From aaac85e5418acd0ac4025a96c51430e735ad7d5b Mon Sep 17 00:00:00 2001
From: sebastienblanc
Date: Tue, 5 Sep 2017 15:08:17 +0200
Subject: [PATCH] add new flag to determine if error response must be sent or not
---
 .../adapters/BearerTokenRequestAuthenticator.java | 7 ++++++-
 .../org/keycloak/adapters/KeycloakDeployment.java | 12 ++++++++++--
 .../KeycloakAuthenticationProcessingFilter.java | 4 ++++
 3 files changed, 20 insertions(+), 3 deletions(-)
diff --git a/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/BearerTokenRequestAuthenticator.java b/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/BearerTokenRequestAuthenticator.java
index 5eed432920..fd4544f637 100755
--- a/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/BearerTokenRequestAuthenticator.java
+++ b/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/BearerTokenRequestAuthenticator.java
@@ -164,7 +164,12 @@ public class BearerTokenRequestAuthenticator {
 OIDCAuthenticationError error = new OIDCAuthenticationError(reason, description);
 facade.getRequest().setError(error);
 facade.getResponse().addHeader("WWW-Authenticate", challenge);
- facade.getResponse().sendError(401);
+ if(deployment.isDelegateBearerErrorResponseSending()){
+ facade.getResponse().setStatus(401);
+ }
+ else {
+ facade.getResponse().sendError(401);
+ }
 return true;
 }
 };
diff --git a/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/KeycloakDeployment.java b/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/KeycloakDeployment.java
index d5761bcf1a..707b882220 100755
--- a/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/KeycloakDeployment.java
+++ b/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/KeycloakDeployment.java
@@ -94,6 +94,8 @@ public class KeycloakDeployment {
 protected Map redirectRewriteRules;
+ protected boolean delegateBearerErrorResponseSending = false;
+
 public KeycloakDeployment() { }
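Review bot: In the delegate branch of the challenge handler, `setStatus(401)` only records a status, whereas `sendError(401)` on servlet-backed facades normally also finishes the response, so the 401 now depends on what the caller does after the adapter returns. Nothing in the hunk states that contract; a caller that sets the flag but does not write its own error response, or lets processing continue, could end up replacing the status. I would add a comment above the branch such as `// Delegated: the caller must complete the 401 response and stop processing; setStatus() alone does not finish it.` As a style point, the new lines would read better as `if (deployment.isDelegateBearerErrorResponseSending()) {` with `} else {` on one line. The enclosing anonymous challenge class starts outside the hunk.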
@@ -456,6 +458,12 @@ public class KeycloakDeployment {
 public void setRewriteRedirectRules(Map redirectRewriteRules) {
 this.redirectRewriteRules = redirectRewriteRules;
 }
-
-
+
+ public boolean isDelegateBearerErrorResponseSending() {
+ return delegateBearerErrorResponseSending;
+ }
+
+ public void setDelegateBearerErrorResponseSending(boolean delegateBearerErrorResponseSending) {
+ this.delegateBearerErrorResponseSending = delegateBearerErrorResponseSending;
+ }
 }
diff --git a/adapters/oidc/spring-security/src/main/java/org/keycloak/adapters/springsecurity/filter/KeycloakAuthenticationProcessingFilter.java b/adapters/oidc/spring-security/src/main/java/org/keycloak/adapters/springsecurity/filter/KeycloakAuthenticationProcessingFilter.java
index 7e235ae520..2e9ef40f6d 100644
--- a/adapters/oidc/spring-security/src/main/java/org/keycloak/adapters/springsecurity/filter/KeycloakAuthenticationProcessingFilter.java
+++ b/adapters/oidc/spring-security/src/main/java/org/keycloak/adapters/springsecurity/filter/KeycloakAuthenticationProcessingFilter.java
@@ -134,6 +134,10 @@ public class KeycloakAuthenticationProcessingFilter extends AbstractAuthenticati
 HttpFacade facade = new SimpleHttpFacade(request, response);
 KeycloakDeployment deployment = adapterDeploymentContext.resolveDeployment(facade);
+
+ // using Spring authenticationFailureHandler
+ deployment.setDelegateBearerErrorResponseSending(true);
+
 AdapterTokenStore tokenStore = adapterTokenStoreFactory.createAdapterTokenStore(deployment, request);
 RequestAuthenticator authenticator = new SpringSecurityRequestAuthenticator(facade, request, deployment, tokenStore, -1);
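Review bot: The new accessor pair has no Javadoc, and the name `delegateBearerErrorResponseSending` does not say who the response is delegated to or what the adapter still does itself. Since the flag changes how a failed bearer authentication is answered, I would document it on the getter, e.g. `/** When true, a failed bearer challenge only sets the 401 status and WWW-Authenticate header; the caller is responsible for sending the error response. */`. The same sentence would fit the field declared in the earlier hunk of this file, which defaults to `false`.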
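Review bot: `deployment.setDelegateBearerErrorResponseSending(true)` writes to the resolved `KeycloakDeployment` on every authentication attempt. If `resolveDeployment` returns an instance shared across requests (likely, but not visible in this hunk), that is an unsynchronized write to a plain boolean from the request path, and it changes bearer error handling for anything else using the same deployment. Setting the flag once where the Spring adapter builds or loads its deployment would keep the request path read-only. The added comment could also state the reason, e.g. `// Spring's AuthenticationFailureHandler writes the error response, so the adapter must only set the status`. The method body starts and ends outside the hunk.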