KEYCLOAK-4952: Header information disclosure
This commit is contained in:
parent
34451d159b
commit
6082e49252
8 changed files with 98 additions and 14 deletions
|
@ -37,7 +37,7 @@
|
|||
<subsystem>security.xml</subsystem>
|
||||
<subsystem>security-manager.xml</subsystem>
|
||||
<subsystem>transactions.xml</subsystem>
|
||||
<subsystem>undertow.xml</subsystem>
|
||||
<subsystem>keycloak-undertow.xml</subsystem>
|
||||
<subsystem>keycloak-server.xml</subsystem>
|
||||
</subsystems>
|
||||
<subsystems name="auth-server-clustered">
|
||||
|
@ -64,7 +64,7 @@
|
|||
<subsystem>security.xml</subsystem>
|
||||
<subsystem>security-manager.xml</subsystem>
|
||||
<subsystem>transactions.xml</subsystem>
|
||||
<subsystem supplement="ha">undertow.xml</subsystem>
|
||||
<subsystem supplement="ha">keycloak-undertow.xml</subsystem>
|
||||
<subsystem>keycloak-server.xml</subsystem>
|
||||
</subsystems>
|
||||
<subsystems name="load-balancer">
|
||||
|
|
|
@ -41,7 +41,7 @@
|
|||
<subsystem supplement="standalone-wildfly">elytron.xml</subsystem>
|
||||
<subsystem>security.xml</subsystem>
|
||||
<subsystem>transactions.xml</subsystem>
|
||||
<subsystem supplement="ha">undertow.xml</subsystem>
|
||||
<subsystem supplement="ha">keycloak-undertow.xml</subsystem>
|
||||
<subsystem>keycloak-server.xml</subsystem>
|
||||
</subsystems>
|
||||
</config>
|
|
@ -39,7 +39,7 @@
|
|||
<subsystem supplement="standalone-wildfly">elytron.xml</subsystem>
|
||||
<subsystem>security.xml</subsystem>
|
||||
<subsystem>transactions.xml</subsystem>
|
||||
<subsystem>undertow.xml</subsystem>
|
||||
<subsystem>keycloak-undertow.xml</subsystem>
|
||||
<subsystem>keycloak-server.xml</subsystem>
|
||||
</subsystems>
|
||||
</config>
|
||||
|
|
|
@ -54,11 +54,12 @@ end-if
|
|||
set persistenceProvider=jpa
|
||||
|
||||
# Migrate from 2.1.0 to 2.2.0
|
||||
if (outcome == failed) of /profile=$clusteredProfile/subsystem=infinispan/cache-container=keycloak/distributed-cache=authorization/:read-resource
|
||||
echo Additing distributed-cache=authorization
|
||||
/profile=$clusteredProfile/subsystem=infinispan/cache-container=keycloak/distributed-cache=authorization/:add(mode=SYNC,owners=1)
|
||||
echo
|
||||
end-if
|
||||
# Do not add distributed-cache=authorization. This is now removed.
|
||||
#if (outcome == failed) of /profile=$clusteredProfile/subsystem=infinispan/cache-container=keycloak/distributed-cache=authorization/:read-resource
|
||||
# echo Additing distributed-cache=authorization
|
||||
# /profile=$clusteredProfile/subsystem=infinispan/cache-container=keycloak/distributed-cache=authorization/:add(mode=SYNC,owners=1)
|
||||
# echo
|
||||
#end-if
|
||||
if (result == update) of /profile=$clusteredProfile/subsystem=keycloak-server/spi=connectionsJpa/provider=default/:map-get(name=properties,key=databaseSchema)
|
||||
echo Updating connectionsJpa default properties...
|
||||
/profile=$clusteredProfile/subsystem=keycloak-server/spi=connectionsJpa/provider=default/:map-remove(name=properties,key=databaseSchema)
|
||||
|
@ -225,4 +226,13 @@ if (outcome == success) of /profile=$clusteredProfile/subsystem=infinispan/cache
|
|||
echo
|
||||
end-if
|
||||
|
||||
# Migrate from 3.2.0 to 3.4.0
|
||||
if (outcome == success) of /profile=$clusteredProfile/subsystem=undertow/server=default-server/host=default-host/filter-ref=server-header/:read-resource
|
||||
echo Removing X-Powered-By and Server headers from Keycloak responses...
