KEYCLOAK-1218 Better security for ServerInfoAdminResource
This commit is contained in:
parent
955967f78a
commit
b5f3efe272
1 changed files with 27 additions and 0 deletions
|
@ -9,11 +9,13 @@ import org.jboss.resteasy.spi.ResteasyProviderFactory;
|
||||||
import org.jboss.resteasy.spi.UnauthorizedException;
|
import org.jboss.resteasy.spi.UnauthorizedException;
|
||||||
import org.keycloak.ClientConnection;
|
import org.keycloak.ClientConnection;
|
||||||
import org.keycloak.jose.jws.JWSInput;
|
import org.keycloak.jose.jws.JWSInput;
|
||||||
|
import org.keycloak.models.AdminRoles;
|
||||||
import org.keycloak.models.ClientModel;
|
import org.keycloak.models.ClientModel;
|
||||||
import org.keycloak.models.KeycloakSession;
|
import org.keycloak.models.KeycloakSession;
|
||||||
import org.keycloak.models.RealmModel;
|
import org.keycloak.models.RealmModel;
|
||||||
import org.keycloak.protocol.oidc.TokenManager;
|
import org.keycloak.protocol.oidc.TokenManager;
|
||||||
import org.keycloak.representations.AccessToken;
|
import org.keycloak.representations.AccessToken;
|
||||||
|
import org.keycloak.services.ForbiddenException;
|
||||||
import org.keycloak.services.managers.AppAuthManager;
|
import org.keycloak.services.managers.AppAuthManager;
|
||||||
import org.keycloak.services.managers.AuthenticationManager;
|
import org.keycloak.services.managers.AuthenticationManager;
|
||||||
import org.keycloak.services.managers.RealmManager;
|
import org.keycloak.services.managers.RealmManager;
|
||||||
|
@ -200,9 +202,14 @@ public class AdminRoot {
|
||||||
handlePreflightRequest();
|
handlePreflightRequest();
|
||||||
|
|
||||||
AdminAuth auth = authenticateRealmAdminRequest(headers);
|
AdminAuth auth = authenticateRealmAdminRequest(headers);
|
||||||
|
if (!isAdmin(auth)) {
|
||||||
|
throw new ForbiddenException();
|
||||||
|
}
|
||||||
|
|
||||||
if (auth != null) {
|
if (auth != null) {
|
||||||
logger.debug("authenticated admin access for: " + auth.getUser().getUsername());
|
logger.debug("authenticated admin access for: " + auth.getUser().getUsername());
|
||||||
}
|
}
|
||||||
|
|
||||||
Cors.add(request).allowedOrigins(auth.getToken()).allowedMethods("GET", "PUT", "POST", "DELETE").auth().build(response);
|
Cors.add(request).allowedOrigins(auth.getToken()).allowedMethods("GET", "PUT", "POST", "DELETE").auth().build(response);
|
||||||
|
|
||||||
ServerInfoAdminResource adminResource = new ServerInfoAdminResource();
|
ServerInfoAdminResource adminResource = new ServerInfoAdminResource();
|
||||||
|
@ -210,6 +217,26 @@ public class AdminRoot {
|
||||||
return adminResource;
|
return adminResource;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
protected boolean isAdmin(AdminAuth auth) {
|
||||||
|
if (auth.hasOneOfRealmRole(AdminRoles.ADMIN, AdminRoles.CREATE_REALM)) {
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
|
||||||
|
RealmManager realmManager = new RealmManager(session);
|
||||||
|
if (auth.getRealm().equals(realmManager.getKeycloakAdminstrationRealm())) {
|
||||||
|
for (RealmModel realm : session.realms().getRealms()) {
|
||||||
|
ClientModel client = realm.getMasterAdminClient();
|
||||||
|
if (auth.hasOneOfAppRole(client, AdminRoles.ALL_REALM_ROLES)) {
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return false;
|
||||||
|
} else {
|
||||||
|
ClientModel client = auth.getRealm().getClientByClientId(realmManager.getRealmAdminClientId(auth.getRealm()));
|
||||||
|
return auth.hasOneOfAppRole(client, AdminRoles.ALL_REALM_ROLES);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
protected void handlePreflightRequest() {
|
protected void handlePreflightRequest() {
|
||||||
if (request.getHttpMethod().equalsIgnoreCase("OPTIONS")) {
|
if (request.getHttpMethod().equalsIgnoreCase("OPTIONS")) {
|
||||||
logger.debug("Cors admin pre-flight");
|
logger.debug("Cors admin pre-flight");
|
||||||
|
|
Loading…
Reference in a new issue