Merge remote-tracking branch 'upstream/master'
This commit is contained in:
commit
30b95e0a57
12 changed files with 303 additions and 40 deletions
|
@ -1,3 +1,19 @@
|
||||||
|
/*
|
||||||
|
* Copyright 2014 Red Hat Inc. and/or its affiliates and other contributors
|
||||||
|
* as indicated by the @author tags. All rights reserved.
|
||||||
|
*
|
||||||
|
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
|
||||||
|
* use this file except in compliance with the License. You may obtain a copy of
|
||||||
|
* the License at
|
||||||
|
*
|
||||||
|
* http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
*
|
||||||
|
* Unless required by applicable law or agreed to in writing, software
|
||||||
|
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||||
|
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||||
|
* License for the specific language governing permissions and limitations under
|
||||||
|
* the License.
|
||||||
|
*/
|
||||||
package org.keycloak.adapters.undertow;
|
package org.keycloak.adapters.undertow;
|
||||||
|
|
||||||
import io.undertow.security.api.AuthenticationMechanism;
|
import io.undertow.security.api.AuthenticationMechanism;
|
||||||
|
|
|
@ -1,3 +1,19 @@
|
||||||
|
/*
|
||||||
|
* Copyright 2014 Red Hat Inc. and/or its affiliates and other contributors
|
||||||
|
* as indicated by the @author tags. All rights reserved.
|
||||||
|
*
|
||||||
|
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
|
||||||
|
* use this file except in compliance with the License. You may obtain a copy of
|
||||||
|
* the License at
|
||||||
|
*
|
||||||
|
* http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
*
|
||||||
|
* Unless required by applicable law or agreed to in writing, software
|
||||||
|
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||||
|
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||||
|
* License for the specific language governing permissions and limitations under
|
||||||
|
* the License.
|
||||||
|
*/
|
||||||
package org.keycloak.adapters.undertow;
|
package org.keycloak.adapters.undertow;
|
||||||
|
|
||||||
import io.undertow.security.api.AuthenticationMechanism;
|
import io.undertow.security.api.AuthenticationMechanism;
|
||||||
|
|
|
@ -1,3 +1,19 @@
|
||||||
|
/*
|
||||||
|
* Copyright 2014 Red Hat Inc. and/or its affiliates and other contributors
|
||||||
|
* as indicated by the @author tags. All rights reserved.
|
||||||
|
*
|
||||||
|
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
|
||||||
|
* use this file except in compliance with the License. You may obtain a copy of
|
||||||
|
* the License at
|
||||||
|
*
|
||||||
|
* http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
*
|
||||||
|
* Unless required by applicable law or agreed to in writing, software
|
||||||
|
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||||
|
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||||
|
* License for the specific language governing permissions and limitations under
|
||||||
|
* the License.
|
||||||
|
*/
|
||||||
package org.keycloak.adapters.undertow;
|
package org.keycloak.adapters.undertow;
|
||||||
|
|
||||||
import io.undertow.security.idm.Account;
|
import io.undertow.security.idm.Account;
|
||||||
|
|
|
@ -1,21 +1,34 @@
|
||||||
|
/*
|
||||||
|
* Copyright 2014 Red Hat Inc. and/or its affiliates and other contributors
|
||||||
|
* as indicated by the @author tags. All rights reserved.
|
||||||
|
*
|
||||||
|
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
|
||||||
|
* use this file except in compliance with the License. You may obtain a copy of
|
||||||
|
* the License at
|
||||||
|
*
|
||||||
|
* http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
*
|
||||||
|
* Unless required by applicable law or agreed to in writing, software
|
||||||
|
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||||
|
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||||
|
* License for the specific language governing permissions and limitations under
|
||||||
|
* the License.
