Merge pull request #649 from stianst/master
KEYCLOAK-531 Reduce info level logging
This commit is contained in:
commit
49fb452a79
20 changed files with 67 additions and 143 deletions
|
@ -206,7 +206,6 @@ public class RSAVerifierTest {
|
|||
v = verifySkeletonKeyToken(encoded);
|
||||
Assert.fail();
|
||||
} catch (VerificationException ignored) {
|
||||
System.out.println(ignored.getMessage());
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -225,7 +224,6 @@ public class RSAVerifierTest {
|
|||
try {
|
||||
v = verifySkeletonKeyToken(encoded);
|
||||
} catch (VerificationException ignored) {
|
||||
System.out.println(ignored.getMessage());
|
||||
}
|
||||
}
|
||||
|
||||
|
|
|
@ -24,8 +24,6 @@ public class SkeletonKeyTokenTest {
|
|||
token.addAccess("bar").addRole("user");
|
||||
|
||||
String json = JsonSerialization.writeValueAsString(token);
|
||||
System.out.println(json);
|
||||
|
||||
token = JsonSerialization.readValue(json, AccessToken.class);
|
||||
Assert.assertEquals("111", token.getId());
|
||||
AccessToken.Access foo = token.getResourceAccess("foo");
|
||||
|
@ -47,8 +45,6 @@ public class SkeletonKeyTokenTest {
|
|||
.jsonContent(token)
|
||||
.rsa256(keyPair.getPrivate());
|
||||
|
||||
System.out.println(encoded);
|
||||
|
||||
JWSInput input = new JWSInput(encoded);
|
||||
|
||||
token = input.readJsonContent(AccessToken.class);
|
||||
|
|
|
@ -1,5 +1,12 @@
|
|||
<chapter id="Migration_from_older_versions">
|
||||
<title>Migration from older versions</title>
|
||||
<sect1>
|
||||
<title>Migrating from 1.0 RC-1 to RC-2</title>
|
||||
<itemizedlist>
|
||||
<listitem>A lot of info level logging has been changed to debug. Also, a realm no longer has the jboss-logging audit listener by default.
|
||||
If you want log output when users login, logout, change passwords, etc. enable the jboss-logging audit listener through the admin console.</listitem>
|
||||
</itemizedlist>
|
||||
</sect1>
|
||||
<sect1>
|
||||
<title>Migrating from 1.0 Beta 4 to RC-1</title>
|
||||
<itemizedlist>
|
||||
|
|
|
@ -74,7 +74,7 @@ public class KeycloakServletExtension implements ServletExtension {
|
|||
if (is == null) {
|
||||
String path = context.getInitParameter("keycloak.config.file");
|
||||
if (path == null) {
|
||||
log.info("**** using /WEB-INF/keycloak.json");
|
||||
log.debug("using /WEB-INF/keycloak.json");
|
||||
is = context.getResourceAsStream("/WEB-INF/keycloak.json");
|
||||
} else {
|
||||
try {
|
||||
|
@ -91,10 +91,10 @@ public class KeycloakServletExtension implements ServletExtension {
|
|||
@Override
|
||||
public void handleDeployment(DeploymentInfo deploymentInfo, ServletContext servletContext) {
|
||||
if (!isAuthenticationMechanismPresent(deploymentInfo, "KEYCLOAK")) {
|
||||
log.info("auth-method is not keycloak!");
|
||||
log.debug("auth-method is not keycloak!");
|
||||
return;
|
||||
}
|
||||
log.info("KeycloakServletException initialization");
|
||||
log.debug("KeycloakServletException initialization");
|
||||
InputStream is = getConfigInputStream(servletContext);
|
||||
KeycloakDeployment deployment = null;
|
||||
if (is == null) {
|
||||
|
@ -139,14 +139,14 @@ public class KeycloakServletExtension implements ServletExtension {
|
|||
}
|
||||
});
|
||||
|
||||
log.info("Setting jsession cookie path to: " + deploymentInfo.getContextPath());
|
||||
log.debug("Setting jsession cookie path to: " + deploymentInfo.getContextPath());
|
||||
ServletSessionConfig cookieConfig = new ServletSessionConfig();
|
||||
cookieConfig.setPath(deploymentInfo.getContextPath());
|
||||
deploymentInfo.setServletSessionConfig(cookieConfig);
|
||||
}
|
||||
|
||||
protected ServletKeycloakAuthMech createAuthenticationMechanism(DeploymentInfo deploymentInfo, AdapterDeploymentContext deploymentContext, UndertowUserSessionManagement userSessionManagement) {
|
||||
log.info("creating ServletKeycloakAuthMech");
|
||||
log.debug("creating ServletKeycloakAuthMech");
|
||||
return new ServletKeycloakAuthMech(deploymentContext, userSessionManagement, deploymentInfo.getConfidentialPortManager());
|
||||
}
|
||||
}
|
||||
|
|
|
@ -397,7 +397,7 @@ public class RepresentationToModel {
|
|||
if (resourceRep.getRedirectUris() != null) {
|
||||
Set<String> origins = new HashSet<String>();
|
||||
for (String redirectUri : resourceRep.getRedirectUris()) {
|
||||
logger.info("add redirectUri to origin: " + redirectUri);
|
||||
logger.debugv("add redirect-uri to origin: {0}", redirectUri);
|
||||
if (redirectUri.startsWith("http:")) {
|
||||
URI uri = URI.create(redirectUri);
|
||||
String origin = uri.getScheme() + "://" + uri.getHost();
|
||||
|
|
|
@ -38,7 +38,7 @@ public class DefaultKeycloakSessionFactory implements KeycloakSessionFactory {
|
|||
|
||||
factories.put(factory.getId(), factory);
|
||||
|
||||
log.info("Loaded SPI " + spi.getName() + " (provider = " + provider + ")");
|
||||
log.debugv("Loaded SPI {0} (provider = {1})", spi.getName(), provider);
|
||||
} else {
|
||||
for (ProviderFactory factory : ServiceLoader.load(spi.getProviderFactoryClass())) {
|
||||
Config.Scope scope = Config.scope(spi.getName(), factory.getId());
|
||||
|
@ -51,9 +51,9 @@ public class DefaultKeycloakSessionFactory implements KeycloakSessionFactory {
|
|||
provider = factories.values().iterator().next().getId();
