */
+public class InfinispanStickySessionEncoderProvider implements StickySessionEncoderProvider {
+
+ private final KeycloakSession session;
+ private final String myNodeName;
+
+ public InfinispanStickySessionEncoderProvider(KeycloakSession session, String myNodeName) {
+ this.session = session;
+ this.myNodeName = myNodeName;
+ }
+
+ @Override
+ public String encodeSessionId(String sessionId) {
+ String nodeName = getNodeName(sessionId);
+ if (nodeName != null) {
+ return sessionId + '.' + nodeName;
+ } else {
+ return sessionId;
+ }
+ }
+
+ @Override
+ public String decodeSessionId(String encodedSessionId) {
+ int index = encodedSessionId.indexOf('.');
+ return index == -1 ? encodedSessionId : encodedSessionId.substring(0, index);
+ }
+
+ @Override
+ public void close() {
+
+ }
+
+
+ private String getNodeName(String sessionId) {
+ InfinispanConnectionProvider ispnProvider = session.getProvider(InfinispanConnectionProvider.class);
+ Cache cache = ispnProvider.getCache(InfinispanConnectionProvider.AUTHENTICATION_SESSIONS_CACHE_NAME);
+ DistributionManager distManager = cache.getAdvancedCache().getDistributionManager();
+
+ if (distManager != null) {
+ // Sticky session to the node, who owns this authenticationSession
+ Address address = distManager.getPrimaryLocation(sessionId);
+ return address.toString();
+ } else {
+ // Fallback to jbossNodeName if authSession cache is local
+ return myNodeName;
+ }
+ }
+
+
+}
diff --git a/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/InfinispanStickySessionEncoderProviderFactory.java b/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/InfinispanStickySessionEncoderProviderFactory.java
new file mode 100644
index 0000000000..b8e6a7131d
--- /dev/null
+++ b/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/InfinispanStickySessionEncoderProviderFactory.java
@@ -0,0 +1,58 @@
+/*
+ * Copyright 2016 Red Hat, Inc. and/or its affiliates
+ * and other contributors as indicated by the @author tags.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.keycloak.models.sessions.infinispan;
+
+import org.keycloak.Config;
+import org.keycloak.connections.infinispan.InfinispanConnectionProvider;
+import org.keycloak.models.KeycloakSession;
+import org.keycloak.models.KeycloakSessionFactory;
+import org.keycloak.sessions.StickySessionEncoderProvider;
+import org.keycloak.sessions.StickySessionEncoderProviderFactory;
+
+/**
+ * @author Marek Posolda
+ */
+public class InfinispanStickySessionEncoderProviderFactory implements StickySessionEncoderProviderFactory {
+
+ private String myNodeName;
+
+ @Override
+ public StickySessionEncoderProvider create(KeycloakSession session) {
+ return new InfinispanStickySessionEncoderProvider(session, myNodeName);
+ }
+
+ @Override
+ public void init(Config.Scope config) {
+ myNodeName = config.get("nodeName", System.getProperty(InfinispanConnectionProvider.JBOSS_NODE_NAME));
+ }
+
+ @Override
+ public void postInit(KeycloakSessionFactory factory) {
+
+ }
+
+ @Override
+ public void close() {
+
+ }
+
+ @Override
+ public String getId() {
+ return "infinispan";
+ }
+}
diff --git a/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/InfinispanUserSessionProvider.java b/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/InfinispanUserSessionProvider.java
index a7c8c31ec4..0e50a73d3d 100755
--- a/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/InfinispanUserSessionProvider.java
+++ b/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/InfinispanUserSessionProvider.java
@@ -23,10 +23,9 @@ import org.infinispan.context.Flag;
import org.jboss.logging.Logger;
import org.keycloak.common.util.Time;
import org.keycloak.models.ClientInitialAccessModel;
+import org.keycloak.models.AuthenticatedClientSessionModel;
import org.keycloak.models.ClientModel;
-import org.keycloak.models.ClientSessionModel;
import org.keycloak.models.KeycloakSession;
-import org.keycloak.models.KeycloakTransaction;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserLoginFailureModel;
import org.keycloak.models.UserModel;
@@ -34,31 +33,29 @@ import org.keycloak.models.UserSessionModel;
import org.keycloak.models.UserSessionProvider;
import org.keycloak.models.session.UserSessionPersisterProvider;
import org.keycloak.models.sessions.infinispan.entities.ClientInitialAccessEntity;
-import org.keycloak.models.sessions.infinispan.entities.ClientSessionEntity;
+import org.keycloak.models.sessions.infinispan.entities.AuthenticatedClientSessionEntity;
import org.keycloak.models.sessions.infinispan.entities.LoginFailureEntity;
import org.keycloak.models.sessions.infinispan.entities.LoginFailureKey;
import org.keycloak.models.sessions.infinispan.entities.SessionEntity;
import org.keycloak.models.sessions.infinispan.entities.UserSessionEntity;
import org.keycloak.models.sessions.infinispan.stream.ClientInitialAccessPredicate;
-import org.keycloak.models.sessions.infinispan.stream.ClientSessionPredicate;
import org.keycloak.models.sessions.infinispan.stream.Comparators;
import org.keycloak.models.sessions.infinispan.stream.Mappers;
import org.keycloak.models.sessions.infinispan.stream.SessionPredicate;
import org.keycloak.models.sessions.infinispan.stream.UserLoginFailurePredicate;
import org.keycloak.models.sessions.infinispan.stream.UserSessionPredicate;
import org.keycloak.models.utils.KeycloakModelUtils;
-import org.keycloak.models.utils.RealmInfoUtil;
import java.util.Collection;
+import java.util.Collections;
import java.util.HashMap;
-import java.util.HashSet;
import java.util.Iterator;
import java.util.LinkedList;
import java.util.List;
import java.util.Map;
-import java.util.Set;
import java.util.function.Consumer;
import java.util.function.Predicate;
+import java.util.stream.Collectors;
import java.util.stream.Stream;
/**
@@ -90,28 +87,27 @@ public class InfinispanUserSessionProvider implements UserSessionProvider {
}
@Override
- public ClientSessionModel createClientSession(RealmModel realm, ClientModel client) {
- String id = KeycloakModelUtils.generateId();
+ public AuthenticatedClientSessionModel createClientSession(RealmModel realm, ClientModel client, UserSessionModel userSession) {
+ AuthenticatedClientSessionEntity entity = new AuthenticatedClientSessionEntity();
- ClientSessionEntity entity = new ClientSessionEntity();
- entity.setId(id);
- entity.setRealm(realm.getId());
- entity.setTimestamp(Time.currentTime());
- entity.setClient(client.getId());
-
-
- tx.put(sessionCache, id, entity);
-
- ClientSessionAdapter wrap = wrap(realm, entity, false);
- return wrap;
+ AuthenticatedClientSessionAdapter adapter = new AuthenticatedClientSessionAdapter(entity, client, (UserSessionAdapter) userSession, this, sessionCache);
+ adapter.setUserSession(userSession);
+ return adapter;
}
@Override
- public UserSessionModel createUserSession(RealmModel realm, UserModel user, String loginUsername, String ipAddress, String authMethod, boolean rememberMe, String brokerSessionId, String brokerUserId) {
- String id = KeycloakModelUtils.generateId();
-
+ public UserSessionModel createUserSession(String id, RealmModel realm, UserModel user, String loginUsername, String ipAddress, String authMethod, boolean rememberMe, String brokerSessionId, String brokerUserId) {
UserSessionEntity entity = new UserSessionEntity();
entity.setId(id);
+
+ updateSessionEntity(entity, realm, user, loginUsername, ipAddress, authMethod, rememberMe, brokerSessionId, brokerUserId);
+
+ tx.putIfAbsent(sessionCache, id, entity);
+
+ return wrap(realm, entity, false);
+ }
+
+ void updateSessionEntity(UserSessionEntity entity, RealmModel realm, UserModel user, String loginUsername, String ipAddress, String authMethod, boolean rememberMe, String brokerSessionId, String brokerUserId) {
entity.setRealm(realm.getId());
entity.setUser(user.getId());
entity.setLoginUsername(loginUsername);
@@ -126,42 +122,7 @@ public class InfinispanUserSessionProvider implements UserSessionProvider {
entity.setStarted(currentTime);
entity.setLastSessionRefresh(currentTime);
- tx.put(sessionCache, id, entity);
- return wrap(realm, entity, false);
- }
-
- @Override
- public ClientSessionModel getClientSession(RealmModel realm, String id) {
- return getClientSession(realm, id, false);
- }
-
- protected ClientSessionModel getClientSession(RealmModel realm, String id, boolean offline) {
- Cache cache = getCache(offline);
- ClientSessionEntity entity = (ClientSessionEntity) cache.get(id);
-
- // Chance created in this transaction
- if (entity == null) {
- entity = (ClientSessionEntity) tx.get(cache, id);
- }
-
- return wrap(realm, entity, offline);
- }
-
- @Override
- public ClientSessionModel getClientSession(String id) {
- ClientSessionEntity entity = (ClientSessionEntity) sessionCache.get(id);
-
- // Chance created in this transaction
- if (entity == null) {
- entity = (ClientSessionEntity) tx.get(sessionCache, id);
- }
-
- if (entity != null) {
- RealmModel realm = session.realms().getRealm(entity.getRealm());
- return wrap(realm, entity, false);
- }
- return null;
}
@Override
@@ -171,11 +132,10 @@ public class InfinispanUserSessionProvider implements UserSessionProvider {
protected UserSessionAdapter getUserSession(RealmModel realm, String id, boolean offline) {
Cache cache = getCache(offline);
- UserSessionEntity entity = (UserSessionEntity) cache.get(id);
+ UserSessionEntity entity = (UserSessionEntity) tx.get(cache, id); // Chance created in this transaction
- // Chance created in this transaction
if (entity == null) {
- entity = (UserSessionEntity) tx.get(cache, id);
+ entity = (UserSessionEntity) cache.get(id);
}
return wrap(realm, entity, offline);
@@ -221,37 +181,50 @@ public class InfinispanUserSessionProvider implements UserSessionProvider {
protected List getUserSessions(final RealmModel realm, ClientModel client, int firstResult, int maxResults, final boolean offline) {
final Cache cache = getCache(offline);
- Iterator itr = cache.entrySet().stream()
- .filter(ClientSessionPredicate.create(realm.getId()).client(client.getId()).requireUserSession())
- .map(Mappers.clientSessionToUserSessionTimestamp())
- .iterator();
+ Stream stream = cache.entrySet().stream()
+ .filter(UserSessionPredicate.create(realm.getId()).client(client.getId()))
+ .map(Mappers.userSessionEntity())
+ .sorted(Comparators.userSessionLastSessionRefresh());
- Map m = new HashMap<>();
- while(itr.hasNext()) {
- UserSessionTimestamp next = itr.next();
- if (!m.containsKey(next.getUserSessionId()) || m.get(next.getUserSessionId()).getClientSessionTimestamp() < next.getClientSessionTimestamp()) {
- m.put(next.getUserSessionId(), next);
- }
+ // Doesn't work due to ISPN-6575 . TODO Fix once infinispan upgraded to 8.2.2.Final or 9.0
+// if (firstResult > 0) {
+// stream = stream.skip(firstResult);
+// }
+//
+// if (maxResults > 0) {
+// stream = stream.limit(maxResults);
+// }
+//
+// List entities = stream.collect(Collectors.toList());
+
+
+ // Workaround for ISPN-6575 TODO Fix once infinispan upgraded to 8.2.2.Final or 9.0 and replace with the more effective code above
+ if (firstResult < 0) {
+ firstResult = 0;
+ }
+ if (maxResults < 0) {
+ maxResults = Integer.MAX_VALUE;
}
- Stream stream = new LinkedList<>(m.values()).stream().sorted(Comparators.userSessionTimestamp());
+ int count = firstResult + maxResults;
+ if (count > 0) {
+ stream = stream.limit(count);
+ }
+ List entities = stream.collect(Collectors.toList());
- if (firstResult > 0) {
- stream = stream.skip(firstResult);
+ if (firstResult > entities.size()) {
+ return Collections.emptyList();
}
- if (maxResults > 0) {
- stream = stream.limit(maxResults);
- }
