From 2d3f771b70f61a69414866265859d9317f1fb487 Mon Sep 17 00:00:00 2001 From: scranen Date: Sun, 2 Jul 2017 16:01:18 +0200 Subject: [PATCH] Cookie token store not working in Spring Security adapter Co-authored-by: scranen Co-authored-by: rainerfrey Co-authored-by: pedroigor --- .../KeycloakAuthenticationEntryPoint.java | 10 ++ .../KeycloakAuthenticationFailureHandler.java | 3 + .../KeycloakAuthenticationSuccessHandler.java | 66 ++++++++ .../KeycloakCookieBasedRedirect.java | 69 +++++++++ .../authentication/KeycloakLogoutHandler.java | 8 + .../KeycloakWebSecurityConfigurerAdapter.java | 3 +- .../AdapterStateCookieRequestMatcher.java | 45 ++++++ ...eycloakAuthenticationProcessingFilter.java | 14 +- .../KeycloakSecurityContextRequestFilter.java | 3 +- .../token/AdapterTokenStoreFactory.java | 8 +- ...pringSecurityAdapterTokenStoreFactory.java | 9 +- .../token/SpringSecurityCookieTokenStore.java | 141 ++++++++++++++++++ ...oakAuthenticationProcessingFilterTest.java | 5 +- ...gSecurityAdapterTokenStoreFactoryTest.java | 34 ++++- 14 files changed, 399 insertions(+), 19 deletions(-) create mode 100644 adapters/oidc/spring-security/src/main/java/org/keycloak/adapters/springsecurity/authentication/KeycloakAuthenticationSuccessHandler.java create mode 100644 adapters/oidc/spring-security/src/main/java/org/keycloak/adapters/springsecurity/authentication/KeycloakCookieBasedRedirect.java create mode 100644 adapters/oidc/spring-security/src/main/java/org/keycloak/adapters/springsecurity/filter/AdapterStateCookieRequestMatcher.java create mode 100644 adapters/oidc/spring-security/src/main/java/org/keycloak/adapters/springsecurity/token/SpringSecurityCookieTokenStore.java diff --git a/adapters/oidc/spring-security/src/main/java/org/keycloak/adapters/springsecurity/authentication/KeycloakAuthenticationEntryPoint.java b/adapters/oidc/spring-security/src/main/java/org/keycloak/adapters/springsecurity/authentication/KeycloakAuthenticationEntryPoint.java index 0cab4f5fd7..166135e2fe 100644 --- a/adapters/oidc/spring-security/src/main/java/org/keycloak/adapters/springsecurity/authentication/KeycloakAuthenticationEntryPoint.java +++ b/adapters/oidc/spring-security/src/main/java/org/keycloak/adapters/springsecurity/authentication/KeycloakAuthenticationEntryPoint.java @@ -94,7 +94,17 @@ public class KeycloakAuthenticationEntryPoint implements AuthenticationEntryPoin } } + /** + * Redirects to the login page. If HTTP sessions are disabled, the redirect URL is saved in a + * cookie now, to be retrieved by the {@link KeycloakAuthenticationSuccessHandler} or the + * {@link KeycloakAuthenticationFailureHandler} when the login sequence completes. + */ protected void commenceLoginRedirect(HttpServletRequest request, HttpServletResponse response) throws IOException { + if (request.getSession(false) == null && KeycloakCookieBasedRedirect.getRedirectUrlFromCookie(request) == null) { + // If no session exists yet at this point, then apparently the redirect URL is not + // stored in a session. We'll store it in a cookie instead. + response.addCookie(KeycloakCookieBasedRedirect.createCookieFromRedirectUrl(request.getRequestURI())); + } String contextAwareLoginUri = request.getContextPath() + loginUri; log.debug("Redirecting to login URI {}", contextAwareLoginUri); response.sendRedirect(contextAwareLoginUri); diff --git a/adapters/oidc/spring-security/src/main/java/org/keycloak/adapters/springsecurity/authentication/KeycloakAuthenticationFailureHandler.java b/adapters/oidc/spring-security/src/main/java/org/keycloak/adapters/springsecurity/authentication/KeycloakAuthenticationFailureHandler.java index 5bdd3e18f6..fdb6cb84c1 100644 --- a/adapters/oidc/spring-security/src/main/java/org/keycloak/adapters/springsecurity/authentication/KeycloakAuthenticationFailureHandler.java +++ b/adapters/oidc/spring-security/src/main/java/org/keycloak/adapters/springsecurity/authentication/KeycloakAuthenticationFailureHandler.java @@ -38,6 +38,9 @@ public class KeycloakAuthenticationFailureHandler implements AuthenticationFailu // Check that the response was not committed yet (this may happen when another // part of the Keycloak adapter sends a challenge or a redirect). if (!response.isCommitted()) { + if (KeycloakCookieBasedRedirect.getRedirectUrlFromCookie(request) != null) { + response.addCookie(KeycloakCookieBasedRedirect.createCookieFromRedirectUrl(null)); + } response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Unable to authenticate using the Authorization header"); } else { if (200 <= response.getStatus() && response.getStatus() < 300) { diff --git a/adapters/oidc/spring-security/src/main/java/org/keycloak/adapters/springsecurity/authentication/KeycloakAuthenticationSuccessHandler.java b/adapters/oidc/spring-security/src/main/java/org/keycloak/adapters/springsecurity/authentication/KeycloakAuthenticationSuccessHandler.java new file mode 100644 index 0000000000..7a0eab9b6a --- /dev/null +++ b/adapters/oidc/spring-security/src/main/java/org/keycloak/adapters/springsecurity/authentication/KeycloakAuthenticationSuccessHandler.java @@ -0,0 +1,66 @@ +/* + * Copyright 2016 Red Hat, Inc. and/or its affiliates + * and other contributors as indicated by the @author tags. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.keycloak.adapters.springsecurity.authentication; + +import java.io.IOException; +import javax.servlet.ServletException; +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; +import org.springframework.security.core.Authentication; +import org.springframework.security.web.authentication.AuthenticationSuccessHandler; + +/** + * Wrapper for an authentication success handler that sends a redirect if a redirect URL was set in + * a cookie. + * + * @author Sjoerd Cranen + * + * @see KeycloakCookieBasedRedirect + * @see KeycloakAuthenticationEntryPoint#commenceLoginRedirect + */ +public class KeycloakAuthenticationSuccessHandler implements AuthenticationSuccessHandler { + + private static final Logger LOG = LoggerFactory.getLogger(KeycloakAuthenticationSuccessHandler.class); + + private final AuthenticationSuccessHandler fallback; + + public KeycloakAuthenticationSuccessHandler(AuthenticationSuccessHandler fallback) { + this.fallback = fallback; + } + + @Override + public void onAuthenticationSuccess( + HttpServletRequest request, HttpServletResponse response, Authentication authentication) + throws IOException, ServletException { + String location = KeycloakCookieBasedRedirect.getRedirectUrlFromCookie(request); + if (location == null) { + if (fallback != null) { + fallback.onAuthenticationSuccess(request, response, authentication); + } + } else { + try { + response.addCookie(KeycloakCookieBasedRedirect.createCookieFromRedirectUrl(null)); + response.sendRedirect(location); + } catch (IOException e) { + LOG.warn("Unable to redirect user after login", e); + } + } + } +} diff --git a/adapters/oidc/spring-security/src/main/java/org/keycloak/adapters/springsecurity/authentication/KeycloakCookieBasedRedirect.java b/adapters/oidc/spring-security/src/main/java/org/keycloak/adapters/springsecurity/authentication/KeycloakCookieBasedRedirect.java new file mode 100644 index 0000000000..b3b8e7e5f7 --- /dev/null +++ b/adapters/oidc/spring-security/src/main/java/org/keycloak/adapters/springsecurity/authentication/KeycloakCookieBasedRedirect.java @@ -0,0 +1,69 @@ +/* + * Copyright 2016 Red Hat, Inc. and/or its affiliates + * and other contributors as indicated by the @author tags. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.keycloak.adapters.springsecurity.authentication; + +import javax.servlet.http.Cookie; +import javax.servlet.http.HttpServletRequest; + +/** + * Utility class that provides methods to create and retrieve cookies used for login redirects. + * + * @author Sjoerd Cranen + */ +public final class KeycloakCookieBasedRedirect { + + private static final String REDIRECT_COOKIE = "KC_REDIRECT"; + + private KeycloakCookieBasedRedirect() {} + + /** + * Checks if a cookie with name {@value REDIRECT_COOKIE} exists, and if so, returns its value. + * If multiple cookies of the same name exist, the value of the first cookie is returned. + * + * @param request the request to retrieve the cookie from. + * @return the value of the cookie, if it exists, or else {@code null}. + */ + public static String getRedirectUrlFromCookie(HttpServletRequest request) { + if (request.getCookies() == null) { + return null; + } + for (Cookie cookie : request.getCookies()) { + if (REDIRECT_COOKIE.equals(cookie.getName())) { + return cookie.getValue(); + } + } + return null; + } + + /** + * Creates a cookie with name {@value REDIRECT_COOKIE} and the given URL as value. + * + * @param url the value that the cookie should have. If {@code null}, a cookie is created that + * expires immediately and has an empty string as value. + * @return a cookie that can be added to a response. + */ + public static Cookie createCookieFromRedirectUrl(String url) { + Cookie cookie = new Cookie(REDIRECT_COOKIE, url == null ? "" : url); + cookie.setHttpOnly(true); + cookie.setPath("/"); + if (url == null) { + cookie.setMaxAge(0); + } + return cookie; + } +} diff --git a/adapters/oidc/spring-security/src/main/java/org/keycloak/adapters/springsecurity/authentication/KeycloakLogoutHandler.java b/adapters/oidc/spring-security/src/main/java/org/keycloak/adapters/springsecurity/authentication/KeycloakLogoutHandler.java index 935987afc1..213788655f 100644 --- a/adapters/oidc/spring-security/src/main/java/org/keycloak/adapters/springsecurity/authentication/KeycloakLogoutHandler.java +++ b/adapters/oidc/spring-security/src/main/java/org/keycloak/adapters/springsecurity/authentication/KeycloakLogoutHandler.java @@ -22,7 +22,9 @@ import org.keycloak.adapters.KeycloakDeployment; import org.keycloak.adapters.RefreshableKeycloakSecurityContext; import org.keycloak.adapters.spi.HttpFacade; import org.keycloak.adapters.springsecurity.facade.SimpleHttpFacade; +import org.keycloak.adapters.springsecurity.token.AdapterTokenStoreFactory; import org.keycloak.adapters.springsecurity.token.KeycloakAuthenticationToken; +import org.keycloak.adapters.springsecurity.token.SpringSecurityAdapterTokenStoreFactory; import org.slf4j.Logger; import org.slf4j.LoggerFactory; import org.springframework.security.core.Authentication; @@ -43,12 +45,17 @@ public class KeycloakLogoutHandler implements LogoutHandler { private static final Logger log = LoggerFactory.getLogger(KeycloakLogoutHandler.class); private AdapterDeploymentContext adapterDeploymentContext; + private AdapterTokenStoreFactory adapterTokenStoreFactory = new SpringSecurityAdapterTokenStoreFactory(); public KeycloakLogoutHandler(AdapterDeploymentContext adapterDeploymentContext) { Assert.notNull(adapterDeploymentContext); this.adapterDeploymentContext = adapterDeploymentContext; } + public void setAdapterTokenStoreFactory(AdapterTokenStoreFactory adapterTokenStoreFactory) { + this.adapterTokenStoreFactory = adapterTokenStoreFactory; + } + @Override public void logout(HttpServletRequest request, HttpServletResponse response, Authentication authentication) { if (authentication == null) { @@ -66,6 +73,7 @@ public class KeycloakLogoutHandler implements LogoutHandler { protected void handleSingleSignOut(HttpServletRequest request, HttpServletResponse response, KeycloakAuthenticationToken authenticationToken) { HttpFacade facade = new SimpleHttpFacade(request, response); KeycloakDeployment deployment = adapterDeploymentContext.resolveDeployment(facade); + adapterTokenStoreFactory.createAdapterTokenStore(deployment, request, response).logout(); RefreshableKeycloakSecurityContext session = (RefreshableKeycloakSecurityContext) authenticationToken.getAccount().getKeycloakSecurityContext(); session.logout(deployment); } diff --git a/adapters/oidc/spring-security/src/main/java/org/keycloak/adapters/springsecurity/config/KeycloakWebSecurityConfigurerAdapter.java b/adapters/oidc/spring-security/src/main/java/org/keycloak/adapters/springsecurity/config/KeycloakWebSecurityConfigurerAdapter.java index 9d344971da..034189db1f 100644 --- a/adapters/oidc/spring-security/src/main/java/org/keycloak/adapters/springsecurity/config/KeycloakWebSecurityConfigurerAdapter.java +++ b/adapters/oidc/spring-security/src/main/java/org/keycloak/adapters/springsecurity/config/KeycloakWebSecurityConfigurerAdapter.java @@ -42,7 +42,6 @@ import org.springframework.security.config.annotation.web.servlet.configuration. import org.springframework.security.web.AuthenticationEntryPoint; import org.springframework.security.web.authentication.logout.LogoutFilter; import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy; -import org.springframework.security.web.authentication.www.BasicAuthenticationFilter; import