|
||||
this.provider.put(spi.getProviderClass(), provider);
|
||||
|
||||
log.info("Loaded SPI " + spi.getName() + " (provider = " + provider + ")");
|
||||
log.debugv("Loaded SPI {0} (provider = {1})", spi.getName(), provider);
|
||||
} else {
|
||||
log.info("Loaded SPI " + spi.getName() + " (providers = " + factories.keySet() + ")");
|
||||
log.debugv("Loaded SPI {0} (providers = {1})", spi.getName(), factories.keySet());
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
@ -60,8 +60,6 @@ public class ApplianceBootstrap {
|
|||
realm.setRegistrationAllowed(false);
|
||||
KeycloakModelUtils.generateRealmKeys(realm);
|
||||
|
||||
realm.setAuditListeners(Collections.singleton("jboss-logging"));
|
||||
|
||||
UserModel adminUser = session.users().addUser(realm, "admin");
|
||||
adminUser.setEnabled(true);
|
||||
UserCredentialModel password = new UserCredentialModel();
|
||||
|
|
|
@ -55,26 +55,19 @@ public class AuthenticationManager {
|
|||
|
||||
public static boolean isSessionValid(RealmModel realm, UserSessionModel userSession) {
|
||||
if (userSession == null) {
|
||||
logger.info("userSession was null");
|
||||
logger.debug("No user session");
|
||||
return false;
|
||||
}
|
||||
int currentTime = Time.currentTime();
|
||||
int max = userSession.getStarted() + realm.getSsoSessionMaxLifespan();
|
||||
boolean valid = userSession != null && userSession.getLastSessionRefresh() + realm.getSsoSessionIdleTimeout() > currentTime && max > currentTime;
|
||||
if (!valid) {
|
||||
logger.info("userSession.getLastSessionRefresh(): " + userSession.getLastSessionRefresh());
|
||||
logger.info("realm.getSsoSessionIdleTimeout(): " + realm.getSsoSessionIdleTimeout());
|
||||
logger.info("currentTime: " + currentTime);
|
||||
logger.info("max: " + max);
|
||||
}
|
||||
return valid;
|
||||
return userSession != null && userSession.getLastSessionRefresh() + realm.getSsoSessionIdleTimeout() > currentTime && max > currentTime;
|
||||
}
|
||||
|
||||
public static void logout(KeycloakSession session, RealmModel realm, UserSessionModel userSession, UriInfo uriInfo, ClientConnection connection) {
|
||||
if (userSession == null) return;
|
||||
UserModel user = userSession.getUser();
|
||||
|
||||
logger.infov("Logging out: {0} ({1})", user.getUsername(), userSession.getId());
|
||||
logger.debugv("Logging out: {0} ({1})", user.getUsername(), userSession.getId());
|
||||
|
||||
session.sessions().removeUserSession(realm, userSession);
|
||||
expireIdentityCookie(realm, uriInfo, connection);
|
||||
|
@ -86,7 +79,6 @@ public class AuthenticationManager {
|
|||
|
||||
|
||||
public AccessToken createIdentityToken(RealmModel realm, UserModel user, UserSessionModel session) {
|
||||
logger.info("createIdentityToken");
|
||||
AccessToken token = new AccessToken();
|
||||
token.id(KeycloakModelUtils.generateId());
|
||||
token.issuedNow();
|
||||
|
@ -102,17 +94,15 @@ public class AuthenticationManager {
|
|||
}
|
||||
|
||||
public void createLoginCookie(RealmModel realm, UserModel user, UserSessionModel session, UriInfo uriInfo, ClientConnection connection) {
|
||||
logger.info("createLoginCookie");
|
||||
String cookiePath = getIdentityCookiePath(realm, uriInfo);
|
||||
AccessToken identityToken = createIdentityToken(realm, user, session);
|
||||
String encoded = encodeToken(realm, identityToken);
|
||||
boolean secureOnly = realm.getSslRequired().isRequired(connection);
|
||||
logger.debugv("creatingLoginCookie - name: {0} path: {1}", KEYCLOAK_IDENTITY_COOKIE, cookiePath);
|
||||
int maxAge = NewCookie.DEFAULT_MAX_AGE;
|
||||
if (session.isRememberMe()) {
|
||||
maxAge = realm.getSsoSessionIdleTimeout();
|
||||
logger.info("createLoginCookie maxAge: " + maxAge);
|
||||
}
|
||||
logger.debugv("Create login cookie - name: {0}, path: {1}, max-age: {2}", KEYCLOAK_IDENTITY_COOKIE, cookiePath, maxAge);
|
||||
CookieHelper.addCookie(KEYCLOAK_IDENTITY_COOKIE, encoded, cookiePath, null, null, maxAge, secureOnly, true);
|
||||
//builder.cookie(new NewCookie(cookieName, encoded, cookiePath, null, null, maxAge, secureOnly));// todo httponly , true);
|
||||
|
||||
|
@ -171,10 +161,9 @@ public class AuthenticationManager {
|
|||
}
|
||||
|
||||
public AuthResult authenticateIdentityCookie(KeycloakSession session, RealmModel realm, UriInfo uriInfo, ClientConnection connection, HttpHeaders headers, boolean checkActive) {
|
||||
logger.info("authenticateIdentityCookie");
|
||||
Cookie cookie = headers.getCookies().get(KEYCLOAK_IDENTITY_COOKIE);
|
||||
if (cookie == null || "".equals(cookie.getValue())) {
|
||||
logger.infov("authenticateCookie could not find cookie: {0}", KEYCLOAK_IDENTITY_COOKIE);
|
||||
logger.debugv("Could not find cookie: {0}", KEYCLOAK_IDENTITY_COOKIE);
|
||||
return null;
|
||||
}
|
||||
|
||||
|
@ -191,35 +180,31 @@ public class AuthenticationManager {
|
|||
protected AuthResult verifyIdentityToken(KeycloakSession session, RealmModel realm, UriInfo uriInfo, ClientConnection connection, boolean checkActive, String tokenString) {
|
||||
try {
|
||||
AccessToken token = RSATokenVerifier.verifyToken(tokenString, realm.getPublicKey(), realm.getName(), checkActive);
|
||||
logger.info("identity token verified");
|
||||
if (checkActive) {
|
||||
