Merge pull request #2326 from stianst/KEYCLOAK-2592

Keycloak 2592
2016-03-07 06:12:17 +01:00 · 2016-03-07 06:12:17 +01:00 · 4f047565fb
commit 4f047565fb
parent b709ca96b1 57b6ddbace
3 changed files with 12 additions and 3 deletions
--- a/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/OAuthRequestAuthenticator.java
+++ b/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/OAuthRequestAuthenticator.java
@ -206,7 +206,7 @@ public class OAuthRequestAuthenticator {
                tokenStore.saveRequest();
                log.debug("Sending redirect to login page: " + redirect);
                exchange.getResponse().setStatus(302);
-                exchange.getResponse().setCookie(deployment.getStateCookieName(), state, /* need to set path? */ null, null, -1, deployment.getSslRequired().isRequired(facade.getRequest().getRemoteAddr()), false);
+                exchange.getResponse().setCookie(deployment.getStateCookieName(), state, /* need to set path? */ null, null, -1, deployment.getSslRequired().isRequired(facade.getRequest().getRemoteAddr()), true);
                exchange.getResponse().setHeader("Location", redirect);
                return true;
            }
--- a/core/src/main/java/org/keycloak/AbstractOAuthClient.java
+++ b/core/src/main/java/org/keycloak/AbstractOAuthClient.java
@ -110,6 +110,14 @@ public class AbstractOAuthClient {
        this.publicClient = publicClient;
    }

+    public boolean isSecure() {
+        return isSecure;
+    }
+
+    public void setSecure(boolean secure) {
+        isSecure = secure;
+    }
+
    public RelativeUrlsUsed getRelativeUrlsUsed() {
        return relativeUrlsUsed;
    }
--- a/services/src/main/java/org/keycloak/services/resources/AbstractSecuredLocalService.java
+++ b/services/src/main/java/org/keycloak/services/resources/AbstractSecuredLocalService.java
@ -177,6 +177,8 @@ public abstract class AbstractSecuredLocalService {

        oauth.setClientId(client.getClientId());

+        oauth.setSecure(realm.getSslRequired().isRequired(clientConnection));
+
        UriBuilder uriBuilder = UriBuilder.fromUri(getBaseRedirectUri()).path("login-redirect");

        if (path != null) {
@ -247,8 +249,7 @@ public abstract class AbstractSecuredLocalService {

            URI url = uriBuilder.build();

-            // todo httpOnly!
-            NewCookie cookie = new NewCookie(getStateCookieName(), state, getStateCookiePath(uriInfo), null, null, -1, isSecure);
+            NewCookie cookie = new NewCookie(getStateCookieName(), state, getStateCookiePath(uriInfo), null, null, -1, isSecure, true);
            logger.debug("NewCookie: " + cookie.toString());
            logger.debug("Oauth Redirect to: " + url);
            return Response.status(302)