KEYCLOAK-4952: Header information disclosure

Stan Silvert 2017-10-06 16:04:39 -04:00
parent 34451d159b
commit 6082e49252
8 changed files with 98 additions and 14 deletions


@ -37,7 +37,7 @@
<subsystem>security.xml</subsystem> <subsystem>security.xml</subsystem>
<subsystem>security-manager.xml</subsystem> <subsystem>security-manager.xml</subsystem>
<subsystem>transactions.xml</subsystem> <subsystem>transactions.xml</subsystem>
<subsystem>undertow.xml</subsystem> <subsystem>keycloak-undertow.xml</subsystem>
<subsystem>keycloak-server.xml</subsystem> <subsystem>keycloak-server.xml</subsystem>
</subsystems> </subsystems>
<subsystems name="auth-server-clustered"> <subsystems name="auth-server-clustered">
@ -64,7 +64,7 @@
<subsystem>security.xml</subsystem> <subsystem>security.xml</subsystem>
<subsystem>security-manager.xml</subsystem> <subsystem>security-manager.xml</subsystem>
<subsystem>transactions.xml</subsystem> <subsystem>transactions.xml</subsystem>
<subsystem supplement="ha">undertow.xml</subsystem> <subsystem supplement="ha">keycloak-undertow.xml</subsystem>
<subsystem>keycloak-server.xml</subsystem> <subsystem>keycloak-server.xml</subsystem>
</subsystems> </subsystems>
<subsystems name="load-balancer"> <subsystems name="load-balancer">


@ -41,7 +41,7 @@
<subsystem supplement="standalone-wildfly">elytron.xml</subsystem> <subsystem supplement="standalone-wildfly">elytron.xml</subsystem>
<subsystem>security.xml</subsystem> <subsystem>security.xml</subsystem>
<subsystem>transactions.xml</subsystem> <subsystem>transactions.xml</subsystem>
<subsystem supplement="ha">undertow.xml</subsystem> <subsystem supplement="ha">keycloak-undertow.xml</subsystem>
<subsystem>keycloak-server.xml</subsystem> <subsystem>keycloak-server.xml</subsystem>
</subsystems> </subsystems>
</config> </config>


@ -39,7 +39,7 @@
<subsystem supplement="standalone-wildfly">elytron.xml</subsystem> <subsystem supplement="standalone-wildfly">elytron.xml</subsystem>
<subsystem>security.xml</subsystem> <subsystem>security.xml</subsystem>
<subsystem>transactions.xml</subsystem> <subsystem>transactions.xml</subsystem>
<subsystem>undertow.xml</subsystem> <subsystem>keycloak-undertow.xml</subsystem>
<subsystem>keycloak-server.xml</subsystem> <subsystem>keycloak-server.xml</subsystem>
</subsystems> </subsystems>
</config> </config>


@ -54,11 +54,12 @@ end-if
set persistenceProvider=jpa set persistenceProvider=jpa
# Migrate from 2.1.0 to 2.2.0 # Migrate from 2.1.0 to 2.2.0
if (outcome == failed) of /profile=$clusteredProfile/subsystem=infinispan/cache-container=keycloak/distributed-cache=authorization/:read-resource # Do not add distributed-cache=authorization. This is now removed.
echo Additing distributed-cache=authorization #if (outcome == failed) of /profile=$clusteredProfile/subsystem=infinispan/cache-container=keycloak/distributed-cache=authorization/:read-resource
/profile=$clusteredProfile/subsystem=infinispan/cache-container=keycloak/distributed-cache=authorization/:add(mode=SYNC,owners=1) # echo Additing distributed-cache=authorization
echo # /profile=$clusteredProfile/subsystem=infinispan/cache-container=keycloak/distributed-cache=authorization/:add(mode=SYNC,owners=1)
end-if # echo
#end-if
if (result == update) of /profile=$clusteredProfile/subsystem=keycloak-server/spi=connectionsJpa/provider=default/:map-get(name=properties,key=databaseSchema) if (result == update) of /profile=$clusteredProfile/subsystem=keycloak-server/spi=connectionsJpa/provider=default/:map-get(name=properties,key=databaseSchema)
echo Updating connectionsJpa default properties... echo Updating connectionsJpa default properties...
/profile=$clusteredProfile/subsystem=keycloak-server/spi=connectionsJpa/provider=default/:map-remove(name=properties,key=databaseSchema) /profile=$clusteredProfile/subsystem=keycloak-server/spi=connectionsJpa/provider=default/:map-remove(name=properties,key=databaseSchema)
@ -225,4 +226,13 @@ if (outcome == success) of /profile=$clusteredProfile/subsystem=infinispan/cache
echo echo
end-if end-if
# Migrate from 3.2.0 to 3.4.0
if (outcome == success) of /profile=$clusteredProfile/subsystem=undertow/server=default-server/host=default-host/filter-ref=server-header/:read-resource
echo Removing X-Powered-By and Server headers from Keycloak responses...
/profile=$clusteredProfile/subsystem=undertow/server=default-server/host=default-host/filter-ref=server-header/:remove
/profile=$clusteredProfile/subsystem=undertow/server=default-server/host=default-host/filter-ref=x-powered-by-header/:remove
/profile=$clusteredProfile/subsystem=undertow/configuration=filter/response-header=x-powered-by-header/:remove
/profile=$clusteredProfile/subsystem=undertow/configuration=filter/response-header=server-header/:remove
end-if
echo *** End Migration of /profile=$clusteredProfile *** echo *** End Migration of /profile=$clusteredProfile ***
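Review bot: The guard opening the 3.2.0→3.4.0 block only checks that `filter-ref=server-header` exists, yet the four `:remove` operations that follow assume all four resources are present; on a clustered profile where an administrator already removed the X-Powered-By filter-ref or either filter definition, the unguarded `:remove` fails and the CLI script aborts at that point with the migration half-applied. Give each resource its own guard, keeping filter-ref removals ahead of the filter definitions they reference, e.g. `if (outcome == success) of /profile=$clusteredProfile/subsystem=undertow/configuration=filter/response-header=x-powered-by-header/:read-resource` / `/profile=$clusteredProfile/subsystem=undertow/configuration=filter/response-header=x-powered-by-header/:remove` / `end-if`, and the same for the other three paths. The section comment could also state the intent so a later reader does not re-add the filters: `# Strip the Server and X-Powered-By response headers so the server product/version is not disclosed (KEYCLOAK-4952)`.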


@ -205,4 +205,13 @@ if (outcome == failed) of /profile=$standaloneProfile/subsystem=infinispan/cache
echo echo
end-if end-if
# Migrate from 3.2.0 to 3.4.0
if (outcome == success) of /profile=$standaloneProfile/subsystem=undertow/server=default-server/host=default-host/filter-ref=server-header/:read-resource
echo Removing X-Powered-By and Server headers from Keycloak responses...
/profile=$standaloneProfile/subsystem=undertow/server=default-server/host=default-host/filter-ref=server-header/:remove
/profile=$standaloneProfile/subsystem=undertow/server=default-server/host=default-host/filter-ref=x-powered-by-header/:remove
/profile=$standaloneProfile/subsystem=undertow/configuration=filter/response-header=x-powered-by-header/:remove
/profile=$standaloneProfile/subsystem=undertow/configuration=filter/response-header=server-header/:remove
end-if
echo *** End Migration of /profile=$standaloneProfile *** echo *** End Migration of /profile=$standaloneProfile ***
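Review bot: The single `read-resource` check on `filter-ref=server-header` is used as a proxy for all four resources removed below it; if only the X-Powered-By half was already cleaned up by hand (or a custom filter set replaced the stock one), the script fails on the first missing `:remove` and stops before `*** End Migration ***`. Each removal should be independently guarded, e.g. `if (outcome == success) of /profile=$standaloneProfile/subsystem=undertow/server=default-server/host=default-host/filter-ref=x-powered-by-header/:read-resource` / `/profile=$standaloneProfile/subsystem=undertow/server=default-server/host=default-host/filter-ref=x-powered-by-header/:remove` / `end-if`, repeated for the other three paths with the filter-ref removals kept before the filter definitions. It would also help to note in the comment that this only removes the WildFly-configured headers; whether Undertow or Keycloak itself emits any other product-identifying header is not established by this change and should be verified with a real response.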


@ -60,11 +60,12 @@ if (outcome == failed) of /subsystem=deployment-scanner/scanner=default/:read-re
/subsystem=deployment-scanner/scanner=default/:add(path=deployments,relative-to=jboss.server.base.dir,runtime-failure-causes-rollback=${jboss.deployment.scanner.rollback.on.failure:false},scan-interval=5000) /subsystem=deployment-scanner/scanner=default/:add(path=deployments,relative-to=jboss.server.base.dir,runtime-failure-causes-rollback=${jboss.deployment.scanner.rollback.on.failure:false},scan-interval=5000)
echo echo
end-if end-if
if (outcome == failed) of /subsystem=infinispan/cache-container=keycloak/distributed-cache=authorization/:read-resource # Do not add. This is now removed.
echo Additing distributed-cache=authorization #if (outcome == failed) of /subsystem=infinispan/cache-container=keycloak/distributed-cache=authorization/:read-resource
/subsystem=infinispan/cache-container=keycloak/distributed-cache=authorization/:add(mode=SYNC,owners=1) # echo Adding distributed-cache=authorization
echo # /subsystem=infinispan/cache-container=keycloak/distributed-cache=authorization/:add(mode=SYNC,owners=1)
end-if # echo
#end-if
if (result == update) of /subsystem=keycloak-server/spi=connectionsJpa/provider=default/:map-get(name=properties,key=databaseSchema) if (result == update) of /subsystem=keycloak-server/spi=connectionsJpa/provider=default/:map-get(name=properties,key=databaseSchema)
echo Updating connectionsJpa default properties... echo Updating connectionsJpa default properties...
/subsystem=keycloak-server/spi=connectionsJpa/provider=default/:map-remove(name=properties,key=databaseSchema) /subsystem=keycloak-server/spi=connectionsJpa/provider=default/:map-remove(name=properties,key=databaseSchema)
@ -230,4 +231,13 @@ if (outcome == success) of /subsystem=infinispan/cache-container=keycloak/distri
echo echo
end-if end-if
# Migrate from 3.2.0 to 3.4.0
if (outcome == success) of /subsystem=undertow/server=default-server/host=default-host/filter-ref=server-header/:read-resource
echo Removing X-Powered-By and Server headers from Keycloak responses...
/subsystem=undertow/server=default-server/host=default-host/filter-ref=server-header/:remove
/subsystem=undertow/server=default-server/host=default-host/filter-ref=x-powered-by-header/:remove
/subsystem=undertow/configuration=filter/response-header=x-powered-by-header/:remove
/subsystem=undertow/configuration=filter/response-header=server-header/:remove
end-if
echo *** End Migration *** echo *** End Migration ***
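Review bot: The header cleanup is gated only on `filter-ref=server-header` existing, but then issues four unconditional `:remove` calls; a standalone.xml where an operator had already removed `x-powered-by-header` (or just its filter-ref) makes one of those calls fail, which aborts the CLI script so the remaining migration steps and the final echo never run. Every other migration step in this file guards its own resource with `read-resource`, so this block should follow the same pattern, one guard per resource, with the filter-ref removals ordered before the definitions they point at. A one-line why-comment would also help, since a later reader might otherwise treat the filters as harmless defaults worth restoring: `# Remove the Server/X-Powered-By response headers: they disclose the server product and version (KEYCLOAK-4952)`.
```shell
# Migrate from 3.2.0 to 3.4.0
# Remove the Server/X-Powered-By response headers: they disclose the server product and version (KEYCLOAK-4952)
if (outcome == success) of /subsystem=undertow/server=default-server/host=default-host/filter-ref=server-header/:read-resource
  echo Removing Server header filter-ref from Keycloak responses...
  /subsystem=undertow/server=default-server/host=default-host/filter-ref=server-header/:remove
end-if
if (outcome == success) of /subsystem=undertow/server=default-server/host=default-host/filter-ref=x-powered-by-header/:read-resource
  echo Removing X-Powered-By header filter-ref from Keycloak responses...
  /subsystem=undertow/server=default-server/host=default-host/filter-ref=x-powered-by-header/:remove
end-if
if (outcome == success) of /subsystem=undertow/configuration=filter/response-header=x-powered-by-header/:read-resource
  /subsystem=undertow/configuration=filter/response-header=x-powered-by-header/:remove
end-if
if (outcome == success) of /subsystem=undertow/configuration=filter/response-header=server-header/:read-resource
  /subsystem=undertow/configuration=filter/response-header=server-header/:remove
end-if
# … unchanged: end-of-migration echo …
```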


@ -213,4 +213,12 @@ if (outcome == failed) of /subsystem=infinispan/cache-container=keycloak/local-c
echo echo
end-if end-if
# Migrate from 3.2.0 to 3.4.0
if (outcome == success) of /subsystem=undertow/server=default-server/host=default-host/filter-ref=server-header/:read-resource
echo Removing X-Powered-By and Server headers from Keycloak responses...
/subsystem=undertow/server=default-server/host=default-host/filter-ref=server-header/:remove
/subsystem=undertow/server=default-server/host=default-host/filter-ref=x-powered-by-header/:remove
/subsystem=undertow/configuration=filter/response-header=x-powered-by-header/:remove
/subsystem=undertow/configuration=filter/response-header=server-header/:remove
end-if
echo *** End Migration *** echo *** End Migration ***
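Review bot: As in the other migration scripts, only `filter-ref=server-header` is checked before four separate `:remove` operations run; if the `x-powered-by-header` filter-ref or either filter definition is already absent from this HA configuration, the unguarded `:remove` errors out and the script aborts before `*** End Migration ***`. Wrap each resource in its own `if (outcome == success) of <path>/:read-resource` … `<path>/:remove` … `end-if`, e.g. `if (outcome == success) of /subsystem=undertow/configuration=filter/response-header=server-header/:read-resource` / `/subsystem=undertow/configuration=filter/response-header=server-header/:remove` / `end-if`, removing filter-refs before the definitions they reference. The block would also benefit from a why-comment naming the disclosure being fixed, e.g. `# Strip Server/X-Powered-By headers that reveal the server product and version (KEYCLOAK-4952)`.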


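--- /dev/null
+++ b/keycloak-undertow.xml
@@ -0,0 +1,47 @@
+<?xml version='1.0' encoding='UTF-8'?>
+<!--
+~ Copyright 2016 Red Hat, Inc. and/or its affiliates
+~ and other contributors as indicated by the @author tags.
+~
+~ Licensed under the Apache License, Version 2.0 (the "License");
+~ you may not use this file except in compliance with the License.
+~ You may obtain a copy of the License at
+~
+~ http://www.apache.org/licenses/LICENSE-2.0
+~
+~ Unless required by applicable law or agreed to in writing, software
+~ distributed under the License is distributed on an "AS IS" BASIS,
+~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+~ See the License for the specific language governing permissions and
+~ limitations under the License.
+-->
+<config>
+<extension-module>org.wildfly.extension.undertow</extension-module>
+<subsystem xmlns="urn:jboss:domain:undertow:4.0">
+<buffer-cache name="default" />
+<server name="default-server">
+<?AJP?>
+<http-listener name="default" socket-binding="http" redirect-socket="https" enable-http2="true" />
+<https-listener name="https" socket-binding="https" security-realm="ApplicationRealm" enable-http2="true" />
+<host name="default-host" alias="localhost">
+<location name="/" handler="welcome-content" />
+<http-invoker security-realm="ApplicationRealm"/>
+</host>
+</server>
+<servlet-container name="default">
+<jsp-config/>
+<websockets/>
+</servlet-container>
+<handlers>
+<file name="welcome-content" path="${jboss.home.dir}/welcome-content" />
+</handlers>
+</subsystem>
+<supplement name="ha">
+<replacement placeholder="AJP">
+<ajp-listener name="ajp" socket-binding="ajp" />
+</replacement>
+</supplement>
+<socket-binding name="http" port="${jboss.http.port:8080}"/>
+<socket-binding name="https" port="${jboss.https.port:8443}"/>
+<socket-binding name="ajp" port="${jboss.ajp.port:8009}"/>
+</config>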
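Review bot: `<http-invoker security-realm="ApplicationRealm"/>` under default-host keeps the WildFly HTTP invoker endpoint reachable on the auth server's listeners; nothing in this commit indicates Keycloak needs it, so it is surface a hardening-oriented template should drop unless something is known to depend on it. In the same spirit, `<location name="/" handler="welcome-content" />` serves `${jboss.home.dir}/welcome-content` at the root: if that directory still holds the stock WildFly welcome page, the product name this commit strips from the `Server` and `X-Powered-By` headers is disclosed one request away, so confirm the distribution ships its own content there or remove the location. A short comment after the license block would also tell the next maintainer why this file exists instead of the stock template and what must not be re-added: `<!-- Keycloak-specific copy of the undertow subsystem: intentionally omits the server-header and x-powered-by-header response filters (KEYCLOAK-4952) -->`.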