|
||||||
|
*/
|
||||||
package org.keycloak.adapters.undertow;
|
package org.keycloak.adapters.undertow;
|
||||||
|
|
||||||
import io.undertow.security.api.AuthenticationMechanism;
|
|
||||||
import io.undertow.security.api.SecurityContext;
|
import io.undertow.security.api.SecurityContext;
|
||||||
import io.undertow.server.HttpServerExchange;
|
import io.undertow.server.HttpServerExchange;
|
||||||
import io.undertow.servlet.api.ConfidentialPortManager;
|
import io.undertow.servlet.api.ConfidentialPortManager;
|
||||||
import io.undertow.util.AttachmentKey;
|
|
||||||
import org.keycloak.adapters.AdapterDeploymentContext;
|
import org.keycloak.adapters.AdapterDeploymentContext;
|
||||||
import org.keycloak.adapters.AuthChallenge;
|
|
||||||
import org.keycloak.adapters.AuthOutcome;
|
|
||||||
import org.keycloak.adapters.KeycloakDeployment;
|
import org.keycloak.adapters.KeycloakDeployment;
|
||||||
|
import org.keycloak.adapters.RequestAuthenticator;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* @author <a href="mailto:bill@burkecentral.com">Bill Burke</a>
|
* @author <a href="mailto:bill@burkecentral.com">Bill Burke</a>
|
||||||
|
* @author Stan Silvert ssilvert@redhat.com (C) 2014 Red Hat Inc.
|
||||||
* @version $Revision: 1 $
|
* @version $Revision: 1 $
|
||||||
*/
|
*/
|
||||||
public class ServletKeycloakAuthMech implements AuthenticationMechanism {
|
public class ServletKeycloakAuthMech extends UndertowKeycloakAuthMech {
|
||||||
public static final AttachmentKey<AuthChallenge> KEYCLOAK_CHALLENGE_ATTACHMENT_KEY = AttachmentKey.create(AuthChallenge.class);
|
|
||||||
|
|
||||||
protected AdapterDeploymentContext deploymentContext;
|
protected AdapterDeploymentContext deploymentContext;
|
||||||
protected UndertowUserSessionManagement userSessionManagement;
|
protected UndertowUserSessionManagement userSessionManagement;
|
||||||
|
@ -34,23 +47,13 @@ public class ServletKeycloakAuthMech implements AuthenticationMechanism {
|
||||||
if (!deployment.isConfigured()) {
|
if (!deployment.isConfigured()) {
|
||||||
return AuthenticationMechanismOutcome.NOT_ATTEMPTED;
|
return AuthenticationMechanismOutcome.NOT_ATTEMPTED;
|
||||||
}
|
}
|
||||||
ServletRequestAuthenticator authenticator = createRequestAuthenticator(deployment, exchange, securityContext, facade);
|
|
||||||
AuthOutcome outcome = authenticator.authenticate();
|
RequestAuthenticator authenticator = createRequestAuthenticator(deployment, exchange, securityContext, facade);
|
||||||
if (outcome == AuthOutcome.AUTHENTICATED) {
|
|
||||||
return AuthenticationMechanismOutcome.AUTHENTICATED;
|
return super.keycloakAuthenticate(exchange, authenticator);
|
||||||
}
|
|
||||||
AuthChallenge challenge = authenticator.getChallenge();
|
|
||||||
if (challenge != null) {
|
|
||||||
exchange.putAttachment(KEYCLOAK_CHALLENGE_ATTACHMENT_KEY, challenge);
|
|
||||||
}
|
}
|
||||||
|
|
||||||
if (outcome == AuthOutcome.FAILED) {
|
protected RequestAuthenticator createRequestAuthenticator(KeycloakDeployment deployment, HttpServerExchange exchange, SecurityContext securityContext, UndertowHttpFacade facade) {
|
||||||
return AuthenticationMechanismOutcome.NOT_AUTHENTICATED;
|
|
||||||
}
|
|
||||||
return AuthenticationMechanismOutcome.NOT_ATTEMPTED;
|
|
||||||
}
|
|
||||||
|
|
||||||
protected ServletRequestAuthenticator createRequestAuthenticator(KeycloakDeployment deployment, HttpServerExchange exchange, SecurityContext securityContext, UndertowHttpFacade facade) {
|
|
||||||
|
|
||||||
int confidentialPort = getConfidentilPort(exchange);
|
int confidentialPort = getConfidentilPort(exchange);
|
||||||
return new ServletRequestAuthenticator(facade, deployment,
|
return new ServletRequestAuthenticator(facade, deployment,
|
||||||
|
@ -67,15 +70,4 @@ public class ServletKeycloakAuthMech implements AuthenticationMechanism {
|
||||||
return confidentialPort;
|
return confidentialPort;
|
||||||
}
|
}
|
||||||
|
|
||||||
@Override
|
|
||||||
public ChallengeResult sendChallenge(HttpServerExchange exchange, SecurityContext securityContext) {
|
|
||||||
AuthChallenge challenge = exchange.getAttachment(KEYCLOAK_CHALLENGE_ATTACHMENT_KEY);
|
|
||||||
if (challenge != null) {
|
|
||||||
UndertowHttpFacade facade = new UndertowHttpFacade(exchange);
|
|
||||||
if (challenge.challenge(facade)) {
|
|
||||||
return new ChallengeResult(true, exchange.getResponseCode());
|
|
||||||
}
|
|
||||||
}
|
|
||||||
return new ChallengeResult(false);
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
|
@ -1,3 +1,19 @@
|
||||||
|
/*
|
||||||
|
* Copyright 2014 Red Hat Inc. and/or its affiliates and other contributors
|
||||||
|
* as indicated by the @author tags. All rights reserved.
