KEYCLOAK-5270 Realm cookie path for IE<=11 users (#5106)

Martin Kanis 2018-04-06 09:26:29 +02:00 committed by Stian Thorgersen
parent 943bd9e48e
commit a67da7bc59
2 changed files with 84 additions and 1 deletions


@ -629,7 +629,8 @@ public class AuthenticationManager {
public static String getRealmCookiePath(RealmModel realm, UriInfo uriInfo) {
URI uri = RealmsResource.realmBaseUrl(uriInfo).build(realm.getName());
return uri.getRawPath();
// KEYCLOAK-5270
return uri.getRawPath() + "/";
}
public static String getAccountCookiePath(RealmModel realm, UriInfo uriInfo) {
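Review bot: The added `// KEYCLOAK-5270` comment names a ticket but not the reason the trailing slash exists, so a later maintainer tidying "redundant" slashes would silently reintroduce the cross-realm cookie leak; replacing it with `// Trailing slash keeps the cookie scoped to this realm: browsers that path-match by plain prefix (IE<=11) would otherwise send realm "foo" cookies to "/realms/foobar" (KEYCLOAK-5270)` records the intent where the code is. Cookies already issued by earlier releases with the slash-less path are, from the browser's point of view, a different cookie than the one now set with "/auth/realms/foo/", so expire/logout code that derives its path from this method presumably will not clear them after an upgrade — worth confirming how stale cookies are handled. Whether getAccountCookiePath, whose body starts outside the hunk, needs the same treatment cannot be judged from here.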


@ -0,0 +1,82 @@
package org.keycloak.testsuite.cookies;
import org.hamcrest.Matchers;
import org.junit.Assert;
import org.junit.Test;
import org.keycloak.models.AdminRoles;
import org.keycloak.models.Constants;
import org.keycloak.representations.idm.RealmRepresentation;
import org.keycloak.testsuite.AbstractKeycloakTest;
import org.keycloak.testsuite.util.ClientBuilder;
import org.keycloak.testsuite.util.RealmBuilder;
import org.keycloak.testsuite.util.URLUtils;
import org.keycloak.testsuite.util.UserBuilder;
import org.openqa.selenium.Cookie;
import java.util.List;
import java.util.Set;
/**
* @author <a href="mailto:mkanis@redhat.com">Martin Kanis</a>
*/
public class CookiesPathTest extends AbstractKeycloakTest {
@Test
public void testCookiesPath() {
// navigate to "/realms/foo/account" and remove cookies in the browser for the current path
// first access to the path means there are no cookies being sent
// we are redirected to login page and Keycloak sets cookie's path to "/auth/realms/foo/"
deleteAllCookiesForRealm("foo");
Assert.assertTrue("There shouldn't be any cookies sent!", driver.manage().getCookies().isEmpty());
// refresh the page and cookies are sent within the request
driver.navigate().refresh();
Set<Cookie> cookies = driver.manage().getCookies();
Assert.assertTrue("There should be cookies sent!", cookies.size() > 0);
// check cookie's path, for some reason IE adds extra slash to the beginning of the path
cookies.stream().forEach(cookie -> Assert.assertThat(cookie.getPath(), Matchers.endsWith("/auth/realms/foo/")));
// now navigate to realm which name overlaps the first realm and delete cookies for that realm (foobar)
//
deleteAllCookiesForRealm("foobar");
// cookies shouldn't be sent for the first access to /realms/foobar/account
// At this moment IE would sent cookies for /auth/realms/foo without the fix
cookies = driver.manage().getCookies();
Assert.assertTrue("There shouldn't be any cookies sent!", cookies.isEmpty());
// refresh the page and check if correct cookies were sent
driver.navigate().refresh();
cookies = driver.manage().getCookies();
Assert.assertTrue("There should be cookies sent!", cookies.size() > 0);
// check cookie's path, for some reason IE adds extra slash to the beginning of the path
cookies.stream().forEach(cookie -> Assert.assertThat(cookie.getPath(), Matchers.endsWith("/auth/realms/foobar/")));
// lets back to "/realms/foo/account" to test the cookies for "foo" realm are still there and haven't been (correctly) sent to "foobar"
URLUtils.navigateToUri( oauth.AUTH_SERVER_ROOT + "/realms/foo/account", true);
cookies = driver.manage().getCookies();
Assert.assertTrue("There should be cookies sent!", cookies.size() > 0);
cookies.stream().forEach(cookie -> Assert.assertThat(cookie.getPath(), Matchers.endsWith("/auth/realms/foo/")));
}
/**
* Add two realms which names are overlapping i.e foo and foobar
* @param testRealms
*/
@Override
public void addTestRealms(List<RealmRepresentation> testRealms) {
RealmBuilder foo = RealmBuilder.create().name("foo").testEventListener();
foo.client(ClientBuilder.create().clientId("myclient").publicClient().directAccessGrants());
foo.user(UserBuilder.create().username("foo").password("password").role(Constants.REALM_MANAGEMENT_CLIENT_ID, AdminRoles.REALM_ADMIN));
testRealms.add(foo.build());
RealmBuilder foobar = RealmBuilder.create().name("foobar").testEventListener();
foobar.client(ClientBuilder.create().clientId("myclient").publicClient().directAccessGrants());
foobar.user(UserBuilder.create().username("foobar").password("password").role(Constants.REALM_MANAGEMENT_CLIENT_ID, AdminRoles.REALM_ADMIN));
testRealms.add(foobar.build());
}
}
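Review bot: The negative check after the first access to the "foobar" realm (the `cookies.isEmpty()` assertion following `deleteAllCookiesForRealm("foobar")`) passes on browsers that implement RFC 6265 path matching whether or not the trailing slash is present, so this test only detects a regression of the fix when it runs against IE; a comment such as `// Only IE<=11 path-matches by plain prefix; on other browsers this assertion passes even without the trailing-slash fix` would stop a reader from assuming the whole matrix is covered. As a point of style, `cookies.stream().forEach(cookie -> Assert.assertThat(...))` in the three path checks reads more plainly as a for-each loop, `cookies.size() > 0` as `!cookies.isEmpty()`, and the bare `//` line after the "foobar" navigation comment looks like a leftover. deleteAllCookiesForRealm and oauth are not defined in this file, so the navigation side effects the comments describe are inferred from the helper rather than visible here.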