From 7c97e02715177fbc34fd8dabb5bb6b0dcd0fc36e Mon Sep 17 00:00:00 2001 From: Bill Burke Date: Mon, 11 Aug 2014 17:45:01 -0400 Subject: [PATCH] X-Frame-Options, Content-Security-Policy --- .../idm/RealmRepresentation.java | 9 +++++ .../freemarker/FreeMarkerAccountProvider.java | 5 ++- .../BrowserSecurityHeaderSetup.java | 23 ++++++++++++ .../theme/admin/base/resources/js/app.js | 33 +++++++++++------ .../base/resources/js/controllers/realm.js | 12 ++++--- ...sion-brute-force.html => brute-force.html} | 10 ++---- .../resources/partials/defense-headers.html | 36 +++++++++++++++++++ .../base/resources/partials/realm-detail.html | 3 +- .../base/resources/partials/realm-menu.html | 1 + .../resources/partials/session-realm.html | 1 - .../FreeMarkerLoginFormsProvider.java | 5 ++- .../models/BrowserSecurityHeaders.java | 27 ++++++++++++++ .../java/org/keycloak/models/RealmModel.java | 3 ++ .../keycloak/models/entities/RealmEntity.java | 9 +++++ .../models/utils/ModelToRepresentation.java | 1 + .../models/utils/RepresentationToModel.java | 11 ++++++ .../keycloak/models/cache/RealmAdapter.java | 13 +++++++ .../models/cache/entities/CachedRealm.java | 6 ++++ .../org/keycloak/models/jpa/RealmAdapter.java | 22 ++++++++++++ .../mongo/keycloak/adapters/RealmAdapter.java | 11 ++++++ .../services/managers/RealmManager.java | 3 ++ .../resources/admin/AdminConsole.java | 5 ++- .../testsuite/account/AccountTest.java | 5 +-- .../testsuite/admin/AdminAPITest.java | 3 ++ .../keycloak/testsuite/forms/LoginTest.java | 20 +++++++++++ 25 files changed, 246 insertions(+), 31 deletions(-) create mode 100755 forms/common-freemarker/src/main/java/org/keycloak/freemarker/BrowserSecurityHeaderSetup.java rename forms/common-themes/src/main/resources/theme/admin/base/resources/partials/{session-brute-force.html => brute-force.html} (91%) create mode 100755 forms/common-themes/src/main/resources/theme/admin/base/resources/partials/defense-headers.html create mode 100755 model/api/src/main/java/org/keycloak/models/BrowserSecurityHeaders.java diff --git a/core/src/main/java/org/keycloak/representations/idm/RealmRepresentation.java b/core/src/main/java/org/keycloak/representations/idm/RealmRepresentation.java index 3bb7e836ef..dad5eac635 100755 --- a/core/src/main/java/org/keycloak/representations/idm/RealmRepresentation.java +++ b/core/src/main/java/org/keycloak/representations/idm/RealmRepresentation.java @@ -52,6 +52,7 @@ public class RealmRepresentation { protected Map> applicationScopeMappings; protected List applications; protected List oauthClients; + protected Map browserSecurityHeaders; protected Map socialProviders; protected Map smtpServer; protected List userFederationProviders; @@ -291,6 +292,14 @@ public class RealmRepresentation { this.updateProfileOnInitialSocialLogin = updateProfileOnInitialSocialLogin; } + public Map getBrowserSecurityHeaders() { + return browserSecurityHeaders; + } + + public void setBrowserSecurityHeaders(Map browserSecurityHeaders) { + this.browserSecurityHeaders = browserSecurityHeaders; + } + public Map getSocialProviders() { return socialProviders; } diff --git a/forms/account-freemarker/src/main/java/org/keycloak/account/freemarker/FreeMarkerAccountProvider.java b/forms/account-freemarker/src/main/java/org/keycloak/account/freemarker/FreeMarkerAccountProvider.java index 3e89af8ea1..6ec3416205 100755 --- a/forms/account-freemarker/src/main/java/org/keycloak/account/freemarker/FreeMarkerAccountProvider.java +++ b/forms/account-freemarker/src/main/java/org/keycloak/account/freemarker/FreeMarkerAccountProvider.java @@ -13,6 +13,7 @@ import