Merge remote-tracking branch 'upstream/master'

.travis.yml

@@ -1,5 +1,8 @@
 language: java
 
+jdk:
+  - oraclejdk8
+
 cache:
     directories:
         - $HOME/.m2
@@ -7,4 +10,10 @@ cache:
 before_cache:
   - rm -rf $HOME/.m2/repository/org/keycloak
 
+install: mvn install -Pdistribution -DskipTests=true -B -V
+
+script:
+  - mvn test -B
+  - mvn -file testsuite/integration-arquillian test -B
+
 sudo: false

distribution/adapters/as7-eap6-adapter/as7-adapter-zip/assembly.xml

@@ -27,4 +27,10 @@
             <outputDirectory>modules</outputDirectory>
         </fileSet>
     </fileSets>
+    <files>
+        <file>
+             <source>../../shared-cli/adapter-install.cli</source>
+             <outputDirectory>bin</outputDirectory>
+        </file>
+    </files>
 </assembly>

distribution/adapters/as7-eap6-adapter/eap6-adapter-zip/assembly.xml

@@ -27,4 +27,10 @@
             <outputDirectory>modules/system/layers/base</outputDirectory>
         </fileSet>
     </fileSets>
+    <files>
+        <file>
+             <source>../../shared-cli/adapter-install.cli</source>
+             <outputDirectory>bin</outputDirectory>
+        </file>
+    </files>
 </assembly>

distribution/adapters/shared-cli/adapter-install.cli

@@ -0,0 +1,4 @@
+/subsystem=security/security-domain=keycloak/:add
+/subsystem=security/security-domain=keycloak/authentication=classic/:add(login-modules=[{ "code" => "org.keycloak.adapters.jboss.KeycloakLoginModule","flag" => "required"}])
+/extension=org.keycloak.keycloak-adapter-subsystem/:add(module=org.keycloak.keycloak-adapter-subsystem)
+/subsystem=keycloak:add

distribution/adapters/wf8-adapter/wf8-adapter-zip/assembly.xml

@@ -28,4 +28,10 @@
             <outputDirectory>modules/system/layers/base</outputDirectory>
         </fileSet>
     </fileSets>
+    <files>
+        <file>
+             <source>../../shared-cli/adapter-install.cli</source>
+             <outputDirectory>bin</outputDirectory>
+        </file>
+    </files>
 </assembly>

distribution/adapters/wf9-adapter/wf9-adapter-zip/assembly.xml

@@ -27,4 +27,10 @@
             <outputDirectory>modules/system/layers/base</outputDirectory>
         </fileSet>
     </fileSets>
+    <files>
+        <file>
+             <source>../../shared-cli/adapter-install.cli</source>
+             <outputDirectory>bin</outputDirectory>
+        </file>
+    </files>
 </assembly>

distribution/server-overlay/eap6/eap6-server-overlay/assembly.xml

@@ -40,6 +40,14 @@
             <source>src/main/providers/README.txt</source>
             <outputDirectory>standalone/configuration/providers</outputDirectory>
         </file>
+        <file>
+            <source>cli/keycloak-prepare.cli</source>
+            <outputDirectory>bin</outputDirectory>
+        </file>
+        <file>
+            <source>cli/keycloak-install.cli</source>
+            <outputDirectory>bin</outputDirectory>
+        </file>
     </files>
 
 </assembly>

distribution/server-overlay/eap6/eap6-server-overlay/cli/keycloak-install.cli

@@ -0,0 +1,2 @@
+/extension=org.keycloak.keycloak-server-subsystem/:add(module=org.keycloak.keycloak-server-subsystem)
+/subsystem=keycloak-server:add(web-context=auth)

distribution/server-overlay/eap6/eap6-server-overlay/cli/keycloak-prepare.cli

@@ -0,0 +1,2 @@
+/subsystem=datasources/data-source=KeycloakDS/:add(connection-url="jdbc:h2:${jboss.server.data.dir}/keycloak;AUTO_SERVER=TRUE",driver-name=h2,jndi-name=java:jboss/datasources/KeycloakDS,password=sa,user-name=sa,use-java-context=true,enabled=true)
+/subsystem=logging/logger=org.jboss.resteasy.resteasy_jaxrs.i18n/:add(level=ERROR)

distribution/server-overlay/eap6/eap6-server-overlay/src/main/xslt/standalone.xsl