+ maxResults = Math.min(maxResults, entities.size() - firstResult);
+ entities = entities.subList(firstResult, firstResult + maxResults);
+
final List sessions = new LinkedList<>();
- stream.forEach(new Consumer() {
+ entities.stream().forEach(new Consumer() {
@Override
- public void accept(UserSessionTimestamp userSessionTimestamp) {
- SessionEntity entity = cache.get(userSessionTimestamp.getUserSessionId());
- if (entity != null) {
- sessions.add(wrap(realm, (UserSessionEntity) entity, offline));
- }
+ public void accept(UserSessionEntity userSessionEntity) {
+ sessions.add(wrap(realm, userSessionEntity, offline));
}
});
@@ -264,7 +237,9 @@ public class InfinispanUserSessionProvider implements UserSessionProvider {
}
protected long getUserSessionsCount(RealmModel realm, ClientModel client, boolean offline) {
- return getCache(offline).entrySet().stream().filter(ClientSessionPredicate.create(realm.getId()).client(client.getId()).requireUserSession()).map(Mappers.clientSessionToUserSessionId()).distinct().count();
+ return getCache(offline).entrySet().stream()
+ .filter(UserSessionPredicate.create(realm.getId()).client(client.getId()))
+ .count();
}
@Override
@@ -294,9 +269,7 @@ public class InfinispanUserSessionProvider implements UserSessionProvider {
public void removeExpired(RealmModel realm) {
log.debugf("Removing expired sessions");
removeExpiredUserSessions(realm);
- removeExpiredClientSessions(realm);
removeExpiredOfflineUserSessions(realm);
- removeExpiredOfflineClientSessions(realm);
removeExpiredClientInitialAccess(realm);
}
@@ -313,33 +286,11 @@ public class InfinispanUserSessionProvider implements UserSessionProvider {
counter++;
UserSessionEntity entity = (UserSessionEntity) itr.next().getValue();
tx.remove(sessionCache, entity.getId());
-
- if (entity.getClientSessions() != null) {
- for (String clientSessionId : entity.getClientSessions()) {
- tx.remove(sessionCache, clientSessionId);
- }
- }
}
log.debugf("Removed %d expired user sessions for realm '%s'", counter, realm.getName());
}
- private void removeExpiredClientSessions(RealmModel realm) {
- int expiredDettachedClientSession = Time.currentTime() - RealmInfoUtil.getDettachedClientSessionLifespan(realm);
-
- // Each cluster node cleanups just local sessions, which are those owned by himself (+ few more taking l1 cache into account)
- Iterator> itr = sessionCache.getAdvancedCache().withFlags(Flag.CACHE_MODE_LOCAL)
- .entrySet().stream().filter(ClientSessionPredicate.create(realm.getId()).expiredRefresh(expiredDettachedClientSession).requireNullUserSession()).iterator();
-
- int counter = 0;
- while (itr.hasNext()) {
- counter++;
- tx.remove(sessionCache, itr.next().getKey());
- }
-
- log.debugf("Removed %d expired client sessions for realm '%s'", counter, realm.getName());
- }
-
private void removeExpiredOfflineUserSessions(RealmModel realm) {
UserSessionPersisterProvider persister = session.getProvider(UserSessionPersisterProvider.class);
int expiredOffline = Time.currentTime() - realm.getOfflineSessionIdleTimeout();
@@ -357,33 +308,14 @@ public class InfinispanUserSessionProvider implements UserSessionProvider {
persister.removeUserSession(entity.getId(), true);
- for (String clientSessionId : entity.getClientSessions()) {
- tx.remove(offlineSessionCache, clientSessionId);
+ for (String clientUUID : entity.getAuthenticatedClientSessions().keySet()) {
+ persister.removeClientSession(entity.getId(), clientUUID, true);
}
}
log.debugf("Removed %d expired offline user sessions for realm '%s'", counter, realm.getName());
}
- private void removeExpiredOfflineClientSessions(RealmModel realm) {
- UserSessionPersisterProvider persister = session.getProvider(UserSessionPersisterProvider.class);
- int expiredOffline = Time.currentTime() - realm.getOfflineSessionIdleTimeout();
-
- // Each cluster node cleanups just local sessions, which are those owned by himself (+ few more taking l1 cache into account)
- Iterator itr = offlineSessionCache.getAdvancedCache().withFlags(Flag.CACHE_MODE_LOCAL)
- .entrySet().stream().filter(ClientSessionPredicate.create(realm.getId()).expiredRefresh(expiredOffline)).map(Mappers.sessionId()).iterator();
-
- int counter = 0;
- while (itr.hasNext()) {
- counter++;
- String sessionId = itr.next();
- tx.remove(offlineSessionCache, sessionId);
- persister.removeClientSession(sessionId, true);
- }
-
- log.debugf("Removed %d expired offline client sessions for realm '%s'", counter, realm.getName());
- }
-
private void removeExpiredClientInitialAccess(RealmModel realm) {
Iterator itr = sessionCache.getAdvancedCache().withFlags(Flag.CACHE_MODE_LOCAL)
.entrySet().stream().filter(ClientInitialAccessPredicate.create(realm.getId()).expired(Time.currentTime())).map(Mappers.sessionId()).iterator();
@@ -445,21 +377,7 @@ public class InfinispanUserSessionProvider implements UserSessionProvider {
@Override
public void onClientRemoved(RealmModel realm, ClientModel client) {
- onClientRemoved(realm, client, true);
- onClientRemoved(realm, client, false);
- }
-
- private void onClientRemoved(RealmModel realm, ClientModel client, boolean offline) {
- Cache cache = getCache(offline);
-
- Iterator> itr = cache.entrySet().stream().filter(ClientSessionPredicate.create(realm.getId()).client(client.getId())).iterator();
- while (itr.hasNext()) {
- ClientSessionEntity entity = (ClientSessionEntity) itr.next().getValue();
- ClientSessionAdapter adapter = wrap(realm, entity, offline);
- adapter.setUserSession(null);
-
- tx.remove(cache, entity.getId());
- }
+ // Nothing for now. userSession.getAuthenticatedClientSessions() will check lazily if particular client exists and update userSession on-the-fly.
}
@@ -475,55 +393,10 @@ public class InfinispanUserSessionProvider implements UserSessionProvider {
public void close() {
}
- void attachSession(UserSessionAdapter userSession, ClientSessionModel clientSession) {
- UserSessionEntity entity = userSession.getEntity();
- String clientSessionId = clientSession.getId();
- if (!entity.getClientSessions().contains(clientSessionId)) {
- entity.getClientSessions().add(clientSessionId);
- userSession.update();
- }
- }
-
- @Override
- public void removeClientSession(RealmModel realm, ClientSessionModel clientSession) {
- removeClientSession(realm, clientSession, false);
- }
-
- protected void removeClientSession(RealmModel realm, ClientSessionModel clientSession, boolean offline) {
- Cache cache = getCache(offline);
-
- UserSessionModel userSession = clientSession.getUserSession();
- if (userSession != null) {
- UserSessionEntity entity = ((UserSessionAdapter) userSession).getEntity();
- if (entity.getClientSessions() != null) {
- entity.getClientSessions().remove(clientSession.getId());
-
- }
- tx.replace(cache, entity.getId(), entity);
- }
- tx.remove(cache, clientSession.getId());
- }
-
-
- void dettachSession(UserSessionAdapter userSession, ClientSessionModel clientSession) {
- UserSessionEntity entity = userSession.getEntity();
- String clientSessionId = clientSession.getId();
- if (entity.getClientSessions() != null && entity.getClientSessions().contains(clientSessionId)) {
- entity.getClientSessions().remove(clientSessionId);
- userSession.update();
- }
- }
-
protected void removeUserSession(RealmModel realm, UserSessionEntity sessionEntity, boolean offline) {
Cache cache = getCache(offline);
tx.remove(cache, sessionEntity.getId());
-
- if (sessionEntity.getClientSessions() != null) {
- for (String clientSessionId : sessionEntity.getClientSessions()) {
- tx.remove(cache, clientSessionId);
- }
- }
}
InfinispanKeycloakTransaction getTx() {
@@ -551,11 +424,6 @@ public class InfinispanUserSessionProvider implements UserSessionProvider {
return models;
}
- ClientSessionAdapter wrap(RealmModel realm, ClientSessionEntity entity, boolean offline) {
- Cache cache = getCache(offline);
- return entity != null ? new ClientSessionAdapter(session, this, cache, realm, entity, offline) : null;
- }
-
ClientInitialAccessAdapter wrap(RealmModel realm, ClientInitialAccessEntity entity) {
Cache cache = getCache(false);
return entity != null ? new ClientInitialAccessAdapter(session, this, cache, realm, entity) : null;
@@ -565,14 +433,6 @@ public class InfinispanUserSessionProvider implements UserSessionProvider {
return entity != null ? new UserLoginFailureAdapter(this, loginFailureCache, key, entity) : null;
}
- List wrapClientSessions(RealmModel realm, Collection entities, boolean offline) {
- List models = new LinkedList<>();
- for (ClientSessionEntity e : entities) {
- models.add(wrap(realm, e, offline));
- }
- return models;
- }
-
UserSessionEntity getUserSessionEntity(UserSessionModel userSession, boolean offline) {
if (userSession instanceof UserSessionAdapter) {
return ((UserSessionAdapter) userSession).getEntity();
@@ -585,7 +445,7 @@ public class InfinispanUserSessionProvider implements UserSessionProvider {
@Override
public UserSessionModel createOfflineUserSession(UserSessionModel userSession) {
- UserSessionAdapter offlineUserSession = importUserSession(userSession, true);
+ UserSessionAdapter offlineUserSession = importUserSession(userSession, true, false);
// started and lastSessionRefresh set to current time
int currentTime = Time.currentTime();
@@ -596,7 +456,7 @@ public class InfinispanUserSessionProvider implements UserSessionProvider {
}
@Override
- public UserSessionModel getOfflineUserSession(RealmModel realm, String userSessionId) {
+ public UserSessionAdapter getOfflineUserSession(RealmModel realm, String userSessionId) {
return getUserSession(realm, userSessionId, true);
}
@@ -608,9 +468,14 @@ public class InfinispanUserSessionProvider implements UserSessionProvider {
}
}
+
+
@Override
- public ClientSessionModel createOfflineClientSession(ClientSessionModel clientSession) {
- ClientSessionAdapter offlineClientSession = importClientSession(clientSession, true);
+ public AuthenticatedClientSessionModel createOfflineClientSession(AuthenticatedClientSessionModel clientSession, UserSessionModel offlineUserSession) {
+ UserSessionAdapter userSessionAdapter = (offlineUserSession instanceof UserSessionAdapter) ? (UserSessionAdapter) offlineUserSession :
+ getOfflineUserSession(offlineUserSession.getRealm(), offlineUserSession.getId());
+
+ AuthenticatedClientSessionAdapter offlineClientSession = importClientSession(userSessionAdapter, clientSession);
// update timestamp to current time
offlineClientSession.setTimestamp(Time.currentTime());
@@ -619,38 +484,17 @@ public class InfinispanUserSessionProvider implements UserSessionProvider {
}
@Override
- public ClientSessionModel getOfflineClientSession(RealmModel realm, String clientSessionId) {
- return getClientSession(realm, clientSessionId, true);
- }
-
- @Override
- public List getOfflineClientSessions(RealmModel realm, UserModel user) {
+ public List getOfflineUserSessions(RealmModel realm, UserModel user) {
Iterator> itr = offlineSessionCache.entrySet().stream().filter(UserSessionPredicate.create(realm.getId()).user(user.getId())).iterator();
- List clientSessions = new LinkedList<>();
+ List userSessions = new LinkedList<>();
while(itr.hasNext()) {
UserSessionEntity entity = (UserSessionEntity) itr.next().getValue();
- Set currClientSessions = entity.getClientSessions();
-
- if (currClientSessions == null) {
- continue;
- }
-
- for (String clientSessionId : currClientSessions) {
- ClientSessionEntity cls = (ClientSessionEntity) offlineSessionCache.get(clientSessionId);
- if (cls != null) {
- clientSessions.add(wrap(realm, cls, true));
- }
- }
+ UserSessionModel userSession = wrap(realm, entity, true);
+ userSessions.add(userSession);
}
- return clientSessions;
