[KEYCLOAK-3830] - Only enforce permissions when there is a KeycloakSecurityContext.

2016-11-17 21:03:54 +00:00 · 2016-11-17 21:03:54 +00:00 · 44ee53b0d8
commit 44ee53b0d8
parent 5e496fb9bb
2 changed files with 45 additions and 33 deletions
--- a/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/AuthenticatedActionsHandler.java
+++ b/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/AuthenticatedActionsHandler.java
@ -142,9 +142,13 @@ public class AuthenticatedActionsHandler {
            AuthorizationContext authorizationContext = policyEnforcer.enforce(facade);
            RefreshableKeycloakSecurityContext session = (RefreshableKeycloakSecurityContext) facade.getSecurityContext();

+            if (session != null) {
                session.setAuthorizationContext(authorizationContext);

                return authorizationContext.isGranted();
+            }
+
+            return true;
        } catch (Exception e) {
            throw new RuntimeException("Failed to enforce policy decisions.", e);
        }
--- a/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/authorization/AbstractPolicyEnforcer.java
+++ b/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/authorization/AbstractPolicyEnforcer.java
@ -19,6 +19,7 @@ package org.keycloak.adapters.authorization;

 import org.jboss.logging.Logger;
 import org.keycloak.AuthorizationContext;
+import org.keycloak.KeycloakSecurityContext;
 import org.keycloak.adapters.OIDCHttpFacade;
 import org.keycloak.adapters.spi.HttpFacade.Request;
 import org.keycloak.adapters.spi.HttpFacade.Response;
@ -66,7 +67,12 @@ public abstract class AbstractPolicyEnforcer {
            return createEmptyAuthorizationContext(true);
        }

-        AccessToken accessToken = httpFacade.getSecurityContext().getToken();
+        KeycloakSecurityContext securityContext = httpFacade.getSecurityContext();
+
+        if (securityContext != null) {
+            AccessToken accessToken = securityContext.getToken();
+
+            if (accessToken != null) {
                Request request = httpFacade.getRequest();
                Response response = httpFacade.getResponse();
                String pathInfo = URI.create(request.getURI()).getPath().substring(1);
@ -101,6 +107,8 @@ public abstract class AbstractPolicyEnforcer {
                    LOGGER.debugf("Sending challenge to the client. Path [%s]", pathConfig);
                    response.sendError(403, "Authorization failed.");
                }
+            }
+        }

        return createEmptyAuthorizationContext(false);
    }