Merge remote-tracking branch 'upstream/master'

integration/undertow/src/main/java/org/keycloak/adapters/undertow/KeycloakChallenge.java

@@ -1,3 +1,19 @@
+/*
+ * Copyright 2014 Red Hat Inc. and/or its affiliates and other contributors
+ * as indicated by the @author tags. All rights reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy of
+ * the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+ * License for the specific language governing permissions and limitations under
+ * the License.
+ */
 package org.keycloak.adapters.undertow;
 
 import io.undertow.security.api.AuthenticationMechanism;

integration/undertow/src/main/java/org/keycloak/adapters/undertow/KeycloakServletExtension.java

@@ -1,3 +1,19 @@
+/*
+ * Copyright 2014 Red Hat Inc. and/or its affiliates and other contributors
+ * as indicated by the @author tags. All rights reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy of
+ * the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+ * License for the specific language governing permissions and limitations under
+ * the License.
+ */
 package org.keycloak.adapters.undertow;
 
 import io.undertow.security.api.AuthenticationMechanism;

integration/undertow/src/main/java/org/keycloak/adapters/undertow/KeycloakUndertowAccount.java

@@ -1,3 +1,19 @@
+/*
+ * Copyright 2014 Red Hat Inc. and/or its affiliates and other contributors
+ * as indicated by the @author tags. All rights reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy of
+ * the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+ * License for the specific language governing permissions and limitations under
+ * the License.
+ */
 package org.keycloak.adapters.undertow;
 
 import io.undertow.security.idm.Account;

integration/undertow/src/main/java/org/keycloak/adapters/undertow/ServletKeycloakAuthMech.java

@@ -1,21 +1,34 @@
+/*
+ * Copyright 2014 Red Hat Inc. and/or its affiliates and other contributors
+ * as indicated by the @author tags. All rights reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy of
+ * the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+ * License for the specific language governing permissions and limitations under
+ * the License.
+ */
 package org.keycloak.adapters.undertow;
 
-import io.undertow.security.api.AuthenticationMechanism;
 import io.undertow.security.api.SecurityContext;
 import io.undertow.server.HttpServerExchange;
 import io.undertow.servlet.api.ConfidentialPortManager;
-import io.undertow.util.AttachmentKey;
 import org.keycloak.adapters.AdapterDeploymentContext;
-import org.keycloak.adapters.AuthChallenge;
-import org.keycloak.adapters.AuthOutcome;
 import org.keycloak.adapters.KeycloakDeployment;
+import org.keycloak.adapters.RequestAuthenticator;
 
 /**
  * @author <a href="mailto:bill@burkecentral.com">Bill Burke</a>
+ * @author Stan Silvert ssilvert@redhat.com (C) 2014 Red Hat Inc.
  * @version $Revision: 1 $
  */
-public class ServletKeycloakAuthMech implements AuthenticationMechanism {
-    public static final AttachmentKey<AuthChallenge> KEYCLOAK_CHALLENGE_ATTACHMENT_KEY = AttachmentKey.create(AuthChallenge.class);
+public class ServletKeycloakAuthMech extends UndertowKeycloakAuthMech {
 
     protected AdapterDeploymentContext deploymentContext;
     protected UndertowUserSessionManagement userSessionManagement;
@@ -34,23 +47,13 @@ public class ServletKeycloakAuthMech implements AuthenticationMechanism {
         if (!deployment.isConfigured()) {
             return AuthenticationMechanismOutcome.NOT_ATTEMPTED;
         }
-        ServletRequestAuthenticator authenticator = createRequestAuthenticator(deployment, exchange, securityContext, facade);
-        AuthOutcome outcome = authenticator.authenticate();
-        if (outcome == AuthOutcome.AUTHENTICATED) {
-            return AuthenticationMechanismOutcome.AUTHENTICATED;
-        }
-        AuthChallenge challenge = authenticator.getChallenge();
-        if (challenge != null) {
-            exchange.putAttachment(KEYCLOAK_CHALLENGE_ATTACHMENT_KEY, challenge);
+
+        RequestAuthenticator authenticator = createRequestAuthenticator(deployment, exchange, securityContext, facade);
+
+        return super.keycloakAuthenticate(exchange, authenticator);
     }
 
-        if (outcome == AuthOutcome.FAILED) {
-            return AuthenticationMechanismOutcome.NOT_AUTHENTICATED;
-        }
-        return AuthenticationMechanismOutcome.NOT_ATTEMPTED;
-    }
-
-    protected ServletRequestAuthenticator createRequestAuthenticator(KeycloakDeployment deployment, HttpServerExchange exchange, SecurityContext securityContext, UndertowHttpFacade facade) {
+    protected RequestAuthenticator createRequestAuthenticator(KeycloakDeployment deployment, HttpServerExchange exchange, SecurityContext securityContext, UndertowHttpFacade facade) {
 
         int confidentialPort = getConfidentilPort(exchange);
         return new ServletRequestAuthenticator(facade, deployment,
@@ -67,15 +70,4 @@ public class ServletKeycloakAuthMech implements AuthenticationMechanism {
         return confidentialPort;
     }
 
