libre.sh/keycloak-scim
2
0
Fork 0
Code Issues 14 Pull requests Releases Packages Activity Actions 6

httponly, ie keycloak.js fix

Browse source
This commit is contained in:
Bill Burke 2014-05-13 22:06:32 -04:00
parent e8f8829a76
commit b30809d681
6 changed files with 64 additions and 20 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

9
integration/js/src/main/resources/keycloak.js
View file

@ -89,6 +89,9 @@ var Keycloak = function (config) {
kc.iframe.setAttribute('src', src );
kc.iframe.style.display = "none";
doc.body.appendChild(kc.iframe);
if (!kc.iframe.contentWindow.location.origin) {
kc.iframe.contentWindow.location.origin = kc.iframe.contentWindow.location.protocol + "//" + kc.iframe.contentWindow.location.host;
}
var messageCallback = function(event) {
if (event.origin !== kc.iframe.contentWindow.location.origin) {
@ -114,6 +117,7 @@ var Keycloak = function (config) {
}
kc.checkLoginIframe = function(success, failure) {
var msg = {};
if (!success) {
throw "You must define a success method";
@ -125,7 +129,10 @@ var Keycloak = function (config) {
msg.failureId = createCallbackId();
kc.callbackMap[msg.successId] = success;
kc.callbackMap[msg.failureId] = failure;
kc.iframe.contentWindow.postMessage(msg, kc.iframe.contentWindow.location.origin);
var origin = kc.iframe.contentWindow.location.origin;
console.log('*** origin: ' + origin);
var iframe = kc.iframe;
iframe.contentWindow.postMessage(msg, origin);
}
kc.createLoginUrl = function(options) {

31
services/src/main/java/org/keycloak/services/managers/AuthenticationManager.java
View file

@ -21,6 +21,7 @@ import org.keycloak.services.resources.RealmsResource;
import org.keycloak.authentication.AuthProviderStatus;
import org.keycloak.authentication.AuthUser;
import org.keycloak.authentication.AuthenticationProviderManager;
import org.keycloak.services.util.CookieHelper;
import org.keycloak.util.Time;
import javax.ws.rs.core.Cookie;
@ -89,22 +90,24 @@ public class AuthenticationManager {
maxAge = realm.getCentralLoginLifespan();
logger.info("createLoginCookie maxAge: " + maxAge);
}
builder.cookie(new NewCookie(cookieName, encoded, cookiePath, null, null, maxAge, secureOnly));// todo httponly , true);
CookieHelper.addCookie(cookieName, encoded, cookiePath, null, null, maxAge, secureOnly, true);
//builder.cookie(new NewCookie(cookieName, encoded, cookiePath, null, null, maxAge, secureOnly));// todo httponly , true);
String sessionCookieValue = realm.getName() + "-" + user.getId();
if (session != null) {
sessionCookieValue += "-" + session.getId();
}
builder.cookie(new NewCookie(KEYCLOAK_SESSION_COOKIE, sessionCookieValue, cookiePath, null, null, maxAge, secureOnly));// todo httponly , true);
// THIS SHOULD NOT BE A HTTPONLY COOKIE! It is used for OpenID Connect Iframe Session support!
builder.cookie(new NewCookie(KEYCLOAK_SESSION_COOKIE, sessionCookieValue, cookiePath, null, null, maxAge, secureOnly));
}
public NewCookie createRememberMeCookie(RealmModel realm, UriInfo uriInfo) {
public void createRememberMeCookie(HttpResponse response, RealmModel realm, UriInfo uriInfo) {
String path = getIdentityCookiePath(realm, uriInfo);
boolean secureOnly = !realm.isSslNotRequired();
// remember me cookie should be persistent
NewCookie cookie = new NewCookie(KEYCLOAK_REMEMBER_ME, "true", path, null, null, realm.getCentralLoginLifespan(), secureOnly);// todo httponly , true);
return cookie;
//NewCookie cookie = new NewCookie(KEYCLOAK_REMEMBER_ME, "true", path, null, null, realm.getCentralLoginLifespan(), secureOnly);// todo httponly , true);
CookieHelper.addCookie(KEYCLOAK_REMEMBER_ME, "true", path, null, null, realm.getCentralLoginLifespan(), secureOnly, true);
}
protected String encodeToken(RealmModel realm, Object token) {
@ -117,15 +120,14 @@ public class AuthenticationManager {
public void expireIdentityCookie(RealmModel realm, UriInfo uriInfo) {
logger.debug("Expiring identity cookie");
String path = getIdentityCookiePath(realm, uriInfo);
String cookieName = KEYCLOAK_IDENTITY_COOKIE;
expireCookie(cookieName, path);
expireCookie(KEYCLOAK_SESSION_COOKIE, path);
expireCookie(realm, KEYCLOAK_IDENTITY_COOKIE, path, true);
expireCookie(realm, KEYCLOAK_SESSION_COOKIE, path, false);
}
public void expireRememberMeCookie(RealmModel realm, UriInfo uriInfo) {
logger.debug("Expiring remember me cookie");
String path = getIdentityCookiePath(realm, uriInfo);
String cookieName = KEYCLOAK_REMEMBER_ME;
expireCookie(cookieName, path);
expireCookie(realm, cookieName, path, true);
}
protected String getIdentityCookiePath(RealmModel realm, UriInfo uriInfo) {
@ -133,15 +135,10 @@ public class AuthenticationManager {
return uri.getRawPath();
}
public void expireCookie(String cookieName, String path) {
HttpResponse response = ResteasyProviderFactory.getContextData(HttpResponse.class);
if (response == null) {
logger.debug("can't expire identity cookie, no HttpResponse");
return;
}
public void expireCookie(RealmModel realm, String cookieName, String path, boolean httpOnly) {
logger.debugv("Expiring cookie: {0} path: {1}", cookieName, path);
NewCookie expireIt = new NewCookie(cookieName, "", path, null, "Expiring cookie", 0, false);
response.addNewCookie(expireIt);
boolean secureOnly = !realm.isSslNotRequired();
CookieHelper.addCookie(cookieName, "", path, null, "Expiring cookie", 0, secureOnly, httpOnly);
}
public AuthResult authenticateIdentityCookie(RealmModel realm, UriInfo uriInfo, HttpHeaders headers) {

