configurable header names, documentation
This commit is contained in:
parent
7659b1aa18
commit
a6eface8bc
6 changed files with 135 additions and 77 deletions
|
@ -182,106 +182,162 @@ $ java -jar bin/launcher.jar [your-config.json]
|
|||
</section>
|
||||
<section>
|
||||
<title>Application Config</title>
|
||||
<para>
|
||||
Next under the <literal>applications</literal> array attribute, you can define one or more applications per host you are proxying.
|
||||
<variablelist>
|
||||
<varlistentry>
|
||||
<term>base-path</term>
|
||||
<listitem>
|
||||
<para>
|
||||
The base context root for the application. Must start with '/' <emphasis>REQUIRED.</emphasis>.
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
<varlistentry>
|
||||
<term>error-page</term>
|
||||
<listitem>
|
||||
<para>
|
||||
If the proxy has an error, it will display the target application's error page relative URL <emphasis>OPTIONAL.</emphasis>.
|
||||
This is a relative path to the base-path. In the example above it would be <literal>/customer-portal/error.html</literal>.
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
<varlistentry>
|
||||
<term>adapter-config</term>
|
||||
<listitem>
|
||||
<para>
|
||||
<emphasis>REQUIRED.</emphasis>. Same configuration as any other keycloak adapter. See <link linkend='adapter-config'>Adapter Config</link>
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
</variablelist>
|
||||
</para>
|
||||
<para>
|
||||
Next under the <literal>applications</literal> array attribute, you can define one or more applications per host you are proxying.
|
||||
<variablelist>
|
||||
<varlistentry>
|
||||
<term>base-path</term>
|
||||
<listitem>
|
||||
<para>
|
||||
The base context root for the application. Must start with '/' <emphasis>REQUIRED.</emphasis>.
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
<varlistentry>
|
||||
<term>error-page</term>
|
||||
<listitem>
|
||||
<para>
|
||||
If the proxy has an error, it will display the target application's error page relative URL <emphasis>OPTIONAL.</emphasis>.
|
||||
This is a relative path to the base-path. In the example above it would be <literal>/customer-portal/error.html</literal>.
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
<varlistentry>
|
||||
<term>adapter-config</term>
|
||||
<listitem>
|
||||
<para>
|
||||
<emphasis>REQUIRED.</emphasis>. Same configuration as any other keycloak adapter. See <link linkend='adapter-config'>Adapter Config</link>
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
</variablelist>
|
||||
</para>
|
||||
<section>
|
||||
<title>Constraint Config</title>
|
||||
|
||||
<para>
|
||||
Next under each application you can define one or more constraints in the <literal>constraints</literal> array attribute.
|
||||
A constraint defines a URL pattern relative to the base-path. You can deny, permit, or require authentication for
|
||||
a specific URL pattern. You can specify roles allowed for that path as well. More specific constraints will take
|
||||
precedence over more general ones.
|
||||
<para>
|
||||
Next under each application you can define one or more constraints in the <literal>constraints</literal> array attribute.
|
||||
A constraint defines a URL pattern relative to the base-path. You can deny, permit, or require authentication for
|
||||
a specific URL pattern. You can specify roles allowed for that path as well. More specific constraints will take
|
||||
precedence over more general ones.
|
||||
<variablelist>
|
||||
<varlistentry>
|
||||
<term>pattern</term>
|
||||
<listitem>
|
||||
<para>
|
||||
URL pattern to match relative to the base-path of the application. Must start with '/' <emphasis>REQUIRED.</emphasis>.
|
||||
You may only have one wildcard and it must come at the end of the pattern. Valid <literal>/foo/bar/*</literal> and <literal>/foo/*.txt</literal>
|
||||
Not valid: <literal>/*/foo/*</literal>.
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
<varlistentry>
|
||||
<term>roles-allowed</term>
|
||||
<listitem>
|
||||
<para>
|
||||
Array of strings of roles allowed to access this url pattern. <emphasis>OPTIONAL.</emphasis>.
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
<varlistentry>
|
||||
<term>methods</term>
|
||||
<listitem>
|
||||
<para>
|
||||
Array of strings of HTTP methods that will exclusively match this pattern and HTTP request. <emphasis>OPTIONAL.</emphasis>.
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
<varlistentry>
|
||||
<term>excluded-methods</term>
|
||||
<listitem>
|
||||
<para>
|
||||
Array of strings of HTTP methods that will be ignored when match this pattern. <emphasis>OPTIONAL.</emphasis>.
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
<varlistentry>
|
||||
<term>deny</term>
|
||||
<listitem>
|
||||
<para>
|
||||
Deny all access to this URL pattern. <emphasis>OPTIONAL.</emphasis>.
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
<varlistentry>
|
||||
<term>permit</term>
|
||||
<listitem>
|
||||
<para>
|
||||
Permit all access without requiring authentication or a role mapping. <emphasis>OPTIONAL.</emphasis>.
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
<varlistentry>
|
||||
<term>permit-and-inject</term>
|
||||
<listitem>
|
||||
<para>
|
||||
Permit all access, but inject the headers, if user is already authenticated.<emphasis>OPTIONAL.</emphasis>.
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
<varlistentry>
|
||||
<term>authenticate</term>
|
||||
<listitem>
|
||||
<para>
|
||||
Require authentication for this pattern, but no role mapping. <emphasis>OPTIONAL.</emphasis>.
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
</variablelist>
|
||||
</para>
|
||||
</section>
|
||||
</section>
|
||||
<section>
|
||||
<title>Header Names Config</title>
|
||||
<para>
|
||||
Next under the list of applications you can override the defaults for the names of the header fields injected by the proxy (see Keycloak Identity Headers).
|
||||
This mapping is optional.
|
||||
<variablelist>
|
||||
<varlistentry>
|
||||
<term>pattern</term>
|
||||
<term>keycloak-subject</term>
|
||||
<listitem>
|
||||
<para>
|
||||
URL pattern to match relative to the base-path of the application. Must start with '/' <emphasis>REQUIRED.</emphasis>.
|
||||
You may only have one wildcard and it must come at the end of the pattern. Valid <literal>/foo/bar/*</literal> and <literal>/foo/*.txt</literal>
|
||||
Not valid: <literal>/*/foo/*</literal>.
|
||||
e.g. MYAPP_USER_ID
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
<varlistentry>
|
||||
<term>roles-allowed</term>
|
||||
<term>kkeycloak-username</term>
|
||||
<listitem>
|
||||
<para>
|
||||
Array of strings of roles allowed to access this url pattern. <emphasis>OPTIONAL.</emphasis>.
|
||||
e.g. MYAPP_USER_NAME
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
<varlistentry>
|
||||
<term>methods</term>
|
||||
<term>keycloak-email</term>
|
||||
<listitem>
|
||||
<para>
|
||||
Array of strings of HTTP methods that will exclusively match this pattern and HTTP request. <emphasis>OPTIONAL.</emphasis>.
|
||||
e.g. MYAPP_USER_EMAIL
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
<varlistentry>
|
||||
<term>excluded-methods</term>
|
||||
<term>keycloak-name</term>
|
||||
<listitem>
|
||||
<para>
|
||||
Array of strings of HTTP methods that will be ignored when match this pattern. <emphasis>OPTIONAL.</emphasis>.
|
||||
e.g. MYAPP_USER_ID
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
<varlistentry>
|
||||
<term>deny</term>
|
||||
<term>keycloak-access-token</term>
|
||||
<listitem>
|
||||
<para>
|
||||
Deny all access to this URL pattern. <emphasis>OPTIONAL.</emphasis>.
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
<varlistentry>
|
||||
<term>permit</term>
|
||||
<listitem>
|
||||
<para>
|
||||
Permit all access without requiring authentication or a role mapping. <emphasis>OPTIONAL.</emphasis>.
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
<varlistentry>
|
||||
<term>authenticate</term>
|
||||
<listitem>
|
||||
<para>
|
||||
Require authentication for this pattern, but no role mapping. <emphasis>OPTIONAL.</emphasis>.
|
||||
e.g. MYAPP_ACCESS_TOKEN
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
</variablelist>
|
||||
</para>
|
||||
</section>
|
||||
</para>
|
||||
</section>
|
||||
</section>
|
||||
<section>
|
||||
|
@ -333,6 +389,7 @@ $ java -jar bin/launcher.jar [your-config.json]
|
|||
</listitem>
|
||||
</varlistentry>
|
||||
</variablelist>
|
||||
Header field names can be configured using a map of <term>header-names</term> in configuration file.
|
||||
</para>
|
||||
</section>
|
||||
</chapter>
|
|
@ -45,7 +45,7 @@ public class ConstraintAuthorizationHandler implements HttpHandler {
|
|||
}
|
||||
|
||||
if (match != null) {
|
||||
if(SecurityInfo.EmptyRoleSemantic.INJECT_IF_AUTHENTICATED.equals(match.getEmptyRoleSemantic())) {
|
||||
if(SecurityInfo.EmptyRoleSemantic.PERMIT_AND_INJECT_IF_AUTHENTICATED.equals(match.getEmptyRoleSemantic())) {
|
||||
authenticatedRequest(account, exchange);
|
||||
return;
|
||||
} else {
|
||||
|
|
|
@ -49,7 +49,8 @@ public class ConstraintMatcherHandler implements HttpHandler {
|
|||
return;
|
||||
}
|
||||
|
||||
if (match.getRequiredRoles().isEmpty() && match.getEmptyRoleSemantic() == SecurityInfo.EmptyRoleSemantic.INJECT_IF_AUTHENTICATED) {
|
||||
if (match.getRequiredRoles().isEmpty()
|
||||
&& match.getEmptyRoleSemantic() == SecurityInfo.EmptyRoleSemantic.PERMIT_AND_INJECT_IF_AUTHENTICATED) {
|
||||
|
||||
boolean successfulAuthenticatedMethodFound = isSuccessfulAuthenticatedMethodFound(exchange);
|
||||
|
||||
|
|
|
@ -219,8 +219,8 @@ public class ProxyConfig {
|
|||
protected boolean permit;
|
||||
@JsonProperty("authenticate")
|
||||
protected boolean authenticate;
|
||||
@JsonProperty("inject-if-authenticated")
|
||||
protected boolean injectIfAuthenticated;
|
||||
@JsonProperty("permit-and-inject")
|
||||
protected boolean permitAndInject;
|
||||
|
||||
public String getPattern() {
|
||||
return pattern;
|
||||
|
@ -262,12 +262,12 @@ public class ProxyConfig {
|
|||
this.authenticate = authenticate;
|
||||
}
|
||||
|
||||
public boolean isInjectIfAuthenticated() {
|
||||
return injectIfAuthenticated;
|
||||
public boolean isPermitAndInject() {
|
||||
return permitAndInject;
|
||||
}
|
||||
|
||||
public void setInjectIfAuthenticated(boolean injectIfAuthenticated) {
|
||||
this.injectIfAuthenticated = injectIfAuthenticated;
|
||||
public void setPermitAndInject(boolean permitAndInject) {
|
||||
this.permitAndInject = permitAndInject;
|
||||
}
|
||||
|
||||
public Set<String> getMethods() {
|
||||
|
|
|
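Review bot: Renaming the JSON key from `inject-if-authenticated` to `permit-and-inject` on the `@JsonProperty` at the top of the first hunk silently breaks existing configuration files: a constraint that still uses the old key will either fail to parse or, if the mapper ignores unknown properties, lose its permit-and-inject setting and fall back to whatever default the builder applies to a constraint with no flag set. A compatible path is to keep accepting the old key through a deprecated setter that delegates to the renamed field, e.g. `@Deprecated @JsonProperty("inject-if-authenticated") public void setInjectIfAuthenticated(boolean v) { this.permitAndInject = v; }`, placed next to `setPermitAndInject` in the second hunk, and to mention the renamed key in the configuration docs. The enclosing constraint class starts and ends outside both hunks.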
@ -175,7 +175,7 @@ public class ProxyServerBuilder {
|
|||
}
|
||||
|
||||
public ConstraintBuilder injectIfAuthenticated() {
|
||||
semantic = SecurityInfo.EmptyRoleSemantic.INJECT_IF_AUTHENTICATED;
|
||||
semantic = SecurityInfo.EmptyRoleSemantic.PERMIT_AND_INJECT_IF_AUTHENTICATED;
|
||||
return this;
|
||||
}
|
||||
|
||||
|
@ -383,7 +383,7 @@ public class ProxyServerBuilder {
|
|||
if (constraint.isDeny()) constraintBuilder.deny();
|
||||
if (constraint.isPermit()) constraintBuilder.permit();
|
||||
if (constraint.isAuthenticate()) constraintBuilder.authenticate();
|
||||
if (constraint.isInjectIfAuthenticated()) constraintBuilder.injectIfAuthenticated();
|
||||
if (constraint.isPermitAndInject()) constraintBuilder.injectIfAuthenticated();
|
||||
constraintBuilder.add();
|
||||
}
|
||||
}
|
||||
|
|
|
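Review bot: The builder method keeps its old name `injectIfAuthenticated()` (first hunk) while the enum constant it assigns and the config accessor that drives it (`isPermitAndInject()` at the end of the second hunk) are both renamed, so the three names for one concept now disagree. Consider `public ConstraintBuilder permitAndInject() { semantic = SecurityInfo.EmptyRoleSemantic.PERMIT_AND_INJECT_IF_AUTHENTICATED; return this; }` with `@Deprecated public ConstraintBuilder injectIfAuthenticated() { return permitAndInject(); }`, and calling the new name from the second hunk. Since the flag checks there run in sequence and each builder call appears to overwrite `semantic`, a constraint that sets several flags presumably ends with the last one applied, which is now the permissive `permit-and-inject`; rejecting conflicting flags with an `IllegalArgumentException` would fail closed instead. ConstraintBuilder and the config-translation method both continue outside the hunks.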
@ -51,7 +51,7 @@ public class SecurityInfo<T extends SecurityInfo> implements Cloneable {
|
|||
/**
|
||||
* Permit access in any case, but provide authorization info only if authorized.
|
||||
*/
|
||||
INJECT_IF_AUTHENTICATED;
|
||||
PERMIT_AND_INJECT_IF_AUTHENTICATED;
|
||||
}
|
||||
|
||||
private volatile EmptyRoleSemantic emptyRoleSemantic = EmptyRoleSemantic.DENY;
|
||||
|
|
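Review bot: The Javadoc above the renamed constant still reads "provide authorization info only if authorized", which no longer matches either the constant's name or the handler that acts on it (ConstraintAuthorizationHandler calls `authenticatedRequest` for this semantic without any role check). Suggest `Permit access unconditionally; inject identity headers only when the caller is already authenticated. No role membership is required.` The EmptyRoleSemantic enum body begins outside the hunk.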