|
||||||
|
*
|
||||||
|
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
|
||||||
|
* use this file except in compliance with the License. You may obtain a copy of
|
||||||
|
* the License at
|
||||||
|
*
|
||||||
|
* http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
*
|
||||||
|
* Unless required by applicable law or agreed to in writing, software
|
||||||
|
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||||
|
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||||
|
* License for the specific language governing permissions and limitations under
|
||||||
|
* the License.
|
||||||
|
*/
|
||||||
package org.keycloak.adapters.undertow;
|
package org.keycloak.adapters.undertow;
|
||||||
|
|
||||||
import io.undertow.server.HandlerWrapper;
|
import io.undertow.server.HandlerWrapper;
|
||||||
|
|
|
@ -1,3 +1,19 @@
|
||||||
|
/*
|
||||||
|
* Copyright 2014 Red Hat Inc. and/or its affiliates and other contributors
|
||||||
|
* as indicated by the @author tags. All rights reserved.
|
||||||
|
*
|
||||||
|
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
|
||||||
|
* use this file except in compliance with the License. You may obtain a copy of
|
||||||
|
* the License at
|
||||||
|
*
|
||||||
|
* http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
*
|
||||||
|
* Unless required by applicable law or agreed to in writing, software
|
||||||
|
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||||
|
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||||
|
* License for the specific language governing permissions and limitations under
|
||||||
|
* the License.
|
||||||
|
*/
|
||||||
package org.keycloak.adapters.undertow;
|
package org.keycloak.adapters.undertow;
|
||||||
|
|
||||||
import io.undertow.security.api.SecurityContext;
|
import io.undertow.security.api.SecurityContext;
|
||||||
|
@ -10,20 +26,21 @@ import org.keycloak.adapters.KeycloakDeployment;
|
||||||
|
|
||||||
import javax.servlet.http.HttpServletRequest;
|
import javax.servlet.http.HttpServletRequest;
|
||||||
import javax.servlet.http.HttpSession;
|
import javax.servlet.http.HttpSession;
|
||||||
|
import org.keycloak.KeycloakPrincipal;
|
||||||
|
import org.keycloak.adapters.RefreshableKeycloakSecurityContext;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* @author <a href="mailto:bill@burkecentral.com">Bill Burke</a>
|
* @author <a href="mailto:bill@burkecentral.com">Bill Burke</a>
|
||||||
|
* @author Stan Silvert ssilvert@redhat.com (C) 2014 Red Hat Inc.
