Honor turnOffChangeSessionIdOnLogin in SAML adapter (#185)

Closes keycloak/keycloak-private#183

Signed-off-by: rmartinc <rmartinc@redhat.com>
Ricardo Martin 2024-08-20 09:35:52 +02:00 committed by Marek Posolda
parent 75973157aa
commit 9c780e9190
3 changed files with 10 additions and 6 deletions


@ -31,13 +31,9 @@ import org.keycloak.adapters.saml.SamlUtil;
import org.keycloak.adapters.spi.SessionIdMapper; import org.keycloak.adapters.spi.SessionIdMapper;
import org.keycloak.adapters.spi.SessionIdMapperUpdater; import org.keycloak.adapters.spi.SessionIdMapperUpdater;
import org.keycloak.common.util.KeycloakUriBuilder; import org.keycloak.common.util.KeycloakUriBuilder;
import org.keycloak.saml.processing.core.saml.v2.util.XMLTimeUtil;
import org.wildfly.security.http.HttpScope; import org.wildfly.security.http.HttpScope;
import org.wildfly.security.http.Scope; import org.wildfly.security.http.Scope;
import javax.xml.datatype.DatatypeConstants;
import javax.xml.datatype.XMLGregorianCalendar;
/** /**
* @author <a href="mailto:bill@burkecentral.com">Bill Burke</a> * @author <a href="mailto:bill@burkecentral.com">Bill Burke</a>
* @version $Revision: 1 $ * @version $Revision: 1 $
@ -174,8 +170,12 @@ public class ElytronSamlSessionStore implements SamlSessionStore, ElytronTokeSto
} }
protected String changeSessionId(HttpScope session) { protected String changeSessionId(HttpScope session) {
if (!deployment.turnOffChangeSessionIdOnLogin()) return session.getID(); if (!deployment.turnOffChangeSessionIdOnLogin()) {
else return session.getID(); if (!session.supportsChangeID() || !session.changeID()) {
log.debug("Session ID cannot be changed although turnOffChangeSessionIdOnLogin is set to false");
}
}
return session.getID();
} }
@Override @Override
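Review bot: When the container cannot rotate the session ID, the new branch under `if (!session.supportsChangeID() || !session.changeID())` records the fact only at debug level, so a deployment that relies on the default (`turnOffChangeSessionIdOnLogin=false`) keeps the pre-authentication session ID with no visible signal — exactly the session-fixation window this option exists to close. Since this is a silent downgrade of a security control rather than a routine condition, it should be logged at warning level, e.g. `log.warn("Session ID cannot be changed although turnOffChangeSessionIdOnLogin is set to false");` (assuming `log` is the JBoss-style logger used elsewhere in the adapter). A short why-comment above the check, such as `// rotate the container session ID after authentication to defeat session fixation`, would also make the intent of the branch clear to the next reader. The enclosing `ElytronSamlSessionStore` class starts and ends outside this hunk.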


@ -40,6 +40,7 @@ public class InputServlet extends HttpServlet {
String appBase = ServletTestUtils.getUrlBase(); String appBase = ServletTestUtils.getUrlBase();
String actionUrl = appBase + "/input-portal/secured/post"; String actionUrl = appBase + "/input-portal/secured/post";
req.getSession(true);
if (req.getRequestURI().endsWith("insecure")) { if (req.getRequestURI().endsWith("insecure")) {
if (System.getProperty("insecure.user.principal.unsupported") == null) Assert.assertNotNull(req.getUserPrincipal()); if (System.getProperty("insecure.user.principal.unsupported") == null) Assert.assertNotNull(req.getUserPrincipal());
resp.setContentType("text/html"); resp.setContentType("text/html");
@ -65,6 +66,7 @@ public class InputServlet extends HttpServlet {
@Override @Override
protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException { protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
req.getSession(true);
if (!FORM_URLENCODED.equals(req.getContentType())) { if (!FORM_URLENCODED.equals(req.getContentType())) {
resp.setStatus(HttpServletResponse.SC_BAD_REQUEST); resp.setStatus(HttpServletResponse.SC_BAD_REQUEST);
PrintWriter pw = resp.getWriter(); PrintWriter pw = resp.getWriter();
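Review bot: The two added `req.getSession(true);` calls in `doGet` and `doPost` have no comment, and because they sit before the `insecure` branch they force a container session on every request, including unauthenticated ones; nothing in the hunk says why. Presumably the purpose is to guarantee a JSESSIONID exists before login so the adapter test can observe it being rotated, and that should be stated, e.g. `// force a container session so the test can verify the session ID is rotated at login`. If the session is only needed for that check, consider whether creating it on the `insecure` path is intentional. Both servlet methods continue outside this hunk.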


@ -1133,6 +1133,7 @@ public class SAMLServletAdapterTest extends AbstractSAMLServletAdapterTest {
public void testSavedPostRequest() { public void testSavedPostRequest() {
inputPortalPage.navigateTo(); inputPortalPage.navigateTo();
assertCurrentUrlStartsWith(inputPortalPage); assertCurrentUrlStartsWith(inputPortalPage);
String sessionId = driver.manage().getCookieNamed("JSESSIONID").getValue();
inputPortalPage.execute("hello"); inputPortalPage.execute("hello");
assertCurrentUrlStartsWith(testRealmSAMLPostLoginPage); assertCurrentUrlStartsWith(testRealmSAMLPostLoginPage);
@ -1143,6 +1144,7 @@ public class SAMLServletAdapterTest extends AbstractSAMLServletAdapterTest {
// test that user principal and KeycloakSecurityContext available // test that user principal and KeycloakSecurityContext available
driver.navigate().to(inputPortalPage + "/insecure"); driver.navigate().to(inputPortalPage + "/insecure");
waitUntilElement(By.xpath("//body")).text().contains("Insecure Page"); waitUntilElement(By.xpath("//body")).text().contains("Insecure Page");
Assert.assertNotEquals("SessionID has not been changed at login", sessionId, driver.manage().getCookieNamed("JSESSIONID").getValue());
if (System.getProperty("insecure.user.principal.unsupported") == null) waitUntilElement(By.xpath("//body")).text().contains("UserPrincipal"); if (System.getProperty("insecure.user.principal.unsupported") == null) waitUntilElement(By.xpath("//body")).text().contains("UserPrincipal");
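Review bot: Both new lines dereference `driver.manage().getCookieNamed("JSESSIONID")` directly, so if the cookie is absent (a container that names it differently, or no session created on the `/insecure` page) the test fails with a NullPointerException instead of the intended message "SessionID has not been changed at login". Capture the cookie and assert on it first: `Cookie postLoginCookie = driver.manage().getCookieNamed("JSESSIONID");` then `Assert.assertNotNull("JSESSIONID cookie missing after login", postLoginCookie);` before `Assert.assertNotEquals("SessionID has not been changed at login", sessionId, postLoginCookie.getValue());`, and likewise for the pre-login capture. The cookie name `JSESSIONID` is container-specific, so this assertion only holds for containers using the default name — worth a comment if the test runs against several. `testSavedPostRequest` continues outside this hunk.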