org.keycloak.account.freemarker.model.SessionsBean; import org.keycloak.account.freemarker.model.TotpBean; import org.keycloak.account.freemarker.model.UrlBean; import org.keycloak.audit.Event; +import org.keycloak.freemarker.BrowserSecurityHeaderSetup; import org.keycloak.freemarker.FreeMarkerException; import org.keycloak.freemarker.FreeMarkerUtil; import org.keycloak.freemarker.Theme; @@ -136,7 +137,9 @@ public class FreeMarkerAccountProvider implements AccountProvider { try { String result = freeMarker.processTemplate(attributes, Templates.getTemplate(page), theme); - return Response.status(status).type(MediaType.TEXT_HTML).entity(result).build(); + Response.ResponseBuilder builder = Response.status(status).type(MediaType.TEXT_HTML).entity(result); + BrowserSecurityHeaderSetup.headers(builder, realm); + return builder.build(); } catch (FreeMarkerException e) { logger.error("Failed to process template", e); return Response.serverError().build(); diff --git a/forms/common-freemarker/src/main/java/org/keycloak/freemarker/BrowserSecurityHeaderSetup.java b/forms/common-freemarker/src/main/java/org/keycloak/freemarker/BrowserSecurityHeaderSetup.java new file mode 100755 index 0000000000..da8fc5d0a6 --- /dev/null +++ b/forms/common-freemarker/src/main/java/org/keycloak/freemarker/BrowserSecurityHeaderSetup.java @@ -0,0 +1,23 @@ +package org.keycloak.freemarker; + +import org.keycloak.models.BrowserSecurityHeaders; +import org.keycloak.models.RealmModel; + +import javax.ws.rs.core.Response; +import java.util.Map; + +/** + * @author Bill Burke + * @version $Revision: 1 $ + */ +public class BrowserSecurityHeaderSetup { + + public static Response.ResponseBuilder headers(Response.ResponseBuilder builder, RealmModel realm) { + for (Map.Entry entry : realm.getBrowserSecurityHeaders().entrySet()) { + String headerName = BrowserSecurityHeaders.headerAttributeMap.get(entry.getKey()); + if (headerName == null) continue; + builder.header(headerName, entry.getValue()); + } + return builder; + } +} diff --git a/forms/common-themes/src/main/resources/theme/admin/base/resources/js/app.js b/forms/common-themes/src/main/resources/theme/admin/base/resources/js/app.js index 4f7b83ac4b..4c434c2a14 100755 --- a/forms/common-themes/src/main/resources/theme/admin/base/resources/js/app.js +++ b/forms/common-themes/src/main/resources/theme/admin/base/resources/js/app.js @@ -675,16 +675,7 @@ module.config([ '$routeProvider', function($routeProvider) { }, controller : 'RealmRevocationCtrl' }) - .when('/realms/:realm/sessions/brute-force', { - templateUrl : 'partials/session-brute-force.html', - resolve : { - realm : function(RealmLoader) { - return RealmLoader(); - } - }, - controller : 'RealmBruteForceCtrl' - }) - .when('/realms/:realm/sessions/realm', { + .when('/realms/:realm/sessions/realm', { templateUrl : 'partials/session-realm.html', resolve : { realm : function(RealmLoader) { @@ -761,6 +752,28 @@ module.config([ '$routeProvider', function($routeProvider) { }, controller : 'GenericUserFederationCtrl' }) + .when('/realms/:realm/defense/headers', { + templateUrl : 'partials/defense-headers.html', + resolve : { + realm : function(RealmLoader) { + return RealmLoader(); + }, + serverInfo : function(ServerInfoLoader) { + return ServerInfoLoader(); + } + + }, + controller : 'DefenseHeadersCtrl' + }) + .when('/realms/:realm/defense/brute-force', { + templateUrl : 'partials/brute-force.html', + resolve : { + realm : function(RealmLoader) { + return RealmLoader(); + } + }, + controller : 'RealmBruteForceCtrl' + }) .when('/logout', { templateUrl : 'partials/home.html', controller : 'LogoutCtrl' diff --git