|
||||||
* @version $Revision: 1 $
|
* @version $Revision: 1 $
|
||||||
*/
|
*/
|
||||||
public class ServletRequestAuthenticator extends UndertowRequestAuthenticator {
|
public class ServletRequestAuthenticator extends UndertowRequestAuthenticator {
|
||||||
|
|
||||||
protected UndertowUserSessionManagement userSessionManagement;
|
|
||||||
|
|
||||||
public ServletRequestAuthenticator(HttpFacade facade, KeycloakDeployment deployment, int sslRedirectPort,
|
public ServletRequestAuthenticator(HttpFacade facade, KeycloakDeployment deployment, int sslRedirectPort,
|
||||||
SecurityContext securityContext, HttpServerExchange exchange,
|
SecurityContext securityContext, HttpServerExchange exchange,
|
||||||
UndertowUserSessionManagement userSessionManagement) {
|
UndertowUserSessionManagement userSessionManagement) {
|
||||||
super(facade, deployment, sslRedirectPort, securityContext, exchange);
|
super(facade, deployment, sslRedirectPort, securityContext, exchange, userSessionManagement);
|
||||||
this.userSessionManagement = userSessionManagement;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
|
@ -69,4 +86,9 @@ public class ServletRequestAuthenticator extends UndertowRequestAuthenticator {
|
||||||
userSessionManagement.login(servletRequestContext.getDeployment().getSessionManager(), session.getId(), account.getPrincipal().getName(), account.getKeycloakSecurityContext().getToken().getSessionState());
|
userSessionManagement.login(servletRequestContext.getDeployment().getSessionManager(), session.getId(), account.getPrincipal().getName(), account.getKeycloakSecurityContext().getToken().getSessionState());
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
protected KeycloakUndertowAccount createAccount(KeycloakPrincipal principal, RefreshableKeycloakSecurityContext session) {
|
||||||
|
return new KeycloakUndertowAccount(principal, session, deployment);
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
|
@ -1,3 +1,19 @@
|
||||||
|
/*
|
||||||
|
* Copyright 2014 Red Hat Inc. and/or its affiliates and other contributors
|
||||||
|
* as indicated by the @author tags. All rights reserved.
|
||||||
|
*
|
||||||
|
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
|
||||||
|
* use this file except in compliance with the License. You may obtain a copy of
|
||||||
|
* the License at
|
||||||
|
*
|
||||||
|
* http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
*
|
||||||
|
* Unless required by applicable law or agreed to in writing, software
|
||||||
|
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||||
|
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||||
|
* License for the specific language governing permissions and limitations under
|
||||||
|
* the License.
|
||||||
|
*/
|
||||||
package org.keycloak.adapters.undertow;
|
package org.keycloak.adapters.undertow;
|
||||||
|
|
||||||
import io.undertow.server.session.SessionManager;
|
import io.undertow.server.session.SessionManager;
|
||||||
|
|
|
@ -1,3 +1,19 @@
|
||||||
|
/*
|
||||||
|
* Copyright 2014 Red Hat Inc. and/or its affiliates and other contributors
|
||||||
|
* as indicated by the @author tags. All rights reserved.
|
||||||
|
*
|
||||||
|
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
|
||||||
|
* use this file except in compliance with the License. You may obtain a copy of
|
||||||
|
* the License at
|
||||||
|
*
|
||||||
|
* http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
*
|
||||||
|
* Unless required by applicable law or agreed to in writing, software
|
||||||
|
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||||
|
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||||
|
* License for the specific language governing permissions and limitations under
|
||||||
|
* the License.
|
||||||
|
*/
|
||||||
package org.keycloak.adapters.undertow;
|
package org.keycloak.adapters.undertow;
|
||||||
|
|
||||||
import io.undertow.server.HandlerWrapper;
|
import io.undertow.server.HandlerWrapper;
|
||||||
|
@ -12,6 +28,7 @@ import org.keycloak.adapters.KeycloakDeployment;
|
||||||
* Bridge for authenticated Keycloak adapter actions
|
* Bridge for authenticated Keycloak adapter actions
|
||||||
*
|
*
|
||||||
* @author <a href="mailto:bill@burkecentral.com">Bill Burke</a>
|
* @author <a href="mailto:bill@burkecentral.com">Bill Burke</a>
|
||||||
|
* @author Stan Silvert ssilvert@redhat.com (C) 2014 Red Hat Inc.
|
||||||
* @version $Revision: 1 $
|
* @version $Revision: 1 $
|
||||||
*/
|
*/
|
||||||
public class UndertowAuthenticatedActionsHandler implements HttpHandler {
|
public class UndertowAuthenticatedActionsHandler implements HttpHandler {
|
||||||
|
@ -33,7 +50,7 @@ public class UndertowAuthenticatedActionsHandler implements HttpHandler {
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
protected UndertowAuthenticatedActionsHandler(AdapterDeploymentContext deploymentContext, HttpHandler next) {
|
public UndertowAuthenticatedActionsHandler(AdapterDeploymentContext deploymentContext, HttpHandler next) {
|
||||||
this.deploymentContext = deploymentContext;
|
this.deploymentContext = deploymentContext;
|
||||||
this.next = next;
|
this.next = next;
|
||||||
}
|
}
|
||||||
|
|
|
@ -1,3 +1,19 @@
|
||||||
|
/*
|
||||||
|
* Copyright 2014 Red Hat Inc. and/or its affiliates and other contributors
|
||||||
|
* as indicated by the @author tags. All rights reserved.
