Honor turnOffChangeSessionIdOnLogin in SAML adapter (#185)
Closes keycloak/keycloak-private#183 Signed-off-by: rmartinc <rmartinc@redhat.com>
parent
75973157aa
commit
9c780e9190
3 changed files with 10 additions and 6 deletions
@ -31,13 +31,9 @@ import org.keycloak.adapters.saml.SamlUtil;
|
||||||
import org.keycloak.adapters.spi.SessionIdMapper;
|
import org.keycloak.adapters.spi.SessionIdMapper;
|
||||||
import org.keycloak.adapters.spi.SessionIdMapperUpdater;
|
import org.keycloak.adapters.spi.SessionIdMapperUpdater;
|
||||||
import org.keycloak.common.util.KeycloakUriBuilder;
|
import org.keycloak.common.util.KeycloakUriBuilder;
|
||||||
import org.keycloak.saml.processing.core.saml.v2.util.XMLTimeUtil;
|
|
||||||
import org.wildfly.security.http.HttpScope;
|
import org.wildfly.security.http.HttpScope;
|
||||||
import org.wildfly.security.http.Scope;
|
import org.wildfly.security.http.Scope;
|
||||||
|
|
||||||
import javax.xml.datatype.DatatypeConstants;
|
|
||||||
import javax.xml.datatype.XMLGregorianCalendar;
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* @author <a href="mailto:bill@burkecentral.com">Bill Burke</a>
|
* @author <a href="mailto:bill@burkecentral.com">Bill Burke</a>
|
||||||
* @version $Revision: 1 $
|
* @version $Revision: 1 $
|
||||||
|
@ -174,8 +170,12 @@ public class ElytronSamlSessionStore implements SamlSessionStore, ElytronTokeSto
|
||||||
}
|
}
|
||||||
|
|
||||||
protected String changeSessionId(HttpScope session) {
|
protected String changeSessionId(HttpScope session) {
|
||||||
if (!deployment.turnOffChangeSessionIdOnLogin()) return session.getID();
|
if (!deployment.turnOffChangeSessionIdOnLogin()) {
|
||||||
else return session.getID();
|
if (!session.supportsChangeID() || !session.changeID()) {
|
||||||
|
log.debug("Session ID cannot be changed although turnOffChangeSessionIdOnLogin is set to false");
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return session.getID();
|
||||||
}
|
}
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
|
|
|
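Review bot: In the new `changeSessionId`, a session whose ID cannot be rotated is only reported at debug level, even though the deployment asked for rotation (`turnOffChangeSessionIdOnLogin()` is false) and that rotation is what protects the login against session fixation; a skipped protection deserves at least `log.warn("Session ID cannot be changed although turnOffChangeSessionIdOnLogin is set to false");` so operators notice it in normal logs. The method also has no Javadoc: a summary stating that it rotates the container session ID after login unless the deployment disables it, and that the returned value is the current (possibly new) session ID in every branch, would make the contract explicit. The boolean from `session.changeID()` is consumed only for logging, which is fine as long as callers never need to know whether the rotation actually happened.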
@ -40,6 +40,7 @@ public class InputServlet extends HttpServlet {
|
||||||
String appBase = ServletTestUtils.getUrlBase();
|
String appBase = ServletTestUtils.getUrlBase();
|
||||||
String actionUrl = appBase + "/input-portal/secured/post";
|
String actionUrl = appBase + "/input-portal/secured/post";
|
||||||
|
|
||||||
|
req.getSession(true);
|
||||||
if (req.getRequestURI().endsWith("insecure")) {
|
if (req.getRequestURI().endsWith("insecure")) {
|
||||||
if (System.getProperty("insecure.user.principal.unsupported") == null) Assert.assertNotNull(req.getUserPrincipal());
|
if (System.getProperty("insecure.user.principal.unsupported") == null) Assert.assertNotNull(req.getUserPrincipal());
|
||||||
resp.setContentType("text/html");
|
resp.setContentType("text/html");
|
||||||
|
@ -65,6 +66,7 @@ public class InputServlet extends HttpServlet {
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
|
protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
|
||||||
|
req.getSession(true);
|
||||||
if (!FORM_URLENCODED.equals(req.getContentType())) {
|
if (!FORM_URLENCODED.equals(req.getContentType())) {
|
||||||
resp.setStatus(HttpServletResponse.SC_BAD_REQUEST);
|
resp.setStatus(HttpServletResponse.SC_BAD_REQUEST);
|
||||||
PrintWriter pw = resp.getWriter();
|
PrintWriter pw = resp.getWriter();
|
||||||
|
|
|
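Review bot: The two added `req.getSession(true);` calls — one in the handler of the first hunk and one at the top of `doPost` — have no explanation, and read as stray side effects because the servlet never uses the returned session. Presumably they exist so the adapter test can observe a JSESSIONID before and after login; a comment such as `// force creation of the container session so the test can compare the JSESSIONID before and after login` at both call sites would record that, including the fact that a session is now created even on the insecure path. The enclosing method of the first hunk starts outside the hunk.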
@ -1133,6 +1133,7 @@ public class SAMLServletAdapterTest extends AbstractSAMLServletAdapterTest {
|
||||||
public void testSavedPostRequest() {
|
public void testSavedPostRequest() {
|
||||||
inputPortalPage.navigateTo();
|
inputPortalPage.navigateTo();
|
||||||
assertCurrentUrlStartsWith(inputPortalPage);
|
assertCurrentUrlStartsWith(inputPortalPage);
|
||||||
|
String sessionId = driver.manage().getCookieNamed("JSESSIONID").getValue();
|
||||||
inputPortalPage.execute("hello");
|
inputPortalPage.execute("hello");
|
||||||
|
|
||||||
assertCurrentUrlStartsWith(testRealmSAMLPostLoginPage);
|
assertCurrentUrlStartsWith(testRealmSAMLPostLoginPage);
|
||||||
|
@ -1143,6 +1144,7 @@ public class SAMLServletAdapterTest extends AbstractSAMLServletAdapterTest {
|
||||||
// test that user principal and KeycloakSecurityContext available
|
// test that user principal and KeycloakSecurityContext available
|
||||||
driver.navigate().to(inputPortalPage + "/insecure");
|
driver.navigate().to(inputPortalPage + "/insecure");
|
||||||
waitUntilElement(By.xpath("//body")).text().contains("Insecure Page");
|
waitUntilElement(By.xpath("//body")).text().contains("Insecure Page");
|
||||||
|
Assert.assertNotEquals("SessionID has not been changed at login", sessionId, driver.manage().getCookieNamed("JSESSIONID").getValue());
|
||||||
|
|
||||||
if (System.getProperty("insecure.user.principal.unsupported") == null) waitUntilElement(By.xpath("//body")).text().contains("UserPrincipal");
|
if (System.getProperty("insecure.user.principal.unsupported") == null) waitUntilElement(By.xpath("//body")).text().contains("UserPrincipal");
|
||||||
|
|
||||||
|
|
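Review bot: The new `driver.manage().getCookieNamed("JSESSIONID").getValue()` in `testSavedPostRequest`, and the same expression inside the added `Assert.assertNotEquals`, dereference the cookie without checking that it exists, so a container that does not set the cookie fails the test with a NullPointerException instead of a readable assertion. Capture the cookie first and assert on it, e.g. `org.openqa.selenium.Cookie before = driver.manage().getCookieNamed("JSESSIONID"); Assert.assertNotNull("JSESSIONID cookie missing before login", before); String sessionId = before.getValue();`, and do the same for the post-login read. The test method continues outside both hunks.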