diff --git a/services/src/main/java/org/keycloak/services/resources/RequiredActionsService.java b/services/src/main/java/org/keycloak/services/resources/RequiredActionsService.java
index 2b9526c9f6..9ce4f94689 100755
--- a/services/src/main/java/org/keycloak/services/resources/RequiredActionsService.java
+++ b/services/src/main/java/org/keycloak/services/resources/RequiredActionsService.java
@@ -90,7 +90,7 @@ public class RequiredActionsService {
 public Response updateProfile(final MultivaluedMap formData) {
 AccessCodeEntry accessCode = getAccessCodeEntry(RequiredAction.UPDATE_PROFILE);
 if (accessCode == null) {
- return forwardToErrorPage();
+ return unauthorized();
 }
 UserModel user = getUser(accessCode);
@@ -116,7 +116,7 @@ public class RequiredActionsService {
 public Response updateTotp(final MultivaluedMap formData) {
 AccessCodeEntry accessCode = getAccessCodeEntry(RequiredAction.CONFIGURE_TOTP);
 if (accessCode == null) {
- return forwardToErrorPage();
+ return unauthorized();
 }
 UserModel user = getUser(accessCode);
@@ -152,7 +152,7 @@ public class RequiredActionsService {
 AccessCodeEntry accessCode = getAccessCodeEntry(RequiredAction.UPDATE_PASSWORD);
 if (accessCode == null) {
 logger.debug("updatePassword access code is null");
- return forwardToErrorPage();
+ return unauthorized();
 }
 logger.debug("updatePassword has access code");
@@ -196,7 +196,7 @@ public class RequiredActionsService {
 AccessCodeEntry accessCode = tokenManager.getAccessCode(uriInfo.getQueryParameters().getFirst("key"));
 if (accessCode == null || accessCode.isExpired() || !accessCode.getRequiredActions().contains(RequiredAction.VERIFY_EMAIL)) {
- return forwardToErrorPage();
+ return unauthorized();
 }
 UserModel user = getUser(accessCode);
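Review bot: The rejection branch `if (accessCode == null || accessCode.isExpired() || !accessCode.getRequiredActions().contains(RequiredAction.VERIFY_EMAIL))` in the -196 hunk returns `unauthorized()` without leaving any trace, whereas the -152 hunk logs the null-code case at debug before returning. A debug line before the return, e.g. `logger.debug("access code missing, expired or not issued for VERIFY_EMAIL");`, keeps these rejections diagnosable without echoing the `key` query value into the log. The same applies to the otherwise identical check in the -224 hunk of this file. The enclosing methods start before and continue after these hunks, so I cannot see whether a surrounding layer already records the rejection.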
@@ -209,7 +209,7 @@ public class RequiredActionsService {
 } else {
 AccessCodeEntry accessCode = getAccessCodeEntry(RequiredAction.VERIFY_EMAIL);
 if (accessCode == null) {
- return forwardToErrorPage();
+ return unauthorized();
 }
 return Flows.forms(realm, request, uriInfo).setAccessCode(accessCode).setUser(accessCode.getUser())
@@ -224,7 +224,7 @@ public class RequiredActionsService {
 AccessCodeEntry accessCode = tokenManager.getAccessCode(uriInfo.getQueryParameters().getFirst("key"));
 if (accessCode == null || accessCode.isExpired() || !accessCode.getRequiredActions().contains(RequiredAction.UPDATE_PASSWORD)) {
- return forwardToErrorPage();
+ return unauthorized();
 }
 return Flows.forms(realm, request, uriInfo).setAccessCode(accessCode).forwardToAction(RequiredAction.UPDATE_PASSWORD);
 } else {
@@ -378,8 +378,8 @@ public class RequiredActionsService {
 }
 }
- private Response forwardToErrorPage() {
- return Flows.forms(realm, request, uriInfo).forwardToErrorPage();
+ private Response unauthorized() {
+ return Flows.forms(realm, request, uriInfo).setError("Unauthorized request").forwardToErrorPage();
 }
 }
diff --git a/services/src/main/java/org/keycloak/services/resources/TokenService.java b/services/src/main/java/org/keycloak/services/resources/TokenService.java
index b40e10e0f7..a9cdb62891 100755
--- a/services/src/main/java/org/keycloak/services/resources/TokenService.java
+++ b/services/src/main/java/org/keycloak/services/resources/TokenService.java
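Review bot: `unauthorized()` in the -378 hunk ends in `forwardToErrorPage()`, which the FormFlows -201 hunk of this same commit pins to `Response.Status.INTERNAL_SERVER_ERROR`, so every missing, expired or mismatched access code at the seven call sites above is now answered with a 500. That misreports an authorization failure as a server fault, which skews error-rate monitoring and hides these rejections among genuine crashes. Since FormFlows now exposes `forwardToForm(String template, Response.Status status)`, an overload `public Response forwardToErrorPage(Response.Status status) { return forwardToForm(Pages.ERROR, status); }` would let this method end in `.setError("Unauthorized request").forwardToErrorPage(Response.Status.FORBIDDEN);` (or UNAUTHORIZED) while the no-argument form keeps its 500 for real failures. Whether the message set by setError reaches the new two-argument forwardToForm I cannot confirm from here; the -153 hunk suggests it builds the bean from the same `message` field as the one-argument form.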
@@ -489,23 +489,17 @@ public class TokenService {
 if (!realm.isEnabled()) {
 logger.warn("Realm not enabled");
- oauth.forwardToSecurityFailure("Realm not enabled");
- return null;
+ return oauth.forwardToSecurityFailure("Realm not enabled");
 }
 UserModel client = realm.getUser(clientId);
 if (client == null) {
 logger.warn("Unknown login requester: " + clientId);
- oauth.forwardToSecurityFailure("Unknown login requester.");
- transaction.rollback();
- return null;
+ return oauth.forwardToSecurityFailure("Unknown login requester.");
 }
 if (!client.isEnabled()) {
 logger.warn("Login requester not enabled.");
- oauth.forwardToSecurityFailure("Login requester not enabled.");
- transaction.rollback();
- session.close();
- return null;
+ return oauth.forwardToSecurityFailure("Login requester not enabled.");
 }
 redirect = verifyRedirectUri(redirect, client);
 if (redirect == null) {
@@ -518,10 +512,7 @@ public class TokenService {
 boolean isResource = realm.hasRole(client, resourceRole);
 if (!isResource && !realm.hasRole(client, identityRequestRole)) {
 logger.warn("Login requester not allowed to request login.");
- oauth.forwardToSecurityFailure("Login requester not allowed to request login.");
- transaction.rollback();
- session.close();
- return null;
+ return oauth.forwardToSecurityFailure("Login requester not allowed to request login.");
 }
 logger.info("Checking cookie...");
 UserModel user = authManager.authenticateIdentityCookie(realm, uriInfo, headers);
diff --git a/services/src/main/java/org/keycloak/services/resources/flows/FormFlows.java b/services/src/main/java/org/keycloak/services/resources/flows/FormFlows.java
index 20594097f4..f55b7fb2cc 100755
--- a/services/src/main/java/org/keycloak/services/resources/flows/FormFlows.java
+++ b/services/src/main/java/org/keycloak/services/resources/flows/FormFlows.java
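Review bot: The early returns in the -489 hunk (and the one in the -518 hunk) drop the `transaction.rollback()` and `session.close()` calls that the removed lines performed, and nothing visible in the new lines or around `oauth.forwardToSecurityFailure(...)` takes over that cleanup. If no outer filter or `finally` in the enclosing method handles it, an unknown or disabled client now leaves the transaction and session open on every failure path; the old code was already inconsistent about this (the realm-disabled branch never rolled back, the unknown-client branch rolled back without closing), which hints that cleanup may be centralised, but that should be confirmed rather than assumed. If it is handled elsewhere, a comment above the first `return oauth.forwardToSecurityFailure(...)` such as `// rollback and session close are done by the enclosing request lifecycle, not here` would stop the next reader from re-adding them. Separately, `"Unknown login requester: " + clientId` writes a request-controlled value into the log unchanged; stripping line breaks or quoting it would keep a crafted client identifier from forging log lines. The enclosing method starts before and ends after both hunks.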
@@ -105,7 +105,7 @@ public class FormFlows {
 return forwardToForm(Pages.ACCOUNT);
 }
- private Response forwardToForm(String template, FormService.FormServiceDataBean formDataBean) {
+ private Response forwardToForm(String template, FormService.FormServiceDataBean formDataBean, Response.Status status) {
 // Getting URI needed by form processing service
 ResteasyUriInfo uriInfo = request.getUri();
@@ -142,10 +142,10 @@ public class FormFlows {
 while (itr.hasNext()) {
 FormService provider = itr.next();
 if (provider.getId().equals("FormServiceId"))
- return Response.status(200).type(MediaType.TEXT_HTML).entity(provider.process(template, formDataBean)).build();
+ return Response.status(status).type(MediaType.TEXT_HTML).entity(provider.process(template, formDataBean)).build();
 }
- return Response.status(200).entity("form provider not found").build();
+ return Response.status(status).entity("form provider not found").build();
 }
 public Response forwardToForm(String template) {
@@ -153,7 +153,15 @@ public class FormFlows {
 FormService.FormServiceDataBean formDataBean = new FormService.FormServiceDataBean(realm, userModel, formData, queryParams, message);
 formDataBean.setMessageType(messageType);
- return forwardToForm(template, formDataBean);
+ return forwardToForm(template, formDataBean, Response.Status.OK);
+ }
+
+ public Response forwardToForm(String template, Response.Status status) {
+
+ FormService.FormServiceDataBean formDataBean = new FormService.FormServiceDataBean(realm, userModel, formData, queryParams, message);
+ formDataBean.setMessageType(messageType);
+
+ return forwardToForm(template, formDataBean, status);
 }
 private Response forwardToActionForm(String template, String warningSummary) {
@@ -201,7 +209,7 @@ public class FormFlows {
 }
 public Response forwardToErrorPage() {
- return forwardToForm(Pages.ERROR);
+ return forwardToForm(Pages.ERROR, Response.Status.INTERNAL_SERVER_ERROR);
 }
 public Response forwardToOAuthGrant(){
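Review bot: The fallback `return Response.status(status).entity("form provider not found").build();` in the -142 hunk now reports whatever status the caller asked for, so a missing FormService provider — a server-side misconfiguration — goes out as 200 OK for every form rendered through the one-argument overload. The status parameter only makes sense for the successfully rendered page; the not-found path should stay fixed at `return Response.status(Response.Status.INTERNAL_SERVER_ERROR).entity("form provider not found").build();` so the misconfiguration is visible in monitoring. The private forwardToForm begins in the -105 hunk and its body runs between the two hunks, outside my view.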
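Review bot: The new `forwardToForm(String template, Response.Status status)` in the -153 hunk duplicates the bean construction of the one-argument overload line for line, and as a new public method it carries no Javadoc saying when a caller should pick a status other than OK. Make the one-argument form delegate instead, `public Response forwardToForm(String template) { return forwardToForm(template, Response.Status.OK); }`, so the bean is built in one place, and add a one-line Javadoc on the two-argument overload stating that `status` is the HTTP status of the rendered form response.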
@@ -214,7 +222,7 @@ public class FormFlows {
 formDataBean.setOAuthCode((String)request.getAttribute("code"));
 formDataBean.setOAuthAction((String)request.getAttribute("action"));
- return forwardToForm(Pages.OAUTH_GRANT, formDataBean);
+ return forwardToForm(Pages.OAUTH_GRANT, formDataBean, Response.Status.OK);
 }
 public FormFlows setAccessCode(AccessCodeEntry accessCode) {