-    @Override
-    public ChallengeResult sendChallenge(HttpServerExchange exchange, SecurityContext securityContext) {
-        AuthChallenge challenge = exchange.getAttachment(KEYCLOAK_CHALLENGE_ATTACHMENT_KEY);
-        if (challenge != null) {
-            UndertowHttpFacade facade = new UndertowHttpFacade(exchange);
-            if (challenge.challenge(facade)) {
-                return new ChallengeResult(true, exchange.getResponseCode());
-            }
-        }
-        return new ChallengeResult(false);
-    }
 }

integration/undertow/src/main/java/org/keycloak/adapters/undertow/ServletPreAuthActionsHandler.java

@@ -1,3 +1,19 @@
+/*
+ * Copyright 2014 Red Hat Inc. and/or its affiliates and other contributors
+ * as indicated by the @author tags. All rights reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy of
+ * the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+ * License for the specific language governing permissions and limitations under
+ * the License.
+ */
 package org.keycloak.adapters.undertow;
 
 import io.undertow.server.HandlerWrapper;

integration/undertow/src/main/java/org/keycloak/adapters/undertow/ServletRequestAuthenticator.java

@@ -1,3 +1,19 @@
+/*
+ * Copyright 2014 Red Hat Inc. and/or its affiliates and other contributors
+ * as indicated by the @author tags. All rights reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy of
+ * the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+ * License for the specific language governing permissions and limitations under
+ * the License.
+ */
 package org.keycloak.adapters.undertow;
 
 import io.undertow.security.api.SecurityContext;
@@ -10,20 +26,21 @@ import org.keycloak.adapters.KeycloakDeployment;
 
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpSession;
+import org.keycloak.KeycloakPrincipal;
+import org.keycloak.adapters.RefreshableKeycloakSecurityContext;
 
 /**
  * @author <a href="mailto:bill@burkecentral.com">Bill Burke</a>
+ * @author Stan Silvert ssilvert@redhat.com (C) 2014 Red Hat Inc.
  * @version $Revision: 1 $
  */
 public class ServletRequestAuthenticator extends UndertowRequestAuthenticator {
 
-    protected UndertowUserSessionManagement userSessionManagement;
 
     public ServletRequestAuthenticator(HttpFacade facade, KeycloakDeployment deployment, int sslRedirectPort,
                                        SecurityContext securityContext, HttpServerExchange exchange,
                                        UndertowUserSessionManagement userSessionManagement) {
-        super(facade, deployment, sslRedirectPort, securityContext, exchange);
-        this.userSessionManagement = userSessionManagement;
+        super(facade, deployment, sslRedirectPort, securityContext, exchange, userSessionManagement);
     }
 
     @Override
@@ -69,4 +86,9 @@ public class ServletRequestAuthenticator extends UndertowRequestAuthenticator {
         userSessionManagement.login(servletRequestContext.getDeployment().getSessionManager(), session.getId(), account.getPrincipal().getName(), account.getKeycloakSecurityContext().getToken().getSessionState());
 
     }
+
+    @Override
+    protected KeycloakUndertowAccount createAccount(KeycloakPrincipal principal, RefreshableKeycloakSecurityContext session) {
+        return new KeycloakUndertowAccount(principal, session, deployment);
+    }
 }

integration/undertow/src/main/java/org/keycloak/adapters/undertow/SessionManagementBridge.java

@@ -1,3 +1,19 @@
+/*
+ * Copyright 2014 Red Hat Inc. and/or its affiliates and other contributors
+ * as indicated by the @author tags. All rights reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy of
+ * the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+ * License for the specific language governing permissions and limitations under
+ * the License.
+ */
 package org.keycloak.adapters.undertow;
 
 import io.undertow.server.session.SessionManager;

integration/undertow/src/main/java/org/keycloak/adapters/undertow/UndertowAuthenticatedActionsHandler.java

