Merge pull request #2172 from patriot1burke/master

KEYCLOAK-2444  	KEYCLOAK-2443

adapters/oidc/as7-eap6/as7-subsystem/src/main/java/org/keycloak/subsystem/as7/KeycloakSubsystemParser.java

@@ -243,7 +243,7 @@ class KeycloakSubsystemParser implements XMLStreamConstants, XMLElementReader<Li
             String credName = credential.getName();
             String credValue = credential.getValue().get(CredentialDefinition.VALUE.getName()).asString();
 
-            if (credName.contains("")) {
+            if (credName.indexOf('.') > -1) {
                 String[] parts = credName.split("\\.");
                 String provider = parts[0];
                 String propKey = parts[1];

adapters/oidc/servlet-filter/src/main/java/org/keycloak/adapters/servlet/KeycloakOIDCFilter.java

@@ -102,6 +102,8 @@ public class KeycloakOIDCFilter implements Filter {
 
     @Override
     public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException, ServletException {
+        log.fine("Keycloak OIDC Filter");
+        //System.err.println("Keycloak OIDC Filter: " + ((HttpServletRequest)req).getRequestURL().toString());
         HttpServletRequest request = (HttpServletRequest) req;
         HttpServletResponse response = (HttpServletResponse) res;
         OIDCServletHttpFacade facade = new OIDCServletHttpFacade(request, response);
@@ -122,7 +124,10 @@ public class KeycloakOIDCFilter implements Filter {
 
             @Override
             public void logoutHttpSessions(List<String> ids) {
+                log.fine("**************** logoutHttpSessions");
+                //System.err.println("**************** logoutHttpSessions");
                 for (String id : ids) {
+                    log.finest("removed idMapper: " + id);
                     idMapper.removeSession(id);
                 }
 
@@ -130,6 +135,7 @@ public class KeycloakOIDCFilter implements Filter {
         }, deploymentContext, facade);
 
         if (preActions.handleRequest()) {
+            //System.err.println("**************** preActions.handleRequest happened!");
             return;
         }
 

adapters/oidc/servlet-filter/src/main/java/org/keycloak/adapters/servlet/OIDCFilterSessionStore.java

@@ -112,6 +112,8 @@ public class OIDCFilterSessionStore extends FilterSessionStore implements Adapte
         }
 
         if (idMapper != null && !idMapper.hasSession(httpSession.getId())) {
+            log.fine("idMapper does not have session: " + httpSession.getId());
+            //System.err.println("idMapper does not have session: " + httpSession.getId());
             cleanSession(httpSession);
             return false;
         }

docbook/auth-server-docs/reference/en/en-US/modules/servlet-filter-adapter.xml

@@ -46,11 +46,20 @@
     </filter>
     <filter-mapping>
         <filter-name>Keycloak Filter</filter-name>
-        <url-pattern>/*</url-pattern>
+        <url-pattern>/keycloak/*</url-pattern>
+        <url-pattern>/protected/*</url-pattern>
     </filter-mapping>
 </web-app>
 ]]>
     </programlisting>
+    <para>
+        If you notice above, there are two url-patterns.  <literal>/protected/*</literal> are just the files we want protected.
+        <literal>/keycloak/*</literal> url-pattern will handle callback from the keycloak server.
+        Note that you should configure your client in the Keycloak Admin Console
+        with an Admin URL that points to a secured section covered by the filter's url-pattern.
+        The Admin URL will make callbacks to the Admin URL to do things like backchannel logout.  So, the Admin URL in this example should
+        be <literal>http[s]://hostname/{context-root}/keycloak</literal>.  There is an example of this in the distribution.
+    </para>
     <para>
         The Keycloak filter has the same configuration parameters available as the other adapters except you must define
         them as filter init params instead of context params.

docbook/saml-adapter-docs/reference/en/en-US/modules/servlet-filter-adapter.xml

@@ -64,9 +64,13 @@
     </para>
     <warning>
         <para>
-            You must have a filter mapping for <literal>/saml</literal>
+            You must have a filter mapping that covers <literal>/saml</literal>.  This mapping covers all server callbacks.
         </para>
     </warning>
+    <para>
+        When registering SPs with an IDP, you must register <literal>http[s]://hostname/{context-root}/saml</literal> as
+        your Assert Consumer Service URL and Single Logout Service URL.
+    </para>
     <para>
         To use this filter, include this maven artifact in your WAR poms
     </para>

examples/demo-template/customer-app-filter/src/main/webapp/WEB-INF/web.xml

@@ -29,7 +29,8 @@
     </filter>
     <filter-mapping>
         <filter-name>Keycloak Filter</filter-name>
-        <url-pattern>/customers/*</url-pattern>
+        <url-pattern>/keycloak/*</url-pattern> <!-- this is so keycloak server can send events like backchannel logout -->
+        <url-pattern>/customers/*</url-pattern> <!-- this secures things -->
     </filter-mapping>
 
 </web-app>

examples/demo-template/testrealm.json

@@ -123,7 +123,7 @@
         {
             "clientId": "customer-portal-filter",
             "enabled": true,
-            "adminUrl": "/customer-portal-filter",
+            "adminUrl": "/customer-portal-filter/keycloak",
             "baseUrl": "/customer-portal-filter",
             "redirectUris": [
                 "/customer-portal-filter/*"