diff --git a/integration/tomcat7/adapter/src/main/java/org/keycloak/adapters/tomcat7/CatalinaRequestAuthenticator.java b/integration/tomcat7/adapter/src/main/java/org/keycloak/adapters/tomcat7/CatalinaRequestAuthenticator.java
index 27a003dd25..8b7bac542a 100755
--- a/integration/tomcat7/adapter/src/main/java/org/keycloak/adapters/tomcat7/CatalinaRequestAuthenticator.java
+++ b/integration/tomcat7/adapter/src/main/java/org/keycloak/adapters/tomcat7/CatalinaRequestAuthenticator.java
@@ -54,7 +54,8 @@ public class CatalinaRequestAuthenticator extends RequestAuthenticator {
 @Override
 protected void completeOAuthAuthentication(KeycloakPrincipal skp, RefreshableKeycloakSecurityContext securityContext) {
- Set roles = getRolesFromToken(securityContext);
+ request.setAttribute(KeycloakSecurityContext.class.getName(), securityContext);
+ Set roles = getRolesFromToken(securityContext);
 GenericPrincipal principal = new CatalinaSecurityContextHelper().createPrincipal(request.getContext().getRealm(), skp, roles, securityContext);
 Session session = request.getSessionInternal(true);
 session.setPrincipal(principal);
diff --git a/integration/tomcat7/adapter/src/main/java/org/keycloak/adapters/tomcat7/CatalinaSecurityContextHelper.java b/integration/tomcat7/adapter/src/main/java/org/keycloak/adapters/tomcat7/CatalinaSecurityContextHelper.java
index b4e9a59c3f..d79bab610f 100755
--- a/integration/tomcat7/adapter/src/main/java/org/keycloak/adapters/tomcat7/CatalinaSecurityContextHelper.java
+++ b/integration/tomcat7/adapter/src/main/java/org/keycloak/adapters/tomcat7/CatalinaSecurityContextHelper.java
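Review bot: The added `request.setAttribute(KeycloakSecurityContext.class.getName(), securityContext);` publishes the security context on the request before the roles and the principal exist, so if `getRolesFromToken` or `createPrincipal` throws, the request carries a security context for an authentication that never completed. Moving that line to just after `session.setPrincipal(principal);` keeps the attribute tied to a fully established principal. The line also deserves a why-comment, since the valve's new `logout(Request)` in this same commit reads this attribute, e.g. `// expose the context to the application and to KeycloakAuthenticatorValve.logout()`. completeOAuthAuthentication continues past the end of the hunk.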
@@ -60,6 +60,17 @@ public class CatalinaSecurityContextHelper {
 subjectGroup.addMember(role);
 }
 }
+
+ // add the CallerPrincipal group if none has been added in getRoleSets
+// Group callerGroup = new SimpleGroup(SecurityConstants.CALLER_PRINCIPAL_GROUP);
+// callerGroup.addMember(identity);
+// principals.add(callerGroup);
+// SecurityContext sc = SecurityContextAssociation.getSecurityContext();
+// Principal userPrincipal = getPrincipal(subject);
+// sc.getUtil().createSubjectInfo(userPrincipal, account, subject);
+// List rolesAsStringList = new ArrayList();
+// rolesAsStringList.addAll(roleSet);
+// Principal userPrincipal = getPrincipal(subject);
 List rolesAsStringList = new ArrayList();
 rolesAsStringList.addAll(roleSet);
diff --git a/integration/tomcat7/adapter/src/main/java/org/keycloak/adapters/tomcat7/KeycloakAuthenticatorValve.java b/integration/tomcat7/adapter/src/main/java/org/keycloak/adapters/tomcat7/KeycloakAuthenticatorValve.java
index 5ce3050d5c..21e08db3d6 100755
--- a/integration/tomcat7/adapter/src/main/java/org/keycloak/adapters/tomcat7/KeycloakAuthenticatorValve.java
+++ b/integration/tomcat7/adapter/src/main/java/org/keycloak/adapters/tomcat7/KeycloakAuthenticatorValve.java
@@ -16,6 +16,7 @@ import org.apache.catalina.Lifecycle;
 import org.apache.catalina.LifecycleEvent;
 import org.apache.catalina.LifecycleException;
 import org.apache.catalina.LifecycleListener;
+import org.apache.catalina.Session;
 import org.apache.catalina.authenticator.FormAuthenticator;
 import org.apache.catalina.connector.Request;
 import org.apache.catalina.connector.Response;
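Review bot: The eleven lines added after `subjectGroup.addMember(role);` are entirely commented-out code, and the one live comment, `// add the CallerPrincipal group if none has been added in getRoleSets`, describes work that nothing in the hunk performs. Commented-out code like `// Group callerGroup = new SimpleGroup(...)` and the duplicated `// Principal userPrincipal = getPrincipal(subject);` tends to drift from the real code and misleads the next reader about what the helper does; the block should be deleted, with version control keeping the history. If the CallerPrincipal handling is intended as pending work, a single `// TODO: add a CallerPrincipal group when getRoleSets did not add one` line states the intent without the dead code. The enclosing method starts and ends outside the hunk.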
@@ -31,13 +32,13 @@ import org.keycloak.adapters.KeycloakDeployment;
 import org.keycloak.adapters.KeycloakDeploymentBuilder;
 import org.keycloak.adapters.PreAuthActionsHandler;
 import org.keycloak.adapters.RefreshableKeycloakSecurityContext;
+import org.keycloak.adapters.ServerRequest;
 /**
- * Web deployment whose security is managed by a remote OAuth Skeleton Key
- * authentication server
+ * Web deployment whose security is managed by a remote OAuth Skeleton Key authentication server
 *

- * Redirects browser to remote authentication server if not logged in. Also
- * allows OAuth Bearer Token requests that contain a Skeleton Key bearer tokens.
+ * Redirects browser to remote authentication server if not logged in. Also allows OAuth Bearer Token requests
+ * that contain a Skeleton Key bearer tokens.
 *
 * @author Davide Ungari
 * @version $Revision: 1 $
@@ -53,9 +54,29 @@ public class KeycloakAuthenticatorValve extends FormAuthenticator implements Lif
 try {
 startDeployment();
 } catch (LifecycleException e) {
- e.printStackTrace();
+ log.severe("Error starting deployment. " + e.getMessage());
 }
 }
+
+ if (event.getType() == Lifecycle.AFTER_START_EVENT) initInternal();
+ }
+
+ @Override
+ public void logout(Request request) throws ServletException {
+ KeycloakSecurityContext ksc = (KeycloakSecurityContext)request.getAttribute(KeycloakSecurityContext.class.getName());
+ if (ksc != null) {
+ request.removeAttribute(KeycloakSecurityContext.class.getName());
+ Session session = request.getSessionInternal(false);
+ if (session != null) {
+ session.removeNote(KeycloakSecurityContext.class.getName());
+ try {
+ ServerRequest.invokeLogout(deploymentContext.getDeployment(), ksc.getToken().getSessionState());
+ } catch (Exception e) {
+ log.severe("failed to invoke remote logout. " + e.getMessage());
+ }
+ }
+ }
+ super.logout(request);
 }
 public void startDeployment() throws LifecycleException {
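Review bot: The new `logout(Request)` only clears the session note and calls `ServerRequest.invokeLogout` when the `KeycloakSecurityContext` request attribute is present, yet in this commit that attribute is set in `completeOAuthAuthentication`, i.e. on the request that performed the login; unless `checkKeycloakSession` (not fully visible here) re-sets it on every request, a logout issued on a later request finds `ksc == null`, leaves the security context in the session note and never tells the Keycloak server, so the server-side SSO session stays alive after the user believes they are logged out. Reading the note from the session as a fallback closes that gap; the rewrite below does that and also performs the remote logout even when no Catalina session exists. Separately, both new catch blocks log only `e.getMessage()`, which discards the stack trace and cause; assuming `log` is a `java.util.logging.Logger` (its `severe` method suggests so), `log.log(Level.SEVERE, "failed to invoke remote logout", e)` preserves them at the cost of a `java.util.logging.Level` import, and the same applies to the `LifecycleException` catch in lifecycleEvent, whose start is outside the hunk.
```java
@Override
public void logout(Request request) throws ServletException {
    KeycloakSecurityContext ksc = (KeycloakSecurityContext) request.getAttribute(KeycloakSecurityContext.class.getName());
    Session session = request.getSessionInternal(false);
    // The request attribute is only present on the request that completed the login;
    // on later requests the context lives in the session note.
    if (ksc == null && session != null) {
        ksc = (KeycloakSecurityContext) session.getNote(KeycloakSecurityContext.class.getName());
    }
    if (ksc != null) {
        request.removeAttribute(KeycloakSecurityContext.class.getName());
        if (session != null) {
            session.removeNote(KeycloakSecurityContext.class.getName());
        }
        try {
            // Invalidate the server-side session, not only the local one.
            ServerRequest.invokeLogout(deploymentContext.getDeployment(), ksc.getToken().getSessionState());
        } catch (Exception e) {
            log.log(Level.SEVERE, "failed to invoke remote logout", e); // keep the stack trace
        }
    }
    super.logout(request);
}
```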
@@ -152,7 +173,7 @@ public class KeycloakAuthenticatorValve extends FormAuthenticator implements Lif
 * @param request
 */
 protected void checkKeycloakSession(Request request, HttpFacade facade) {
- if (request.getSessionInternal(false) == null || request.getSessionInternal().getPrincipal() == null) return;
+ if (request.getSessionInternal(false) == null || request.getPrincipal() == null) return;
 RefreshableKeycloakSecurityContext session = (RefreshableKeycloakSecurityContext) request.getSessionInternal().getNote(KeycloakSecurityContext.class.getName());
 if (session == null) return;
 // just in case session got serialized
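Review bot: The rewritten guard still looks the session up twice (`getSessionInternal(false)` in the guard, then the no-argument `getSessionInternal()` on the next line), and the local named `session` actually holds a `RefreshableKeycloakSecurityContext`, which reads confusingly right next to Catalina's `Session`. Since `org.apache.catalina.Session` is imported by this commit, the three lines could become `Session catalinaSession = request.getSessionInternal(false);`, `if (catalinaSession == null || request.getPrincipal() == null) return;`, and `RefreshableKeycloakSecurityContext securityContext = (RefreshableKeycloakSecurityContext) catalinaSession.getNote(KeycloakSecurityContext.class.getName());`, with the following null check renamed to match. The Javadoc above the method only has a bare `@param request`; a line such as `@param facade the HTTP facade used for the current request` would complete it. checkKeycloakSession continues past the end of the hunk, so the rename would have to be carried through the rest of the body.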