[KEYCLOAK-3830] - Only enforce permissions when there is a KeycloakSecurityContext.

2016-11-17 21:03:54 +00:00 · 2016-11-17 21:03:54 +00:00 · 44ee53b0d8
commit 44ee53b0d8
parent 5e496fb9bb
2 changed files with 45 additions and 33 deletions
--- a/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/AuthenticatedActionsHandler.java
+++ b/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/AuthenticatedActionsHandler.java
@ -142,9 +142,13 @@ public class AuthenticatedActionsHandler {
            AuthorizationContext authorizationContext = policyEnforcer.enforce(facade);
            RefreshableKeycloakSecurityContext session = (RefreshableKeycloakSecurityContext) facade.getSecurityContext();

-            session.setAuthorizationContext(authorizationContext);
+            if (session != null) {
+                session.setAuthorizationContext(authorizationContext);

-            return  authorizationContext.isGranted();
+                return authorizationContext.isGranted();
+            }
+
+            return true;
        } catch (Exception e) {
            throw new RuntimeException("Failed to enforce policy decisions.", e);
        }
--- a/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/authorization/AbstractPolicyEnforcer.java
+++ b/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/authorization/AbstractPolicyEnforcer.java
@ -19,6 +19,7 @@ package org.keycloak.adapters.authorization;

 import org.jboss.logging.Logger;
 import org.keycloak.AuthorizationContext;
+import org.keycloak.KeycloakSecurityContext;
 import org.keycloak.adapters.OIDCHttpFacade;
 import org.keycloak.adapters.spi.HttpFacade.Request;
 import org.keycloak.adapters.spi.HttpFacade.Response;
@ -66,40 +67,47 @@ public abstract class AbstractPolicyEnforcer {
            return createEmptyAuthorizationContext(true);
        }

-        AccessToken accessToken = httpFacade.getSecurityContext().getToken();
-        Request request = httpFacade.getRequest();
-        Response response = httpFacade.getResponse();
-        String pathInfo = URI.create(request.getURI()).getPath().substring(1);
-        String path = pathInfo.substring(pathInfo.indexOf('/'), pathInfo.length());
-        PathConfig pathConfig = this.pathMatcher.matches(path, this.paths);
+        KeycloakSecurityContext securityContext = httpFacade.getSecurityContext();

-        LOGGER.debugf("Checking permissions for path [%s] with config [%s].", request.getURI(), pathConfig);
+        if (securityContext != null) {
+            AccessToken accessToken = securityContext.getToken();

-        if (pathConfig == null) {
-            if (EnforcementMode.PERMISSIVE.equals(enforcementMode)) {
-                return createAuthorizationContext(accessToken);
+            if (accessToken != null) {
+                Request request = httpFacade.getRequest();
+                Response response = httpFacade.getResponse();
+                String pathInfo = URI.create(request.getURI()).getPath().substring(1);
+                String path = pathInfo.substring(pathInfo.indexOf('/'), pathInfo.length());
+                PathConfig pathConfig = this.pathMatcher.matches(path, this.paths);
+
+                LOGGER.debugf("Checking permissions for path [%s] with config [%s].", request.getURI(), pathConfig);
+
+                if (pathConfig == null) {
+                    if (EnforcementMode.PERMISSIVE.equals(enforcementMode)) {
+                        return createAuthorizationContext(accessToken);
+                    }
+
+                    LOGGER.debugf("Could not find a configuration for path [%s]", path);
+                    response.sendError(403, "Could not find a configuration for path [" + path + "].");
+
+                    return createEmptyAuthorizationContext(false);
+                }
+
+                PathConfig actualPathConfig = resolvePathConfig(pathConfig, request);
+                Set<String> requiredScopes = getRequiredScopes(actualPathConfig, request);
+
+                if (isAuthorized(actualPathConfig, requiredScopes, accessToken, httpFacade)) {
+                    try {
+                        return createAuthorizationContext(accessToken);
+                    } catch (Exception e) {
+                        throw new RuntimeException("Error processing path [" + actualPathConfig.getPath() + "].", e);
+                    }
+                }
+
+                if (!challenge(actualPathConfig, requiredScopes, httpFacade)) {
+                    LOGGER.debugf("Sending challenge to the client. Path [%s]", pathConfig);
+                    response.sendError(403, "Authorization failed.");
+                }
            }
-
-            LOGGER.debugf("Could not find a configuration for path [%s]", path);
-            response.sendError(403, "Could not find a configuration for path [" + path + "].");
-
-            return createEmptyAuthorizationContext(false);
-        }
-
-        PathConfig actualPathConfig = resolvePathConfig(pathConfig, request);
-        Set<String> requiredScopes = getRequiredScopes(actualPathConfig, request);
-
-        if (isAuthorized(actualPathConfig, requiredScopes, accessToken, httpFacade)) {
-            try {
-                return createAuthorizationContext(accessToken);
-            } catch (Exception e) {
-                throw new RuntimeException("Error processing path [" + actualPathConfig.getPath() + "].", e);
-            }
-        }
-
-        if (!challenge(actualPathConfig, requiredScopes, httpFacade)) {
-            LOGGER.debugf("Sending challenge to the client. Path [%s]", pathConfig);
-            response.sendError(403, "Authorization failed.");
        }

        return createEmptyAuthorizationContext(false);