libre.sh/keycloak-scim
4
0
Fork 0
Code Issues 15 Pull requests Releases 1 Activity Actions

Merge pull request #1543 from raehalme/KEYCLOAK-1775

Browse source 
KEYCLOAK-1775 Basic auth no longer redirects on Spring Security
This commit is contained in:
Bill Burke 2015-08-21 21:06:00 -04:00
commit 3a64c4d582
2 changed files with 55 additions and 6 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

21
integration/spring-security/src/main/java/org/keycloak/adapters/springsecurity/filter/KeycloakAuthenticationProcessingFilter.java
View file

@ -144,17 +144,29 @@ public class KeycloakAuthenticationProcessingFilter extends AbstractAuthenticati
return authValue != null && authValue.startsWith("Bearer"); return authValue != null && authValue.startsWith("Bearer");
} }
/**
* Returns true if the request was made with a Basic authentication authorization header.
*
* @param request the current <code>HttpServletRequest</code>
* @return <code>true</code> if the <code>request</code> was made with a Basic authentication authorization header;
* <code>false</code> otherwise.
*/
protected boolean isBasicAuthRequest(HttpServletRequest request) {
String authValue = request.getHeader(AUTHORIZATION_HEADER);
return authValue != null && authValue.startsWith("Basic");
}
@Override @Override
protected void successfulAuthentication(HttpServletRequest request, HttpServletResponse response, FilterChain chain, protected void successfulAuthentication(HttpServletRequest request, HttpServletResponse response, FilterChain chain,
Authentication authResult) throws IOException, ServletException { Authentication authResult) throws IOException, ServletException {
if (!this.isBearerTokenRequest(request)) { if (!(this.isBearerTokenRequest(request) || this.isBasicAuthRequest(request))) {
super.successfulAuthentication(request, response, chain, authResult); super.successfulAuthentication(request, response, chain, authResult);
return; return;
} }
if (log.isDebugEnabled()) { if (log.isDebugEnabled()) {
log.debug("Authentication success using bearer token. Updating SecurityContextHolder to contain: {}", authResult); log.debug("Authentication success using bearer token/basic authentication. Updating SecurityContextHolder to contain: {}", authResult);
} }
SecurityContextHolder.getContext().setAuthentication(authResult); SecurityContextHolder.getContext().setAuthentication(authResult);
@ -181,6 +193,11 @@ public class KeycloakAuthenticationProcessingFilter extends AbstractAuthenticati
response.sendError(HttpServletResponse.SC_FORBIDDEN, "Unable to authenticate bearer token"); response.sendError(HttpServletResponse.SC_FORBIDDEN, "Unable to authenticate bearer token");
return; return;
} }
else if (this.isBasicAuthRequest(request)) {
SecurityContextHolder.clearContext();
response.sendError(HttpServletResponse.SC_FORBIDDEN, "Unable to authenticate with basic authentication");
return;
}
super.unsuccessfulAuthentication(request, response, failed); super.unsuccessfulAuthentication(request, response, failed);
} }

40
integration/spring-security/src/test/java/org/keycloak/adapters/springsecurity/filter/KeycloakAuthenticationProcessingFilterTest.java
View file