a/forms/common-themes/src/main/resources/theme/admin/base/resources/js/controllers/realm.js b/forms/common-themes/src/main/resources/theme/admin/base/resources/js/controllers/realm.js index e89401d747..8ce2c34ba3 100755 --- a/forms/common-themes/src/main/resources/theme/admin/base/resources/js/controllers/realm.js +++ b/forms/common-themes/src/main/resources/theme/admin/base/resources/js/controllers/realm.js @@ -340,8 +340,6 @@ function genericRealmUpdate($scope, Current, Realm, realm, serverInfo, $http, $l var oldCopy = angular.copy($scope.realm); - - $scope.changed = false; $scope.$watch('realm', function() { @@ -384,16 +382,20 @@ function genericRealmUpdate($scope, Current, Realm, realm, serverInfo, $http, $l } +module.controller('DefenseHeadersCtrl', function($scope, Current, Realm, realm, serverInfo, $http, $location, Dialog, Notifications) { + genericRealmUpdate($scope, Current, Realm, realm, serverInfo, $http, $location, Dialog, Notifications, "/realms/" + realm.realm + "/defense/headers"); +}); + module.controller('RealmLoginSettingsCtrl', function($scope, Current, Realm, realm, serverInfo, $http, $location, Dialog, Notifications) { - genericRealmUpdate($scope, Current, Realm, realm, serverInfo, $http, $location, Dialog, Notifications, "/realms/" + realm.realm + "/login-settings") + genericRealmUpdate($scope, Current, Realm, realm, serverInfo, $http, $location, Dialog, Notifications, "/realms/" + realm.realm + "/login-settings"); }); module.controller('RealmThemeCtrl', function($scope, Current, Realm, realm, serverInfo, $http, $location, Dialog, Notifications) { - genericRealmUpdate($scope, Current, Realm, realm, serverInfo, $http, $location, Dialog, Notifications, "/realms/" + realm.realm + "/theme-settings") + genericRealmUpdate($scope, Current, Realm, realm, serverInfo, $http, $location, Dialog, Notifications, "/realms/" + realm.realm + "/theme-settings"); }); module.controller('RealmCacheCtrl', function($scope, Current, Realm, realm, serverInfo, $http, $location, Dialog, Notifications) { - genericRealmUpdate($scope, Current, Realm, realm, serverInfo, $http, $location, Dialog, Notifications, "/realms/" + realm.realm + "/cache-settings") + genericRealmUpdate($scope, Current, Realm, realm, serverInfo, $http, $location, Dialog, Notifications, "/realms/" + realm.realm + "/cache-settings"); }); module.controller('RealmRequiredCredentialsCtrl', function($scope, Realm, realm, $http, $location, Dialog, Notifications, PasswordPolicy) { diff --git a/forms/common-themes/src/main/resources/theme/admin/base/resources/partials/session-brute-force.html b/forms/common-themes/src/main/resources/theme/admin/base/resources/partials/brute-force.html similarity index 91% rename from forms/common-themes/src/main/resources/theme/admin/base/resources/partials/session-brute-force.html rename to forms/common-themes/src/main/resources/theme/admin/base/resources/partials/brute-force.html index 3f9bd9a813..d02d7d0499 100755 --- a/forms/common-themes/src/main/resources/theme/admin/base/resources/partials/session-brute-force.html +++ b/forms/common-themes/src/main/resources/theme/admin/base/resources/partials/brute-force.html @@ -1,16 +1,10 @@
-
    -
  1. {{realm.realm}}
    2. -
  2. Brute Force
    3. -

{{realm.realm}} Brute Force Protection Settings

diff --git a/forms/common-themes/src/main/resources/theme/admin/base/resources/partials/defense-headers.html b/forms/common-themes/src/main/resources/theme/admin/base/resources/partials/defense-headers.html new file mode 100755 index 0000000000..734efa91cf --- /dev/null +++ b/forms/common-themes/src/main/resources/theme/admin/base/resources/partials/defense-headers.html @@ -0,0 +1,36 @@ +
