logout

integration/tomcat7/adapter/src/main/java/org/keycloak/adapters/tomcat7/CatalinaRequestAuthenticator.java

@@ -54,7 +54,8 @@ public class CatalinaRequestAuthenticator extends RequestAuthenticator {
 
     @Override
     protected void completeOAuthAuthentication(KeycloakPrincipal skp, RefreshableKeycloakSecurityContext securityContext) {
-        Set<String> roles = getRolesFromToken(securityContext);
+        request.setAttribute(KeycloakSecurityContext.class.getName(), securityContext);
+    	Set<String> roles = getRolesFromToken(securityContext);
         GenericPrincipal principal = new CatalinaSecurityContextHelper().createPrincipal(request.getContext().getRealm(), skp, roles, securityContext);
         Session session = request.getSessionInternal(true);
         session.setPrincipal(principal);

integration/tomcat7/adapter/src/main/java/org/keycloak/adapters/tomcat7/CatalinaSecurityContextHelper.java

@@ -60,6 +60,17 @@ public class CatalinaSecurityContextHelper {
                 subjectGroup.addMember(role);
             }
         }
+        
+        // add the CallerPrincipal group if none has been added in getRoleSets
+//        Group callerGroup = new SimpleGroup(SecurityConstants.CALLER_PRINCIPAL_GROUP);
+//        callerGroup.addMember(identity);
+//        principals.add(callerGroup);
+//        SecurityContext sc = SecurityContextAssociation.getSecurityContext();
+//        Principal userPrincipal = getPrincipal(subject);
+//        sc.getUtil().createSubjectInfo(userPrincipal, account, subject);
+//        List<String> rolesAsStringList = new ArrayList<String>();
+//        rolesAsStringList.addAll(roleSet);
+//        
         Principal userPrincipal = getPrincipal(subject);
         List<String> rolesAsStringList = new ArrayList<String>();
         rolesAsStringList.addAll(roleSet);

integration/tomcat7/adapter/src/main/java/org/keycloak/adapters/tomcat7/KeycloakAuthenticatorValve.java

@@ -16,6 +16,7 @@ import org.apache.catalina.Lifecycle;
 import org.apache.catalina.LifecycleEvent;
 import org.apache.catalina.LifecycleException;
 import org.apache.catalina.LifecycleListener;
+import org.apache.catalina.Session;
 import org.apache.catalina.authenticator.FormAuthenticator;
 import org.apache.catalina.connector.Request;
 import org.apache.catalina.connector.Response;
@@ -31,13 +32,13 @@ import org.keycloak.adapters.KeycloakDeployment;
 import org.keycloak.adapters.KeycloakDeploymentBuilder;
 import org.keycloak.adapters.PreAuthActionsHandler;
 import org.keycloak.adapters.RefreshableKeycloakSecurityContext;
+import org.keycloak.adapters.ServerRequest;
 
 /**
- * Web deployment whose security is managed by a remote OAuth Skeleton Key
- * authentication server
+ * Web deployment whose security is managed by a remote OAuth Skeleton Key authentication server
  * <p/>
- * Redirects browser to remote authentication server if not logged in. Also
- * allows OAuth Bearer Token requests that contain a Skeleton Key bearer tokens.
+ * Redirects browser to remote authentication server if not logged in.  Also allows OAuth Bearer Token requests
+ * that contain a Skeleton Key bearer tokens.
  * 
  * @author <a href="mailto:ungarida@gmail.com">Davide Ungari</a>
  * @version $Revision: 1 $
@@ -53,9 +54,29 @@ public class KeycloakAuthenticatorValve extends FormAuthenticator implements Lif
             try {
                 startDeployment();
             } catch (LifecycleException e) {
-                e.printStackTrace();
+            	log.severe("Error starting deployment. " + e.getMessage());
             }
         }
+        
+        if (event.getType() == Lifecycle.AFTER_START_EVENT) initInternal();
+    }
+    
+    @Override
+    public void logout(Request request) throws ServletException {
+        KeycloakSecurityContext ksc = (KeycloakSecurityContext)request.getAttribute(KeycloakSecurityContext.class.getName());
+        if (ksc != null) {
+            request.removeAttribute(KeycloakSecurityContext.class.getName());
+            Session session = request.getSessionInternal(false);
+            if (session != null) {
+                session.removeNote(KeycloakSecurityContext.class.getName());
+                try {
+                    ServerRequest.invokeLogout(deploymentContext.getDeployment(), ksc.getToken().getSessionState());
+                } catch (Exception e) {
+                	log.severe("failed to invoke remote logout. " + e.getMessage());
+                }
+            }
+        }
+        super.logout(request);
     }
 
     public void startDeployment() throws LifecycleException {
@@ -152,7 +173,7 @@ public class KeycloakAuthenticatorValve extends FormAuthenticator implements Lif
      * @param request
      */
     protected void checkKeycloakSession(Request request, HttpFacade facade) {
-        if (request.getSessionInternal(false) == null || request.getSessionInternal().getPrincipal() == null) return;
+        if (request.getSessionInternal(false) == null || request.getPrincipal() == null) return;
         RefreshableKeycloakSecurityContext session = (RefreshableKeycloakSecurityContext) request.getSessionInternal().getNote(KeycloakSecurityContext.class.getName());
         if (session == null) return;
         // just in case session got serialized