|
||||
/profile=$clusteredProfile/subsystem=undertow/server=default-server/host=default-host/filter-ref=server-header/:remove
|
||||
/profile=$clusteredProfile/subsystem=undertow/server=default-server/host=default-host/filter-ref=x-powered-by-header/:remove
|
||||
/profile=$clusteredProfile/subsystem=undertow/configuration=filter/response-header=x-powered-by-header/:remove
|
||||
/profile=$clusteredProfile/subsystem=undertow/configuration=filter/response-header=server-header/:remove
|
||||
end-if
|
||||
|
||||
echo *** End Migration of /profile=$clusteredProfile ***
|
|
@ -205,4 +205,13 @@ if (outcome == failed) of /profile=$standaloneProfile/subsystem=infinispan/cache
|
|||
echo
|
||||
end-if
|
||||
|
||||
# Migrate from 3.2.0 to 3.4.0
|
||||
if (outcome == success) of /profile=$standaloneProfile/subsystem=undertow/server=default-server/host=default-host/filter-ref=server-header/:read-resource
|
||||
echo Removing X-Powered-By and Server headers from Keycloak responses...
|
||||
/profile=$standaloneProfile/subsystem=undertow/server=default-server/host=default-host/filter-ref=server-header/:remove
|
||||
/profile=$standaloneProfile/subsystem=undertow/server=default-server/host=default-host/filter-ref=x-powered-by-header/:remove
|
||||
/profile=$standaloneProfile/subsystem=undertow/configuration=filter/response-header=x-powered-by-header/:remove
|
||||
/profile=$standaloneProfile/subsystem=undertow/configuration=filter/response-header=server-header/:remove
|
||||
end-if
|
||||
|
||||
echo *** End Migration of /profile=$standaloneProfile ***
|
|
@ -60,11 +60,12 @@ if (outcome == failed) of /subsystem=deployment-scanner/scanner=default/:read-re
|
|||
/subsystem=deployment-scanner/scanner=default/:add(path=deployments,relative-to=jboss.server.base.dir,runtime-failure-causes-rollback=${jboss.deployment.scanner.rollback.on.failure:false},scan-interval=5000)
|
||||
echo
|
||||
end-if
|
||||
if (outcome == failed) of /subsystem=infinispan/cache-container=keycloak/distributed-cache=authorization/:read-resource
|
||||
echo Additing distributed-cache=authorization
|
||||
/subsystem=infinispan/cache-container=keycloak/distributed-cache=authorization/:add(mode=SYNC,owners=1)
|
||||
echo
|
||||
end-if
|
||||
# Do not add. This is now removed.
|
||||
#if (outcome == failed) of /subsystem=infinispan/cache-container=keycloak/distributed-cache=authorization/:read-resource
|
||||
# echo Adding distributed-cache=authorization
|
||||
# /subsystem=infinispan/cache-container=keycloak/distributed-cache=authorization/:add(mode=SYNC,owners=1)
|
||||
# echo
|
||||
#end-if
|
||||
if (result == update) of /subsystem=keycloak-server/spi=connectionsJpa/provider=default/:map-get(name=properties,key=databaseSchema)
|
||||
echo Updating connectionsJpa default properties...
|
||||
/subsystem=keycloak-server/spi=connectionsJpa/provider=default/:map-remove(name=properties,key=databaseSchema)
|
||||
|
@ -230,4 +231,13 @@ if (outcome == success) of /subsystem=infinispan/cache-container=keycloak/distri
|
|||
echo
|
||||
end-if
|
||||
|
||||
# Migrate from 3.2.0 to 3.4.0
|
||||
if (outcome == success) of /subsystem=undertow/server=default-server/host=default-host/filter-ref=server-header/:read-resource
|
||||
echo Removing X-Powered-By and Server headers from Keycloak responses...
