KEYCLOAK-2443

Bill Burke 2016-02-03 17:31:50 -05:00
parent a899d86ac0
commit c4c99d5f81
6 changed files with 26 additions and 4 deletions


@ -102,6 +102,8 @@ public class KeycloakOIDCFilter implements Filter {
@Override
public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException, ServletException {
log.fine("Keycloak OIDC Filter");
//System.err.println("Keycloak OIDC Filter: " + ((HttpServletRequest)req).getRequestURL().toString());
HttpServletRequest request = (HttpServletRequest) req;
HttpServletResponse response = (HttpServletResponse) res;
OIDCServletHttpFacade facade = new OIDCServletHttpFacade(request, response);
@ -122,7 +124,10 @@ public class KeycloakOIDCFilter implements Filter {
@Override
public void logoutHttpSessions(List<String> ids) {
log.fine("**************** logoutHttpSessions");
//System.err.println("**************** logoutHttpSessions");
for (String id : ids) {
log.finest("removed idMapper: " + id);
idMapper.removeSession(id);
}
@ -130,6 +135,7 @@ public class KeycloakOIDCFilter implements Filter {
}, deploymentContext, facade);
if (preActions.handleRequest()) {
//System.err.println("**************** preActions.handleRequest happened!");
return;
}
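Review bot: The commented-out `System.err.println` lines in `doFilter`, in `logoutHttpSessions` and after `preActions.handleRequest()` are leftover debug output and should be deleted rather than committed; if the trace before the `return` is still wanted, use the existing logger, e.g. `log.fine("preActions handled the request");`. The rendered page has lost its +/- markers, so this assumes from the hunk counts that those are the added lines. In `logoutHttpSessions`, `log.finest("removed idMapper: " + id)` writes each session id verbatim into the log file, and a single `log.fine("logoutHttpSessions: " + ids.size() + " session(s)");` would give the same diagnostic without recording identifiers. Both methods start or end outside the visible hunks.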


@ -112,6 +112,8 @@ public class OIDCFilterSessionStore extends FilterSessionStore implements Adapte
}
if (idMapper != null && !idMapper.hasSession(httpSession.getId())) {
log.fine("idMapper does not have session: " + httpSession.getId());
//System.err.println("idMapper does not have session: " + httpSession.getId());
cleanSession(httpSession);
return false;
}
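Review bot: `log.fine("idMapper does not have session: " + httpSession.getId())` and the commented-out `System.err.println` copy below it both emit the raw HTTP session id, and session identifiers act as bearer credentials that are better kept out of log output. Whether `cleanSession` invalidates that id at the container level is not visible in this hunk, so the value should be treated as still live. Drop the commented-out line and log the event without the id, e.g. `log.fine("idMapper has no entry for the current HTTP session");`. The enclosing method starts and ends outside the hunk.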


@ -46,11 +46,20 @@
</filter>
<filter-mapping>
<filter-name>Keycloak Filter</filter-name>
<url-pattern>/*</url-pattern>
<url-pattern>/keycloak/*</url-pattern>
<url-pattern>/protected/*</url-pattern>
</filter-mapping>
</web-app>
]]>
</programlisting>
<para>
If you notice above, there are two url-patterns. <literal>/protected/*</literal> are just the files we want protected.
<literal>/keycloak/*</literal> url-pattern will handle callback from the keycloak server.
Note that you should configure your client in the Keycloak Admin Console
with an Admin URL that points to a secured section covered by the filter's url-pattern.
The Admin URL will make callbacks to the Admin URL to do things like backchannel logout. So, the Admin URL in this example should
be <literal>http[s]://hostname/{context-root}/keycloak</literal>. There is an example of this in the distribution.
</para>
<para>
The Keycloak filter has the same configuration parameters available as the other adapters except you must define
them as filter init params instead of context params.


@ -64,9 +64,13 @@
</para>
<warning>
<para>
You must have a filter mapping for <literal>/saml</literal>
You must have a filter mapping that covers <literal>/saml</literal>. This mapping covers all server callbacks.
</para>
</warning>
<para>
When registering SPs with an IDP, you must register <literal>http[s]://hostname/{context-root}/saml</literal> as
your Assert Consumer Service URL and Single Logout Service URL.
</para>
<para>
To use this filter, include this maven artifact in your WAR poms
</para>


@ -29,7 +29,8 @@
</filter>
<filter-mapping>
<filter-name>Keycloak Filter</filter-name>
<url-pattern>/customers/*</url-pattern>
<url-pattern>/keycloak/*</url-pattern> <!-- this is so keycloak server can send events like backchannel logout -->
<url-pattern>/customers/*</url-pattern> <!-- this secures things -->
</filter-mapping>
</web-app>


@ -123,7 +123,7 @@
{
"clientId": "customer-portal-filter",
"enabled": true,
"adminUrl": "/customer-portal-filter",
"adminUrl": "/customer-portal-filter/keycloak",
"baseUrl": "/customer-portal-filter",
"redirectUris": [
"/customer-portal-filter/*"