@@ -1,3 +1,19 @@
+/*
+ * Copyright 2014 Red Hat Inc. and/or its affiliates and other contributors
+ * as indicated by the @author tags. All rights reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy of
+ * the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+ * License for the specific language governing permissions and limitations under
+ * the License.
+ */
 package org.keycloak.adapters.undertow;
 
 import io.undertow.server.HandlerWrapper;
@@ -12,6 +28,7 @@ import org.keycloak.adapters.KeycloakDeployment;
  * Bridge for authenticated Keycloak adapter actions
  *
  * @author <a href="mailto:bill@burkecentral.com">Bill Burke</a>
+ * @author Stan Silvert ssilvert@redhat.com (C) 2014 Red Hat Inc.
  * @version $Revision: 1 $
  */
 public class UndertowAuthenticatedActionsHandler implements HttpHandler {
@@ -33,7 +50,7 @@ public class UndertowAuthenticatedActionsHandler implements HttpHandler {
     }
 
 
-    protected UndertowAuthenticatedActionsHandler(AdapterDeploymentContext deploymentContext, HttpHandler next) {
+    public UndertowAuthenticatedActionsHandler(AdapterDeploymentContext deploymentContext, HttpHandler next) {
         this.deploymentContext = deploymentContext;
         this.next = next;
     }

integration/undertow/src/main/java/org/keycloak/adapters/undertow/UndertowHttpFacade.java

@@ -1,3 +1,19 @@
+/*
+ * Copyright 2014 Red Hat Inc. and/or its affiliates and other contributors
+ * as indicated by the @author tags. All rights reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy of
+ * the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+ * License for the specific language governing permissions and limitations under
+ * the License.
+ */
 package org.keycloak.adapters.undertow;
 
 import io.undertow.server.HttpServerExchange;

integration/undertow/src/main/java/org/keycloak/adapters/undertow/UndertowKeycloakAuthMech.java

@@ -0,0 +1,68 @@
+/*
+ * Copyright 2014 Red Hat Inc. and/or its affiliates and other contributors
+ * as indicated by the @author tags. All rights reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy of
+ * the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+ * License for the specific language governing permissions and limitations under
+ * the License.
+ */
+package org.keycloak.adapters.undertow;
+
+import io.undertow.security.api.AuthenticationMechanism;
+import io.undertow.security.api.SecurityContext;
+import io.undertow.server.HttpServerExchange;
+import io.undertow.util.AttachmentKey;
+import org.keycloak.adapters.AuthChallenge;
+import org.keycloak.adapters.AuthOutcome;
+import org.keycloak.adapters.RequestAuthenticator;
+import static org.keycloak.adapters.undertow.ServletKeycloakAuthMech.KEYCLOAK_CHALLENGE_ATTACHMENT_KEY;
+
+/**
+ * Abstract base class for a Keycloak-enabled Undertow AuthenticationMechanism.
+ *
+ * @author Stan Silvert ssilvert@redhat.com (C) 2014 Red Hat Inc.
+ */
+public abstract class UndertowKeycloakAuthMech implements AuthenticationMechanism {
+    public static final AttachmentKey<AuthChallenge> KEYCLOAK_CHALLENGE_ATTACHMENT_KEY = AttachmentKey.create(AuthChallenge.class);
+
+    @Override
+    public ChallengeResult sendChallenge(HttpServerExchange exchange, SecurityContext securityContext) {
+        AuthChallenge challenge = exchange.getAttachment(KEYCLOAK_CHALLENGE_ATTACHMENT_KEY);
+        if (challenge != null) {
+            UndertowHttpFacade facade = new UndertowHttpFacade(exchange);
+            if (challenge.challenge(facade)) {
+                return new ChallengeResult(true, exchange.getResponseCode());
+            }
+        }
+        return new ChallengeResult(false);
+    }
+
+    /**
+     * Call this inside your authenticate method.
+     */
+    protected AuthenticationMechanismOutcome keycloakAuthenticate(HttpServerExchange exchange, RequestAuthenticator authenticator) {
+        AuthOutcome outcome = authenticator.authenticate();
+        if (outcome == AuthOutcome.AUTHENTICATED) {
+            return AuthenticationMechanismOutcome.AUTHENTICATED;
+        }
+        AuthChallenge challenge = authenticator.getChallenge();
+        if (challenge != null) {
+            exchange.putAttachment(KEYCLOAK_CHALLENGE_ATTACHMENT_KEY, challenge);
+        }
+
+        if (outcome == AuthOutcome.FAILED) {
+            return AuthenticationMechanismOutcome.NOT_AUTHENTICATED;
+        }
+
+        return AuthenticationMechanismOutcome.NOT_ATTEMPTED;
+    }
+
+}

integration/undertow/src/main/java/org/keycloak/adapters/undertow/UndertowRequestAuthenticator.java