- }
-
- @Override
- public void removeOfflineClientSession(RealmModel realm, String clientSessionId) {
- ClientSessionModel clientSession = getOfflineClientSession(realm, clientSessionId);
- removeClientSession(realm, clientSession, true);
+ return userSessions;
}
@Override
@@ -664,7 +508,7 @@ public class InfinispanUserSessionProvider implements UserSessionProvider {
}
@Override
- public UserSessionAdapter importUserSession(UserSessionModel userSession, boolean offline) {
+ public UserSessionAdapter importUserSession(UserSessionModel userSession, boolean offline, boolean importAuthenticatedClientSessions) {
UserSessionEntity entity = new UserSessionEntity();
entity.setId(userSession.getId());
entity.setRealm(userSession.getRealm().getId());
@@ -682,34 +526,45 @@ public class InfinispanUserSessionProvider implements UserSessionProvider {
entity.setStarted(userSession.getStarted());
entity.setLastSessionRefresh(userSession.getLastSessionRefresh());
+
Cache cache = getCache(offline);
tx.put(cache, userSession.getId(), entity);
- return wrap(userSession.getRealm(), entity, offline);
+ UserSessionAdapter importedSession = wrap(userSession.getRealm(), entity, offline);
+
+ // Handle client sessions
+ if (importAuthenticatedClientSessions) {
+ for (AuthenticatedClientSessionModel clientSession : userSession.getAuthenticatedClientSessions().values()) {
+ importClientSession(importedSession, clientSession);
+ }
+ }
+
+ return importedSession;
}
- @Override
- public ClientSessionAdapter importClientSession(ClientSessionModel clientSession, boolean offline) {
- ClientSessionEntity entity = new ClientSessionEntity();
- entity.setId(clientSession.getId());
- entity.setRealm(clientSession.getRealm().getId());
+
+ private AuthenticatedClientSessionAdapter importClientSession(UserSessionAdapter importedUserSession, AuthenticatedClientSessionModel clientSession) {
+ AuthenticatedClientSessionEntity entity = new AuthenticatedClientSessionEntity();
entity.setAction(clientSession.getAction());
- entity.setAuthenticatorStatus(clientSession.getExecutionStatus());
- entity.setAuthMethod(clientSession.getAuthMethod());
- if (clientSession.getAuthenticatedUser() != null) {
- entity.setAuthUserId(clientSession.getAuthenticatedUser().getId());
- }
- entity.setClient(clientSession.getClient().getId());
+ entity.setAuthMethod(clientSession.getProtocol());
+
entity.setNotes(clientSession.getNotes());
entity.setProtocolMappers(clientSession.getProtocolMappers());
entity.setRedirectUri(clientSession.getRedirectUri());
entity.setRoles(clientSession.getRoles());
entity.setTimestamp(clientSession.getTimestamp());
- entity.setUserSessionNotes(clientSession.getUserSessionNotes());
- Cache cache = getCache(offline);
- tx.put(cache, clientSession.getId(), entity);
- return wrap(clientSession.getRealm(), entity, offline);
+ Map clientSessions = importedUserSession.getEntity().getAuthenticatedClientSessions();
+ if (clientSessions == null) {
+ clientSessions = new HashMap<>();
+ importedUserSession.getEntity().setAuthenticatedClientSessions(clientSessions);
+ }
+
+ clientSessions.put(clientSession.getClient().getId(), entity);
+
+ importedUserSession.update();
+
+ return new AuthenticatedClientSessionAdapter(entity, clientSession.getClient(), importedUserSession, this, importedUserSession.getCache());
}
@Override
@@ -732,11 +587,10 @@ public class InfinispanUserSessionProvider implements UserSessionProvider {
@Override
public ClientInitialAccessModel getClientInitialAccessModel(RealmModel realm, String id) {
Cache cache = getCache(false);
- ClientInitialAccessEntity entity = (ClientInitialAccessEntity) cache.get(id);
+ ClientInitialAccessEntity entity = (ClientInitialAccessEntity) tx.get(cache, id); // Chance created in this transaction
- // If created in this transaction
if (entity == null) {
- entity = (ClientInitialAccessEntity) tx.get(cache, id);
+ entity = (ClientInitialAccessEntity) cache.get(id);
}
return wrap(realm, entity);
@@ -757,145 +611,4 @@ public class InfinispanUserSessionProvider implements UserSessionProvider {
return list;
}
-
- class InfinispanKeycloakTransaction implements KeycloakTransaction {
-
- private boolean active;
- private boolean rollback;
- private Map tasks = new HashMap<>();
-
- @Override
- public void begin() {
- active = true;
- }
-
- @Override
- public void commit() {
- if (rollback) {
- throw new RuntimeException("Rollback only!");
- }
-
- for (CacheTask task : tasks.values()) {
- task.execute();
- }
- }
-
- @Override
- public void rollback() {
- tasks.clear();
- }
-
- @Override
- public void setRollbackOnly() {
- rollback = true;
- }
-
- @Override
- public boolean getRollbackOnly() {
- return rollback;
- }
-
- @Override
- public boolean isActive() {
- return active;
- }
-
- public void put(Cache cache, Object key, Object value) {
- log.tracev("Adding cache operation: {0} on {1}", CacheOperation.ADD, key);
-
- Object taskKey = getTaskKey(cache, key);
- if (tasks.containsKey(taskKey)) {
- throw new IllegalStateException("Can't add session: task in progress for session");
- } else {
- tasks.put(taskKey, new CacheTask(cache, CacheOperation.ADD, key, value));
- }
- }
-
- public void replace(Cache cache, Object key, Object value) {
- log.tracev("Adding cache operation: {0} on {1}", CacheOperation.REPLACE, key);
-
- Object taskKey = getTaskKey(cache, key);
- CacheTask current = tasks.get(taskKey);
- if (current != null) {
- switch (current.operation) {
- case ADD:
- case REPLACE:
- current.value = value;
- return;
- case REMOVE:
- return;
- }
- } else {
- tasks.put(taskKey, new CacheTask(cache, CacheOperation.REPLACE, key, value));
- }
- }
-
- public void remove(Cache cache, Object key) {
- log.tracev("Adding cache operation: {0} on {1}", CacheOperation.REMOVE, key);
-
- Object taskKey = getTaskKey(cache, key);
- tasks.put(taskKey, new CacheTask(cache, CacheOperation.REMOVE, key, null));
- }
-
- // This is for possibility to lookup for session by id, which was created in this transaction
- public Object get(Cache cache, Object key) {
- Object taskKey = getTaskKey(cache, key);
- CacheTask current = tasks.get(taskKey);
- if (current != null) {
- switch (current.operation) {
- case ADD:
- case REPLACE:
- return current.value; }
- }
-
- return null;
- }
-
- private Object getTaskKey(Cache cache, Object key) {
- if (key instanceof String) {
- return new StringBuilder(cache.getName())
- .append("::")
- .append(key.toString()).toString();
- } else {
- // loginFailure cache
- return key;
- }
- }
-
- public class CacheTask {
- private Cache cache;
- private CacheOperation operation;
- private Object key;
- private Object value;
-
- public CacheTask(Cache cache, CacheOperation operation, Object key, Object value) {
- this.cache = cache;
- this.operation = operation;
- this.key = key;
- this.value = value;
- }
-
- public void execute() {
- log.tracev("Executing cache operation: {0} on {1}", operation, key);
-
- switch (operation) {
- case ADD:
- cache.put(key, value);
- break;
- case REMOVE:
- cache.remove(key);
- break;
- case REPLACE:
- cache.replace(key, value);
- break;
- }
- }
- }
-
- }
-
- public enum CacheOperation {
- ADD, REMOVE, REPLACE
- }
-
}
diff --git a/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/UserSessionAdapter.java b/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/UserSessionAdapter.java
index bf1e6fd391..8ab15f7a0e 100755
--- a/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/UserSessionAdapter.java
+++ b/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/UserSessionAdapter.java
@@ -18,11 +18,13 @@
package org.keycloak.models.sessions.infinispan;
import org.infinispan.Cache;
-import org.keycloak.models.ClientSessionModel;
+import org.keycloak.models.AuthenticatedClientSessionModel;
+import org.keycloak.models.ClientModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.models.UserSessionModel;
+import org.keycloak.models.sessions.infinispan.entities.AuthenticatedClientSessionEntity;
import org.keycloak.models.sessions.infinispan.entities.SessionEntity;
import org.keycloak.models.sessions.infinispan.entities.UserSessionEntity;
@@ -60,6 +62,36 @@ public class UserSessionAdapter implements UserSessionModel {
this.offline = offline;
}
+ @Override
+ public Map getAuthenticatedClientSessions() {
+ Map clientSessionEntities = entity.getAuthenticatedClientSessions();
+ Map result = new HashMap<>();
+
+ List removedClientUUIDS = new LinkedList<>();
+
+ if (clientSessionEntities != null) {
+ clientSessionEntities.forEach((String key, AuthenticatedClientSessionEntity value) -> {
+ // Check if client still exists
+ ClientModel client = realm.getClientById(key);
+ if (client != null) {
+ result.put(key, new AuthenticatedClientSessionAdapter(value, client, this, provider, cache));
+ } else {
+ removedClientUUIDS.add(key);
+ }
+ });
+ }
+
+ // Update user session
+ if (!removedClientUUIDS.isEmpty()) {
+ for (String clientUUID : removedClientUUIDS) {
+ entity.getAuthenticatedClientSessions().remove(clientUUID);
+ }
+ update();
+ }
+
+ return Collections.unmodifiableMap(result);
+ }
+
public String getId() {
return entity.getId();
}
@@ -82,6 +114,12 @@ public class UserSessionAdapter implements UserSessionModel {
return session.users().getUserById(entity.getUser(), realm);
}
+ @Override
+ public void setUser(UserModel user) {
+ entity.setUser(user.getId());
+ update();
+ }
+
@Override
public String getLoginUsername() {
return entity.getLoginUsername();
@@ -159,19 +197,14 @@ public class UserSessionAdapter implements UserSessionModel {
}
@Override
- public List getClientSessions() {
- if (entity.getClientSessions() != null) {
- List clientSessions = new LinkedList<>();
- for (String c : entity.getClientSessions()) {
- ClientSessionModel clientSession = provider.getClientSession(realm, c, offline);
- if (clientSession != null) {
- clientSessions.add(clientSession);
- }
- }
- return clientSessions;
- } else {
- return Collections.emptyList();
- }
+ public void restartSession(RealmModel realm, UserModel user, String loginUsername, String ipAddress, String authMethod, boolean rememberMe, String brokerSessionId, String brokerUserId) {
+ provider.updateSessionEntity(entity, realm, user, loginUsername, ipAddress, authMethod, rememberMe, brokerSessionId, brokerUserId);
+
+ entity.setState(null);
+ entity.setNotes(null);
+ entity.setAuthenticatedClientSessions(null);
+
+ update();
}
@Override
@@ -196,4 +229,7 @@ public class UserSessionAdapter implements UserSessionModel {
provider.getTx().replace(cache, entity.getId(), entity);
}
+ Cache getCache() {
+ return cache;
+ }
}
diff --git a/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/entities/ActionTokenReducedKey.java b/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/entities/ActionTokenReducedKey.java
new file mode 100644
index 0000000000..173c43497d
--- /dev/null
+++ b/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/entities/ActionTokenReducedKey.java
@@ -0,0 +1,104 @@
+/*
+ * Copyright 2017 Red Hat, Inc. and/or its affiliates
+ * and other contributors as indicated by the @author tags.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.models.sessions.infinispan.entities;
+
+import java.io.*;
+import java.util.Objects;
+import java.util.UUID;
+import org.infinispan.commons.marshall.Externalizer;
+import org.infinispan.commons.marshall.SerializeWith;
+
+/**
+ *
+ * @author hmlnarik
+ */
+@SerializeWith(value = ActionTokenReducedKey.ExternalizerImpl.class)
+public class ActionTokenReducedKey implements Serializable {
+
+ private final String userId;
+ private final String actionId;
+
+ /**
+ * Nonce that must match.