logger.info("Checking if identity token is active");
|
||||
if (!token.isActive() || token.getIssuedAt() < realm.getNotBefore()) {
|
||||
logger.info("identity cookie expired");
|
||||
logger.debug("identity cookie expired");
|
||||
return null;
|
||||
} else {
|
||||
logger.info("token.isActive() : " + token.isActive());
|
||||
logger.info("token.issuedAt: " + token.getIssuedAt());
|
||||
logger.info("real.notbefore: " + realm.getNotBefore());
|
||||
logger.debugv("token not active - active: {0}, issued-at: {1}, not-before: {2}", token.isActive(), token.getIssuedAt(), realm.getNotBefore());
|
||||
}
|
||||
}
|
||||
|
||||
UserModel user = session.users().getUserById(token.getSubject(), realm);
|
||||
if (user == null || !user.isEnabled() ) {
|
||||
logger.info("Unknown user in identity token");
|
||||
logger.debug("Unknown user in identity token");
|
||||
return null;
|
||||
}
|
||||
|
||||
UserSessionModel userSession = session.sessions().getUserSession(realm, token.getSessionState());
|
||||
if (!isSessionValid(realm, userSession)) {
|
||||
if (userSession != null) logout(session, realm, userSession, uriInfo, connection);
|
||||
logger.info("User session not active");
|
||||
logger.debug("User session not active");
|
||||
return null;
|
||||
}
|
||||
|
||||
return new AuthResult(user, userSession, token);
|
||||
} catch (VerificationException e) {
|
||||
logger.info("Failed to verify identity token", e);
|
||||
logger.debug("Failed to verify identity token", e);
|
||||
}
|
||||
return null;
|
||||
}
|
||||
|
@ -227,7 +212,7 @@ public class AuthenticationManager {
|
|||
public AuthenticationStatus authenticateForm(KeycloakSession session, ClientConnection clientConnection, RealmModel realm, MultivaluedMap<String, String> formData) {
|
||||
String username = formData.getFirst(FORM_USERNAME);
|
||||
if (username == null) {
|
||||
logger.warn("Username not provided");
|
||||
logger.debug("Username not provided");
|
||||
return AuthenticationStatus.INVALID_USER;
|
||||
}
|
||||
|
||||
|
@ -264,11 +249,11 @@ public class AuthenticationManager {
|
|||
UserModel user = KeycloakModelUtils.findUserByNameOrEmail(session, realm, username);
|
||||
|
||||
if (user == null) {
|
||||
logger.warn("User " + username + " not found");
|
||||
logger.debugv("User {0} not found", username);
|
||||
return AuthenticationStatus.INVALID_USER;
|
||||
}
|
||||
|
||||
if (!checkEnabled(user)) {
|
||||
if (!user.isEnabled()) {
|
||||
return AuthenticationStatus.ACCOUNT_DISABLED;
|
||||
}
|
||||
|
||||
|
@ -282,7 +267,7 @@ public class AuthenticationManager {
|
|||
List<UserCredentialModel> credentials = new LinkedList<UserCredentialModel>();
|
||||
String password = formData.getFirst(CredentialRepresentation.PASSWORD);
|
||||
if (password == null) {
|
||||
logger.warn("Password not provided");
|
||||
logger.debug("Password not provided");
|
||||
return AuthenticationStatus.MISSING_PASSWORD;
|
||||
}
|
||||
credentials.add(UserCredentialModel.password(password));
|
||||
|
@ -290,7 +275,7 @@ public class AuthenticationManager {
|
|||
if (user.isTotp()) {
|
||||
String token = formData.getFirst(CredentialRepresentation.TOTP);
|
||||
if (token == null) {
|
||||
logger.warn("TOTP token not provided");
|
||||
logger.debug("TOTP token not provided");
|
||||
return AuthenticationStatus.MISSING_TOTP;
|
||||
}
|
||||
credentials.add(UserCredentialModel.totp(token));
|
||||
|
@ -311,7 +296,7 @@ public class AuthenticationManager {
|
|||
} else if (types.contains(CredentialRepresentation.SECRET)) {
|
||||
String secret = formData.getFirst(CredentialRepresentation.SECRET);
|
||||
if (secret == null) {
|
||||
logger.warn("Secret not provided");
|
||||
logger.debug("Secret not provided");
|
||||
return AuthenticationStatus.MISSING_PASSWORD;
|
||||
}
|
||||
if (!session.users().validCredentials(realm, user, UserCredentialModel.secret(secret))) {
|
||||
|
@ -328,15 +313,6 @@ public class AuthenticationManager {
|
|||
}
|
||||
}
|
||||
|
||||
private boolean checkEnabled(UserModel user) {
|
||||
if (!user.isEnabled()) {
|
||||
logger.warn("AccountProvider is disabled, contact admin. " + user.getUsername());
|
||||
return false;
|
||||
} else {
|
||||
return true;
|
||||
}
|
||||
}
|
||||
|
||||
public enum AuthenticationStatus {
|
||||
SUCCESS, ACCOUNT_TEMPORARILY_DISABLED, ACCOUNT_DISABLED, ACTIONS_REQUIRED, INVALID_USER, INVALID_CREDENTIALS, MISSING_PASSWORD, MISSING_TOTP, FAILED
|
||||
}
|
||||
|
|
|
@ -86,8 +86,6 @@ public class RealmManager {
|
|||
setupAccountManagement(realm);
|
||||
setupAdminConsole(realm);
|
||||
|
||||
realm.setAuditListeners(Collections.singleton("jboss-logging"));
|
||||
|
||||
return realm;
|
||||
}
|
||||
|
||||
|
@ -226,11 +224,6 @@ public class RealmManager {
|
|||
|
||||
RepresentationToModel.importRealm(session, rep, realm);
|
||||
|
||||
|
||||
if (realm.getAuditListeners().size() == 0) {
|
||||
realm.setAuditListeners(Collections.singleton("jboss-logging"));
|
||||
}
|
||||
|
||||
// Refresh periodic sync tasks for configured federationProviders
|
||||
List<UserFederationProviderModel> federationProviders = realm.getUserFederationProviders();
|
||||
UsersSyncManager usersSyncManager = new UsersSyncManager();
|
||||
|
|
|
@ -59,7 +59,7 @@ public class ResourceAdminManager {
|
|||