@@ -1,7 +1,25 @@
+/*
+ * Copyright 2014 Red Hat Inc. and/or its affiliates and other contributors
+ * as indicated by the @author tags. All rights reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy of
+ * the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+ * License for the specific language governing permissions and limitations under
+ * the License.
+ */
 package org.keycloak.adapters.undertow;
 
 import io.undertow.security.api.SecurityContext;
 import io.undertow.server.HttpServerExchange;
+import io.undertow.server.session.Session;
+import io.undertow.util.Sessions;
 import org.keycloak.KeycloakPrincipal;
 import org.keycloak.adapters.HttpFacade;
 import org.keycloak.adapters.KeycloakAccount;
@@ -12,17 +30,22 @@ import org.keycloak.adapters.RequestAuthenticator;
 
 /**
  * @author <a href="mailto:bill@burkecentral.com">Bill Burke</a>
+ * @author Stan Silvert ssilvert@redhat.com (C) 2014 Red Hat Inc.
  * @version $Revision: 1 $
  */
-public class UndertowRequestAuthenticator extends RequestAuthenticator {
+public abstract class UndertowRequestAuthenticator extends RequestAuthenticator {
     protected SecurityContext securityContext;
     protected HttpServerExchange exchange;
+    protected UndertowUserSessionManagement userSessionManagement;
 
 
-    public UndertowRequestAuthenticator(HttpFacade facade, KeycloakDeployment deployment, int sslRedirectPort, SecurityContext securityContext, HttpServerExchange exchange) {
+    public UndertowRequestAuthenticator(HttpFacade facade, KeycloakDeployment deployment, int sslRedirectPort,
+                                        SecurityContext securityContext, HttpServerExchange exchange,
+                                        UndertowUserSessionManagement userSessionManagement) {
         super(facade, deployment, sslRedirectPort);
         this.securityContext = securityContext;
         this.exchange = exchange;
+        this.userSessionManagement = userSessionManagement;
     }
 
     protected void propagateKeycloakContext(KeycloakUndertowAccount account) {
@@ -41,26 +64,55 @@ public class UndertowRequestAuthenticator extends RequestAuthenticator {
 
     @Override
     protected void completeOAuthAuthentication(KeycloakPrincipal principal, RefreshableKeycloakSecurityContext session) {
-        KeycloakUndertowAccount account = new KeycloakUndertowAccount(principal, session, deployment);
+        KeycloakUndertowAccount account = createAccount(principal, session);
         securityContext.authenticationComplete(account, "KEYCLOAK", false);
         propagateKeycloakContext(account);
         login(account);
     }
 
     protected void login(KeycloakAccount account) {
-
+        Session session = Sessions.getOrCreateSession(exchange);
+        session.setAttribute(KeycloakUndertowAccount.class.getName(), account);
+        String username = account.getPrincipal().getName();
+        String keycloakSessionId = account.getKeycloakSecurityContext().getToken().getSessionState();
+        userSessionManagement.login(session.getSessionManager(), session.getId(), username, keycloakSessionId);
     }
 
 
     @Override
     protected void completeBearerAuthentication(KeycloakPrincipal principal, RefreshableKeycloakSecurityContext session) {
-        KeycloakUndertowAccount account = new KeycloakUndertowAccount(principal, session, deployment);
+        KeycloakUndertowAccount account = createAccount(principal, session);
         securityContext.authenticationComplete(account, "KEYCLOAK", false);
         propagateKeycloakContext(account);
     }
 
     @Override
     protected boolean isCached() {
+        Session session = Sessions.getSession(exchange);
+        if (session == null) {
+            log.info("session was null, returning null");
             return false;
         }
+        KeycloakUndertowAccount account = (KeycloakUndertowAccount)session.getAttribute(KeycloakUndertowAccount.class.getName());
+        if (account == null) {
+            log.info("Account was not in session, returning null");
+            return false;
+        }
+        account.setDeployment(deployment);
+        if (account.isActive()) {
+            log.info("Cached account found");
+            securityContext.authenticationComplete(account, "KEYCLOAK", false);
+            propagateKeycloakContext( account);
+            return true;
+        }
+        log.info("Account was not active, returning false");
+        session.removeAttribute(KeycloakUndertowAccount.class.getName());
+        return false;
+    }
+
+    /**
+     * Subclasses need to be able to create their own version of the KeycloakUndertowAccount
+     * @return The account
+     */
+    protected abstract KeycloakUndertowAccount createAccount(KeycloakPrincipal principal, RefreshableKeycloakSecurityContext session);
 }

integration/undertow/src/main/java/org/keycloak/adapters/undertow/UndertowUserSessionManagement.java

@@ -1,3 +1,19 @@
+/*
+ * Copyright 2014 Red Hat Inc. and/or its affiliates and other contributors
+ * as indicated by the @author tags. All rights reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy of
+ * the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+ * License for the specific language governing permissions and limitations under
+ * the License.
+ */
 package org.keycloak.adapters.undertow;
 
 import io.undertow.security.api.AuthenticatedSessionManager;