+ */
+ private final UUID actionVerificationNonce;
+
+ public ActionTokenReducedKey(String userId, String actionId, UUID actionVerificationNonce) {
+ this.userId = userId;
+ this.actionId = actionId;
+ this.actionVerificationNonce = actionVerificationNonce;
+ }
+
+ public String getUserId() {
+ return userId;
+ }
+
+ public String getActionId() {
+ return actionId;
+ }
+
+ public UUID getActionVerificationNonce() {
+ return actionVerificationNonce;
+ }
+
+ @Override
+ public int hashCode() {
+ int hash = 7;
+ hash = 71 * hash + Objects.hashCode(this.userId);
+ hash = 71 * hash + Objects.hashCode(this.actionId);
+ hash = 71 * hash + Objects.hashCode(this.actionVerificationNonce);
+ return hash;
+ }
+
+ @Override
+ public boolean equals(Object obj) {
+ if (this == obj) {
+ return true;
+ }
+ if (obj == null) {
+ return false;
+ }
+ if (getClass() != obj.getClass()) {
+ return false;
+ }
+ final ActionTokenReducedKey other = (ActionTokenReducedKey) obj;
+ return Objects.equals(this.userId, other.getUserId())
+ && Objects.equals(this.actionId, other.getActionId())
+ && Objects.equals(this.actionVerificationNonce, other.getActionVerificationNonce());
+ }
+
+ public static class ExternalizerImpl implements Externalizer {
+
+ @Override
+ public void writeObject(ObjectOutput output, ActionTokenReducedKey t) throws IOException {
+ output.writeUTF(t.userId);
+ output.writeUTF(t.actionId);
+ output.writeLong(t.actionVerificationNonce.getMostSignificantBits());
+ output.writeLong(t.actionVerificationNonce.getLeastSignificantBits());
+ }
+
+ @Override
+ public ActionTokenReducedKey readObject(ObjectInput input) throws IOException, ClassNotFoundException {
+ return new ActionTokenReducedKey(
+ input.readUTF(),
+ input.readUTF(),
+ new UUID(input.readLong(), input.readLong())
+ );
+ }
+ }
+
+}
diff --git a/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/entities/ActionTokenValueEntity.java b/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/entities/ActionTokenValueEntity.java
new file mode 100644
index 0000000000..7c0f663da6
--- /dev/null
+++ b/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/entities/ActionTokenValueEntity.java
@@ -0,0 +1,76 @@
+/*
+ * Copyright 2017 Red Hat, Inc. and/or its affiliates
+ * and other contributors as indicated by the @author tags.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.models.sessions.infinispan.entities;
+
+import org.keycloak.models.ActionTokenValueModel;
+
+import java.io.*;
+import java.util.*;
+import org.infinispan.commons.marshall.Externalizer;
+import org.infinispan.commons.marshall.SerializeWith;
+
+/**
+ * @author hmlnarik
+ */
+@SerializeWith(ActionTokenValueEntity.ExternalizerImpl.class)
+public class ActionTokenValueEntity implements ActionTokenValueModel {
+
+ private final Map notes;
+
+ public ActionTokenValueEntity(Map notes) {
+ this.notes = notes == null ? Collections.EMPTY_MAP : new HashMap<>(notes);
+ }
+
+ @Override
+ public Map getNotes() {
+ return Collections.unmodifiableMap(notes);
+ }
+
+ @Override
+ public String getNote(String name) {
+ return notes.get(name);
+ }
+
+ public static class ExternalizerImpl implements Externalizer {
+
+ private static final int VERSION_1 = 1;
+
+ @Override
+ public void writeObject(ObjectOutput output, ActionTokenValueEntity t) throws IOException {
+ output.writeByte(VERSION_1);
+
+ output.writeBoolean(! t.notes.isEmpty());
+ if (! t.notes.isEmpty()) {
+ output.writeObject(t.notes);
+ }
+ }
+
+ @Override
+ public ActionTokenValueEntity readObject(ObjectInput input) throws IOException, ClassNotFoundException {
+ byte version = input.readByte();
+
+ if (version != VERSION_1) {
+ throw new IOException("Invalid version: " + version);
+ }
+ boolean notesEmpty = input.readBoolean();
+
+ Map notes = notesEmpty ? Collections.EMPTY_MAP : (Map) input.readObject();
+
+ return new ActionTokenValueEntity(notes);
+ }
+ }
+}
diff --git a/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/entities/AuthenticatedClientSessionEntity.java b/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/entities/AuthenticatedClientSessionEntity.java
new file mode 100644
index 0000000000..3641d5f171
--- /dev/null
+++ b/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/entities/AuthenticatedClientSessionEntity.java
@@ -0,0 +1,94 @@
+/*
+ * Copyright 2016 Red Hat, Inc. and/or its affiliates
+ * and other contributors as indicated by the @author tags.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.keycloak.models.sessions.infinispan.entities;
+
+import java.io.Serializable;
+import java.util.Map;
+import java.util.Set;
+
+/**
+ * @author Marek Posolda
+ */
+public class AuthenticatedClientSessionEntity implements Serializable {
+
+ private String authMethod;
+ private String redirectUri;
+ private int timestamp;
+ private String action;
+
+ private Set roles;
+ private Set protocolMappers;
+ private Map notes;
+
+ public String getAuthMethod() {
+ return authMethod;
+ }
+
+ public void setAuthMethod(String authMethod) {
+ this.authMethod = authMethod;
+ }
+
+ public String getRedirectUri() {
+ return redirectUri;
+ }
+
+ public void setRedirectUri(String redirectUri) {
+ this.redirectUri = redirectUri;
+ }
+
+ public int getTimestamp() {
+ return timestamp;
+ }
+
+ public void setTimestamp(int timestamp) {
+ this.timestamp = timestamp;
+ }
+
+ public String getAction() {
+ return action;
+ }
+
+ public void setAction(String action) {
+ this.action = action;
+ }
+
+ public Set getRoles() {
+ return roles;
+ }
+
+ public void setRoles(Set roles) {
+ this.roles = roles;
+ }
+
+ public Set getProtocolMappers() {
+ return protocolMappers;
+ }
+
+ public void setProtocolMappers(Set protocolMappers) {
+ this.protocolMappers = protocolMappers;
+ }
+
+ public Map getNotes() {
+ return notes;
+ }
+
+ public void setNotes(Map notes) {
+ this.notes = notes;
+ }
+
+}
diff --git a/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/entities/ClientSessionEntity.java b/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/entities/AuthenticationSessionEntity.java
old mode 100755
new mode 100644
similarity index 61%
rename from model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/entities/ClientSessionEntity.java
rename to model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/entities/AuthenticationSessionEntity.java
index 0cbdc79d9b..0b992254b2
--- a/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/entities/ClientSessionEntity.java
+++ b/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/entities/AuthenticationSessionEntity.java
@@ -17,61 +17,49 @@
package org.keycloak.models.sessions.infinispan.entities;
-import org.keycloak.models.ClientSessionModel;
-
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
+import org.keycloak.sessions.AuthenticationSessionModel;
+
/**
- * @author Stian Thorgersen
+ * @author Marek Posolda
*/
-public class ClientSessionEntity extends SessionEntity {
+public class AuthenticationSessionEntity extends SessionEntity {
- private String client;
-
- private String userSession;
-
- private String authMethod;
+ private String clientUuid;
+ private String authUserId;
private String redirectUri;
-
private int timestamp;
-
private String action;
-
private Set roles;
private Set protocolMappers;
- private Map notes;
+
+ private Map executionStatus = new HashMap<>();;
+ private String protocol;
+
+ private Map clientNotes;
+ private Map authNotes;
+ private Set requiredActions = new HashSet<>();
private Map userSessionNotes;
- private Map authenticatorStatus = new HashMap<>();
- private String authUserId;
- private Set requiredActions = new HashSet<>();
-
- public String getClient() {
- return client;
+ public String getClientUuid() {
+ return clientUuid;
}
- public void setClient(String client) {
- this.client = client;
+ public void setClientUuid(String clientUuid) {
+ this.clientUuid = clientUuid;
}
- public String getUserSession() {
- return userSession;
+ public String getAuthUserId() {
+ return authUserId;
}
- public void setUserSession(String userSession) {
- this.userSession = userSession;
- }
-
- public String getAuthMethod() {
- return authMethod;
- }
-
- public void setAuthMethod(String authMethod) {
- this.authMethod = authMethod;
+ public void setAuthUserId(String authUserId) {
+ this.authUserId = authUserId;
}
public String getRedirectUri() {
@@ -114,28 +102,36 @@ public class ClientSessionEntity extends SessionEntity {
this.protocolMappers = protocolMappers;
}
- public Map getNotes() {
- return notes;
+ public Map getExecutionStatus() {
+ return executionStatus;
}
- public void setNotes(Map notes) {
- this.notes = notes;
+ public void setExecutionStatus(Map executionStatus) {
+ this.executionStatus = executionStatus;
}
- public Map getAuthenticatorStatus() {
- return authenticatorStatus;
+ public String getProtocol() {
+ return protocol;
}
- public void setAuthenticatorStatus(Map authenticatorStatus) {
- this.authenticatorStatus = authenticatorStatus;
+ public void setProtocol(String protocol) {
+ this.protocol = protocol;
}
- public String getAuthUserId() {
- return authUserId;
+ public Map getClientNotes() {
+ return clientNotes;
}
- public void setAuthUserId(String authUserId) {
- this.authUserId = authUserId;
+ public void setClientNotes(Map clientNotes) {
+ this.clientNotes = clientNotes;
+ }
+
+ public Set getRequiredActions() {
+ return requiredActions;
+ }
+
+ public void setRequiredActions(Set requiredActions) {
+ this.requiredActions = requiredActions;
}
public Map getUserSessionNotes() {
@@ -146,7 +142,11 @@ public class ClientSessionEntity extends SessionEntity {
this.userSessionNotes = userSessionNotes;
}
- public Set getRequiredActions() {
- return requiredActions;
+ public Map getAuthNotes() {
+ return authNotes;
+ }
+
+ public void setAuthNotes(Map authNotes) {
+ this.authNotes = authNotes;
}
}
diff --git a/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/entities/UserSessionEntity.java b/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/entities/UserSessionEntity.java
index 538babfa4d..54d182f0d8 100755
--- a/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/entities/UserSessionEntity.java
+++ b/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/entities/UserSessionEntity.java
@@ -46,12 +46,12 @@ public class UserSessionEntity extends SessionEntity {
private int lastSessionRefresh;
- private Set clientSessions = new CopyOnWriteArraySet<>();
-
private UserSessionModel.State state;
private Map notes = new ConcurrentHashMap<>();
+ private Map authenticatedClientSessions;
+
public String getUser() {
return user;
}
@@ -108,10 +108,6 @@ public class UserSessionEntity extends SessionEntity {