+
+ +
+
+

{{realm.realm}} Browser Security Headers

+ +
+
+ +
+ +
+
+
+ +
+ +
+
+
+
+ + +
+ +
+
+

{{realm.realm}}

+
+ +
+
\ No newline at end of file diff --git a/forms/common-themes/src/main/resources/theme/admin/base/resources/partials/realm-detail.html b/forms/common-themes/src/main/resources/theme/admin/base/resources/partials/realm-detail.html index f9c1e3be15..ac43458061 100755 --- a/forms/common-themes/src/main/resources/theme/admin/base/resources/partials/realm-detail.html +++ b/forms/common-themes/src/main/resources/theme/admin/base/resources/partials/realm-detail.html @@ -15,17 +15,16 @@
-
+
-
diff --git a/forms/common-themes/src/main/resources/theme/admin/base/resources/partials/realm-menu.html b/forms/common-themes/src/main/resources/theme/admin/base/resources/partials/realm-menu.html index 1bc9c6bbda..b5dca73be5 100755 --- a/forms/common-themes/src/main/resources/theme/admin/base/resources/partials/realm-menu.html +++ b/forms/common-themes/src/main/resources/theme/admin/base/resources/partials/realm-menu.html @@ -9,5 +9,6 @@
  • Applications
  • OAuth Clients
  • Sessions and Tokens
    • +
  • Security Defenses
  • Audit
    • \ No newline at end of file diff --git a/forms/common-themes/src/main/resources/theme/admin/base/resources/partials/session-realm.html b/forms/common-themes/src/main/resources/theme/admin/base/resources/partials/session-realm.html index 866b2f7c65..f5f164a317 100755 --- a/forms/common-themes/src/main/resources/theme/admin/base/resources/partials/session-realm.html +++ b/forms/common-themes/src/main/resources/theme/admin/base/resources/partials/session-realm.html @@ -4,7 +4,6 @@
  • Realm Sessions
  • Timeout Settings
  • Revocation
    • -
  • Brute Force Protection
      • diff --git a/forms/login-freemarker/src/main/java/org/keycloak/login/freemarker/FreeMarkerLoginFormsProvider.java b/forms/login-freemarker/src/main/java/org/keycloak/login/freemarker/FreeMarkerLoginFormsProvider.java index fcabeb131d..34168cda67 100755 --- a/forms/login-freemarker/src/main/java/org/keycloak/login/freemarker/FreeMarkerLoginFormsProvider.java +++ b/forms/login-freemarker/src/main/java/org/keycloak/login/freemarker/FreeMarkerLoginFormsProvider.java @@ -4,6 +4,7 @@ import org.jboss.logging.Logger; import org.keycloak.OAuth2Constants; import org.keycloak.email.EmailException; import org.keycloak.email.EmailProvider; +import org.keycloak.freemarker.BrowserSecurityHeaderSetup; import org.keycloak.freemarker.FreeMarkerException; import org.keycloak.freemarker.FreeMarkerUtil; import org.keycloak.freemarker.Theme; @@ -216,7 +217,9 @@ public class FreeMarkerLoginFormsProvider implements LoginFormsProvider { try { String result = freeMarker.processTemplate(attributes, Templates.getTemplate(page), theme); - return Response.status(status).type(MediaType.TEXT_HTML).entity(result).build(); + Response.ResponseBuilder builder = Response.status(status).type(MediaType.TEXT_HTML).entity(result); + BrowserSecurityHeaderSetup.headers(builder, realm); + return builder.build(); } catch (FreeMarkerException e) { logger.error("Failed to process template", e); return Response.serverError().build(); diff --git a/model/api/src/main/java/org/keycloak/models/BrowserSecurityHeaders.java b/model/api/src/main/java/org/keycloak/models/BrowserSecurityHeaders.java new file mode 100755 index 0000000000..e7d479f4c1 --- /dev/null +++ b/model/api/src/main/java/org/keycloak/models/BrowserSecurityHeaders.java @@ -0,0 +1,27 @@ +package org.keycloak.models; + +import java.util.Collections; +import java.util.HashMap; +import java.util.Map; + +/** + * @author