refactor security page flow

This commit is contained in:
Bill Burke 2014-09-23 11:05:10 -04:00
parent bf42227224
commit 66d58476d0
6 changed files with 48 additions and 38 deletions


@ -282,11 +282,11 @@ public class RequiredActionsService {
ClientModel client = realm.findClient(clientId);
if (client == null) {
return Flows.oauth(session, realm, request, uriInfo, clientConnection, authManager, tokenManager).forwardToSecurityFailure(
return Flows.forwardToSecurityFailurePage(session, realm, uriInfo,
"Unknown login requester.");
}
if (!client.isEnabled()) {
return Flows.oauth(session, realm, request, uriInfo, clientConnection, authManager, tokenManager).forwardToSecurityFailure(
return Flows.forwardToSecurityFailurePage(session, realm, uriInfo,
"Login requester not enabled.");
}
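Review bot: Both rejection branches in this hunk forward to the security failure page without recording an audit event, whereas the identical `client == null` and `!client.isEnabled()` branches in the SocialResource and TokenService hunks first call `event.error(Errors.CLIENT_NOT_FOUND)` and `event.error(Errors.CLIENT_DISABLED)`. If an event builder is in scope in this method (its start lies outside the hunk, so I cannot confirm), adding `event.error(Errors.CLIENT_NOT_FOUND);` before the first return and `event.error(Errors.CLIENT_DISABLED);` before the second would keep the required-actions path visible in the same audit trail as the login paths. If no event is available here, a one-line comment saying these rejections are intentionally unaudited would spare the next reader the same question.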


@ -132,7 +132,7 @@ public class SocialResource {
if (!realm.isEnabled()) {
event.error(Errors.REALM_DISABLED);
return oauth.forwardToSecurityFailure("Realm not enabled.");
return Flows.forwardToSecurityFailurePage(session, realm, uriInfo, "Realm not enabled.");
}
String clientId = initialRequest.get(OAuth2Constants.CLIENT_ID);
@ -146,11 +146,11 @@ public class SocialResource {
ClientModel client = realm.findClient(clientId);
if (client == null) {
event.error(Errors.CLIENT_NOT_FOUND);
return oauth.forwardToSecurityFailure("Unknown login requester.");
return Flows.forwardToSecurityFailurePage(session, realm, uriInfo, "Unknown login requester.");
}
if (!client.isEnabled()) {
event.error(Errors.CLIENT_DISABLED);
return oauth.forwardToSecurityFailure("Login requester not enabled.");
return Flows.forwardToSecurityFailurePage(session, realm, uriInfo, "Login requester not enabled.");
}
String key = realm.getSocialConfig().get(provider.getId() + ".key");
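Review bot: The failure messages in this hunk (`"Unknown login requester."`, `"Login requester not enabled."`) are repeated verbatim in RequiredActionsService and in four TokenService hunks, each paired by hand with its `Errors.*` code, and the TokenService copy in the `@ -493` hunk already has that pair mismatched. Since every call site now funnels through one method, a small set of message constants, or an overload along the lines of `forwardToSecurityFailurePage(session, realm, uriInfo, Errors.CLIENT_DISABLED, "Login requester not enabled.")` that records the event itself, would keep the audit code and the user-visible text coupled. The `oauth` local these calls previously used is declared above the hunk; if these were its only uses it is now dead and can be removed.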
@ -178,7 +178,7 @@ public class SocialResource {
return Flows.forms(session, realm, client, uriInfo).setQueryParams(queryParms).setWarning("Access denied").createLogin();
} catch (SocialProviderException e) {
logger.error("Failed to process social callback", e);
return oauth.forwardToSecurityFailure("Failed to process social callback");
return Flows.forwardToSecurityFailurePage(session, realm, uriInfo, "Failed to process social callback");
}
event.detail(Details.USERNAME, socialUser.getId() + "@" + provider.getId());
@ -196,22 +196,22 @@ public class SocialResource {
if (user != null) {
event.error(Errors.SOCIAL_ID_IN_USE);
return oauth.forwardToSecurityFailure("This social account is already linked to other user");
return Flows.forwardToSecurityFailurePage(session, realm, uriInfo, "This social account is already linked to other user");
}
if (!authenticatedUser.isEnabled()) {
event.error(Errors.USER_DISABLED);
return oauth.forwardToSecurityFailure("User is disabled");
return Flows.forwardToSecurityFailurePage(session, realm, uriInfo, "User is disabled");
}
if (!authenticatedUser.hasRole(realm.getApplicationByName(Constants.ACCOUNT_MANAGEMENT_APP).getRole(AccountRoles.MANAGE_ACCOUNT))) {
event.error(Errors.NOT_ALLOWED);
return oauth.forwardToSecurityFailure("Insufficient permissions to link social account");
return Flows.forwardToSecurityFailurePage(session, realm, uriInfo, "Insufficient permissions to link social account");
}
if (redirectUri == null) {
event.error(Errors.INVALID_REDIRECT_URI);
return oauth.forwardToSecurityFailure("Unknown redirectUri");
return Flows.forwardToSecurityFailurePage(session, realm, uriInfo, "Unknown redirectUri");
}
session.users().addSocialLink(realm, authenticatedUser, socialLink);
@ -245,7 +245,7 @@ public class SocialResource {
if (!user.isEnabled()) {
event.error(Errors.USER_DISABLED);
return oauth.forwardToSecurityFailure("Your account is not enabled.");
return Flows.forwardToSecurityFailurePage(session, realm, uriInfo, "Your account is not enabled.");
}
String username = socialLink.getSocialUserId() + "@" + socialLink.getSocialProvider();


@ -493,27 +493,27 @@ public class TokenService {
OAuthFlows oauth = Flows.oauth(session, realm, request, uriInfo, clientConnection, authManager, tokenManager);
if (!checkSsl()) {
return oauth.forwardToSecurityFailure("HTTPS required");
return Flows.forwardToSecurityFailurePage(session, realm, uriInfo, "HTTPS required");
}
if (!realm.isEnabled()) {
event.error(Errors.REALM_DISABLED);
return oauth.forwardToSecurityFailure("Realm not enabled.");
return Flows.forwardToSecurityFailurePage(session, realm, uriInfo, "Realm not enabled.");
}
ClientModel client = realm.findClient(clientId);
if (client == null) {
event.error(Errors.CLIENT_NOT_FOUND);
return oauth.forwardToSecurityFailure("Unknown login requester.");
return Flows.forwardToSecurityFailurePage(session, realm, uriInfo, "Unknown login requester.");
}
if (!client.isEnabled()) {
event.error(Errors.CLIENT_NOT_FOUND);
return oauth.forwardToSecurityFailure("Login requester not enabled.");
return Flows.forwardToSecurityFailurePage(session, realm, uriInfo, "Login requester not enabled.");
}
redirect = verifyRedirectUri(uriInfo, redirect, realm, client);
if (redirect == null) {
event.error(Errors.INVALID_REDIRECT_URI);
return oauth.forwardToSecurityFailure("Invalid redirect_uri.");
return Flows.forwardToSecurityFailurePage(session, realm, uriInfo, "Invalid redirect_uri.");
}
if (formData.containsKey("cancel")) {
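Review bot: The disabled-client branch in this hunk records `event.error(Errors.CLIENT_NOT_FOUND)` before forwarding "Login requester not enabled.", while the same branch in the other TokenService hunks and in SocialResource records `Errors.CLIENT_DISABLED`, so the audit trail for this endpoint classifies a disabled client as an unknown one. The line is unchanged context, but the commit is already touching every forward-to-failure site, and the fix is `event.error(Errors.CLIENT_DISABLED);`. Separately, in the `@ -1065` hunk the `OAuthFlows oauth = Flows.oauth(...)` declared inside the `validatedRedirect == null` block had the replaced call as its only use and is now dead; drop that line. The `oauth` locals at the top of the other hunks may still be used further down their methods, which continue outside the hunks.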
@ -603,28 +603,28 @@ public class TokenService {
if (!realm.isEnabled()) {
event.error(Errors.REALM_DISABLED);
return oauth.forwardToSecurityFailure("Realm not enabled");
return Flows.forwardToSecurityFailurePage(session, realm, uriInfo, "Realm not enabled");
}
ClientModel client = realm.findClient(clientId);
if (client == null) {
event.error(Errors.CLIENT_NOT_FOUND);
return oauth.forwardToSecurityFailure("Unknown login requester.");
return Flows.forwardToSecurityFailurePage(session, realm, uriInfo, "Unknown login requester.");
}
if (!client.isEnabled()) {
event.error(Errors.CLIENT_DISABLED);
return oauth.forwardToSecurityFailure("Login requester not enabled.");
return Flows.forwardToSecurityFailurePage(session, realm, uriInfo, "Login requester not enabled.");
}
redirect = verifyRedirectUri(uriInfo, redirect, realm, client);
if (redirect == null) {
event.error(Errors.INVALID_REDIRECT_URI);
return oauth.forwardToSecurityFailure("Invalid redirect_uri.");
return Flows.forwardToSecurityFailurePage(session, realm, uriInfo, "Invalid redirect_uri.");
}
if (!realm.isRegistrationAllowed()) {
event.error(Errors.REGISTRATION_DISABLED);
return oauth.forwardToSecurityFailure("Registration not allowed");
return Flows.forwardToSecurityFailurePage(session, realm, uriInfo, "Registration not allowed");
}
List<String> requiredCredentialTypes = new LinkedList<String>();
@ -917,35 +917,35 @@ public class TokenService {
OAuthFlows oauth = Flows.oauth(session, realm, request, uriInfo, clientConnection, authManager, tokenManager);
if (!checkSsl()) {
return oauth.forwardToSecurityFailure("HTTPS required");
return Flows.forwardToSecurityFailurePage(session, realm, uriInfo, "HTTPS required");
}
if (!realm.isEnabled()) {
event.error(Errors.REALM_DISABLED);
return oauth.forwardToSecurityFailure("Realm not enabled");
return Flows.forwardToSecurityFailurePage(session, realm, uriInfo, "Realm not enabled");
}
ClientModel client = realm.findClient(clientId);
if (client == null) {
event.error(Errors.CLIENT_NOT_FOUND);
return oauth.forwardToSecurityFailure("Unknown login requester.");
return Flows.forwardToSecurityFailurePage(session, realm, uriInfo, "Unknown login requester.");
}
if (!client.isEnabled()) {
event.error(Errors.CLIENT_DISABLED);
return oauth.forwardToSecurityFailure("Login requester not enabled.");
return Flows.forwardToSecurityFailurePage(session, realm, uriInfo, "Login requester not enabled.");
}
if ( (client instanceof ApplicationModel) && ((ApplicationModel)client).isBearerOnly()) {
event.error(Errors.NOT_ALLOWED);
return oauth.forwardToSecurityFailure("Bearer-only applications are not allowed to initiate browser login");
return Flows.forwardToSecurityFailurePage(session, realm, uriInfo, "Bearer-only applications are not allowed to initiate browser login");
}
if (client.isDirectGrantsOnly()) {
event.error(Errors.NOT_ALLOWED);
return oauth.forwardToSecurityFailure("direct-grants-only clients are not allowed to initiate browser login");
return Flows.forwardToSecurityFailurePage(session, realm, uriInfo, "direct-grants-only clients are not allowed to initiate browser login");
}
redirect = verifyRedirectUri(uriInfo, redirect, realm, client);
if (redirect == null) {
event.error(Errors.INVALID_REDIRECT_URI);
return oauth.forwardToSecurityFailure("Invalid redirect_uri.");
return Flows.forwardToSecurityFailurePage(session, realm, uriInfo, "Invalid redirect_uri.");
}
AuthenticationManager.AuthResult authResult = authManager.authenticateIdentityCookie(session, realm, uriInfo, clientConnection, headers);
@ -1007,33 +1007,33 @@ public class TokenService {
OAuthFlows oauth = Flows.oauth(session, realm, request, uriInfo, clientConnection, authManager, tokenManager);
if (!checkSsl()) {
return oauth.forwardToSecurityFailure("HTTPS required");
return Flows.forwardToSecurityFailurePage(session, realm, uriInfo, "HTTPS required");
}
if (!realm.isEnabled()) {
event.error(Errors.REALM_DISABLED);
return oauth.forwardToSecurityFailure("Realm not enabled");
return Flows.forwardToSecurityFailurePage(session, realm, uriInfo, "Realm not enabled");
}
ClientModel client = realm.findClient(clientId);
if (client == null) {
event.error(Errors.CLIENT_NOT_FOUND);
return oauth.forwardToSecurityFailure("Unknown login requester.");
return Flows.forwardToSecurityFailurePage(session, realm, uriInfo, "Unknown login requester.");
}
if (!client.isEnabled()) {
event.error(Errors.CLIENT_DISABLED);
return oauth.forwardToSecurityFailure("Login requester not enabled.");
return Flows.forwardToSecurityFailurePage(session, realm, uriInfo, "Login requester not enabled.");
}
redirect = verifyRedirectUri(uriInfo, redirect, realm, client);
if (redirect == null) {
event.error(Errors.INVALID_REDIRECT_URI);
return oauth.forwardToSecurityFailure("Invalid redirect_uri.");
return Flows.forwardToSecurityFailurePage(session, realm, uriInfo, "Invalid redirect_uri.");
}
if (!realm.isRegistrationAllowed()) {
event.error(Errors.REGISTRATION_DISABLED);
return oauth.forwardToSecurityFailure("Registration not allowed");
return Flows.forwardToSecurityFailurePage(session, realm, uriInfo, "Registration not allowed");
}
authManager.expireIdentityCookie(realm, uriInfo, clientConnection);
@ -1065,7 +1065,7 @@ public class TokenService {
String validatedRedirect = verifyRealmRedirectUri(uriInfo, redirectUri, realm);
if (validatedRedirect == null) {
OAuthFlows oauth = Flows.oauth(session, realm, request, uriInfo, clientConnection, authManager, tokenManager);
return oauth.forwardToSecurityFailure("Invalid redirect uri.");
return Flows.forwardToSecurityFailurePage(session, realm, uriInfo, "Invalid redirect uri.");
}
return Response.status(302).location(UriBuilder.fromUri(validatedRedirect).build()).build();
} else {
@ -1145,7 +1145,7 @@ public class TokenService {
OAuthFlows oauth = Flows.oauth(session, realm, request, uriInfo, clientConnection, authManager, tokenManager);
if (!checkSsl()) {
return oauth.forwardToSecurityFailure("HTTPS required");
return Flows.forwardToSecurityFailurePage(session, realm, uriInfo, "HTTPS required");
}
String code = formData.getFirst(OAuth2Constants.CODE);
@ -1153,7 +1153,7 @@ public class TokenService {
AccessCode accessCode = AccessCode.parse(code, session, realm);
if (accessCode == null || !accessCode.isValid(ClientSessionModel.Action.OAUTH_GRANT)) {
event.error(Errors.INVALID_CODE);
return oauth.forwardToSecurityFailure("Invalid access code.");
return Flows.forwardToSecurityFailurePage(session, realm, uriInfo, "Invalid access code.");
}
event.detail(Details.CODE_ID, accessCode.getCodeId());
@ -1177,7 +1177,7 @@ public class TokenService {
if (!AuthenticationManager.isSessionValid(realm, userSession)) {
AuthenticationManager.logout(session, realm, userSession, uriInfo, clientConnection);
event.error(Errors.INVALID_CODE);
return oauth.forwardToSecurityFailure("Session not active");
return Flows.forwardToSecurityFailurePage(session, realm, uriInfo, "Session not active");
}
event.session(userSession);


@ -22,4 +22,6 @@ public class ErrorFlows {
return Response.status(status).entity(error).type(MediaType.APPLICATION_JSON).build();
}
}


@ -31,6 +31,7 @@ import org.keycloak.services.managers.AuthenticationManager;
import org.keycloak.services.managers.TokenManager;
import org.keycloak.social.SocialProvider;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.UriInfo;
/**
@ -58,4 +59,9 @@ public class Flows {
return new ErrorFlows();
}
public static Response forwardToSecurityFailurePage(KeycloakSession session, RealmModel realm, UriInfo uriInfo, String message) {
return Flows.forms(session, realm, null, uriInfo).setError(message).createErrorPage();
}
}
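Review bot: The new `forwardToSecurityFailurePage` has no Javadoc, and its contract matters because it is now the single rendering path for every security rejection in this commit. I would document that it renders the realm's error page with no client context (the `null` client argument to `Flows.forms`), that it records no event so callers are expected to call `event.error(...)` themselves before returning, and that `message` is rendered to the end user and should be one of the fixed literals rather than request-derived text. A short summary sentence plus `@param`/`@return` tags saying that is enough.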


@ -179,9 +179,11 @@ public class OAuthFlows {
}
}
/*
public Response forwardToSecurityFailure(String message) {
return Flows.forms(session, realm, null, uriInfo).setError(message).createErrorPage();
}
*/
private void isTotpConfigurationRequired(UserModel user) {
for (RequiredCredentialModel c : realm.getRequiredCredentials()) {
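Review bot: The old `forwardToSecurityFailure` is kept as a commented-out block rather than deleted, even though every caller in this commit was moved to `Flows.forwardToSecurityFailurePage`. Commented-out code drifts from the live implementation and invites someone to un-comment it later, and version control already preserves the history. Delete the `/* ... */` block, and if a pointer is wanted leave a single `// moved to Flows.forwardToSecurityFailurePage` instead. `isTotpConfigurationRequired` begins at the end of this hunk and continues outside it.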