@@ -44,22 +44,6 @@
         </xsl:copy>
     </xsl:template>
 
-    <xsl:template match="//sec:security-domains">
-        <xsl:copy>
-            <xsl:apply-templates select="node()[name(.)='security-domain']"/>
-            <security-domain name="keycloak">
-                <authentication>
-                    <login-module code="org.keycloak.adapters.jboss.KeycloakLoginModule" flag="required"/>
-                </authentication>
-            </security-domain>
-            <security-domain name="sp" cache-type="default">
-                <authentication>
-                    <login-module code="org.picketlink.identity.federation.bindings.wildfly.SAML2LoginModule" flag="required"/>
-                </authentication>
-            </security-domain>
-        </xsl:copy>
-    </xsl:template>
-
     <xsl:template match="//*[local-name()='subsystem' and starts-with(namespace-uri(), $log)]">
         <xsl:copy>
             <xsl:apply-templates select="node()|@*"/>

distribution/server-overlay/wf9-server-overlay/assembly.xml

@@ -62,6 +62,10 @@
             <source>${project.build.directory}/unpacked/keycloak-${project.version}/standalone/configuration/keycloak-server.json</source>
             <outputDirectory>standalone/configuration</outputDirectory>
         </file>
+        <file>
+            <source>cli/keycloak-install.cli</source>
+            <outputDirectory>bin</outputDirectory>
+        </file>
     </files>
 
 </assembly>

distribution/server-overlay/wf9-server-overlay/cli/keycloak-install.cli

@@ -0,0 +1,3 @@
+/subsystem=datasources/data-source=KeycloakDS/:add(connection-url="jdbc:h2:${jboss.server.data.dir}/keycloak;AUTO_SERVER=TRUE",driver-name=h2,jndi-name=java:jboss/datasources/KeycloakDS,password=sa,user-name=sa,use-java-context=true)
+/extension=org.keycloak.keycloak-server-subsystem/:add(module=org.keycloak.keycloak-server-subsystem)
+/subsystem=keycloak-server:add(web-context=auth)

docbook/reference/en/en-US/modules/jboss-adapter.xml

@@ -48,6 +48,15 @@ $ unzip keycloak-as7-adapter-dist.zip
         After adding the Keycloak modules, you must then enable the Keycloak Subsystem within your app server's server configuration:
         <literal>domain.xml</literal> or <literal>standalone.xml</literal>.
     </para>
+    <para>
+        There is a CLI script that will help you modify your server configuration.  Start the server and run the script 
+        from the server's bin directory:
+<programlisting>
+$ cd $JBOSS_HOME/bin
+$ jboss-cli.sh -c --file=adapter-install.cli
+</programlisting>
+        The script will add the extension, subsystem, and optional security-domain as described below.
+    </para>
     <para>
 <programlisting><![CDATA[
 <server xmlns="urn:jboss:domain:1.4">
@@ -65,8 +74,7 @@ $ unzip keycloak-as7-adapter-dist.zip
 </programlisting>
     </para>
         <para>
-            Finally, you must specify a shared keycloak security domain.
+            The keycloak security domain should be used with EJBs and other components when you need the security context created
-            This security domain should be used with EJBs and other components when you need the security context created
             in the secured web tier to be propagated to the EJBs (other EE component) you are invoking.  Otherwise
             this configuration is optional.
         </para>