this.lastSessionRefresh = lastSessionRefresh;
}
- public Set getClientSessions() {
- return clientSessions;
- }
-
public Map getNotes() {
return notes;
}
@@ -120,6 +116,14 @@ public class UserSessionEntity extends SessionEntity {
this.notes = notes;
}
+ public Map getAuthenticatedClientSessions() {
+ return authenticatedClientSessions;
+ }
+
+ public void setAuthenticatedClientSessions(Map authenticatedClientSessions) {
+ this.authenticatedClientSessions = authenticatedClientSessions;
+ }
+
public UserSessionModel.State getState() {
return state;
}
diff --git a/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/initializer/OfflineUserSessionLoader.java b/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/initializer/OfflineUserSessionLoader.java
index 83a3885172..2b6fb71752 100644
--- a/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/initializer/OfflineUserSessionLoader.java
+++ b/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/initializer/OfflineUserSessionLoader.java
@@ -19,7 +19,6 @@ package org.keycloak.models.sessions.infinispan.initializer;
import org.jboss.logging.Logger;
import org.keycloak.cluster.ClusterProvider;
-import org.keycloak.models.ClientSessionModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.UserSessionModel;
import org.keycloak.models.session.UserSessionPersisterProvider;
@@ -64,12 +63,7 @@ public class OfflineUserSessionLoader implements SessionLoader {
for (UserSessionModel persistentSession : sessions) {
// Save to memory/infinispan
- UserSessionModel offlineUserSession = session.sessions().importUserSession(persistentSession, true);
-
- for (ClientSessionModel persistentClientSession : persistentSession.getClientSessions()) {
- ClientSessionModel offlineClientSession = session.sessions().importClientSession(persistentClientSession, true);
- offlineClientSession.setUserSession(offlineUserSession);
- }
+ UserSessionModel offlineUserSession = session.sessions().importUserSession(persistentSession, true, true);
}
return true;
diff --git a/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/mapreduce/ClientSessionMapper.java b/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/mapreduce/ClientSessionMapper.java
deleted file mode 100644
index 351921591c..0000000000
--- a/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/mapreduce/ClientSessionMapper.java
+++ /dev/null
@@ -1,129 +0,0 @@
-/*
- * Copyright 2016 Red Hat, Inc. and/or its affiliates
- * and other contributors as indicated by the @author tags.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.keycloak.models.sessions.infinispan.mapreduce;
-
-import org.infinispan.distexec.mapreduce.Collector;
-import org.infinispan.distexec.mapreduce.Mapper;
-import org.keycloak.models.sessions.infinispan.entities.ClientSessionEntity;
-import org.keycloak.models.sessions.infinispan.entities.SessionEntity;
-
-import java.io.Serializable;
-
-/**
- * @author Stian Thorgersen
- */
-public class ClientSessionMapper implements Mapper, Serializable {
-
- public ClientSessionMapper(String realm) {
- this.realm = realm;
- }
-
- private enum EmitValue {
- KEY, ENTITY, USER_SESSION_AND_TIMESTAMP
- }
-
- private String realm;
-
- private EmitValue emit = EmitValue.ENTITY;
-
- private String client;
-
- private String userSession;
-
- private Long expiredRefresh;
-
- private Boolean requireNullUserSession = false;
-
- public static ClientSessionMapper create(String realm) {
- return new ClientSessionMapper(realm);
- }
-
- public ClientSessionMapper emitKey() {
- emit = EmitValue.KEY;
- return this;
- }
-
- public ClientSessionMapper emitUserSessionAndTimestamp() {
- emit = EmitValue.USER_SESSION_AND_TIMESTAMP;
- return this;
- }
-
- public ClientSessionMapper client(String client) {
- this.client = client;
- return this;
- }
-
- public ClientSessionMapper userSession(String userSession) {
- this.userSession = userSession;
- return this;
- }
-
- public ClientSessionMapper expiredRefresh(long expiredRefresh) {
- this.expiredRefresh = expiredRefresh;
- return this;
- }
-
- public ClientSessionMapper requireNullUserSession(boolean requireNullUserSession) {
- this.requireNullUserSession = requireNullUserSession;
- return this;
- }
-
- @Override
- public void map(String key, SessionEntity e, Collector collector) {
- if (!realm.equals(e.getRealm())) {
- return;
- }
-
- if (!(e instanceof ClientSessionEntity)) {
- return;
- }
-
- ClientSessionEntity entity = (ClientSessionEntity) e;
-
- if (client != null && !entity.getClient().equals(client)) {
- return;
- }
-
- if (userSession != null && !userSession.equals(entity.getUserSession())) {
- return;
- }
-
- if (requireNullUserSession && entity.getUserSession() != null) {
- return;
- }
-
- if (expiredRefresh != null && entity.getTimestamp() > expiredRefresh) {
- return;
- }
-
- switch (emit) {
- case KEY:
- collector.emit(key, key);
- break;
- case ENTITY:
- collector.emit(key, entity);
- break;
- case USER_SESSION_AND_TIMESTAMP:
- if (entity.getUserSession() != null) {
- collector.emit(entity.getUserSession(), entity.getTimestamp());
- }
- break;
- }
- }
-
-}
diff --git a/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/mapreduce/ClientSessionsOfUserSessionMapper.java b/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/mapreduce/ClientSessionsOfUserSessionMapper.java
deleted file mode 100644
index 971f89af19..0000000000
--- a/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/mapreduce/ClientSessionsOfUserSessionMapper.java
+++ /dev/null
@@ -1,77 +0,0 @@
-/*
- * Copyright 2016 Red Hat, Inc. and/or its affiliates
- * and other contributors as indicated by the @author tags.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.keycloak.models.sessions.infinispan.mapreduce;
-
-import org.infinispan.distexec.mapreduce.Collector;
-import org.infinispan.distexec.mapreduce.Mapper;
-import org.keycloak.models.sessions.infinispan.entities.ClientSessionEntity;
-import org.keycloak.models.sessions.infinispan.entities.SessionEntity;
-
-import java.io.Serializable;
-import java.util.Collection;
-
-/**
- * Return all clientSessions attached to any from input list of userSessions
- *
- * @author Marek Posolda
- */
-public class ClientSessionsOfUserSessionMapper implements Mapper, Serializable {
-
- private String realm;
- private Collection userSessions;
-
- private EmitValue emit = EmitValue.ENTITY;
-
- private enum EmitValue {
- KEY, ENTITY
- }
-
- public ClientSessionsOfUserSessionMapper(String realm, Collection userSessions) {
- this.realm = realm;
- this.userSessions = userSessions;
- }
-
- public ClientSessionsOfUserSessionMapper emitKey() {
- emit = EmitValue.KEY;
- return this;
- }
-
- @Override
- public void map(String key, SessionEntity e, Collector collector) {
- if (!realm.equals(e.getRealm())) {
- return;
- }
-
- if (!(e instanceof ClientSessionEntity)) {
- return;
- }
-
- ClientSessionEntity entity = (ClientSessionEntity) e;
-
- if (userSessions.contains(entity.getUserSession())) {
- switch (emit) {
- case KEY:
- collector.emit(entity.getId(), entity.getId());
- break;
- case ENTITY:
- collector.emit(entity.getId(), entity);
- break;
- }
- }
- }
-}
diff --git a/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/stream/AuthenticationSessionPredicate.java b/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/stream/AuthenticationSessionPredicate.java
new file mode 100644
index 0000000000..c471793842
--- /dev/null
+++ b/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/stream/AuthenticationSessionPredicate.java
@@ -0,0 +1,105 @@
+/*
+ * Copyright 2016 Red Hat, Inc. and/or its affiliates
+ * and other contributors as indicated by the @author tags.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.keycloak.models.sessions.infinispan.stream;
+
+import java.io.Serializable;
+import java.util.Map;
+import java.util.function.Predicate;
+
+import org.keycloak.models.sessions.infinispan.entities.AuthenticationSessionEntity;
+
+/**
+ * @author Marek Posolda
+ */
+public class AuthenticationSessionPredicate implements Predicate>, Serializable {
+
+ private String realm;
+
+ private String client;
+
+ private String user;
+
+ private Integer expired;
+
+ //private String brokerSessionId;
+ //private String brokerUserId;
+
+ private AuthenticationSessionPredicate(String realm) {
+ this.realm = realm;
+ }
+
+ public static AuthenticationSessionPredicate create(String realm) {
+ return new AuthenticationSessionPredicate(realm);
+ }
+
+ public AuthenticationSessionPredicate user(String user) {
+ this.user = user;
+ return this;
+ }
+
+ public AuthenticationSessionPredicate client(String client) {
+ this.client = client;
+ return this;
+ }
+
+ public AuthenticationSessionPredicate expired(Integer expired) {
+ this.expired = expired;
+ return this;
+ }
+
+// public UserSessionPredicate brokerSessionId(String id) {
+// this.brokerSessionId = id;
+// return this;
+// }
+
+// public UserSessionPredicate brokerUserId(String id) {
+// this.brokerUserId = id;
+// return this;
+// }
+
+ @Override
+ public boolean test(Map.Entry entry) {
+ AuthenticationSessionEntity entity = entry.getValue();
+
+ if (!realm.equals(entity.getRealm())) {
+ return false;
+ }
+
+ if (user != null && !entity.getAuthUserId().equals(user)) {
+ return false;
+ }
+
+ if (client != null && !entity.getClientUuid().equals(client)) {
+ return false;
+ }
+
+// if (brokerSessionId != null && !brokerSessionId.equals(entity.getBrokerSessionId())) {
+// return false;
+// }
+//
+// if (brokerUserId != null && !brokerUserId.equals(entity.getBrokerUserId())) {
+// return false;
+// }
+
+ if (expired != null && entity.getTimestamp() > expired) {
+ return false;
+ }
+
+ return true;
+ }
+}
diff --git a/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/stream/ClientSessionPredicate.java b/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/stream/ClientSessionPredicate.java
deleted file mode 100644
index 0f3ce5aebf..0000000000
--- a/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/stream/ClientSessionPredicate.java
+++ /dev/null
@@ -1,114 +0,0 @@
-/*
- * Copyright 2016 Red Hat, Inc. and/or its affiliates
- * and other contributors as indicated by the @author tags.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.keycloak.models.sessions.infinispan.stream;
-
-import org.keycloak.models.sessions.infinispan.entities.ClientSessionEntity;
-import org.keycloak.models.sessions.infinispan.entities.SessionEntity;
-
-import java.io.Serializable;
-import java.util.Map;
-import java.util.function.Predicate;
-
-/**
- * @author Stian Thorgersen
- */
-public class ClientSessionPredicate implements Predicate>, Serializable {
-
- private String realm;
-
- private String client;
-