SessionStatsAction adminAction = new SessionStatsAction(TokenIdGenerator.generateId(), Time.currentTime() + 30, application.getName());
|
||||
adminAction.setListUsers(users);
|
||||
String token = new TokenManager().encodeToken(realm, adminAction);
|
||||
logger.infov("session stats for application: {0} url: {1}", application.getName(), managementUrl);
|
||||
logger.debugv("session stats for application: {0} url: {1}", application.getName(), managementUrl);
|
||||
ClientRequest request = client.createRequest(UriBuilder.fromUri(managementUrl).path(AdapterConstants.K_GET_SESSION_STATS).build().toString());
|
||||
ClientResponse<SessionStats> response = null;
|
||||
try {
|
||||
|
@ -90,7 +90,7 @@ public class ResourceAdminManager {
|
|||
response.releaseConnection();
|
||||
}
|
||||
} else {
|
||||
logger.info("no management url.");
|
||||
logger.debug("no management url.");
|
||||
return null;
|
||||
}
|
||||
|
||||
|
@ -121,7 +121,7 @@ public class ResourceAdminManager {
|
|||
if (managementUrl != null) {
|
||||
UserStatsAction adminAction = new UserStatsAction(TokenIdGenerator.generateId(), Time.currentTime() + 30, application.getName(), user.getId());
|
||||
String token = new TokenManager().encodeToken(realm, adminAction);
|
||||
logger.infov("session stats for application: {0} url: {1}", application.getName(), managementUrl);
|
||||
logger.debugv("session stats for application: {0} url: {1}", application.getName(), managementUrl);
|
||||
ClientRequest request = client.createRequest(UriBuilder.fromUri(managementUrl).path(AdapterConstants.K_GET_USER_STATS).build().toString());
|
||||
ClientResponse<UserStats> response = null;
|
||||
try {
|
||||
|
@ -141,7 +141,7 @@ public class ResourceAdminManager {
|
|||
response.releaseConnection();
|
||||
}
|
||||
} else {
|
||||
logger.info("no management url.");
|
||||
logger.debug("no management url.");
|
||||
return null;
|
||||
}
|
||||
|
||||
|
@ -210,7 +210,7 @@ public class ResourceAdminManager {
|
|||
if (managementUrl != null) {
|
||||
LogoutAction adminAction = new LogoutAction(TokenIdGenerator.generateId(), Time.currentTime() + 30, resource.getName(), user, session, notBefore);
|
||||
String token = new TokenManager().encodeToken(realm, adminAction);
|
||||
logger.infov("logout user: {0} resource: {1} url: {2}", user, resource.getName(), managementUrl);
|
||||
logger.debugv("logout user: {0} resource: {1} url: {2}", user, resource.getName(), managementUrl);
|
||||
ClientRequest request = client.createRequest(UriBuilder.fromUri(managementUrl).path(AdapterConstants.K_LOGOUT).build().toString());
|
||||
ClientResponse response;
|
||||
try {
|
||||
|
@ -220,13 +220,13 @@ public class ResourceAdminManager {
|
|||
}
|
||||
try {
|
||||
boolean success = response.getStatus() == 204;
|
||||
logger.info("logout success.");
|
||||
logger.debug("logout success.");
|
||||
return success;
|
||||
} finally {
|
||||
response.releaseConnection();
|
||||
}
|
||||
} else {
|
||||
logger.info("Can't logout " + resource.getName() + " no mgmt url.");
|
||||
logger.debugv("Can't logout {0}: no management url", resource.getName());
|
||||
return false;
|
||||
}
|
||||
}
|
||||
|
@ -260,7 +260,7 @@ public class ResourceAdminManager {
|
|||
if (managementUrl != null) {
|
||||
PushNotBeforeAction adminAction = new PushNotBeforeAction(TokenIdGenerator.generateId(), Time.currentTime() + 30, resource.getName(), notBefore);
|
||||
String token = new TokenManager().encodeToken(realm, adminAction);
|
||||
logger.infov("pushRevocation resource: {0} url: {1}", resource.getName(), managementUrl);
|
||||
logger.debugv("pushRevocation resource: {0} url: {1}", resource.getName(), managementUrl);
|
||||
ClientRequest request = client.createRequest(UriBuilder.fromUri(managementUrl).path(AdapterConstants.K_PUSH_NOT_BEFORE).build().toString());
|
||||
ClientResponse response = null;
|
||||
try {
|
||||
|
@ -271,13 +271,13 @@ public class ResourceAdminManager {
|
|||
|
||||
try {
|
||||
boolean success = response.getStatus() == 204;
|
||||
logger.info("pushRevocation success.");
|
||||
logger.debug("pushRevocation success.");
|
||||
return success;
|
||||
} finally {
|
||||
response.releaseConnection();
|
||||
}
|
||||
} else {
|
||||
logger.info("no management URL for application: " + resource.getName());
|
||||
logger.debug("no management URL for application: " + resource.getName());
|
||||
return false;
|
||||
}
|
||||
|
||||
|
|
|
@ -586,7 +586,7 @@ public class AccountService {
|
|||
if (session.users().getSocialLinks(user, realm).size() > 1 || user.getFederationLink() != null) {
|
||||
session.users().removeSocialLink(realm, user, providerId);
|
||||
|
||||
logger.debug("Social provider " + providerId + " removed successfully from user " + user.getUsername());
|
||||
logger.debugv("Social provider {0} removed successfully from user {1}", providerId, user.getUsername());
|
||||
|
||||
audit.event(EventType.REMOVE_SOCIAL_LINK).client(auth.getClient()).user(auth.getUser())
|
||||
.detail(Details.USERNAME, link.getSocialUserId() + "@" + link.getSocialProvider())
|
||||
|
@ -603,9 +603,7 @@ public class AccountService {
|
|||
return account.setError(Messages.SOCIAL_LINK_NOT_ACTIVE).createResponse(AccountPages.SOCIAL);
|
||||
}
|
||||
default:
|
||||