1
services/src/main/java/org/keycloak/services/resources/RealmsResource.java
View file

@ -99,6 +99,7 @@ public class RealmsResource {
@NoCache
public String getLoginStatusIframe(final @PathParam("realm") String name,
@QueryParam("client_id") String client_id) {
logger.info("getLoginStatusIframe");
AuthenticationManager auth = new AuthenticationManager(providers);
//logger.info("getting login-status-iframe.html for client_id: " + client_id);

3
services/src/main/java/org/keycloak/services/resources/TokenService.java
View file

@ -374,8 +374,7 @@ public class TokenService {
AuthenticationStatus status = authManager.authenticateForm(clientConnection, realm, formData);
if (remember) {
NewCookie cookie = authManager.createRememberMeCookie(realm, uriInfo);
response.addNewCookie(cookie);
authManager.createRememberMeCookie(response, realm, uriInfo);
} else {
authManager.expireRememberMeCookie(realm, uriInfo);
}

1
services/src/main/java/org/keycloak/services/resources/admin/AdminConsole.java
View file

@ -258,6 +258,7 @@ public class AdminConsole {
@Path("js/keycloak.js")
@Produces("text/javascript")
public Response getKeycloakJs() {
logger.info("**** getting console keycloak.js");
InputStream inputStream = getClass().getClassLoader().getResourceAsStream("keycloak.js");
if (inputStream != null) {
return Response.ok(inputStream).build();

39
services/src/main/java/org/keycloak/services/util/CookieHelper.java Executable file
View file

@ -0,0 +1,39 @@
package org.keycloak.services.util;
import org.jboss.resteasy.spi.ResteasyProviderFactory;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletResponse;
/**
* @author <a href="mailto:bill@burkecentral.com">Bill Burke</a>
* @version $Revision: 1 $
*/
public class CookieHelper {
/**
* Set a response cookie. This solely exists because JAX-RS 1.1 does not support setting HttpOnly cookies
*
* @param name
* @param value
* @param path
* @param domain
* @param comment
* @param maxAge
* @param secure
* @param httpOnly
*/
public static void addCookie(String name, String value, String path, String domain, String comment, int maxAge, boolean secure, boolean httpOnly) {
HttpServletResponse response = ResteasyProviderFactory.getContextData(HttpServletResponse.class);
Cookie cookie = new Cookie(name, value);
if (path != null) cookie.setPath(path);
if (domain != null) cookie.setDomain(domain);
if (comment != null) cookie.setComment(comment);
cookie.setMaxAge(maxAge);
cookie.setSecure(secure);
cookie.setHttpOnly(httpOnly);
response.addCookie(cookie);
}
}