- private String userSession;
-
- private Long expiredRefresh;
-
- private Boolean requireUserSession = false;
-
- private Boolean requireNullUserSession = false;
-
- private ClientSessionPredicate(String realm) {
- this.realm = realm;
- }
-
- public static ClientSessionPredicate create(String realm) {
- return new ClientSessionPredicate(realm);
- }
-
- public ClientSessionPredicate client(String client) {
- this.client = client;
- return this;
- }
-
- public ClientSessionPredicate userSession(String userSession) {
- this.userSession = userSession;
- return this;
- }
-
- public ClientSessionPredicate expiredRefresh(long expiredRefresh) {
- this.expiredRefresh = expiredRefresh;
- return this;
- }
-
- public ClientSessionPredicate requireUserSession() {
- requireUserSession = true;
- return this;
- }
-
- public ClientSessionPredicate requireNullUserSession() {
- requireNullUserSession = true;
- return this;
- }
-
- @Override
- public boolean test(Map.Entry entry) {
- SessionEntity e = entry.getValue();
-
- if (!realm.equals(e.getRealm())) {
- return false;
- }
-
- if (!(e instanceof ClientSessionEntity)) {
- return false;
- }
-
- ClientSessionEntity entity = (ClientSessionEntity) e;
-
- if (client != null && !entity.getClient().equals(client)) {
- return false;
- }
-
- if (userSession != null && !userSession.equals(entity.getUserSession())) {
- return false;
- }
-
- if (requireUserSession && entity.getUserSession() == null) {
- return false;
- }
-
- if (requireNullUserSession && entity.getUserSession() != null) {
- return false;
- }
-
- if (expiredRefresh != null && entity.getTimestamp() > expiredRefresh) {
- return false;
- }
-
- return true;
- }
-
-}
diff --git a/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/stream/Comparators.java b/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/stream/Comparators.java
index 4907ec1ed2..ec2a2cb853 100644
--- a/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/stream/Comparators.java
+++ b/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/stream/Comparators.java
@@ -18,6 +18,8 @@
package org.keycloak.models.sessions.infinispan.stream;
import org.keycloak.models.sessions.infinispan.UserSessionTimestamp;
+import org.keycloak.models.sessions.infinispan.entities.SessionEntity;
+import org.keycloak.models.sessions.infinispan.entities.UserSessionEntity;
import java.io.Serializable;
import java.util.Comparator;
@@ -38,4 +40,17 @@ public class Comparators {
}
}
+
+ public static Comparator userSessionLastSessionRefresh() {
+ return new UserSessionLastSessionRefreshComparator();
+ }
+
+ private static class UserSessionLastSessionRefreshComparator implements Comparator, Serializable {
+
+ @Override
+ public int compare(UserSessionEntity u1, UserSessionEntity u2) {
+ return u1.getLastSessionRefresh() - u2.getLastSessionRefresh();
+ }
+ }
+
}
diff --git a/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/stream/Mappers.java b/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/stream/Mappers.java
index 6bf13580ed..dd2db6821f 100644
--- a/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/stream/Mappers.java
+++ b/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/stream/Mappers.java
@@ -18,10 +18,10 @@
package org.keycloak.models.sessions.infinispan.stream;
import org.keycloak.models.sessions.infinispan.UserSessionTimestamp;
-import org.keycloak.models.sessions.infinispan.entities.ClientSessionEntity;
import org.keycloak.models.sessions.infinispan.entities.LoginFailureEntity;
import org.keycloak.models.sessions.infinispan.entities.LoginFailureKey;
import org.keycloak.models.sessions.infinispan.entities.SessionEntity;
+import org.keycloak.models.sessions.infinispan.entities.UserSessionEntity;
import java.io.Serializable;
import java.util.Map;
@@ -33,10 +33,6 @@ import java.util.function.Function;
*/
public class Mappers {
- public static Function, UserSessionTimestamp> clientSessionToUserSessionTimestamp() {
- return new ClientSessionToUserSessionTimestampMapper();
- }
-
public static Function>, UserSessionTimestamp> userSessionTimestamp() {
return new UserSessionTimestampMapper();
}
@@ -49,23 +45,14 @@ public class Mappers {
return new SessionEntityMapper();
}
+ public static Function, UserSessionEntity> userSessionEntity() {
+ return new UserSessionEntityMapper();
+ }
+
public static Function, LoginFailureKey> loginFailureId() {
return new LoginFailureIdMapper();
}
- public static Function, String> clientSessionToUserSessionId() {
- return new ClientSessionToUserSessionIdMapper();
- }
-
- private static class ClientSessionToUserSessionTimestampMapper implements Function, UserSessionTimestamp>, Serializable {
- @Override
- public UserSessionTimestamp apply(Map.Entry entry) {
- SessionEntity e = entry.getValue();
- ClientSessionEntity entity = (ClientSessionEntity) e;
- return new UserSessionTimestamp(entity.getUserSession(), entity.getTimestamp());
- }
- }
-
private static class UserSessionTimestampMapper implements Function>, org.keycloak.models.sessions.infinispan.UserSessionTimestamp>, Serializable {
@Override
public org.keycloak.models.sessions.infinispan.UserSessionTimestamp apply(Map.Entry> e) {
@@ -87,6 +74,13 @@ public class Mappers {
}
}
+ private static class UserSessionEntityMapper implements Function, UserSessionEntity>, Serializable {
+ @Override
+ public UserSessionEntity apply(Map.Entry entry) {
+ return (UserSessionEntity) entry.getValue();
+ }
+ }
+
private static class LoginFailureIdMapper implements Function, LoginFailureKey>, Serializable {
@Override
public LoginFailureKey apply(Map.Entry entry) {
@@ -94,12 +88,4 @@ public class Mappers {
}
}
- private static class ClientSessionToUserSessionIdMapper implements Function, String>, Serializable {
- @Override
- public String apply(Map.Entry entry) {
- SessionEntity e = entry.getValue();
- ClientSessionEntity entity = (ClientSessionEntity) e;
- return entity.getUserSession();
- }
- }
}
diff --git a/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/stream/UserSessionPredicate.java b/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/stream/UserSessionPredicate.java
index 77ff572305..0cc3fccf97 100644
--- a/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/stream/UserSessionPredicate.java
+++ b/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/stream/UserSessionPredicate.java
@@ -33,6 +33,8 @@ public class UserSessionPredicate implements Predicate {
em.flush();
}
+ @Override
+ public int getActionTokenGeneratedByAdminLifespan() {
+ return getAttribute(RealmAttributes.ACTION_TOKEN_GENERATED_BY_ADMIN_LIFESPAN, 12 * 60 * 60);
+ }
+
+ @Override
+ public void setActionTokenGeneratedByAdminLifespan(int actionTokenGeneratedByAdminLifespan) {
+ setAttribute(RealmAttributes.ACTION_TOKEN_GENERATED_BY_ADMIN_LIFESPAN, actionTokenGeneratedByAdminLifespan);
+ }
+
+ @Override
+ public int getActionTokenGeneratedByUserLifespan() {
+ return getAttribute(RealmAttributes.ACTION_TOKEN_GENERATED_BY_USER_LIFESPAN, getAccessCodeLifespanUserAction());
+ }
+
+ @Override
+ public void setActionTokenGeneratedByUserLifespan(int actionTokenGeneratedByUserLifespan) {
+ setAttribute(RealmAttributes.ACTION_TOKEN_GENERATED_BY_USER_LIFESPAN, actionTokenGeneratedByUserLifespan);
+ }
+
protected RequiredCredentialModel initRequiredCredentialModel(String type) {
RequiredCredentialModel model = RequiredCredentialModel.BUILT_IN.get(type);
if (model == null) {
diff --git a/model/jpa/src/main/java/org/keycloak/models/jpa/entities/RealmAttributes.java b/model/jpa/src/main/java/org/keycloak/models/jpa/entities/RealmAttributes.java
index 499a008647..6ee1074c6c 100644
--- a/model/jpa/src/main/java/org/keycloak/models/jpa/entities/RealmAttributes.java
+++ b/model/jpa/src/main/java/org/keycloak/models/jpa/entities/RealmAttributes.java
@@ -26,4 +26,8 @@ public interface RealmAttributes {
String DISPLAY_NAME_HTML = "displayNameHtml";
+ String ACTION_TOKEN_GENERATED_BY_ADMIN_LIFESPAN = "actionTokenGeneratedByAdminLifespan";
+
+ String ACTION_TOKEN_GENERATED_BY_USER_LIFESPAN = "actionTokenGeneratedByUserLifespan";
+
}
diff --git a/model/jpa/src/main/java/org/keycloak/models/jpa/session/JpaUserSessionPersisterProvider.java b/model/jpa/src/main/java/org/keycloak/models/jpa/session/JpaUserSessionPersisterProvider.java
index b3aea63f55..64246e8d6d 100644
--- a/model/jpa/src/main/java/org/keycloak/models/jpa/session/JpaUserSessionPersisterProvider.java
+++ b/model/jpa/src/main/java/org/keycloak/models/jpa/session/JpaUserSessionPersisterProvider.java
@@ -17,14 +17,14 @@
package org.keycloak.models.jpa.session;
+import org.keycloak.models.AuthenticatedClientSessionModel;
import org.keycloak.models.ClientModel;
-import org.keycloak.models.ClientSessionModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.ModelException;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.models.UserSessionModel;
-import org.keycloak.models.session.PersistentClientSessionAdapter;
+import org.keycloak.models.session.PersistentAuthenticatedClientSessionAdapter;
import org.keycloak.models.session.PersistentClientSessionModel;
import org.keycloak.models.session.PersistentUserSessionAdapter;
import org.keycloak.models.session.PersistentUserSessionModel;
@@ -34,8 +34,9 @@ import javax.persistence.EntityManager;
import javax.persistence.Query;
import javax.persistence.TypedQuery;
import java.util.ArrayList;
-import java.util.LinkedList;
+import java.util.HashMap;
import java.util.List;
+import java.util.Map;
/**
* @author Marek Posolda
@@ -68,12 +69,11 @@ public class JpaUserSessionPersisterProvider implements UserSessionPersisterProv
}
@Override
- public void createClientSession(ClientSessionModel clientSession, boolean offline) {
- PersistentClientSessionAdapter adapter = new PersistentClientSessionAdapter(clientSession);
+ public void createClientSession(AuthenticatedClientSessionModel clientSession, boolean offline) {
+ PersistentAuthenticatedClientSessionAdapter adapter = new PersistentAuthenticatedClientSessionAdapter(clientSession);
PersistentClientSessionModel model = adapter.getUpdatedModel();
PersistentClientSessionEntity entity = new PersistentClientSessionEntity();
- entity.setClientSessionId(clientSession.getId());
entity.setClientId(clientSession.getClient().getId());
entity.setTimestamp(clientSession.getTimestamp());
String offlineStr = offlineToString(offline);
@@ -121,9 +121,9 @@ public class JpaUserSessionPersisterProvider implements UserSessionPersisterProv
}
@Override
- public void removeClientSession(String clientSessionId, boolean offline) {
+ public void removeClientSession(String userSessionId, String clientUUID, boolean offline) {
String offlineStr = offlineToString(offline);