// Shouldn't happen
|
||||
logger.warn("Action is null!");
|
||||
return null;
|
||||
throw new IllegalArgumentException();
|
||||
}
|
||||
}
|
||||
|
||||
|
|
|
@ -129,18 +129,17 @@ public class Cors {
|
|||
return builder.build();
|
||||
}
|
||||
public void build(HttpResponse response) {
|
||||
logger.info("build CORS");
|
||||
String origin = request.getHttpHeaders().getRequestHeaders().getFirst(ORIGIN_HEADER);
|
||||
if (origin == null) {
|
||||
logger.info("No origin returning");
|
||||
logger.debug("No origin returning");
|
||||
return;
|
||||
}
|
||||
|
||||
if (!preflight && (allowedOrigins == null || !allowedOrigins.contains(origin))) {
|
||||
logger.info("!preflight and no origin");
|
||||
logger.debug("!preflight and no origin");
|
||||
return;
|
||||
}
|
||||
logger.info("build CORS headers and return");
|
||||
logger.debug("build CORS headers and return");
|
||||
response.getOutputHeaders().add(ACCESS_CONTROL_ALLOW_ORIGIN, origin);
|
||||
|
||||
if (allowedMethods != null) {
|
||||
|
|
|
@ -92,10 +92,8 @@ public class RealmsResource {
|
|||
public String getLoginStatusIframe(final @PathParam("realm") String name,
|
||||
@QueryParam("client_id") String client_id,
|
||||
@QueryParam("origin") String origin) {
|
||||
logger.info("getLoginStatusIframe");
|
||||
AuthenticationManager auth = new AuthenticationManager();
|
||||
|
||||
//logger.info("getting login-status-iframe.html for client_id: " + client_id);
|
||||
RealmManager realmManager = new RealmManager(session);
|
||||
RealmModel realm = locateRealm(name, realmManager);
|
||||
ClientModel client = realm.findClient(client_id);
|
||||
|
|
|
@ -69,6 +69,7 @@ import java.util.concurrent.TimeUnit;
|
|||
* @author <a href="mailto:sthorger@redhat.com">Stian Thorgersen</a>
|
||||
*/
|
||||
public class RequiredActionsService {
|
||||
|
||||
protected static final Logger logger = Logger.getLogger(RequiredActionsService.class);
|
||||
|
||||
private RealmModel realm;
|
||||
|
@ -180,13 +181,10 @@ public class RequiredActionsService {
|
|||
@POST
|
||||
@Consumes(MediaType.APPLICATION_FORM_URLENCODED)
|
||||
public Response updatePassword(final MultivaluedMap<String, String> formData) {
|
||||
logger.debug("updatePassword");
|
||||
AccessCode accessCode = getAccessCodeEntry(RequiredAction.UPDATE_PASSWORD);
|
||||
if (accessCode == null) {
|
||||
logger.debug("updatePassword access code is null");
|
||||
return unauthorized();
|
||||
}
|
||||
logger.debug("updatePassword has access code");
|
||||
|
||||
UserModel user = getUser(accessCode);
|
||||
|
||||
|
@ -208,8 +206,6 @@ public class RequiredActionsService {
|
|||
return loginForms.setError(ape.getMessage()).createResponse(RequiredAction.UPDATE_PASSWORD);
|
||||
}
|
||||
|
||||
logger.debug("updatePassword updated credential");
|
||||
|
||||
user.removeRequiredAction(RequiredAction.UPDATE_PASSWORD);
|
||||
|
||||
audit.clone().event(EventType.UPDATE_PASSWORD).success();
|
||||
|
@ -306,7 +302,6 @@ public class RequiredActionsService {
|
|||
}
|
||||
|
||||
if (user == null) {
|
||||
logger.warn("Failed to send password reset email: user not found");
|
||||
audit.error(Errors.USER_NOT_FOUND);
|
||||
} else {
|
||||
UserSessionModel userSession = session.sessions().createUserSession(realm, user, username, clientConnection.getRemoteAddr(), "form", false);
|
||||
|
@ -337,19 +332,18 @@ public class RequiredActionsService {
|
|||
private AccessCode getAccessCodeEntry(RequiredAction requiredAction) {
|
||||
String code = uriInfo.getQueryParameters().getFirst(OAuth2Constants.CODE);
|
||||
if (code == null) {
|
||||
logger.debug("getAccessCodeEntry code as not in query param");
|
||||
logger.debug("Code query param not found");
|
||||
return null;
|
||||
}
|
||||
|
||||
AccessCode accessCode = AccessCode.parse(code, session, realm);
|
||||
if (accessCode == null) {
|
||||
logger.debug("getAccessCodeEntry access code entry null");
|
||||
logger.debug("Access code not found");
|
||||
return null;
|
||||
}
|
||||
|
||||
if (!accessCode.isValid(requiredAction)) {
|
||||
logger.debugv("getAccessCodeEntry: access code id: {0}", accessCode.getCodeId());
|
||||
logger.debugv("getAccessCodeEntry access code not valid");
|
||||
logger.debugv("Invalid access code");
|
||||
return null;
|
||||
}
|
||||
|
||||
|
@ -371,7 +365,7 @@ public class RequiredActionsService {
|
|||
return Flows.forms(session, realm, null, uriInfo).setAccessCode(accessCode.getCode()).setUser(user)
|
||||
.createResponse(requiredActions.iterator().next());
|
||||
} else {
|
||||
logger.debugv("redirectOauth: redirecting to: {0}", accessCode.getRedirectUri());
|
||||
logger.debugv("Redirecting to: {0}", accessCode.getRedirectUri());
|
||||
accessCode.setAction(ClientSessionModel.Action.CODE_TO_TOKEN);
|
||||
|
||||
AuthenticationManager authManager = new AuthenticationManager();
|
||||
|
|
|
@ -70,7 +70,6 @@ import javax.ws.rs.core.Response;
|
|||
import javax.ws.rs.core.UriBuilder;
|
||||
import javax.ws.rs.core.UriInfo;
|
||||
import java.io.IOException;
|
||||
import java.net.URI;
|
||||
import java.net.URISyntaxException;
|
||||
import java.util.HashMap;
|
||||
import java.util.List;
|
||||
|
@ -113,7 +112,7 @@ public class SocialResource {
|
|||
try {
|
||||
initialRequest = new JWSInput(encodedState).readJsonContent(State.class);