@ -94,10 +94,17 @@ public class KeycloakAuthenticationProcessingFilterTest {
@Test @Test
public void testIsBearerTokenRequest() throws Exception { public void testIsBearerTokenRequest() throws Exception {
assertFalse(filter.isBearerTokenRequest(request)); assertFalse(filter.isBearerTokenRequest(request));
this.setAuthHeader(request); this.setBearerAuthHeader(request);
assertTrue(filter.isBearerTokenRequest(request)); assertTrue(filter.isBearerTokenRequest(request));
} }
@Test
public void testIsBasicAuthRequest() throws Exception {
assertFalse(filter.isBasicAuthRequest(request));
this.setBasicAuthHeader(request);
assertTrue(filter.isBasicAuthRequest(request));
}
@Test @Test
public void testSuccessfulAuthenticationInteractive() throws Exception { public void testSuccessfulAuthenticationInteractive() throws Exception {
Authentication authentication = new KeycloakAuthenticationToken(keycloakAccount, authorities); Authentication authentication = new KeycloakAuthenticationToken(keycloakAccount, authorities);
@ -110,7 +117,18 @@ public class KeycloakAuthenticationProcessingFilterTest {
@Test @Test
public void testSuccessfulAuthenticationBearer() throws Exception { public void testSuccessfulAuthenticationBearer() throws Exception {
Authentication authentication = new KeycloakAuthenticationToken(keycloakAccount, authorities); Authentication authentication = new KeycloakAuthenticationToken(keycloakAccount, authorities);
this.setAuthHeader(request); this.setBearerAuthHeader(request);
filter.successfulAuthentication(request, response, chain, authentication);
verify(chain).doFilter(eq(request), eq(response));
verify(successHandler, never()).onAuthenticationSuccess(any(HttpServletRequest.class), any(HttpServletResponse.class),
any(Authentication.class));
}
@Test
public void testSuccessfulAuthenticationBasicAuth() throws Exception {
Authentication authentication = new KeycloakAuthenticationToken(keycloakAccount, authorities);
this.setBasicAuthHeader(request);
filter.successfulAuthentication(request, response, chain, authentication); filter.successfulAuthentication(request, response, chain, authentication);
verify(chain).doFilter(eq(request), eq(response)); verify(chain).doFilter(eq(request), eq(response));
@ -128,7 +146,17 @@ public class KeycloakAuthenticationProcessingFilterTest {
@Test @Test
public void testUnsuccessfulAuthenticatioBearer() throws Exception { public void testUnsuccessfulAuthenticatioBearer() throws Exception {
AuthenticationException exception = new BadCredentialsException("OOPS"); AuthenticationException exception = new BadCredentialsException("OOPS");
this.setAuthHeader(request); this.setBearerAuthHeader(request);
filter.unsuccessfulAuthentication(request, response, exception);
verify(response).sendError(eq(HttpServletResponse.SC_FORBIDDEN), anyString());
verify(failureHandler, never()).onAuthenticationFailure(any(HttpServletRequest.class), any(HttpServletResponse.class),
any(AuthenticationException.class));
}
@Test
public void testUnsuccessfulAuthenticatioBasicAuth() throws Exception {
AuthenticationException exception = new BadCredentialsException("OOPS");
this.setBasicAuthHeader(request);
filter.unsuccessfulAuthentication(request, response, exception); filter.unsuccessfulAuthentication(request, response, exception);
verify(response).sendError(eq(HttpServletResponse.SC_FORBIDDEN), anyString()); verify(response).sendError(eq(HttpServletResponse.SC_FORBIDDEN), anyString());
verify(failureHandler, never()).onAuthenticationFailure(any(HttpServletRequest.class), any(HttpServletResponse.class), verify(failureHandler, never()).onAuthenticationFailure(any(HttpServletRequest.class), any(HttpServletResponse.class),
@ -145,8 +173,12 @@ public class KeycloakAuthenticationProcessingFilterTest {
filter.setContinueChainBeforeSuccessfulAuthentication(true); filter.setContinueChainBeforeSuccessfulAuthentication(true);
} }
private void setAuthHeader(MockHttpServletRequest request) { private void setBearerAuthHeader(MockHttpServletRequest request) {
request.addHeader(KeycloakAuthenticationProcessingFilter.AUTHORIZATION_HEADER, "Bearer " + UUID.randomUUID().toString()); request.addHeader(KeycloakAuthenticationProcessingFilter.AUTHORIZATION_HEADER, "Bearer " + UUID.randomUUID().toString());
} }
private void setBasicAuthHeader(MockHttpServletRequest request) {
request.addHeader(KeycloakAuthenticationProcessingFilter.AUTHORIZATION_HEADER, "Basic " + UUID.randomUUID().toString());
}
} }