- PersistentClientSessionEntity sessionEntity = em.find(PersistentClientSessionEntity.class, new PersistentClientSessionEntity.Key(clientSessionId, offlineStr));
+ PersistentClientSessionEntity sessionEntity = em.find(PersistentClientSessionEntity.class, new PersistentClientSessionEntity.Key(userSessionId, clientUUID, offlineStr));
if (sessionEntity != null) {
em.remove(sessionEntity);
@@ -227,14 +227,14 @@ public class JpaUserSessionPersisterProvider implements UserSessionPersisterProv
int j = 0;
for (UserSessionModel ss : result) {
PersistentUserSessionAdapter userSession = (PersistentUserSessionAdapter) ss;
- List currentClientSessions = userSession.getClientSessions(); // This is empty now and we want to fill it
+ Map currentClientSessions = userSession.getAuthenticatedClientSessions(); // This is empty now and we want to fill it
boolean next = true;
while (next && j < clientSessions.size()) {
PersistentClientSessionEntity clientSession = clientSessions.get(j);
if (clientSession.getUserSessionId().equals(userSession.getId())) {
- PersistentClientSessionAdapter clientSessAdapter = toAdapter(userSession.getRealm(), userSession, clientSession);
- currentClientSessions.add(clientSessAdapter);
+ PersistentAuthenticatedClientSessionAdapter clientSessAdapter = toAdapter(userSession.getRealm(), userSession, clientSession);
+ currentClientSessions.put(clientSession.getClientId(), clientSessAdapter);
j++;
} else {
next = false;
@@ -243,6 +243,7 @@ public class JpaUserSessionPersisterProvider implements UserSessionPersisterProv
}
}
+
return result;
}
@@ -252,21 +253,20 @@ public class JpaUserSessionPersisterProvider implements UserSessionPersisterProv
model.setLastSessionRefresh(entity.getLastSessionRefresh());
model.setData(entity.getData());
- List clientSessions = new LinkedList<>();
+ Map clientSessions = new HashMap<>();
return new PersistentUserSessionAdapter(model, realm, user, clientSessions);
}
- private PersistentClientSessionAdapter toAdapter(RealmModel realm, PersistentUserSessionAdapter userSession, PersistentClientSessionEntity entity) {
+ private PersistentAuthenticatedClientSessionAdapter toAdapter(RealmModel realm, PersistentUserSessionAdapter userSession, PersistentClientSessionEntity entity) {
ClientModel client = realm.getClientById(entity.getClientId());
PersistentClientSessionModel model = new PersistentClientSessionModel();
- model.setClientSessionId(entity.getClientSessionId());
model.setClientId(entity.getClientId());
model.setUserSessionId(userSession.getId());
model.setUserId(userSession.getUser().getId());
model.setTimestamp(entity.getTimestamp());
model.setData(entity.getData());
- return new PersistentClientSessionAdapter(model, realm, client, userSession);
+ return new PersistentAuthenticatedClientSessionAdapter(model, realm, client, userSession);
}
@Override
diff --git a/model/jpa/src/main/java/org/keycloak/models/jpa/session/JpaUserSessionPersisterProviderFactory.java b/model/jpa/src/main/java/org/keycloak/models/jpa/session/JpaUserSessionPersisterProviderFactory.java
index 35265afe30..e12223df35 100644
--- a/model/jpa/src/main/java/org/keycloak/models/jpa/session/JpaUserSessionPersisterProviderFactory.java
+++ b/model/jpa/src/main/java/org/keycloak/models/jpa/session/JpaUserSessionPersisterProviderFactory.java
@@ -20,7 +20,6 @@ package org.keycloak.models.jpa.session;
import org.keycloak.Config;
import org.keycloak.connections.jpa.JpaConnectionProvider;
import org.keycloak.models.KeycloakSession;
-import org.keycloak.models.KeycloakSessionFactory;
import org.keycloak.models.session.UserSessionPersisterProvider;
import org.keycloak.models.session.UserSessionPersisterProviderFactory;
diff --git a/model/jpa/src/main/java/org/keycloak/models/jpa/session/PersistentClientSessionEntity.java b/model/jpa/src/main/java/org/keycloak/models/jpa/session/PersistentClientSessionEntity.java
index 7250836580..8910bca948 100644
--- a/model/jpa/src/main/java/org/keycloak/models/jpa/session/PersistentClientSessionEntity.java
+++ b/model/jpa/src/main/java/org/keycloak/models/jpa/session/PersistentClientSessionEntity.java
@@ -45,12 +45,10 @@ import java.io.Serializable;
public class PersistentClientSessionEntity {
@Id
- @Column(name="CLIENT_SESSION_ID", length = 36)
- protected String clientSessionId;
-
@Column(name = "USER_SESSION_ID", length = 36)
protected String userSessionId;
+ @Id
@Column(name="CLIENT_ID", length = 36)
protected String clientId;
@@ -64,14 +62,6 @@ public class PersistentClientSessionEntity {
@Column(name="DATA")
protected String data;
- public String getClientSessionId() {
- return clientSessionId;
- }
-
- public void setClientSessionId(String clientSessionId) {
- this.clientSessionId = clientSessionId;
- }
-
public String getUserSessionId() {
return userSessionId;
}
@@ -114,20 +104,27 @@ public class PersistentClientSessionEntity {
public static class Key implements Serializable {
- protected String clientSessionId;
+ protected String userSessionId;
+
+ protected String clientId;
protected String offline;
public Key() {
}
- public Key(String clientSessionId, String offline) {
- this.clientSessionId = clientSessionId;
+ public Key(String userSessionId, String clientId, String offline) {
+ this.userSessionId = userSessionId;
+ this.clientId = clientId;
this.offline = offline;
}
- public String getClientSessionId() {
- return clientSessionId;
+ public String getUserSessionId() {
+ return userSessionId;
+ }
+
+ public String getClientId() {
+ return clientId;
}
public String getOffline() {
@@ -141,7 +138,8 @@ public class PersistentClientSessionEntity {
Key key = (Key) o;
- if (this.clientSessionId != null ? !this.clientSessionId.equals(key.clientSessionId) : key.clientSessionId != null) return false;
+ if (this.userSessionId != null ? !this.userSessionId.equals(key.userSessionId) : key.userSessionId != null) return false;
+ if (this.clientId != null ? !this.clientId.equals(key.clientId) : key.clientId != null) return false;
if (this.offline != null ? !this.offline.equals(key.offline) : key.offline != null) return false;
return true;
@@ -149,7 +147,8 @@ public class PersistentClientSessionEntity {
@Override
public int hashCode() {
- int result = this.clientSessionId != null ? this.clientSessionId.hashCode() : 0;
+ int result = this.userSessionId != null ? this.userSessionId.hashCode() : 0;
+ result = 37 * result + (this.clientId != null ? this.clientId.hashCode() : 0);
result = 31 * result + (this.offline != null ? this.offline.hashCode() : 0);
return result;
}
diff --git a/model/jpa/src/main/resources/META-INF/jpa-changelog-3.2.0.xml b/model/jpa/src/main/resources/META-INF/jpa-changelog-3.2.0.xml
new file mode 100644
index 0000000000..51be2fd18c
--- /dev/null
+++ b/model/jpa/src/main/resources/META-INF/jpa-changelog-3.2.0.xml
@@ -0,0 +1,27 @@
+
+
+
+
+
+
+
+
+
+
+
+
\ No newline at end of file
diff --git a/model/jpa/src/main/resources/META-INF/jpa-changelog-master.xml b/model/jpa/src/main/resources/META-INF/jpa-changelog-master.xml
index 59855ec614..ae7d98b4e4 100755
--- a/model/jpa/src/main/resources/META-INF/jpa-changelog-master.xml
+++ b/model/jpa/src/main/resources/META-INF/jpa-changelog-master.xml
@@ -47,4 +47,5 @@
+
diff --git a/server-spi-private/src/main/java/org/keycloak/authentication/AuthenticationFlowContext.java b/server-spi-private/src/main/java/org/keycloak/authentication/AuthenticationFlowContext.java
index 98632fbe3c..fb6e02997a 100755
--- a/server-spi-private/src/main/java/org/keycloak/authentication/AuthenticationFlowContext.java
+++ b/server-spi-private/src/main/java/org/keycloak/authentication/AuthenticationFlowContext.java
@@ -18,10 +18,10 @@
package org.keycloak.authentication;
import org.keycloak.forms.login.LoginFormsProvider;
-import org.keycloak.models.ClientSessionModel;
import org.keycloak.models.UserModel;
import org.keycloak.models.UserSessionModel;
import org.keycloak.models.utils.FormMessage;
+import org.keycloak.sessions.AuthenticationSessionModel;
import java.net.URI;
@@ -62,7 +62,7 @@ public interface AuthenticationFlowContext extends AbstractAuthenticationFlowCon
*
* @return
*/
- ClientSessionModel getClientSession();
+ AuthenticationSessionModel getAuthenticationSession();
/**
* Create a Freemarker form builder that presets the user, action URI, and a generated access code
@@ -80,11 +80,19 @@ public interface AuthenticationFlowContext extends AbstractAuthenticationFlowCon
URI getActionUrl(String code);
/**
- * Get the action URL for the required action. This auto-generates the access code.
+ * Get the action URL for the action token executor.
+ *
+ * @param tokenString String representation (JWT) of action token
+ * @return
+ */
+ URI getActionTokenUrl(String tokenString);
+
+ /**
+ * Get the refresh URL for the required action.
*
* @return
*/
- URI getActionUrl();
+ URI getRefreshExecutionUrl();
/**
* End the flow and redirect browser based on protocol specific respones. This should only be executed
@@ -99,6 +107,12 @@ public interface AuthenticationFlowContext extends AbstractAuthenticationFlowCon
*/
void resetFlow();
+ /**
+ * Reset the current flow to the beginning and restarts it. Allows to add additional listener, which is triggered after flow restarted
+ *
+ */
+ void resetFlow(Runnable afterResetListener);
+
/**
* Fork the current flow. The client session will be cloned and set to point at the realm's browser login flow. The Response will be the result
* of this fork. The previous flow will still be set at the current execution. This is used by reset password when it sends an email.
diff --git a/server-spi-private/src/main/java/org/keycloak/authentication/FormContext.java b/server-spi-private/src/main/java/org/keycloak/authentication/FormContext.java
index 7c7d143f13..2c1255d57a 100755
--- a/server-spi-private/src/main/java/org/keycloak/authentication/FormContext.java
+++ b/server-spi-private/src/main/java/org/keycloak/authentication/FormContext.java
@@ -22,10 +22,10 @@ import org.keycloak.common.ClientConnection;
import org.keycloak.events.EventBuilder;
import org.keycloak.models.AuthenticationExecutionModel;
import org.keycloak.models.AuthenticatorConfigModel;
-import org.keycloak.models.ClientSessionModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
+import org.keycloak.sessions.AuthenticationSessionModel;
import javax.ws.rs.core.UriInfo;
@@ -79,11 +79,11 @@ public interface FormContext {
RealmModel getRealm();
/**
- * ClientSessionModel attached to this flow
+ * AuthenticationSessionModel attached to this flow
*
* @return
*/
- ClientSessionModel getClientSession();
+ AuthenticationSessionModel getAuthenticationSession();
/**
* Information about the IP address from the connecting HTTP client.