|
||||
} catch (Throwable t) {
|
||||
logger.warn("Invalid social callback", t);
|
||||
logger.error("Invalid social callback", t);
|
||||
return Flows.forms(session, null, null, uriInfo).setError("Unexpected callback").createErrorPage();
|
||||
}
|
||||
|
||||
|
@ -218,7 +217,7 @@ public class SocialResource {
|
|||
}
|
||||
|
||||
session.users().addSocialLink(realm, authenticatedUser, socialLink);
|
||||
logger.debug("Social provider " + provider.getId() + " linked with user " + authenticatedUser.getUsername());
|
||||
logger.debugv("Social provider {0} linked with user {1}", provider.getId(), authenticatedUser.getUsername());
|
||||
|
||||
audit.success();
|
||||
return Response.status(302).location(UriBuilder.fromUri(redirectUri).build()).build();
|
||||
|
@ -291,13 +290,11 @@ public class SocialResource {
|
|||
ClientModel client = realm.findClient(clientId);
|
||||
if (client == null) {
|
||||
audit.error(Errors.CLIENT_NOT_FOUND);
|
||||
logger.warn("Unknown login requester: " + clientId);
|
||||
return Flows.forms(session, realm, null, uriInfo).setError("Unknown login requester.").createErrorPage();
|
||||
}
|
||||
|
||||
if (!client.isEnabled()) {
|
||||
audit.error(Errors.CLIENT_DISABLED);
|
||||
logger.warn("Login requester not enabled.");
|
||||
return Flows.forms(session, realm, null, uriInfo).setError("Login requester not enabled.").createErrorPage();
|
||||
}
|
||||
redirectUri = TokenService.verifyRedirectUri(uriInfo, redirectUri, realm, client);
|
||||
|
|
|
@ -420,7 +420,6 @@ public class TokenService {
|
|||
@Produces(MediaType.APPLICATION_JSON)
|
||||
public Response refreshAccessToken(final @HeaderParam(HttpHeaders.AUTHORIZATION) String authorizationHeader,
|
||||
final MultivaluedMap<String, String> form) {
|
||||
logger.info("--> refreshAccessToken");
|
||||
if (!checkSsl()) {
|
||||
return createError("https_required", "HTTPS required", Response.Status.FORBIDDEN);
|
||||
}
|
||||
|
@ -434,7 +433,6 @@ public class TokenService {
|
|||
error.put(OAuth2Constants.ERROR, OAuthErrorException.INVALID_REQUEST);
|
||||
error.put(OAuth2Constants.ERROR_DESCRIPTION, "No refresh token");
|
||||
audit.error(Errors.INVALID_TOKEN);
|
||||
logger.error("OAuth Error: no refresh token");
|
||||
return Response.status(Response.Status.BAD_REQUEST).entity(error).type("application/json").build();
|
||||
}
|
||||
AccessToken accessToken;
|
||||
|
@ -445,7 +443,6 @@ public class TokenService {
|
|||
error.put(OAuth2Constants.ERROR, e.getError());
|
||||
if (e.getDescription() != null) error.put(OAuth2Constants.ERROR_DESCRIPTION, e.getDescription());
|
||||
audit.error(Errors.INVALID_TOKEN);
|
||||
logger.error("OAuth Error", e);
|
||||
return Response.status(Response.Status.BAD_REQUEST).entity(error).type("application/json").build();
|
||||
}
|
||||
|
||||
|
@ -475,13 +472,10 @@ public class TokenService {
|
|||
public Response processLogin(@QueryParam("client_id") final String clientId, @QueryParam("scope") final String scopeParam,
|
||||
@QueryParam("state") final String state, @QueryParam("redirect_uri") String redirect,
|
||||
final MultivaluedMap<String, String> formData) {
|
||||
logger.debug("TokenService.processLogin");
|
||||
|
||||
String username = formData.getFirst(AuthenticationManager.FORM_USERNAME);
|
||||
|
||||
String rememberMe = formData.getFirst("rememberMe");
|
||||
boolean remember = rememberMe != null && rememberMe.equalsIgnoreCase("on");
|
||||
logger.debug("*** Remember me: " + remember);
|
||||
|
||||
audit.event(EventType.LOGIN).client(clientId)
|
||||
.detail(Details.REDIRECT_URI, redirect)
|
||||
|
@ -600,19 +594,16 @@ public class TokenService {
|
|||
OAuthFlows oauth = Flows.oauth(session, realm, request, uriInfo, clientConnection, authManager, tokenManager);
|
||||
|
||||
if (!realm.isEnabled()) {
|
||||
logger.warn("Realm not enabled");
|
||||
audit.error(Errors.REALM_DISABLED);
|
||||
return oauth.forwardToSecurityFailure("Realm not enabled");
|
||||
}
|
||||
ClientModel client = realm.findClient(clientId);
|
||||
if (client == null) {
|
||||
logger.warn("Unknown login requester.");
|
||||
audit.error(Errors.CLIENT_NOT_FOUND);
|
||||
return oauth.forwardToSecurityFailure("Unknown login requester.");
|
||||
}
|
||||
|
||||
if (!client.isEnabled()) {
|
||||
logger.warn("Login requester not enabled.");
|
||||
audit.error(Errors.CLIENT_DISABLED);
|
||||
return oauth.forwardToSecurityFailure("Login requester not enabled.");
|
||||
}
|
||||
|
@ -624,7 +615,6 @@ public class TokenService {
|
|||
}
|
||||
|
||||
if (!realm.isRegistrationAllowed()) {
|
||||
logger.warn("Registration not allowed");
|
||||
audit.error(Errors.REGISTRATION_DISABLED);
|
||||
return oauth.forwardToSecurityFailure("Registration not allowed");
|
||||
}
|
||||
|
@ -695,7 +685,9 @@ public class TokenService {
|
|||
@OPTIONS
|
||||
@Produces("application/json")
|
||||
public Response accessCodeToTokenPreflight() {
|
||||
logger.debugv("cors request from: {0}" , request.getHttpHeaders().getRequestHeaders().getFirst("Origin"));
|
||||
if (logger.isDebugEnabled()) {
|
||||
logger.debugv("cors request from: {0}", request.getHttpHeaders().getRequestHeaders().getFirst("Origin"));
|
||||
}
|
||||
return Cors.add(request, Response.ok()).auth().preflight().build();