Bill Burke + * @version $Revision: 1 $ + */ +public class BrowserSecurityHeaders { + public static final Map headerAttributeMap; + public static final Map defaultHeaders; + + static { + Map headerMap = new HashMap(); + headerMap.put("xFrameOptions", "X-Frame-Options"); + headerMap.put("contentSecurityPolicy", "Content-Security-Policy"); + + Map dh = new HashMap(); + dh.put("xFrameOptions", "SAMEORIGIN"); + dh.put("contentSecurityPolicy", "frame-src 'self'"); + + defaultHeaders = Collections.unmodifiableMap(dh); + headerAttributeMap = Collections.unmodifiableMap(headerMap); + } +} diff --git a/model/api/src/main/java/org/keycloak/models/RealmModel.java b/model/api/src/main/java/org/keycloak/models/RealmModel.java index 4ae280f76b..b863e32fc1 100755 --- a/model/api/src/main/java/org/keycloak/models/RealmModel.java +++ b/model/api/src/main/java/org/keycloak/models/RealmModel.java @@ -151,6 +151,9 @@ public interface RealmModel extends RoleContainerModel { List getOAuthClients(); + Map getBrowserSecurityHeaders(); + void setBrowserSecurityHeaders(Map headers); + Map getSmtpConfig(); void setSmtpConfig(Map smtpConfig); diff --git a/model/api/src/main/java/org/keycloak/models/entities/RealmEntity.java b/model/api/src/main/java/org/keycloak/models/entities/RealmEntity.java index 8d3779b54e..fdba16a8a3 100755 --- a/model/api/src/main/java/org/keycloak/models/entities/RealmEntity.java +++ b/model/api/src/main/java/org/keycloak/models/entities/RealmEntity.java @@ -52,6 +52,7 @@ public class RealmEntity extends AbstractIdentifiableEntity { private List requiredCredentials = new ArrayList(); private List userFederationProviders = new ArrayList(); + private Map browserSecurityHeaders = new HashMap(); private Map smtpConfig = new HashMap(); private Map socialConfig = new HashMap(); @@ -317,6 +318,14 @@ public class RealmEntity extends AbstractIdentifiableEntity { this.requiredCredentials = requiredCredentials; } + public Map getBrowserSecurityHeaders() { + return browserSecurityHeaders; + } + + public void setBrowserSecurityHeaders(Map browserSecurityHeaders) { + this.browserSecurityHeaders = browserSecurityHeaders; + } + public Map getSmtpConfig() { return smtpConfig; } diff --git a/model/api/src/main/java/org/keycloak/models/utils/ModelToRepresentation.java b/model/api/src/main/java/org/keycloak/models/utils/ModelToRepresentation.java index 44994651b7..8e34e1545b 100755 --- a/model/api/src/main/java/org/keycloak/models/utils/ModelToRepresentation.java +++ b/model/api/src/main/java/org/keycloak/models/utils/ModelToRepresentation.java @@ -105,6 +105,7 @@ public class ModelToRepresentation { rep.setAccessCodeLifespanUserAction(realm.getAccessCodeLifespanUserAction()); rep.setSmtpServer(realm.getSmtpConfig()); rep.setSocialProviders(realm.getSocialConfig()); + rep.setBrowserSecurityHeaders(realm.getBrowserSecurityHeaders()); rep.setAccountTheme(realm.getAccountTheme()); rep.setLoginTheme(realm.getLoginTheme()); rep.setAdminTheme(realm.getAdminTheme()); diff --git a/model/api/src/main/java/org/keycloak/models/utils/RepresentationToModel.java b/model/api/src/main/java/org/keycloak/models/utils/RepresentationToModel.java index c7d7c263f7..b79d6c2b7f 100755 --- a/model/api/src/main/java/org/keycloak/models/utils/RepresentationToModel.java +++ b/model/api/src/main/java/org/keycloak/models/utils/RepresentationToModel.java @@ -4,6 +4,7 @@ import net.iharder.Base64; import org.jboss.logging.Logger; import org.keycloak.enums.SslRequired; import org.keycloak.models.ApplicationModel; +import org.keycloak.models.BrowserSecurityHeaders; import org.keycloak.models.ClaimMask; import