|
||||||
|
*
|
||||||
|
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
|
||||||
|
* use this file except in compliance with the License. You may obtain a copy of
|
||||||
|
* the License at
|
||||||
|
*
|
||||||
|
* http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
*
|
||||||
|
* Unless required by applicable law or agreed to in writing, software
|
||||||
|
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||||
|
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||||
|
* License for the specific language governing permissions and limitations under
|
||||||
|
* the License.
|
||||||
|
*/
|
||||||
package org.keycloak.adapters.undertow;
|
package org.keycloak.adapters.undertow;
|
||||||
|
|
||||||
import io.undertow.server.HttpServerExchange;
|
import io.undertow.server.HttpServerExchange;
|
||||||
|
|
|
@ -0,0 +1,68 @@
|
||||||
|
/*
|
||||||
|
* Copyright 2014 Red Hat Inc. and/or its affiliates and other contributors
|
||||||
|
* as indicated by the @author tags. All rights reserved.
|
||||||
|
*
|
||||||
|
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
|
||||||
|
* use this file except in compliance with the License. You may obtain a copy of
|
||||||
|
* the License at
|
||||||
|
*
|
||||||
|
* http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
*
|
||||||
|
* Unless required by applicable law or agreed to in writing, software
|
||||||
|
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||||
|
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||||
|
* License for the specific language governing permissions and limitations under
|
||||||
|
* the License.
|
||||||
|
*/
|
||||||
|
package org.keycloak.adapters.undertow;
|
||||||
|
|
||||||
|
import io.undertow.security.api.AuthenticationMechanism;
|
||||||
|
import io.undertow.security.api.SecurityContext;
|
||||||
|
import io.undertow.server.HttpServerExchange;
|
||||||
|
import io.undertow.util.AttachmentKey;
|
||||||
|
import org.keycloak.adapters.AuthChallenge;
|
||||||
|
import org.keycloak.adapters.AuthOutcome;
|
||||||
|
import org.keycloak.adapters.RequestAuthenticator;
|
||||||
|
import static org.keycloak.adapters.undertow.ServletKeycloakAuthMech.KEYCLOAK_CHALLENGE_ATTACHMENT_KEY;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Abstract base class for a Keycloak-enabled Undertow AuthenticationMechanism.
|
||||||
|
*
|
||||||
|
* @author Stan Silvert ssilvert@redhat.com (C) 2014 Red Hat Inc.
|
||||||
|
*/
|
||||||
|
public abstract class UndertowKeycloakAuthMech implements AuthenticationMechanism {
|
||||||
|
public static final AttachmentKey<AuthChallenge> KEYCLOAK_CHALLENGE_ATTACHMENT_KEY = AttachmentKey.create(AuthChallenge.class);
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public ChallengeResult sendChallenge(HttpServerExchange exchange, SecurityContext securityContext) {
|
||||||
|
AuthChallenge challenge = exchange.getAttachment(KEYCLOAK_CHALLENGE_ATTACHMENT_KEY);
|
||||||
|
if (challenge != null) {
|
||||||
|
UndertowHttpFacade facade = new UndertowHttpFacade(exchange);
|
||||||
|
if (challenge.challenge(facade)) {
|
||||||
|
return new ChallengeResult(true, exchange.getResponseCode());
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return new ChallengeResult(false);
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Call this inside your authenticate method.
