This commit is contained in:
Davide Ungari 2014-07-26 11:25:27 +02:00
parent 4cbc423d67
commit 73ed22c52c
3 changed files with 40 additions and 7 deletions

View file

@ -54,6 +54,7 @@ public class CatalinaRequestAuthenticator extends RequestAuthenticator {
@Override @Override
protected void completeOAuthAuthentication(KeycloakPrincipal skp, RefreshableKeycloakSecurityContext securityContext) { protected void completeOAuthAuthentication(KeycloakPrincipal skp, RefreshableKeycloakSecurityContext securityContext) {
request.setAttribute(KeycloakSecurityContext.class.getName(), securityContext);
Set<String> roles = getRolesFromToken(securityContext); Set<String> roles = getRolesFromToken(securityContext);
GenericPrincipal principal = new CatalinaSecurityContextHelper().createPrincipal(request.getContext().getRealm(), skp, roles, securityContext); GenericPrincipal principal = new CatalinaSecurityContextHelper().createPrincipal(request.getContext().getRealm(), skp, roles, securityContext);
Session session = request.getSessionInternal(true); Session session = request.getSessionInternal(true);

View file

@ -60,6 +60,17 @@ public class CatalinaSecurityContextHelper {
subjectGroup.addMember(role); subjectGroup.addMember(role);
} }
} }
// add the CallerPrincipal group if none has been added in getRoleSets
// Group callerGroup = new SimpleGroup(SecurityConstants.CALLER_PRINCIPAL_GROUP);
// callerGroup.addMember(identity);
// principals.add(callerGroup);
// SecurityContext sc = SecurityContextAssociation.getSecurityContext();
// Principal userPrincipal = getPrincipal(subject);
// sc.getUtil().createSubjectInfo(userPrincipal, account, subject);
// List<String> rolesAsStringList = new ArrayList<String>();
// rolesAsStringList.addAll(roleSet);
//
Principal userPrincipal = getPrincipal(subject); Principal userPrincipal = getPrincipal(subject);
List<String> rolesAsStringList = new ArrayList<String>(); List<String> rolesAsStringList = new ArrayList<String>();
rolesAsStringList.addAll(roleSet); rolesAsStringList.addAll(roleSet);

View file

@ -16,6 +16,7 @@ import org.apache.catalina.Lifecycle;
import org.apache.catalina.LifecycleEvent; import org.apache.catalina.LifecycleEvent;
import org.apache.catalina.LifecycleException; import org.apache.catalina.LifecycleException;
import org.apache.catalina.LifecycleListener; import org.apache.catalina.LifecycleListener;
import org.apache.catalina.Session;
import org.apache.catalina.authenticator.FormAuthenticator; import org.apache.catalina.authenticator.FormAuthenticator;
import org.apache.catalina.connector.Request; import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response; import org.apache.catalina.connector.Response;
@ -31,13 +32,13 @@ import org.keycloak.adapters.KeycloakDeployment;
import org.keycloak.adapters.KeycloakDeploymentBuilder; import org.keycloak.adapters.KeycloakDeploymentBuilder;
import org.keycloak.adapters.PreAuthActionsHandler; import org.keycloak.adapters.PreAuthActionsHandler;
import org.keycloak.adapters.RefreshableKeycloakSecurityContext; import org.keycloak.adapters.RefreshableKeycloakSecurityContext;
import org.keycloak.adapters.ServerRequest;
/** /**
* Web deployment whose security is managed by a remote OAuth Skeleton Key * Web deployment whose security is managed by a remote OAuth Skeleton Key authentication server
* authentication server
* <p/> * <p/>
* Redirects browser to remote authentication server if not logged in. Also * Redirects browser to remote authentication server if not logged in. Also allows OAuth Bearer Token requests
* allows OAuth Bearer Token requests that contain a Skeleton Key bearer tokens. * that contain a Skeleton Key bearer tokens.
* *
* @author <a href="mailto:ungarida@gmail.com">Davide Ungari</a> * @author <a href="mailto:ungarida@gmail.com">Davide Ungari</a>
* @version $Revision: 1 $ * @version $Revision: 1 $
@ -53,9 +54,29 @@ public class KeycloakAuthenticatorValve extends FormAuthenticator implements Lif
try { try {
startDeployment(); startDeployment();
} catch (LifecycleException e) { } catch (LifecycleException e) {
e.printStackTrace(); log.severe("Error starting deployment. " + e.getMessage());
} }
} }
if (event.getType() == Lifecycle.AFTER_START_EVENT) initInternal();
}
@Override
public void logout(Request request) throws ServletException {
KeycloakSecurityContext ksc = (KeycloakSecurityContext)request.getAttribute(KeycloakSecurityContext.class.getName());
if (ksc != null) {
request.removeAttribute(KeycloakSecurityContext.class.getName());
Session session = request.getSessionInternal(false);
if (session != null) {
session.removeNote(KeycloakSecurityContext.class.getName());
try {
ServerRequest.invokeLogout(deploymentContext.getDeployment(), ksc.getToken().getSessionState());
} catch (Exception e) {
log.severe("failed to invoke remote logout. " + e.getMessage());
}
}
}
super.logout(request);
} }
public void startDeployment() throws LifecycleException { public void startDeployment() throws LifecycleException {
@ -152,7 +173,7 @@ public class KeycloakAuthenticatorValve extends FormAuthenticator implements Lif
* @param request * @param request
*/ */
protected void checkKeycloakSession(Request request, HttpFacade facade) { protected void checkKeycloakSession(Request request, HttpFacade facade) {
if (request.getSessionInternal(false) == null || request.getSessionInternal().getPrincipal() == null) return; if (request.getSessionInternal(false) == null || request.getPrincipal() == null) return;
RefreshableKeycloakSecurityContext session = (RefreshableKeycloakSecurityContext) request.getSessionInternal().getNote(KeycloakSecurityContext.class.getName()); RefreshableKeycloakSecurityContext session = (RefreshableKeycloakSecurityContext) request.getSessionInternal().getNote(KeycloakSecurityContext.class.getName());
if (session == null) return; if (session == null) return;
// just in case session got serialized // just in case session got serialized