org.keycloak.models.ClientModel; import org.keycloak.models.KeycloakSession; @@ -199,6 +200,12 @@ public class RepresentationToModel { newRealm.setSmtpConfig(new HashMap(rep.getSmtpServer())); } + if (rep.getBrowserSecurityHeaders() != null) { + newRealm.setBrowserSecurityHeaders(rep.getBrowserSecurityHeaders()); + } else { + newRealm.setBrowserSecurityHeaders(BrowserSecurityHeaders.defaultHeaders); + } + if (rep.getSocialProviders() != null) { newRealm.setSocialConfig(new HashMap(rep.getSocialProviders())); } @@ -266,6 +273,10 @@ public class RepresentationToModel { realm.setSocialConfig(new HashMap(rep.getSocialProviders())); } + if (rep.getBrowserSecurityHeaders() != null) { + realm.setBrowserSecurityHeaders(rep.getBrowserSecurityHeaders()); + } + if (rep.getUserFederationProviders() != null) { List providerModels = convertFederationProviders(rep.getUserFederationProviders()); realm.setUserFederationProviders(providerModels); diff --git a/model/invalidation-cache/model-adapters/src/main/java/org/keycloak/models/cache/RealmAdapter.java b/model/invalidation-cache/model-adapters/src/main/java/org/keycloak/models/cache/RealmAdapter.java index 9fb8a1ee79..fac84105e8 100755 --- a/model/invalidation-cache/model-adapters/src/main/java/org/keycloak/models/cache/RealmAdapter.java +++ b/model/invalidation-cache/model-adapters/src/main/java/org/keycloak/models/cache/RealmAdapter.java @@ -557,6 +557,19 @@ public class RealmAdapter implements RealmModel { return clients; } + @Override + public Map getBrowserSecurityHeaders() { + if (updated != null) return updated.getBrowserSecurityHeaders(); + return cached.getBrowserSecurityHeaders(); + } + + @Override + public void setBrowserSecurityHeaders(Map headers) { + getDelegateForUpdate(); + updated.setBrowserSecurityHeaders(headers); + + } + @Override public Map getSmtpConfig() { if (updated != null) return updated.getSmtpConfig(); diff --git a/model/invalidation-cache/model-adapters/src/main/java/org/keycloak/models/cache/entities/CachedRealm.java b/model/invalidation-cache/model-adapters/src/main/java/org/keycloak/models/cache/entities/CachedRealm.java index cacc0843c6..a6256b0d5b 100755 --- a/model/invalidation-cache/model-adapters/src/main/java/org/keycloak/models/cache/entities/CachedRealm.java +++ b/model/invalidation-cache/model-adapters/src/main/java/org/keycloak/models/cache/entities/CachedRealm.java @@ -66,6 +66,7 @@ public class CachedRealm { private List requiredCredentials = new ArrayList(); private List userFederationProviders = new ArrayList(); + private Map browserSecurityHeaders = new HashMap(); private Map smtpConfig = new HashMap(); private Map socialConfig = new HashMap(); @@ -123,6 +124,7 @@ public class CachedRealm { smtpConfig.putAll(model.getSmtpConfig()); socialConfig.putAll(model.getSocialConfig()); + browserSecurityHeaders.putAll(model.getBrowserSecurityHeaders()); auditEnabled = model.isAuditEnabled(); auditExpiration = model.getAuditExpiration(); @@ -287,6 +289,10 @@ public class CachedRealm { return socialConfig; } + public Map getBrowserSecurityHeaders() { + return browserSecurityHeaders; + } + public String getLoginTheme() { return loginTheme; } diff --git a/model/jpa/src/main/java/org/keycloak/models/jpa/RealmAdapter.java b/model/jpa/src/main/java/org/keycloak/models/jpa/RealmAdapter.java index 4b44180354..612d3ec62e 100755 --- a/model/jpa/src/main/java/org/keycloak/models/jpa/RealmAdapter.java +++ b/model/jpa/src/main/java/org/keycloak/models/jpa/RealmAdapter.java @@ -196,6 +196,7 @@ public class RealmAdapter implements RealmModel { } public Map getAttributes() { + // should always return a copy Map