|
||||||
|
*/
|
||||||
|
protected AuthenticationMechanismOutcome keycloakAuthenticate(HttpServerExchange exchange, RequestAuthenticator authenticator) {
|
||||||
|
AuthOutcome outcome = authenticator.authenticate();
|
||||||
|
if (outcome == AuthOutcome.AUTHENTICATED) {
|
||||||
|
return AuthenticationMechanismOutcome.AUTHENTICATED;
|
||||||
|
}
|
||||||
|
AuthChallenge challenge = authenticator.getChallenge();
|
||||||
|
if (challenge != null) {
|
||||||
|
exchange.putAttachment(KEYCLOAK_CHALLENGE_ATTACHMENT_KEY, challenge);
|
||||||
|
}
|
||||||
|
|
||||||
|
if (outcome == AuthOutcome.FAILED) {
|
||||||
|
return AuthenticationMechanismOutcome.NOT_AUTHENTICATED;
|
||||||
|
}
|
||||||
|
|
||||||
|
return AuthenticationMechanismOutcome.NOT_ATTEMPTED;
|
||||||
|
}
|
||||||
|
|
||||||
|
}
|
|
@ -1,7 +1,25 @@
|
||||||
|
/*
|
||||||
|
* Copyright 2014 Red Hat Inc. and/or its affiliates and other contributors
|
||||||
|
* as indicated by the @author tags. All rights reserved.
|
||||||
|
*
|
||||||
|
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
|
||||||
|
* use this file except in compliance with the License. You may obtain a copy of
|
||||||
|
* the License at
|
||||||
|
*
|
||||||
|
* http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
*
|
||||||
|
* Unless required by applicable law or agreed to in writing, software
|
||||||
|
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||||
|
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||||
|
* License for the specific language governing permissions and limitations under
|
||||||
|
* the License.
|
||||||
|
*/
|
||||||
package org.keycloak.adapters.undertow;
|
package org.keycloak.adapters.undertow;
|
||||||
|
|
||||||
import io.undertow.security.api.SecurityContext;
|
import io.undertow.security.api.SecurityContext;
|
||||||
import io.undertow.server.HttpServerExchange;
|
import io.undertow.server.HttpServerExchange;
|
||||||
|
import io.undertow.server.session.Session;
|
||||||
|
import io.undertow.util.Sessions;
|
||||||
import org.keycloak.KeycloakPrincipal;
|
import org.keycloak.KeycloakPrincipal;
|
||||||
import org.keycloak.adapters.HttpFacade;
|
import org.keycloak.adapters.HttpFacade;
|
||||||
import org.keycloak.adapters.KeycloakAccount;
|
import org.keycloak.adapters.KeycloakAccount;
|
||||||
|
@ -12,17 +30,22 @@ import org.keycloak.adapters.RequestAuthenticator;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* @author <a href="mailto:bill@burkecentral.com">Bill Burke</a>
|
* @author <a href="mailto:bill@burkecentral.com">Bill Burke</a>
|
||||||
|
* @author Stan Silvert ssilvert@redhat.com (C) 2014 Red Hat Inc.
|
||||||
* @version $Revision: 1 $
|
* @version $Revision: 1 $
|
||||||
*/
|
*/
|
||||||
public class UndertowRequestAuthenticator extends RequestAuthenticator {
|
public abstract class UndertowRequestAuthenticator extends RequestAuthenticator {
|
||||||
protected SecurityContext securityContext;
|
protected SecurityContext securityContext;
|
||||||
protected HttpServerExchange exchange;
|
protected HttpServerExchange exchange;
|
||||||
|
protected UndertowUserSessionManagement userSessionManagement;
|
||||||
|
|
||||||
|
|
||||||
public UndertowRequestAuthenticator(HttpFacade facade, KeycloakDeployment deployment, int sslRedirectPort, SecurityContext securityContext, HttpServerExchange exchange) {
|
public UndertowRequestAuthenticator(HttpFacade facade, KeycloakDeployment deployment, int sslRedirectPort,
|
||||||
|
SecurityContext securityContext, HttpServerExchange exchange,
|
||||||
|
UndertowUserSessionManagement userSessionManagement) {
|
||||||
super(facade, deployment, sslRedirectPort);
|
super(facade, deployment, sslRedirectPort);
|
||||||
this.securityContext = securityContext;
|
this.securityContext = securityContext;
|
||||||
this.exchange = exchange;
|
this.exchange = exchange;
|
||||||
|
this.userSessionManagement = userSessionManagement;
|
||||||
}
|
}
|
||||||
|
|
||||||
protected void propagateKeycloakContext(KeycloakUndertowAccount account) {
|
protected void propagateKeycloakContext(KeycloakUndertowAccount account) {
|
||||||
|
@ -41,26 +64,55 @@ public class UndertowRequestAuthenticator extends RequestAuthenticator {
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
protected void completeOAuthAuthentication(KeycloakPrincipal principal, RefreshableKeycloakSecurityContext session) {