org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter; /** @@ -119,7 +118,7 @@ public abstract class KeycloakWebSecurityConfigurerAdapter extends WebSecurityCo .sessionAuthenticationStrategy(sessionAuthenticationStrategy()) .and() .addFilterBefore(keycloakPreAuthActionsFilter(), LogoutFilter.class) - .addFilterBefore(keycloakAuthenticationProcessingFilter(), BasicAuthenticationFilter.class) + .addFilterBefore(keycloakAuthenticationProcessingFilter(), LogoutFilter.class) .addFilterAfter(keycloakSecurityContextRequestFilter(), SecurityContextHolderAwareRequestFilter.class) .addFilterAfter(keycloakAuthenticatedActionsRequestFilter(), KeycloakSecurityContextRequestFilter.class) .exceptionHandling().authenticationEntryPoint(authenticationEntryPoint()) diff --git a/adapters/oidc/spring-security/src/main/java/org/keycloak/adapters/springsecurity/filter/AdapterStateCookieRequestMatcher.java b/adapters/oidc/spring-security/src/main/java/org/keycloak/adapters/springsecurity/filter/AdapterStateCookieRequestMatcher.java new file mode 100644 index 0000000000..bee9d15000 --- /dev/null +++ b/adapters/oidc/spring-security/src/main/java/org/keycloak/adapters/springsecurity/filter/AdapterStateCookieRequestMatcher.java @@ -0,0 +1,45 @@ +/* + * Copyright 2016 Red Hat, Inc. and/or its affiliates + * and other contributors as indicated by the @author tags. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.keycloak.adapters.springsecurity.filter; + +import javax.servlet.http.Cookie; +import javax.servlet.http.HttpServletRequest; +import org.keycloak.constants.AdapterConstants; +import org.springframework.security.web.util.matcher.RequestMatcher; + +/** + * Matches a request if it contains a {@value AdapterConstants#KEYCLOAK_ADAPTER_STATE_COOKIE} + * cookie. + * + * @author Sjoerd Cranen + */ +public class AdapterStateCookieRequestMatcher implements RequestMatcher { + + @Override + public boolean matches(HttpServletRequest request) { + if (request.getCookies() == null) { + return false; + } + for (Cookie cookie: request.getCookies()) { + if (AdapterConstants.KEYCLOAK_ADAPTER_STATE_COOKIE.equals(cookie.getName())) { + return true; + } + } + return false; + } +} diff --git a/adapters/oidc/spring-security/src/main/java/org/keycloak/adapters/springsecurity/filter/KeycloakAuthenticationProcessingFilter.java b/adapters/oidc/spring-security/src/main/java/org/keycloak/adapters/springsecurity/filter/KeycloakAuthenticationProcessingFilter.java index 09e6a513fd..930867efd6 100644 --- a/adapters/oidc/spring-security/src/main/java/org/keycloak/adapters/springsecurity/filter/KeycloakAuthenticationProcessingFilter.java +++ b/adapters/oidc/spring-security/src/main/java/org/keycloak/adapters/springsecurity/filter/KeycloakAuthenticationProcessingFilter.java @@ -33,7 +33,9 @@ import org.keycloak.adapters.spi.AuthChallenge; import org.keycloak.adapters.spi.AuthOutcome; import org.keycloak.adapters.spi.HttpFacade; import org.keycloak.adapters.springsecurity.KeycloakAuthenticationException; +import org.keycloak.adapters.springsecurity.authentication.KeycloakAuthenticationEntryPoint; import org.keycloak.adapters.springsecurity.authentication.KeycloakAuthenticationFailureHandler; +import org.keycloak.adapters.springsecurity.authentication.KeycloakAuthenticationSuccessHandler; import org.keycloak.adapters.springsecurity.authentication.RequestAuthenticatorFactory; import org.keycloak.adapters.springsecurity.authentication.SpringSecurityRequestAuthenticatorFactory; import org.keycloak.adapters.springsecurity.facade.SimpleHttpFacade; @@ -52,6 +54,7 @@ import org.springframework.security.core.AuthenticationException; import org.springframework.security.core.context.SecurityContext; import org.springframework.security.core.context.SecurityContextHolder; import org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter; +import org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler; import org.springframework.security.web.util.matcher.AntPathRequestMatcher; import org.springframework.security.web.util.matcher.OrRequestMatcher; import org.springframework.security.web.util.matcher.RequestHeaderRequestMatcher; @@ -65,18 +68,18 @@ import org.springframework.util.Assert; * @version $Revision: 1 $ */ public class KeycloakAuthenticationProcessingFilter extends AbstractAuthenticationProcessingFilter implements ApplicationContextAware { - public static final String DEFAULT_LOGIN_URL = "/sso/login"; public static final String AUTHORIZATION_HEADER = "Authorization"; /** * Request matcher that matches requests to the {@link KeycloakAuthenticationEntryPoint#DEFAULT_LOGIN_URI default login URI} - * and any request with a Authorization header. + * and any request with a Authorization header or an {@link AdapterStateCookieRequestMatcher adapter state cookie}. */ public static final RequestMatcher DEFAULT_REQUEST_MATCHER = new OrRequestMatcher( - new AntPathRequestMatcher(DEFAULT_LOGIN_URL), + new AntPathRequestMatcher(KeycloakAuthenticationEntryPoint.DEFAULT_LOGIN_URI), new RequestHeaderRequestMatcher(AUTHORIZATION_HEADER), - new QueryParamPresenceRequestMatcher(OAuth2Constants.ACCESS_TOKEN) + new QueryParamPresenceRequestMatcher(OAuth2Constants.ACCESS_TOKEN), + new AdapterStateCookieRequestMatcher() ); private static final Logger log = LoggerFactory.getLogger(KeycloakAuthenticationProcessingFilter.class); @@ -97,6 +100,7 @@ public class KeycloakAuthenticationProcessingFilter extends AbstractAuthenticati public KeycloakAuthenticationProcessingFilter(AuthenticationManager authenticationManager) { this(authenticationManager, DEFAULT_REQUEST_MATCHER); setAuthenticationFailureHandler(new KeycloakAuthenticationFailureHandler()); + setAuthenticationSuccessHandler(new KeycloakAuthenticationSuccessHandler(new SavedRequestAwareAuthenticationSuccessHandler())); } /** @@ -143,7 +147,7 @@ public class KeycloakAuthenticationProcessingFilter extends AbstractAuthenticati // using Spring authenticationFailureHandler deployment.setDelegateBearerErrorResponseSending(true); - AdapterTokenStore tokenStore = adapterTokenStoreFactory.createAdapterTokenStore(deployment, request); + AdapterTokenStore tokenStore = adapterTokenStoreFactory.createAdapterTokenStore(deployment, request, response); RequestAuthenticator authenticator = requestAuthenticatorFactory.createRequestAuthenticator(facade, request, deployment, tokenStore, -1); diff --git a/adapters/oidc/spring-security/src/main/java/org/keycloak/adapters/springsecurity/filter/KeycloakSecurityContextRequestFilter.java b/adapters/oidc/spring-security/src/main/java/org/keycloak/adapters/springsecurity/filter/KeycloakSecurityContextRequestFilter.java index cd8cc7f534..4e17183ad3 100644 --- a/adapters/oidc/spring-security/src/main/java/org/keycloak/adapters/springsecurity/filter/KeycloakSecurityContextRequestFilter.java +++ b/adapters/oidc/spring-security/src/main/java/org/keycloak/adapters/springsecurity/filter/KeycloakSecurityContextRequestFilter.java @@ -73,7 +73,8 @@ public class KeycloakSecurityContextRequestFilter extends GenericFilterBean impl // just in case session got serialized if (refreshableSecurityContext.getDeployment()==null) { log.trace("Recreating missing deployment and related fields in deserialized context"); - AdapterTokenStore adapterTokenStore = adapterTokenStoreFactory.createAdapterTokenStore(deployment, (HttpServletRequest) request); + AdapterTokenStore adapterTokenStore = adapterTokenStoreFactory.createAdapterTokenStore(deployment, (HttpServletRequest) request, + (HttpServletResponse) response); refreshableSecurityContext.setCurrentRequestInfo(deployment, adapterTokenStore); } diff --git a/adapters/oidc/spring-security/src/main/java/org/keycloak/adapters/springsecurity/token/AdapterTokenStoreFactory.java b/adapters/oidc/spring-security/src/main/java/org/keycloak/adapters/springsecurity/token/AdapterTokenStoreFactory.java index 2f90e5d6a7..b8a60ce7d2 100644 --- a/adapters/oidc/spring-security/src/main/java/org/keycloak/adapters/springsecurity/token/AdapterTokenStoreFactory.java +++ b/adapters/oidc/spring-security/src/main/java/org/keycloak/adapters/springsecurity/token/AdapterTokenStoreFactory.java @@ -17,6 +17,7 @@ package org.keycloak.adapters.springsecurity.token; +import javax.servlet.http.HttpServletResponse; import org.keycloak.adapters.AdapterTokenStore; import org.keycloak.adapters.KeycloakDeployment; @@ -34,10 +35,11 @@ public interface AdapterTokenStoreFactory { * * @param deployment the