docbook/reference/en/en-US/modules/server-installation.xml

@@ -49,9 +49,9 @@
                 <literal>keycloak-overlay-&project.version;.zip</literal> or <literal>keycloak-overlay-&project.version;.tar.gz</literal>.
                 Once downloaded extract into the root directory of your WildFly installation. To start WildFly with Keycloak
                 run:
-                <programlisting>keycloak-&project.version;/bin/standalone.sh --server-config=standalone-keycloak.xml</programlisting>
+                <programlisting>&lt;WILDFLY_HOME&gt;/bin/standalone.sh --server-config=standalone-keycloak.xml</programlisting>
                 or:
-                <programlisting>keycloak-&project.version;/bin/standalone.bat --server-config=standalone-keycloak.xml</programlisting>
+                <programlisting>&lt;WILDFLY_HOME&gt;/bin/standalone.bat --server-config=standalone-keycloak.xml</programlisting>
             </para>
             <para>
                 Once the server is started log into the admin console at
@@ -60,15 +60,9 @@
                 enter in a new password.
             </para>
             <para>
-                To add Keycloak to other sever configurations (standalone.xml, standalone-ha.xml, etc.) open
+                To add Keycloak to other sever configurations (standalone.xml, standalone-ha.xml, etc.) start the server with
-                <literal>standalone/configuration/standalone-keycloak.xml</literal> and the configuration you want to add it
+                the desired server-config.  Then execute the following CLI script:
-                to, for example <literal>standalone/configuration/standalone.xml</literal>. From <literal>standalone-keycloak.xml</literal>
+                <programlisting>&lt;WILDFLY_HOME&gt;/bin/jboss-cli.sh -c --file=keycloak-install.cli</programlisting>
-                you need to copy 3 elements:
-                <itemizedlist>
-                    <listitem><literal>&lt;extension module="org.keycloak.keycloak-server-subsystem"/&gt;</literal></listitem>
-                    <listitem><literal>&lt;datasource jndi-name="java:jboss/datasources/KeycloakDS" ...&gt;</literal></listitem>
-                    <listitem><literal>&lt;subsystem xmlns="urn:jboss:domain:keycloak-server:1.1" ...&gt;</literal></listitem>
-                </itemizedlist>
             </para>
         </section>
         <section>
@@ -76,6 +70,19 @@
             <para>
                 Same procedure as WildFly 9.0.0.Final, but download <literal>keycloak-overlay-eap6-&project.version;.zip</literal> or <literal>keycloak-overlay-eap6-&project.version;.tar.gz</literal>.
             </para>
+            <para>
+                However, for EAP, adding Keycloak to other sever configurations (standalone.xml, standalone-ha.xml, etc.) requires two CLI scripts. Start the server with
+                the desired server-config.  Then execute the following CLI scripts with a restart in between:
+                <orderedlist>
+                    <listitem>
+                        <programlisting>&lt;EAP_HOME&gt;/bin/jboss-cli.sh -c --file=keycloak-prepare.cli</programlisting>
+                    </listitem>
+                    <listitem>Restart the server with the same server-config.</listitem>
+                    <listitem>
+                        <programlisting>&lt;EAP_HOME&gt;/bin/jboss-cli.sh -c --file=keycloak-install.cli</programlisting>
+                    </listitem>
+                </orderedlist>
+            </para>
         </section>
         <section>
             <title id="demo_install">Install Development Bundle</title>

integration/spring-security/src/main/java/org/keycloak/adapters/springsecurity/AdapterDeploymentContextBean.java

@@ -9,30 +9,48 @@ import org.springframework.context.ApplicationContext;
 import org.springframework.context.ApplicationContextAware;
 import org.springframework.core.io.Resource;
 
-import java.io.InputStream;
+import java.io.FileNotFoundException;
+import java.io.IOException;
 
 /**
  * Bean holding the {@link KeycloakDeployment} and {@link AdapterDeploymentContext} for this
  * Spring application context. The Keycloak deployment is loaded from the required
- * <code>WEB-INF/keycloak.json</code> file generated by Keycloak.
+ * <code>keycloak.json</code> resource file.
  *
  * @author <a href="mailto:srossillo@smartling.com">Scott Rossillo</a>
  * @version $Revision: 1 $
  */
 public class AdapterDeploymentContextBean implements ApplicationContextAware, InitializingBean {
 