|
protected void completeOAuthAuthentication(KeycloakPrincipal principal, RefreshableKeycloakSecurityContext session) {
|
||||||
KeycloakUndertowAccount account = new KeycloakUndertowAccount(principal, session, deployment);
|
KeycloakUndertowAccount account = createAccount(principal, session);
|
||||||
securityContext.authenticationComplete(account, "KEYCLOAK", false);
|
securityContext.authenticationComplete(account, "KEYCLOAK", false);
|
||||||
propagateKeycloakContext(account);
|
propagateKeycloakContext(account);
|
||||||
login(account);
|
login(account);
|
||||||
}
|
}
|
||||||
|
|
||||||
protected void login(KeycloakAccount account) {
|
protected void login(KeycloakAccount account) {
|
||||||
|
Session session = Sessions.getOrCreateSession(exchange);
|
||||||
|
session.setAttribute(KeycloakUndertowAccount.class.getName(), account);
|
||||||
|
String username = account.getPrincipal().getName();
|
||||||
|
String keycloakSessionId = account.getKeycloakSecurityContext().getToken().getSessionState();
|
||||||
|
userSessionManagement.login(session.getSessionManager(), session.getId(), username, keycloakSessionId);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
protected void completeBearerAuthentication(KeycloakPrincipal principal, RefreshableKeycloakSecurityContext session) {
|
protected void completeBearerAuthentication(KeycloakPrincipal principal, RefreshableKeycloakSecurityContext session) {
|
||||||
KeycloakUndertowAccount account = new KeycloakUndertowAccount(principal, session, deployment);
|
KeycloakUndertowAccount account = createAccount(principal, session);
|
||||||
securityContext.authenticationComplete(account, "KEYCLOAK", false);
|
securityContext.authenticationComplete(account, "KEYCLOAK", false);
|
||||||
propagateKeycloakContext(account);
|
propagateKeycloakContext(account);
|
||||||
}
|
}
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
protected boolean isCached() {
|
protected boolean isCached() {
|
||||||
|
Session session = Sessions.getSession(exchange);
|
||||||
|
if (session == null) {
|
||||||
|
log.info("session was null, returning null");
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
KeycloakUndertowAccount account = (KeycloakUndertowAccount)session.getAttribute(KeycloakUndertowAccount.class.getName());
|
||||||
|
if (account == null) {
|
||||||
|
log.info("Account was not in session, returning null");
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
account.setDeployment(deployment);
|
||||||
|
if (account.isActive()) {
|
||||||
|
log.info("Cached account found");
|
||||||
|
securityContext.authenticationComplete(account, "KEYCLOAK", false);
|
||||||
|
propagateKeycloakContext( account);
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
log.info("Account was not active, returning false");
|
||||||
|
session.removeAttribute(KeycloakUndertowAccount.class.getName());
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Subclasses need to be able to create their own version of the KeycloakUndertowAccount
|
||||||
|
* @return The account
|
||||||
|
*/
|
||||||
|
protected abstract KeycloakUndertowAccount createAccount(KeycloakPrincipal principal, RefreshableKeycloakSecurityContext session);
|
||||||
}
|
}
|
||||||
|
|
|
@ -1,3 +1,19 @@
|
||||||
|
/*
|
||||||
|
* Copyright 2014 Red Hat Inc. and/or its affiliates and other contributors
|
||||||
|
* as indicated by the @author tags. All rights reserved.
|
||||||
|
*
|
||||||
|
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
|
||||||
|
* use this file except in compliance with the License. You may obtain a copy of
|
||||||
|
* the License at
|
||||||
|
*
|
||||||
|
* http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
*
|
||||||
|
* Unless required by applicable law or agreed to in writing, software
|
||||||
|
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||||
|
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||||
|
* License for the specific language governing permissions and limitations under
|
||||||
|
* the License.
|
||||||
|
*/
|
||||||
package org.keycloak.adapters.undertow;
|
package org.keycloak.adapters.undertow;
|
||||||
|
|
||||||
import io.undertow.security.api.AuthenticatedSessionManager;
|
import io.undertow.security.api.AuthenticatedSessionManager;
|
||||||
|
|
Loading…
Reference in a new issue