KeycloakDeployment (required) * @param request the current HttpServletRequest (required) + * @param response the current HttpServletResponse (required when using cookies) * - * @return a new AdapterTokenStore for the given deployment and request - * @throws IllegalArgumentException if either the deployment or request is null + * @return a new AdapterTokenStore for the given deployment, request and response + * @throws IllegalArgumentException if any required parameter is null */ - AdapterTokenStore createAdapterTokenStore(KeycloakDeployment deployment, HttpServletRequest request); + AdapterTokenStore createAdapterTokenStore(KeycloakDeployment deployment, HttpServletRequest request, HttpServletResponse response); } diff --git a/adapters/oidc/spring-security/src/main/java/org/keycloak/adapters/springsecurity/token/SpringSecurityAdapterTokenStoreFactory.java b/adapters/oidc/spring-security/src/main/java/org/keycloak/adapters/springsecurity/token/SpringSecurityAdapterTokenStoreFactory.java index fb309c1656..321744cede 100644 --- a/adapters/oidc/spring-security/src/main/java/org/keycloak/adapters/springsecurity/token/SpringSecurityAdapterTokenStoreFactory.java +++ b/adapters/oidc/spring-security/src/main/java/org/keycloak/adapters/springsecurity/token/SpringSecurityAdapterTokenStoreFactory.java @@ -19,8 +19,11 @@ package org.keycloak.adapters.springsecurity.token; import org.keycloak.adapters.AdapterTokenStore; import org.keycloak.adapters.KeycloakDeployment; +import org.keycloak.enums.TokenStore; +import org.springframework.util.Assert; import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; /** * {@link AdapterTokenStoreFactory} that returns a new {@link SpringSecurityTokenStore} for each request. @@ -30,7 +33,11 @@ import javax.servlet.http.HttpServletRequest; public class SpringSecurityAdapterTokenStoreFactory implements AdapterTokenStoreFactory { @Override - public AdapterTokenStore createAdapterTokenStore(KeycloakDeployment deployment, HttpServletRequest request) { + public AdapterTokenStore createAdapterTokenStore(KeycloakDeployment deployment, HttpServletRequest request, HttpServletResponse response) { + Assert.notNull(deployment, "KeycloakDeployment is required"); + if (deployment.getTokenStore() == TokenStore.COOKIE) { + return new SpringSecurityCookieTokenStore(deployment, request, response); + } return new SpringSecurityTokenStore(deployment, request); } } diff --git a/adapters/oidc/spring-security/src/main/java/org/keycloak/adapters/springsecurity/token/SpringSecurityCookieTokenStore.java b/adapters/oidc/spring-security/src/main/java/org/keycloak/adapters/springsecurity/token/SpringSecurityCookieTokenStore.java new file mode 100644 index 0000000000..92699f82b4 --- /dev/null +++ b/adapters/oidc/spring-security/src/main/java/org/keycloak/adapters/springsecurity/token/SpringSecurityCookieTokenStore.java @@ -0,0 +1,141 @@ +/* + * Copyright 2016 Red Hat, Inc. and/or its affiliates + * and other contributors as indicated by the @author tags. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.keycloak.adapters.springsecurity.token; + +import java.util.Set; +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; +import org.keycloak.KeycloakPrincipal; +import org.keycloak.KeycloakSecurityContext; +import org.keycloak.adapters.AdapterUtils; +import org.keycloak.adapters.CookieTokenStore; +import org.keycloak.adapters.KeycloakDeployment; +import org.keycloak.adapters.OIDCHttpFacade; +import org.keycloak.adapters.OidcKeycloakAccount; +import org.keycloak.adapters.RefreshableKeycloakSecurityContext; +import org.keycloak.adapters.RequestAuthenticator; +import org.keycloak.adapters.spi.HttpFacade; +import org.keycloak.adapters.springsecurity.account.SimpleKeycloakAccount; +import org.keycloak.adapters.springsecurity.facade.SimpleHttpFacade; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; +import org.springframework.security.core.context.SecurityContextHolder; +import org.springframework.util.Assert; + +/** + * Extension of {@link SpringSecurityTokenStore} that stores the obtains tokens in a cookie. + * + * @author Sjoerd Cranen + */ +public class SpringSecurityCookieTokenStore extends SpringSecurityTokenStore { + + private final Logger logger = LoggerFactory.getLogger(SpringSecurityCookieTokenStore.class); + + private final KeycloakDeployment deployment; + private final HttpFacade facade; + private volatile boolean cookieChecked = false; + + public SpringSecurityCookieTokenStore( + KeycloakDeployment deployment, + HttpServletRequest request, + HttpServletResponse response) { + super(deployment, request); + Assert.notNull(response, "HttpServletResponse is required"); + this.deployment = deployment; + this.facade = new SimpleHttpFacade(request, response); + } + + @Override + public void checkCurrentToken() { + final KeycloakPrincipal principal = + checkPrincipalFromCookie(); + if (principal != null) { + final RefreshableKeycloakSecurityContext securityContext = + principal.getKeycloakSecurityContext(); + KeycloakSecurityContext current = ((OIDCHttpFacade) facade).getSecurityContext(); + if (current != null) { + securityContext.setAuthorizationContext(current.getAuthorizationContext()); + } + final Set roles = AdapterUtils.getRolesFromSecurityContext(securityContext); + final OidcKeycloakAccount account = + new SimpleKeycloakAccount(principal, roles, securityContext); + SecurityContextHolder.getContext() + .setAuthentication(new KeycloakAuthenticationToken(account, false)); + } else { + super.checkCurrentToken(); + } + cookieChecked = true; + } + + @Override + public boolean isCached(RequestAuthenticator authenticator) { + if (!cookieChecked) { + checkCurrentToken(); + } + return super.isCached(authenticator); + } + + @Override + public void refreshCallback(RefreshableKeycloakSecurityContext securityContext) { + super.refreshCallback(securityContext); + CookieTokenStore.setTokenCookie(deployment, facade, securityContext); + } + + @Override + public void saveAccountInfo(OidcKeycloakAccount account) { + super.saveAccountInfo(account); + RefreshableKeycloakSecurityContext securityContext = + (RefreshableKeycloakSecurityContext) account.getKeycloakSecurityContext(); + CookieTokenStore.setTokenCookie(deployment, facade, securityContext); + } + + @Override + public void logout() { + CookieTokenStore.removeCookie(deployment, facade); + super.logout(); + } + + /** + * Verify if we already have authenticated and active principal in cookie. Perform refresh if + * it's not active + * + * @return valid principal + */ + private KeycloakPrincipal checkPrincipalFromCookie() { + KeycloakPrincipal principal = + CookieTokenStore.getPrincipalFromCookie(deployment, facade, this); + if (principal == null) { + logger.debug("Account was not in cookie or was invalid"); + return null; + } + + RefreshableKeycloakSecurityContext session = principal.getKeycloakSecurityContext(); + + if (session.isActive() && !session.getDeployment().isAlwaysRefreshToken()) return principal; + boolean success = session.refreshExpiredToken(false); + if (success && session.isActive()) { + refreshCallback(session); + return principal; + } + + logger.debug( + "Cleanup and expire cookie for user {} after failed refresh", principal.getName()); + CookieTokenStore.removeCookie(deployment, facade); + return null; + } +} diff --git a/adapters/oidc/spring-security/src/test/java/org/keycloak/adapters/springsecurity/filter/KeycloakAuthenticationProcessingFilterTest.java b/adapters/oidc/spring-security/src/test/java/org/keycloak/adapters/springsecurity/filter/KeycloakAuthenticationProcessingFilterTest.java index b8452190a4..c0a69c1268 100755 --- a/adapters/oidc/spring-security/src/test/java/org/keycloak/adapters/springsecurity/filter/KeycloakAuthenticationProcessingFilterTest.java +++ b/adapters/oidc/spring-security/src/test/java/org/keycloak/adapters/springsecurity/filter/KeycloakAuthenticationProcessingFilterTest.java @@ -27,6 +27,7 @@ import org.keycloak.adapters.OidcKeycloakAccount; import org.keycloak.adapters.spi.HttpFacade; import org.keycloak.adapters.springsecurity.KeycloakAuthenticationException; import org.keycloak.adapters.springsecurity.account.KeycloakRole; +import org.keycloak.adapters.springsecurity.authentication.KeycloakAuthenticationEntryPoint; import org.keycloak.adapters.springsecurity.authentication.KeycloakAuthenticationFailureHandler; import org.keycloak.adapters.springsecurity.token.KeycloakAuthenticationToken; import org.keycloak.common.enums.SslRequired; @@ -50,8 +51,6 @@ import java.util.Collections; import java.util.List; import java.util.UUID; -import static org.junit.Assert.assertFalse; -import static org.junit.Assert.assertTrue; import static org.mockito.Mockito.any; import static org.mockito.Mockito.eq; import static org.mockito.Mockito.never; @@ -107,6 +106,7 @@ public class KeycloakAuthenticationProcessingFilterTest { public void setUp() throws Exception { MockitoAnnotations.initMocks(this); request = spy(new MockHttpServletRequest()); + request.setRequestURI("http://host"); filter = new KeycloakAuthenticationProcessingFilter(authenticationManager); keycloakFailureHandler = new KeycloakAuthenticationFailureHandler(); @@ -151,6 +151,7 @@ public class KeycloakAuthenticationProcessingFilterTest { @Test public void testSuccessfulAuthenticationInteractive() throws Exception { + request.setRequestURI("http://host" + KeycloakAuthenticationEntryPoint.DEFAULT_LOGIN_URI + "?query"); Authentication authentication = new KeycloakAuthenticationToken(keycloakAccount, true, authorities); filter.successfulAuthentication(request, response, chain, authentication); diff --git a/adapters/oidc/spring-security/src/test/java/org/keycloak/adapters/springsecurity/token/SpringSecurityAdapterTokenStoreFactoryTest.java b/adapters/oidc/spring-security/src/test/java/org/keycloak/adapters/springsecurity/token/SpringSecurityAdapterTokenStoreFactoryTest.java index d074fd2570..6984cd5fa5 100755 --- a/adapters/oidc/spring-security/src/test/java/org/keycloak/adapters/springsecurity/token/SpringSecurityAdapterTokenStoreFactoryTest.java +++ b/adapters/oidc/spring-security/src/test/java/org/keycloak/adapters/springsecurity/token/SpringSecurityAdapterTokenStoreFactoryTest.java @@ -21,13 +21,15 @@ import org.junit.Before; import org.junit.Test; import org.keycloak.adapters.KeycloakDeployment; import org.keycloak.adapters.spi.AdapterSessionStore; +import org.keycloak.enums.TokenStore; import org.mockito.Mock; import org.mockito.MockitoAnnotations; import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; -import static org.junit.Assert.assertNotNull; import static org.junit.Assert.assertTrue; +import static org.mockito.Mockito.when; /** * Spring Security adapter token store factory tests. @@ -42,6 +44,9 @@ public class SpringSecurityAdapterTokenStoreFactoryTest { @Mock private HttpServletRequest request; + @Mock + private HttpServletResponse response; + @Before public void setUp() throws Exception { MockitoAnnotations.initMocks(this); @@ -49,18 +54,37 @@ public class SpringSecurityAdapterTokenStoreFactoryTest { @Test public void testCreateAdapterTokenStore() throws Exception { - AdapterSessionStore store = factory.createAdapterTokenStore(deployment, request); - assertNotNull(store); + when(deployment.getTokenStore()).thenReturn(TokenStore.SESSION); + AdapterSessionStore store = factory.createAdapterTokenStore(deployment, request, response); assertTrue(store instanceof SpringSecurityTokenStore); } + @Test + public void testCreateAdapterTokenStoreUsingCookies() throws Exception { + when(deployment.getTokenStore()).thenReturn(TokenStore.COOKIE); + AdapterSessionStore store = factory.createAdapterTokenStore(deployment, request, response); + assertTrue(store instanceof SpringSecurityCookieTokenStore); + } + @Test(expected = IllegalArgumentException.class) public void testCreateAdapterTokenStoreNullDeployment() throws Exception { - factory.createAdapterTokenStore(null, request); + factory.createAdapterTokenStore(null, request, response); } @Test(expected = IllegalArgumentException.class) public void testCreateAdapterTokenStoreNullRequest() throws Exception { - factory.createAdapterTokenStore(deployment, null); + factory.createAdapterTokenStore(deployment, null, response); + } + + @Test + public void testCreateAdapterTokenStoreNullResponse() throws Exception { + when(deployment.getTokenStore()).thenReturn(TokenStore.SESSION); + factory.createAdapterTokenStore(deployment, request, null); + } + + @Test(expected = IllegalArgumentException.class) + public void testCreateAdapterTokenStoreNullResponseUsingCookies() throws Exception { + when(deployment.getTokenStore()).thenReturn(TokenStore.COOKIE); + factory.createAdapterTokenStore(deployment, request, null); } }