+    private static final String KEYCLOAK_CONFIG_FILE = "keycloak.json";
+    private static final String KEYCLOAK_CONFIG_WEB_RESOURCE = "WEB-INF/" + KEYCLOAK_CONFIG_FILE;
+    private static final String KEYCLOAK_CONFIG_CLASSPATH_RESOURCE = "classpath:" + KEYCLOAK_CONFIG_FILE;
+
     private ApplicationContext applicationContext;
     private AdapterDeploymentContext deploymentContext;
     private KeycloakDeployment deployment;
 
     @Override
     public void afterPropertiesSet() throws Exception {
-        Resource resource = applicationContext.getResource("WEB-INF/keycloak.json");
+        this.deployment = loadKeycloakDeployment();
-        InputStream is = resource.getInputStream();
-        this.deployment = KeycloakDeploymentBuilder.build(is);
         this.deploymentContext = new AdapterDeploymentContext(deployment);
     }
 
+    private KeycloakDeployment loadKeycloakDeployment() throws IOException {
+
+        Resource resource = applicationContext.getResource(KEYCLOAK_CONFIG_WEB_RESOURCE);
+
+        if (!resource.isReadable()) {
+            resource=  applicationContext.getResource(KEYCLOAK_CONFIG_CLASSPATH_RESOURCE);
+        }
+
+        if (!resource.isReadable()) {
+            throw new FileNotFoundException(String.format("Unable to locate Keycloak from %s or %s", KEYCLOAK_CONFIG_WEB_RESOURCE, KEYCLOAK_CONFIG_CLASSPATH_RESOURCE));
+        }
+
+        return KeycloakDeploymentBuilder.build(resource.getInputStream());
+    }
+
     /**
      * Returns the Keycloak {@link AdapterDeploymentContext} for this application context.
      *

services/src/main/java/org/keycloak/services/resources/LoginActionsService.java

@@ -623,6 +623,7 @@ public class LoginActionsService {
         if (clientSession.getAction().equals(ClientSessionModel.Action.RECOVER_PASSWORD.name())) {
             String actionCookieValue = getActionCookie();
             if (actionCookieValue == null || !actionCookieValue.equals(userSession.getId())) {
+                session.sessions().removeClientSession(realm, clientSession);
                 return session.getProvider(LoginFormsProvider.class)
                         .setSuccess(Messages.ACCOUNT_PASSWORD_UPDATED)
                         .createInfoPage();
@@ -657,6 +658,7 @@ public class LoginActionsService {
 
             String actionCookieValue = getActionCookie();
             if (actionCookieValue == null || !actionCookieValue.equals(userSession.getId())) {
+                session.sessions().removeClientSession(realm, clientSession);
                 return session.getProvider(LoginFormsProvider.class)
                         .setSuccess(Messages.EMAIL_VERIFIED)
                         .createInfoPage();

testsuite/integration/src/test/java/org/keycloak/testsuite/MailServer.java

@@ -5,6 +5,7 @@ import com.icegreen.greenmail.util.ServerSetup;
 
 import javax.mail.internet.MimeMessage;
 import javax.mail.internet.MimeMessage.RecipientType;
+import javax.mail.internet.MimeMultipart;
 
 public class MailServer {
 
@@ -22,9 +23,20 @@ public class MailServer {
 
             if (greenMail.waitForIncomingEmail(Long.MAX_VALUE, c + 1)) {
                 MimeMessage message = greenMail.getReceivedMessages()[c++];
+                System.out.println("-------------------------------------------------------");
                 System.out.println("Received mail to " + message.getRecipients(RecipientType.TO)[0]);
-                System.out.println();
+                if (message.getContent() instanceof MimeMultipart) {
-                System.out.println(message.getContent());
+                    MimeMultipart mimeMultipart = (MimeMultipart) message.getContent();
+                    for (int i = 0; i < mimeMultipart.getCount(); i++) {
+                        System.out.println("----");
+                        System.out.println(mimeMultipart.getBodyPart(i).getContentType() + ":");
+                        System.out.println();
+                        System.out.println(mimeMultipart.getBodyPart(i).getContent());
+                    }
+                } else {
+                    System.out.println();
+                    System.out.println(message.getContent());
+                }
                 System.out.println("-------------------------------------------------------");
             }
         }