KEYCLOAK-3881 Fix login status iframe with * origin
This commit is contained in:
parent
3e71aeddf3
commit
7043ecc21b
4 changed files with 39 additions and 7 deletions
@ -175,7 +175,7 @@ public class DefaultInfinispanConnectionProviderFactory implements InfinispanCon
replicationConfigBuilder.clustering().cacheMode(async ? CacheMode.REPL_ASYNC : CacheMode.REPL_SYNC);
}
boolean jdgEnabled = config.getBoolean("remoteStoreEnabled");
boolean jdgEnabled = config.getBoolean("remoteStoreEnabled", false);
if (jdgEnabled) {
configureRemoteCacheStore(replicationConfigBuilder, async);
}
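Review bot: The `false` default in `boolean jdgEnabled = config.getBoolean("remoteStoreEnabled", false);` changes what happens when the key is absent (the remote store now stays off; what the single-argument overload did on a missing key is not visible here), and nothing in the hunk records why. A one-line comment would make the opt-in nature explicit, e.g. `// remote store is opt-in: an absent "remoteStoreEnabled" key means disabled`. This change is unrelated to the iframe fix named in the commit title and would be easier to trace in a commit of its own. The enclosing method starts and ends outside the hunk.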
@ -75,7 +75,7 @@ public class LoginStatusIframeEndpoint {
if (client != null) {
Set<String> validWebOrigins = WebOriginsUtils.resolveValidWebOrigins(uriInfo, client);
validWebOrigins.add(UriUtils.getOrigin(uriInfo.getRequestUri()));
if (validWebOrigins.contains(origin)) {
if (validWebOrigins.contains("*") || validWebOrigins.contains(origin)) {
return Response.noContent().build();
}
}
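Review bot: The wildcard literal in `if (validWebOrigins.contains("*") || validWebOrigins.contains(origin))` is a second magic string next to `WebOriginsUtils.INCLUDE_REDIRECTS` (`"+"`), and nothing documents that a client configured with `*` makes this endpoint answer 204 for any request-supplied `origin`. Pull it into a named constant in WebOriginsUtils (for example `ALLOW_ALL = "*"`, a proposed name) and comment the check, e.g. `// "*" in the client's web origins disables the origin check: any caller-supplied origin gets 204`. Because `origin` comes from the request (the new test passes it as the `origin` query parameter), a single constant also makes every place the wildcard is honoured greppable during review. The enclosing method starts and ends outside the hunk.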
@ -21,6 +21,7 @@ import org.keycloak.common.util.UriUtils;
import org.keycloak.models.ClientModel;
import javax.ws.rs.core.UriInfo;
import java.util.HashSet;
import java.util.Set;
/**
@ -31,17 +32,20 @@ public class WebOriginsUtils {
public static final String INCLUDE_REDIRECTS = "+";
public static Set<String> resolveValidWebOrigins(UriInfo uriInfo, ClientModel client) {
Set<String> webOrigins = client.getWebOrigins();
if (webOrigins != null && webOrigins.contains("+")) {
webOrigins.remove(INCLUDE_REDIRECTS);
Set<String> origins = new HashSet<>();
if (client.getWebOrigins() != null) {
origins.addAll(client.getWebOrigins());
}
if (origins.contains("+")) {
origins.remove(INCLUDE_REDIRECTS);
client.getRedirectUris();
for (String redirectUri : RedirectUtils.resolveValidRedirects(uriInfo, client.getRootUrl(), client.getRedirectUris())) {
if (redirectUri.startsWith("http://") || redirectUri.startsWith("https://")) {
webOrigins.add(UriUtils.getOrigin(redirectUri));
origins.add(UriUtils.getOrigin(redirectUri));
}
}
}
return webOrigins;
return origins;
}
}
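Review bot: `client.getRedirectUris();` standing alone inside the `+` branch of `resolveValidWebOrigins` is a no-op whose result is discarded, and the new code keeps it; delete it, since the same call is made in the `for` header directly below. The branch also checks `origins.contains("+")` with a literal while removing with `INCLUDE_REDIRECTS`; use the constant in both places. The method now builds and returns a fresh `HashSet` instead of the model's own collection, which matters because the iframe endpoint then calls `add` on the result, so that contract belongs in a Javadoc, e.g. `@return a new mutable set of allowed origins; callers may add to it without altering the client's stored web origins`, together with a line stating that `+` expands to the origins of the client's valid redirect URIs. The first hunk of this file only adds the `java.util.HashSet` import.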
@ -31,12 +31,15 @@ import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.message.BasicNameValuePair;
import org.junit.Test;
import org.keycloak.admin.client.resource.ClientResource;
import org.keycloak.models.Constants;
import org.keycloak.representations.idm.ClientRepresentation;
import org.keycloak.representations.idm.RealmRepresentation;
import org.keycloak.testsuite.AbstractKeycloakTest;
import java.io.IOException;
import java.net.URLEncoder;
import java.util.Collections;
import java.util.LinkedList;
import java.util.List;
import java.util.regex.Matcher;
@ -159,6 +162,31 @@ public class LoginStatusIframeEndpointTest extends AbstractKeycloakTest {
}
}
@Test
public void checkIframeWildcardOrigin() throws IOException {
String id = adminClient.realm("master").clients().findByClientId(Constants.ADMIN_CONSOLE_CLIENT_ID).get(0).getId();
ClientResource master = adminClient.realm("master").clients().get(id);
ClientRepresentation rep = master.toRepresentation();
List<String> org = rep.getWebOrigins();
CloseableHttpClient client = HttpClients.createDefault();
try {
rep.setWebOrigins(Collections.singletonList("*"));
master.update(rep);
HttpGet get = new HttpGet(suiteContext.getAuthServerInfo().getContextRoot() + "/auth/realms/master/protocol/openid-connect/login-status-iframe.html/init?"
+ "client_id=" + Constants.ADMIN_CONSOLE_CLIENT_ID
+ "&origin=" + "http://anything"
);
CloseableHttpResponse response = client.execute(get);
assertEquals(204, response.getStatusLine().getStatusCode());
response.close();
} finally {
rep.setWebOrigins(org);
master.update(rep);
client.close();
}
}
@Override
public void addTestRealms(List<RealmRepresentation> testRealms) {
}
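Review bot: `response.close()` in `checkIframeWildcardOrigin` is skipped whenever the preceding `assertEquals` fails, so a failing run leaks the connection for the rest of the suite; `try (CloseableHttpResponse response = client.execute(get)) { assertEquals(204, response.getStatusLine().getStatusCode()); }` closes it on every path. The test only exercises the permissive case; a second request made after `rep.setWebOrigins(org)` is restored (or against a client without `*`) asserting a non-204 status would catch a regression in which the endpoint starts accepting every origin. `URLEncoder` is imported but the `origin` value is concatenated raw into the query string; encoding it keeps the request well-formed if the literal ever changes. The `finally` block writes the master admin-console client back via `master.update(rep)`, so a failure there leaves `*` configured on that client — worth a comment such as `// restore the real origins; the master console client must not be left with "*"`.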