|
||||
}
|
||||
|
||||
|
@ -712,8 +704,6 @@ public class TokenService {
|
|||
@POST
|
||||
@Produces("application/json")
|
||||
public Response accessCodeToToken(@HeaderParam(HttpHeaders.AUTHORIZATION) String authorizationHeader, final MultivaluedMap<String, String> formData) {
|
||||
logger.debug("accessRequest <---");
|
||||
|
||||
if (!checkSsl()) {
|
||||
throw new ForbiddenException("HTTPS required");
|
||||
}
|
||||
|
@ -806,8 +796,6 @@ public class TokenService {
|
|||
.build();
|
||||
}
|
||||
|
||||
logger.debug("accessRequest SUCCESS");
|
||||
|
||||
AccessToken token = tokenManager.createClientAccessToken(accessCode.getRequestedRoles(), realm, client, user, userSession);
|
||||
|
||||
try {
|
||||
|
@ -841,7 +829,6 @@ public class TokenService {
|
|||
client_id = usernameSecret[0];
|
||||
clientSecret = usernameSecret[1];
|
||||
} else {
|
||||
logger.info("no authorization header");
|
||||
client_id = formData.getFirst(OAuth2Constants.CLIENT_ID);
|
||||
clientSecret = formData.getFirst("client_secret");
|
||||
}
|
||||
|
@ -911,8 +898,6 @@ public class TokenService {
|
|||
@QueryParam("redirect_uri") String redirect, final @QueryParam("client_id") String clientId,
|
||||
final @QueryParam("scope") String scopeParam, final @QueryParam("state") String state, final @QueryParam("prompt") String prompt,
|
||||
final @QueryParam("login_hint") String loginHint) {
|
||||
logger.info("TokenService.loginPage");
|
||||
|
||||
audit.event(EventType.LOGIN).client(clientId).detail(Details.REDIRECT_URI, redirect).detail(Details.RESPONSE_TYPE, "code");
|
||||
|
||||
OAuthFlows oauth = Flows.oauth(session, realm, request, uriInfo, clientConnection, authManager, tokenManager);
|
||||
|
@ -922,19 +907,16 @@ public class TokenService {
|
|||
}
|
||||
|
||||
if (!realm.isEnabled()) {
|
||||
logger.warn("Realm not enabled");
|
||||
audit.error(Errors.REALM_DISABLED);
|
||||
return oauth.forwardToSecurityFailure("Realm not enabled");
|
||||
}
|
||||
ClientModel client = realm.findClient(clientId);
|
||||
if (client == null) {
|
||||
logger.warn("Unknown login requester: " + clientId);
|
||||
audit.error(Errors.CLIENT_NOT_FOUND);
|
||||
return oauth.forwardToSecurityFailure("Unknown login requester.");
|
||||
}
|
||||
|
||||
if (!client.isEnabled()) {
|
||||
logger.warn("Login requester not enabled.");
|
||||
audit.error(Errors.CLIENT_DISABLED);
|
||||
return oauth.forwardToSecurityFailure("Login requester not enabled.");
|
||||
}
|
||||
|
@ -952,13 +934,11 @@ public class TokenService {
|
|||
return oauth.forwardToSecurityFailure("Invalid redirect_uri.");
|
||||
}
|
||||
|
||||
logger.info("Checking cookie...");
|
||||
AuthenticationManager.AuthResult authResult = authManager.authenticateIdentityCookie(session, realm, uriInfo, clientConnection, headers);
|
||||
if (authResult != null) {
|
||||
UserModel user = authResult.getUser();
|
||||
UserSessionModel session = authResult.getSession();
|
||||
|
||||
logger.debug(user.getUsername() + " already logged in.");
|
||||
audit.user(user).session(session).detail(Details.AUTH_METHOD, "sso");
|
||||
return oauth.processAccessCode(scopeParam, state, redirect, client, user, session, audit);
|
||||
}
|
||||
|
@ -994,8 +974,6 @@ public class TokenService {
|
|||
public Response registerPage(final @QueryParam("response_type") String responseType,
|
||||
@QueryParam("redirect_uri") String redirect, final @QueryParam("client_id") String clientId,
|
||||
final @QueryParam("scope") String scopeParam, final @QueryParam("state") String state) {
|
||||
logger.info("**********registerPage()");
|
||||
|
||||
audit.event(EventType.REGISTER).client(clientId).detail(Details.REDIRECT_URI, redirect).detail(Details.RESPONSE_TYPE, "code");
|
||||
|
||||
OAuthFlows oauth = Flows.oauth(session, realm, request, uriInfo, clientConnection, authManager, tokenManager);
|
||||
|
@ -1005,19 +983,16 @@ public class TokenService {
|
|||
}
|
||||
|
||||
if (!realm.isEnabled()) {
|
||||
logger.warn("Realm not enabled");
|
||||
audit.error(Errors.REALM_DISABLED);
|
||||
return oauth.forwardToSecurityFailure("Realm not enabled");
|
||||
}
|
||||
ClientModel client = realm.findClient(clientId);
|
||||
if (client == null) {
|
||||
logger.warn("Unknown login requester.");
|
||||
audit.error(Errors.CLIENT_NOT_FOUND);
|
||||
return oauth.forwardToSecurityFailure("Unknown login requester.");
|
||||
}
|
||||
|
||||
if (!client.isEnabled()) {
|
||||
logger.warn("Login requester not enabled.");
|
||||
audit.error(Errors.CLIENT_DISABLED);
|
||||
return oauth.forwardToSecurityFailure("Login requester not enabled.");
|
||||
}
|
||||
|
@ -1029,7 +1004,6 @@ public class TokenService {
|
|||
}
|
||||
|
||||
if (!realm.isRegistrationAllowed()) {
|
||||
logger.warn("Registration not allowed");
|
||||
audit.error(Errors.REGISTRATION_DISABLED);
|
||||
return oauth.forwardToSecurityFailure("Registration not allowed");
|
||||
}
|
||||
|
@ -1092,7 +1066,6 @@ public class TokenService {
|
|||
@Consumes(MediaType.APPLICATION_FORM_URLENCODED)
|
||||
public Response logoutToken(final @HeaderParam(HttpHeaders.AUTHORIZATION) String authorizationHeader,
|
||||
final MultivaluedMap<String, String> form) {
|
||||
logger.info("--> logoutToken");
|
||||
if (!checkSsl()) {
|
||||