diff --git a/server-spi-private/src/main/java/org/keycloak/authentication/RequiredActionContext.java b/server-spi-private/src/main/java/org/keycloak/authentication/RequiredActionContext.java
index 3ece79e5f4..caaa14e59c 100755
--- a/server-spi-private/src/main/java/org/keycloak/authentication/RequiredActionContext.java
+++ b/server-spi-private/src/main/java/org/keycloak/authentication/RequiredActionContext.java
@@ -21,11 +21,10 @@ import org.jboss.resteasy.spi.HttpRequest;
import org.keycloak.common.ClientConnection;
import org.keycloak.events.EventBuilder;
import org.keycloak.forms.login.LoginFormsProvider;
-import org.keycloak.models.ClientSessionModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
-import org.keycloak.models.UserSessionModel;
+import org.keycloak.sessions.AuthenticationSessionModel;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.UriInfo;
@@ -90,8 +89,7 @@ public interface RequiredActionContext {
*/
UserModel getUser();
RealmModel getRealm();
- ClientSessionModel getClientSession();
- UserSessionModel getUserSession();
+ AuthenticationSessionModel getAuthenticationSession();
ClientConnection getConnection();
UriInfo getUriInfo();
KeycloakSession getSession();
diff --git a/server-spi-private/src/main/java/org/keycloak/authentication/RequiredActionFactory.java b/server-spi-private/src/main/java/org/keycloak/authentication/RequiredActionFactory.java
index 76dc582e0e..517b5f4a4c 100755
--- a/server-spi-private/src/main/java/org/keycloak/authentication/RequiredActionFactory.java
+++ b/server-spi-private/src/main/java/org/keycloak/authentication/RequiredActionFactory.java
@@ -35,4 +35,13 @@ public interface RequiredActionFactory extends ProviderFactory
}
@Override
- public void attachUserSession(UserSessionModel userSession, ClientSessionModel clientSession, BrokeredIdentityContext context) {
+ public void authenticationFinished(AuthenticationSessionModel authSession, BrokeredIdentityContext context) {
}
diff --git a/server-spi-private/src/main/java/org/keycloak/broker/provider/AuthenticationRequest.java b/server-spi-private/src/main/java/org/keycloak/broker/provider/AuthenticationRequest.java
index 863decb984..ba8276f497 100644
--- a/server-spi-private/src/main/java/org/keycloak/broker/provider/AuthenticationRequest.java
+++ b/server-spi-private/src/main/java/org/keycloak/broker/provider/AuthenticationRequest.java
@@ -17,9 +17,9 @@
package org.keycloak.broker.provider;
import org.jboss.resteasy.spi.HttpRequest;
-import org.keycloak.models.ClientSessionModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
+import org.keycloak.sessions.AuthenticationSessionModel;
import javax.ws.rs.core.UriInfo;
@@ -34,16 +34,16 @@ public class AuthenticationRequest {
private final HttpRequest httpRequest;
private final RealmModel realm;
private final String redirectUri;
- private final ClientSessionModel clientSession;
+ private final AuthenticationSessionModel authSession;
- public AuthenticationRequest(KeycloakSession session, RealmModel realm, ClientSessionModel clientSession, HttpRequest httpRequest, UriInfo uriInfo, String state, String redirectUri) {
+ public AuthenticationRequest(KeycloakSession session, RealmModel realm, AuthenticationSessionModel authSession, HttpRequest httpRequest, UriInfo uriInfo, String state, String redirectUri) {
this.session = session;
this.realm = realm;
this.httpRequest = httpRequest;
this.uriInfo = uriInfo;
this.state = state;
this.redirectUri = redirectUri;
- this.clientSession = clientSession;
+ this.authSession = authSession;
}
public KeycloakSession getSession() {
@@ -76,7 +76,7 @@ public class AuthenticationRequest {
return this.redirectUri;
}
- public ClientSessionModel getClientSession() {
- return this.clientSession;
+ public AuthenticationSessionModel getAuthenticationSession() {
+ return this.authSession;
}
}
diff --git a/server-spi-private/src/main/java/org/keycloak/broker/provider/BrokeredIdentityContext.java b/server-spi-private/src/main/java/org/keycloak/broker/provider/BrokeredIdentityContext.java
index f2c8a7aad7..a2b1dc5624 100755
--- a/server-spi-private/src/main/java/org/keycloak/broker/provider/BrokeredIdentityContext.java
+++ b/server-spi-private/src/main/java/org/keycloak/broker/provider/BrokeredIdentityContext.java
@@ -16,9 +16,9 @@
*/
package org.keycloak.broker.provider;
-import org.keycloak.models.ClientSessionModel;
import org.keycloak.models.Constants;
import org.keycloak.models.IdentityProviderModel;
+import org.keycloak.sessions.AuthenticationSessionModel;
import java.util.ArrayList;
import java.util.HashMap;
@@ -46,7 +46,7 @@ public class BrokeredIdentityContext {
private IdentityProviderModel idpConfig;
private IdentityProvider idp;
private Map contextData = new HashMap<>();
- private ClientSessionModel clientSession;
+ private AuthenticationSessionModel authenticationSession;
public BrokeredIdentityContext(String id) {
if (id == null) {
@@ -190,12 +190,12 @@ public class BrokeredIdentityContext {
this.lastName = lastName;
}
- public ClientSessionModel getClientSession() {
- return clientSession;
+ public AuthenticationSessionModel getAuthenticationSession() {
+ return authenticationSession;
}
- public void setClientSession(ClientSessionModel clientSession) {
- this.clientSession = clientSession;
+ public void setAuthenticationSession(AuthenticationSessionModel authenticationSession) {
+ this.authenticationSession = authenticationSession;
}
public void setName(String name) {
diff --git a/server-spi-private/src/main/java/org/keycloak/broker/provider/IdentityProvider.java b/server-spi-private/src/main/java/org/keycloak/broker/provider/IdentityProvider.java
index b14572ee5d..c4f1c5c3b6 100755
--- a/server-spi-private/src/main/java/org/keycloak/broker/provider/IdentityProvider.java
+++ b/server-spi-private/src/main/java/org/keycloak/broker/provider/IdentityProvider.java
@@ -17,7 +17,6 @@
package org.keycloak.broker.provider;
import org.keycloak.events.EventBuilder;
-import org.keycloak.models.ClientSessionModel;
import org.keycloak.models.FederatedIdentityModel;
import org.keycloak.models.IdentityProviderModel;
import org.keycloak.models.KeycloakSession;
@@ -25,6 +24,7 @@ import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.models.UserSessionModel;
import org.keycloak.provider.Provider;
+import org.keycloak.sessions.AuthenticationSessionModel;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.UriInfo;
@@ -51,7 +51,7 @@ public interface IdentityProvider extends Provi
void preprocessFederatedIdentity(KeycloakSession session, RealmModel realm, BrokeredIdentityContext context);
- void attachUserSession(UserSessionModel userSession, ClientSessionModel clientSession, BrokeredIdentityContext context);
+ void authenticationFinished(AuthenticationSessionModel authSession, BrokeredIdentityContext context);
void importNewUser(KeycloakSession session, RealmModel realm, UserModel user, BrokeredIdentityContext context);
void updateBrokeredUser(KeycloakSession session, RealmModel realm, UserModel user, BrokeredIdentityContext context);
diff --git a/server-spi-private/src/main/java/org/keycloak/events/Details.java b/server-spi-private/src/main/java/org/keycloak/events/Details.java
index 0ef227dabc..5e3a9b37e4 100755
--- a/server-spi-private/src/main/java/org/keycloak/events/Details.java
+++ b/server-spi-private/src/main/java/org/keycloak/events/Details.java
@@ -25,6 +25,7 @@ public interface Details {
String EMAIL = "email";
String PREVIOUS_EMAIL = "previous_email";
String UPDATED_EMAIL = "updated_email";
+ String ACTION = "action";
String CODE_ID = "code_id";
String REDIRECT_URI = "redirect_uri";
String RESPONSE_TYPE = "response_type";
@@ -63,4 +64,6 @@ public interface Details {
String CLIENT_REGISTRATION_POLICY = "client_registration_policy";
+ String EXISTING_USER = "previous_user";
+
}
diff --git a/server-spi-private/src/main/java/org/keycloak/events/Errors.java b/server-spi-private/src/main/java/org/keycloak/events/Errors.java
index e82421f079..ab954bc40a 100755
--- a/server-spi-private/src/main/java/org/keycloak/events/Errors.java
+++ b/server-spi-private/src/main/java/org/keycloak/events/Errors.java
@@ -37,6 +37,7 @@ public interface Errors {
String USER_DISABLED = "user_disabled";
String USER_TEMPORARILY_DISABLED = "user_temporarily_disabled";
String INVALID_USER_CREDENTIALS = "invalid_user_credentials";
+ String DIFFERENT_USER_AUTHENTICATED = "different_user_authenticated";
String USERNAME_MISSING = "username_missing";
String USERNAME_IN_USE = "username_in_use";
diff --git a/server-spi-private/src/main/java/org/keycloak/events/EventType.java b/server-spi-private/src/main/java/org/keycloak/events/EventType.java
index f77137fc0a..920646fa58 100755
--- a/server-spi-private/src/main/java/org/keycloak/events/EventType.java
+++ b/server-spi-private/src/main/java/org/keycloak/events/EventType.java
@@ -79,6 +79,9 @@ public enum EventType {
RESET_PASSWORD(true),
RESET_PASSWORD_ERROR(true),
+ RESTART_AUTHENTICATION(true),
+ RESTART_AUTHENTICATION_ERROR(true),
+
INVALID_SIGNATURE(false),
INVALID_SIGNATURE_ERROR(false),
REGISTER_NODE(false),
@@ -89,6 +92,8 @@ public enum EventType {
USER_INFO_REQUEST(false),
USER_INFO_REQUEST_ERROR(false),
+ IDENTITY_PROVIDER_LINK_ACCOUNT(true),
+ IDENTITY_PROVIDER_LINK_ACCOUNT_ERROR(true),
IDENTITY_PROVIDER_LOGIN(false),
IDENTITY_PROVIDER_LOGIN_ERROR(false),
IDENTITY_PROVIDER_FIRST_LOGIN(true),
@@ -105,6 +110,8 @@ public enum EventType {
CUSTOM_REQUIRED_ACTION_ERROR(true),
EXECUTE_ACTIONS(true),
EXECUTE_ACTIONS_ERROR(true),
+ EXECUTE_ACTION_TOKEN(true),
+ EXECUTE_ACTION_TOKEN_ERROR(true),
CLIENT_INFO(false),
CLIENT_INFO_ERROR(false),
@@ -124,6 +131,10 @@ public enum EventType {
this.saveByDefault = saveByDefault;
}
+ /**
+ * Determines whether this event is stored when the admin has not set a specific set of event types to save.
+ * @return
+ */
public boolean isSaveByDefault() {
return saveByDefault;
}
diff --git a/server-spi-private/src/main/java/org/keycloak/forms/login/LoginFormsPages.java b/server-spi-private/src/main/java/org/keycloak/forms/login/LoginFormsPages.java
index fcaff7a520..476e3aa8bf 100755
--- a/server-spi-private/src/main/java/org/keycloak/forms/login/LoginFormsPages.java
+++ b/server-spi-private/src/main/java/org/keycloak/forms/login/LoginFormsPages.java
@@ -24,6 +24,6 @@ public enum LoginFormsPages {
LOGIN, LOGIN_TOTP, LOGIN_CONFIG_TOTP, LOGIN_VERIFY_EMAIL,
LOGIN_IDP_LINK_CONFIRM, LOGIN_IDP_LINK_EMAIL,
- OAUTH_GRANT, LOGIN_RESET_PASSWORD, LOGIN_UPDATE_PASSWORD, REGISTER, INFO, ERROR, LOGIN_UPDATE_PROFILE, CODE;
+ OAUTH_GRANT, LOGIN_RESET_PASSWORD, LOGIN_UPDATE_PASSWORD, REGISTER, INFO, ERROR, LOGIN_UPDATE_PROFILE, LOGIN_PAGE_EXPIRED, CODE;
}
diff --git a/server-spi-private/src/main/java/org/keycloak/forms/login/LoginFormsProvider.java b/server-spi-private/src/main/java/org/keycloak/forms/login/LoginFormsProvider.java
index f16f0c2165..32195ef4db 100755
--- a/server-spi-private/src/main/java/org/keycloak/forms/login/LoginFormsProvider.java
+++ b/server-spi-private/src/main/java/org/keycloak/forms/login/LoginFormsProvider.java
@@ -17,12 +17,12 @@
package org.keycloak.forms.login;
-import org.keycloak.models.ClientSessionModel;
import org.keycloak.models.ProtocolMapperModel;
import org.keycloak.models.RoleModel;
import org.keycloak.models.UserModel;
import org.keycloak.models.utils.FormMessage;
import org.keycloak.provider.Provider;
+import org.keycloak.sessions.AuthenticationSessionModel;
import javax.ws.rs.core.MultivaluedMap;
import javax.ws.rs.core.Response;
@@ -68,16 +68,16 @@ public interface LoginFormsProvider extends Provider {
public Response createIdpLinkEmailPage();
+ public Response createLoginExpiredPage();
+
public Response createErrorPage();
- public Response createOAuthGrant(ClientSessionModel clientSessionModel);
+ public Response createOAuthGrant();
public Response createCode();
public LoginFormsProvider setClientSessionCode(String accessCode);
- public LoginFormsProvider setClientSession(ClientSessionModel clientSession);
-
public LoginFormsProvider setAccessRequest(List realmRolesRequested, MultivaluedMap resourceRolesRequested, List protocolMappers);
public LoginFormsProvider setAccessRequest(String message);
diff --git a/server-spi-private/src/main/java/org/keycloak/models/ActionTokenStoreProvider.java b/server-spi-private/src/main/java/org/keycloak/models/ActionTokenStoreProvider.java
new file mode 100644
index 0000000000..4e4a8dbb5f
--- /dev/null
+++ b/server-spi-private/src/main/java/org/keycloak/models/ActionTokenStoreProvider.java
@@ -0,0 +1,54 @@
+/*
+ * Copyright 2017 Red Hat, Inc. and/or its affiliates
+ * and other contributors as indicated by the @author tags.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.models;
+
+import org.keycloak.provider.Provider;
+
+import java.util.Map;
+
+/**
+ * Internal action token store provider.
+ * @author hmlnarik
+ */
+public interface ActionTokenStoreProvider extends Provider {
+
+ /**
+ * Adds a given token to token store.
+ * @param actionTokenKey key
+ * @param notes Optional notes to be stored with the token. Can be {@code null} in which case it is treated as an empty map.
+ */
+ void put(ActionTokenKeyModel actionTokenKey, Map