result = new HashMap(); for (RealmAttributeEntity attr : realm.getAttributes()) { result.put(attr.getName(), attr.getValue()); @@ -711,6 +712,27 @@ public class RealmAdapter implements RealmModel { return list; } + private static final String BROWSER_HEADER_PREFIX = "_browser_header."; + + @Override + public Map getBrowserSecurityHeaders() { + Map attributes = getAttributes(); + Map headers = new HashMap(); + for (Map.Entry entry : attributes.entrySet()) { + if (entry.getKey().startsWith(BROWSER_HEADER_PREFIX)) { + headers.put(entry.getKey().substring(BROWSER_HEADER_PREFIX.length()), entry.getValue()); + } + } + return headers; + } + + @Override + public void setBrowserSecurityHeaders(Map headers) { + for (Map.Entry entry : headers.entrySet()) { + setAttribute(BROWSER_HEADER_PREFIX + entry.getKey(), entry.getValue()); + } + } + @Override public Map getSmtpConfig() { return realm.getSmtpConfig(); diff --git a/model/mongo/src/main/java/org/keycloak/models/mongo/keycloak/adapters/RealmAdapter.java b/model/mongo/src/main/java/org/keycloak/models/mongo/keycloak/adapters/RealmAdapter.java index 893f52e0f9..0c6eda25a2 100755 --- a/model/mongo/src/main/java/org/keycloak/models/mongo/keycloak/adapters/RealmAdapter.java +++ b/model/mongo/src/main/java/org/keycloak/models/mongo/keycloak/adapters/RealmAdapter.java @@ -734,6 +734,17 @@ public class RealmAdapter extends AbstractMongoAdapter impleme return model; } + @Override + public Map getBrowserSecurityHeaders() { + return realm.getBrowserSecurityHeaders(); + } + + @Override + public void setBrowserSecurityHeaders(Map headers) { + realm.setBrowserSecurityHeaders(headers); + updateRealm(); + } + @Override public Map getSmtpConfig() { return realm.getSmtpConfig(); diff --git a/services/src/main/java/org/keycloak/services/managers/RealmManager.java b/services/src/main/java/org/keycloak/services/managers/RealmManager.java index c8b613cb93..c6ccb76074 100755 --- a/services/src/main/java/org/keycloak/services/managers/RealmManager.java +++ b/services/src/main/java/org/keycloak/services/managers/RealmManager.java @@ -7,6 +7,7 @@ import org.keycloak.exportimport.util.ImportUtils; import org.keycloak.models.AccountRoles; import org.keycloak.models.AdminRoles; import org.keycloak.models.ApplicationModel; +import org.keycloak.models.BrowserSecurityHeaders; import org.keycloak.models.Constants; import org.keycloak.models.KeycloakSession; import org.keycloak.models.RealmModel; @@ -117,6 +118,8 @@ public class RealmManager { protected void setupRealmDefaults(RealmModel realm) { + realm.setBrowserSecurityHeaders(BrowserSecurityHeaders.defaultHeaders); + // brute force realm.setBruteForceProtected(false); // default settings off for now todo set it on realm.setMaxFailureWaitSeconds(900); diff --git a/services/src/main/java/org/keycloak/services/resources/admin/AdminConsole.java b/services/src/main/java/org/keycloak/services/resources/admin/AdminConsole.java index 2d7c0caa40..cce5a0bc4b 100755 --- a/services/src/main/java/org/keycloak/services/resources/admin/AdminConsole.java +++ b/services/src/main/java/org/keycloak/services/resources/admin/AdminConsole.java @@ -8,6 +8,7 @@ import org.jboss.resteasy.spi.HttpResponse; import org.jboss.resteasy.spi.NotFoundException; import org.keycloak.ClientConnection; import org.keycloak.Config; +import org.keycloak.freemarker.BrowserSecurityHeaderSetup; import org.keycloak.freemarker.Theme; import org.keycloak.freemarker.ThemeProvider; import org.keycloak.models.AdminRoles; @@ -325,7 +326,9 @@ public class AdminConsole { cacheControl.setNoTransform(false); cacheControl.setMaxAge(Config.scope("theme").getInt("staticMaxAge", -1)); - return