throw new NotAcceptableException("HTTPS required");
|
||||
}
|
||||
|
@ -1106,7 +1079,6 @@ public class TokenService {
|
|||
error.put(OAuth2Constants.ERROR, OAuthErrorException.INVALID_REQUEST);
|
||||
error.put(OAuth2Constants.ERROR_DESCRIPTION, "No refresh token");
|
||||
audit.error(Errors.INVALID_TOKEN);
|
||||
logger.error("OAuth Error: no refresh token");
|
||||
return Response.status(Response.Status.BAD_REQUEST).entity(error).type("application/json").build();
|
||||
}
|
||||
try {
|
||||
|
@ -1120,7 +1092,6 @@ public class TokenService {
|
|||
error.put(OAuth2Constants.ERROR, e.getError());
|
||||
if (e.getDescription() != null) error.put(OAuth2Constants.ERROR_DESCRIPTION, e.getDescription());
|
||||
audit.error(Errors.INVALID_TOKEN);
|
||||
logger.error("OAuth Error", e);
|
||||
return Response.status(Response.Status.BAD_REQUEST).entity(error).type("application/json").build();
|
||||
}
|
||||
return Cors.add(request, Response.noContent()).auth().allowedOrigins(client).allowedMethods("POST").exposedHeaders(Cors.ACCESS_CONTROL_ALLOW_METHODS).build();
|
||||
|
@ -1263,13 +1234,12 @@ public class TokenService {
|
|||
}
|
||||
redirectUri = validRedirect;
|
||||
} else if (validRedirects.isEmpty()) {
|
||||
logger.error("No Redirect URIs supplied");
|
||||
logger.debug("No Redirect URIs supplied");
|
||||
redirectUri = null;
|
||||
} else {
|
||||
String r = redirectUri.indexOf('?') != -1 ? redirectUri.substring(0, redirectUri.indexOf('?')) : redirectUri;
|
||||
Set<String> resolveValidRedirects = resolveValidRedirects(uriInfo, validRedirects);
|
||||
|
||||
|
||||
boolean valid = matchesRedirects(resolveValidRedirects, r);
|
||||
|
||||
if (!valid && r.startsWith(Constants.INSTALLED_APP_URL) && r.indexOf(':', Constants.INSTALLED_APP_URL.length()) >= 0) {
|
||||
|
|
|
@ -200,11 +200,11 @@ public class AdminConsole {
|
|||
throw new NotFoundException("No realm found");
|
||||
boolean createRealm = false;
|
||||
if (realm.equals(masterRealm)) {
|
||||
logger.info("setting up realm access for a master realm user");
|
||||
logger.debug("setting up realm access for a master realm user");
|
||||
createRealm = user.hasRole(masterRealm.getRole(AdminRoles.CREATE_REALM));
|
||||
addMasterRealmAccess(realm, user, realmAccess);
|
||||
} else {
|
||||
logger.info("setting up realm access for a realm user");
|
||||
logger.debug("setting up realm access for a realm user");
|
||||
addRealmAccess(realm, user, realmAccess);
|
||||
}
|
||||
if (realmAccess.size() == 0) {
|
||||
|
@ -290,7 +290,6 @@ public class AdminConsole {
|
|||
@Path("js/keycloak.js")
|
||||
@Produces("text/javascript")
|
||||
public Response getKeycloakJs() {
|
||||
//logger.info("**** -> getting console keycloak.js" + " uri: " + uriInfo.getRequestUri().toString());
|
||||
InputStream inputStream = getClass().getClassLoader().getResourceAsStream("keycloak.js");
|
||||
if (inputStream != null) {
|
||||
return Response.ok(inputStream).build();
|
||||
|
|
|
@ -179,14 +179,14 @@ public class AdminRoot {
|
|||
@Path("realms")
|
||||
public RealmsAdminResource getRealmsAdmin(@Context final HttpHeaders headers) {
|
||||
if (request.getHttpMethod().equalsIgnoreCase("OPTIONS")) {
|
||||
logger.info("*** CORS ADMIN PREFLIGHT!!!!");
|
||||
logger.debug("Cors admin pre-flight");
|
||||
Response response = Cors.add(request, Response.ok()).preflight().allowedMethods("GET", "PUT", "POST", "DELETE").auth().build();
|
||||
throw new WebApplicationException(response);
|
||||
}
|
||||
|
||||
AdminAuth auth = authenticateRealmAdminRequest(headers);
|
||||
if (auth != null) {
|
||||
logger.info("authenticated admin access for: " + auth.getUser().getUsername());
|
||||
logger.debug("authenticated admin access for: " + auth.getUser().getUsername());
|
||||
}
|
||||
|
||||
Cors.add(request).allowedOrigins(auth.getToken()).allowedMethods("GET", "PUT", "POST", "DELETE").auth().build(response);
|
||||
|
|
|
@ -7,4 +7,5 @@ log4j.appender.stdout.layout.ConversionPattern=%d{HH:mm:ss,SSS} %-5p [%c] %m%n
|
|||
log4j.logger.org.keycloak=info
|
||||
|
||||
log4j.logger.org.xnio=off
|
||||
log4j.logger.org.hibernate=info
|
||||
log4j.logger.org.hibernate=off
|
||||
log4j.logger.org.jboss.resteasy=warn
|
|
@ -32,11 +32,11 @@ public class BasicTimerProvider implements TimerProvider {
|
|||
|
||||
TimerTask existingTask = factory.putTask(taskName, task);
|
||||
if (existingTask != null) {
|
||||
logger.infof("Existing timer task '%s' found. Cancelling it", taskName);
|
||||
logger.debugf("Existing timer task '%s' found. Cancelling it", taskName);
|
||||
existingTask.cancel();
|
||||
}
|
||||
|
||||
logger.infof("Starting task '%s' with interval '%d'", taskName, interval);
|
||||
logger.debugf("Starting task '%s' with interval '%d'", taskName, interval);
|
||||
timer.schedule(task, interval, interval);
|
||||
}
|
||||
|
||||
|
@ -44,7 +44,7 @@ public class BasicTimerProvider implements TimerProvider {
|
|||
public void cancelTask(String taskName) {
|
||||
TimerTask existingTask = factory.removeTask(taskName);
|
||||
if (existingTask != null) {
|
||||
logger.infof("Cancelling task '%s'", taskName);
|
||||
logger.debugf("Cancelling task '%s'", taskName);
|
||||
existingTask.cancel();
|
||||
}
|
||||
}
|
||||
|
|
Loading…
Reference in a new issue