|
||||
/subsystem=undertow/server=default-server/host=default-host/filter-ref=server-header/:remove
|
||||
/subsystem=undertow/server=default-server/host=default-host/filter-ref=x-powered-by-header/:remove
|
||||
/subsystem=undertow/configuration=filter/response-header=x-powered-by-header/:remove
|
||||
/subsystem=undertow/configuration=filter/response-header=server-header/:remove
|
||||
end-if
|
||||
|
||||
echo *** End Migration ***
|
|
@ -213,4 +213,12 @@ if (outcome == failed) of /subsystem=infinispan/cache-container=keycloak/local-c
|
|||
echo
|
||||
end-if
|
||||
|
||||
# Migrate from 3.2.0 to 3.4.0
|
||||
if (outcome == success) of /subsystem=undertow/server=default-server/host=default-host/filter-ref=server-header/:read-resource
|
||||
echo Removing X-Powered-By and Server headers from Keycloak responses...
|
||||
/subsystem=undertow/server=default-server/host=default-host/filter-ref=server-header/:remove
|
||||
/subsystem=undertow/server=default-server/host=default-host/filter-ref=x-powered-by-header/:remove
|
||||
/subsystem=undertow/configuration=filter/response-header=x-powered-by-header/:remove
|
||||
/subsystem=undertow/configuration=filter/response-header=server-header/:remove
|
||||
end-if
|
||||
echo *** End Migration ***
|
|
@ -0,0 +1,47 @@
|
|||
<?xml version='1.0' encoding='UTF-8'?>
|
||||
<!--
|
||||
~ Copyright 2016 Red Hat, Inc. and/or its affiliates
|
||||
~ and other contributors as indicated by the @author tags.
|
||||
~
|
||||
~ Licensed under the Apache License, Version 2.0 (the "License");
|
||||
~ you may not use this file except in compliance with the License.
|
||||
~ You may obtain a copy of the License at
|
||||
~
|
||||
~ http://www.apache.org/licenses/LICENSE-2.0
|
||||
~
|
||||
~ Unless required by applicable law or agreed to in writing, software
|
||||
~ distributed under the License is distributed on an "AS IS" BASIS,
|
||||
~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
~ See the License for the specific language governing permissions and
|
||||
~ limitations under the License.
|
||||
-->
|
||||
<config>
|
||||
<extension-module>org.wildfly.extension.undertow</extension-module>
|
||||
<subsystem xmlns="urn:jboss:domain:undertow:4.0">
|
||||
<buffer-cache name="default" />
|
||||
<server name="default-server">
|
||||
<?AJP?>
|
||||
<http-listener name="default" socket-binding="http" redirect-socket="https" enable-http2="true" />
|
||||
<https-listener name="https" socket-binding="https" security-realm="ApplicationRealm" enable-http2="true" />
|
||||
<host name="default-host" alias="localhost">
|
||||
<location name="/" handler="welcome-content" />
|
||||
<http-invoker security-realm="ApplicationRealm"/>
|
||||
</host>
|
||||
</server>
|
||||
<servlet-container name="default">
|
||||
<jsp-config/>
|
||||
<websockets/>
|
||||
</servlet-container>
|
||||
<handlers>
|
||||
<file name="welcome-content" path="${jboss.home.dir}/welcome-content" />
|
||||
</handlers>
|
||||
</subsystem>
|
||||
<supplement name="ha">
|
||||
<replacement placeholder="AJP">
|
||||
<ajp-listener name="ajp" socket-binding="ajp" />
|
||||
</replacement>
|
||||
</supplement>
|
||||
<socket-binding name="http" port="${jboss.http.port:8080}"/>
|
||||
<socket-binding name="https" port="${jboss.https.port:8443}"/>
|
||||
<socket-binding name="ajp" port="${jboss.ajp.port:8009}"/>
|
||||
</config>
|
Loading…
Reference in a new issue