Response.ok(resource).type(contentType).cacheControl(cacheControl).build(); + Response.ResponseBuilder builder = Response.ok(resource).type(contentType).cacheControl(cacheControl); + BrowserSecurityHeaderSetup.headers(builder, realm); + return builder.build(); } else { return Response.status(Response.Status.NOT_FOUND).build(); } diff --git a/testsuite/integration/src/test/java/org/keycloak/testsuite/account/AccountTest.java b/testsuite/integration/src/test/java/org/keycloak/testsuite/account/AccountTest.java index 0d0c170302..9ebdaff5d6 100755 --- a/testsuite/integration/src/test/java/org/keycloak/testsuite/account/AccountTest.java +++ b/testsuite/integration/src/test/java/org/keycloak/testsuite/account/AccountTest.java @@ -25,6 +25,7 @@ import org.junit.After; import org.junit.Assert; import org.junit.Before; import org.junit.ClassRule; +import org.junit.Ignore; import org.junit.Rule; import org.junit.Test; import org.keycloak.audit.Details; @@ -158,12 +159,12 @@ public class AccountTest { }); } - /* + @Ignore @Test public void forever() throws Exception{ while (true) Thread.sleep(5000); } - */ + @Test public void returnToAppFromQueryParam() { diff --git a/testsuite/integration/src/test/java/org/keycloak/testsuite/admin/AdminAPITest.java b/testsuite/integration/src/test/java/org/keycloak/testsuite/admin/AdminAPITest.java index e22c9d1f26..49424112a8 100755 --- a/testsuite/integration/src/test/java/org/keycloak/testsuite/admin/AdminAPITest.java +++ b/testsuite/integration/src/test/java/org/keycloak/testsuite/admin/AdminAPITest.java @@ -278,6 +278,9 @@ public class AdminAPITest { if (rep.getSocialProviders() != null) { Assert.assertEquals(rep.getSocialProviders(), storedRealm.getSocialProviders()); } + if (rep.getBrowserSecurityHeaders() != null) { + Assert.assertEquals(rep.getBrowserSecurityHeaders(), storedRealm.getBrowserSecurityHeaders()); + } } diff --git a/testsuite/integration/src/test/java/org/keycloak/testsuite/forms/LoginTest.java b/testsuite/integration/src/test/java/org/keycloak/testsuite/forms/LoginTest.java index c406bfb456..4447019c4f 100755 --- a/testsuite/integration/src/test/java/org/keycloak/testsuite/forms/LoginTest.java +++ b/testsuite/integration/src/test/java/org/keycloak/testsuite/forms/LoginTest.java @@ -27,6 +27,7 @@ import org.junit.Rule; import org.junit.Test; import org.keycloak.OAuth2Constants; import org.keycloak.audit.Details; +import org.keycloak.models.BrowserSecurityHeaders; import org.keycloak.models.RealmModel; import org.keycloak.models.UserCredentialModel; import org.keycloak.models.UserModel; @@ -42,6 +43,11 @@ import org.keycloak.testsuite.rule.WebResource; import org.keycloak.testsuite.rule.WebRule; import org.openqa.selenium.WebDriver; +import javax.ws.rs.client.Client; +import javax.ws.rs.client.ClientBuilder; +import javax.ws.rs.core.Response; +import java.util.Map; + /** * @author Stian Thorgersen */ @@ -85,6 +91,20 @@ public class LoginTest { private static String userId; + @Test + public void testBrowserSecurityHeaders() { + Client client = ClientBuilder.newClient(); + Response response = client.target(oauth.getLoginFormUrl()).request().get(); + Assert.assertEquals(200, response.getStatus()); + for (Map.Entry entry : BrowserSecurityHeaders.defaultHeaders.entrySet()) { + String headerName = BrowserSecurityHeaders.headerAttributeMap.get(entry.getKey()); + String headerValue = response.getHeaderString(headerName); + Assert.assertNotNull(headerValue); + Assert.assertEquals(headerValue, entry.getValue()); + } + response.close(); + } + @Test public void loginInvalidPassword() { loginPage.open();