From c4c99d5f81a5d8ffb966872d008dd3dedfb2f840 Mon Sep 17 00:00:00 2001
From: Bill Burke
Date: Wed, 3 Feb 2016 17:31:50 -0500
Subject: [PATCH] KEYCLOAK-2443
---
 .../keycloak/adapters/servlet/KeycloakOIDCFilter.java | 6 ++++++
 .../adapters/servlet/OIDCFilterSessionStore.java | 2 ++
 .../en/en-US/modules/servlet-filter-adapter.xml | 11 ++++++++++-
 .../en/en-US/modules/servlet-filter-adapter.xml | 6 +++++-
 .../src/main/webapp/WEB-INF/web.xml | 3 ++-
 examples/demo-template/testrealm.json | 2 +-
 6 files changed, 26 insertions(+), 4 deletions(-)
diff --git a/adapters/oidc/servlet-filter/src/main/java/org/keycloak/adapters/servlet/KeycloakOIDCFilter.java b/adapters/oidc/servlet-filter/src/main/java/org/keycloak/adapters/servlet/KeycloakOIDCFilter.java
index ddd755234d..dab75015a6 100755
--- a/adapters/oidc/servlet-filter/src/main/java/org/keycloak/adapters/servlet/KeycloakOIDCFilter.java
+++ b/adapters/oidc/servlet-filter/src/main/java/org/keycloak/adapters/servlet/KeycloakOIDCFilter.java
@@ -102,6 +102,8 @@ public class KeycloakOIDCFilter implements Filter {
 @Override
 public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException, ServletException {
+ log.fine("Keycloak OIDC Filter");
+ //System.err.println("Keycloak OIDC Filter: " + ((HttpServletRequest)req).getRequestURL().toString());
 HttpServletRequest request = (HttpServletRequest) req;
 HttpServletResponse response = (HttpServletResponse) res;
 OIDCServletHttpFacade facade = new OIDCServletHttpFacade(request, response);
@@ -122,7 +124,10 @@ public class KeycloakOIDCFilter implements Filter {
 @Override
 public void logoutHttpSessions(List ids) {
+ log.fine("**************** logoutHttpSessions");
+ //System.err.println("**************** logoutHttpSessions");
 for (String id : ids) {
+ log.finest("removed idMapper: " + id);
 idMapper.removeSession(id);
 }
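Review bot: The commented-out `//System.err.println("Keycloak OIDC Filter: " + ((HttpServletRequest)req).getRequestURL().toString());` at the top of doFilter is leftover debugging and should be deleted rather than committed. The same applies to the commented-out `System.err.println` lines in the logoutHttpSessions hunk, the `preActions.handleRequest()` hunk and the OIDCFilterSessionStore hunk. The remaining `log.fine("Keycloak OIDC Filter");` carries no request context, so a short comment such as `// trace entry into the filter; request details are deliberately not logged` would tell the next reader why the URL was left out. The body of doFilter continues outside the hunk.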
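Review bot: `log.finest("removed idMapper: " + id);` in logoutHttpSessions writes what appear, by the method name, to be HTTP session identifiers into the adapter log. The OIDCFilterSessionStore hunk does the same at FINE level with `log.fine("idMapper does not have session: " + httpSession.getId());`. In that second case the session is only passed to cleanSession(), whose body is not visible here, so the logged id may still identify a live session to anyone who can read debug logs. Prefer a message without the identifier, for example `log.finest("removed session mapping during backchannel logout");`, or log only a short digest of the id if correlation is needed. The `"****************"` banner in the `log.fine` call above it is debugging noise and can be reduced to `log.fine("logoutHttpSessions");`. logoutHttpSessions sits in an anonymous class whose enclosing method starts and ends outside the hunk.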
@@ -130,6 +135,7 @@ public class KeycloakOIDCFilter implements Filter {
 }, deploymentContext, facade);
 if (preActions.handleRequest()) {
+ //System.err.println("**************** preActions.handleRequest happened!");
 return;
 }
diff --git a/adapters/oidc/servlet-filter/src/main/java/org/keycloak/adapters/servlet/OIDCFilterSessionStore.java b/adapters/oidc/servlet-filter/src/main/java/org/keycloak/adapters/servlet/OIDCFilterSessionStore.java
index 086ef50d97..8a3010ddd9 100755
--- a/adapters/oidc/servlet-filter/src/main/java/org/keycloak/adapters/servlet/OIDCFilterSessionStore.java
+++ b/adapters/oidc/servlet-filter/src/main/java/org/keycloak/adapters/servlet/OIDCFilterSessionStore.java
@@ -112,6 +112,8 @@ public class OIDCFilterSessionStore extends FilterSessionStore implements Adapte
 }
 if (idMapper != null && !idMapper.hasSession(httpSession.getId())) {
+ log.fine("idMapper does not have session: " + httpSession.getId());
+ //System.err.println("idMapper does not have session: " + httpSession.getId());
 cleanSession(httpSession);
 return false;
 }
diff --git a/docbook/auth-server-docs/reference/en/en-US/modules/servlet-filter-adapter.xml b/docbook/auth-server-docs/reference/en/en-US/modules/servlet-filter-adapter.xml
index 91425d46eb..45ed993f33 100755
--- a/docbook/auth-server-docs/reference/en/en-US/modules/servlet-filter-adapter.xml
+++ b/docbook/auth-server-docs/reference/en/en-US/modules/servlet-filter-adapter.xml
@@ -46,11 +46,20 @@ Keycloak Filter - /* + /keycloak/* + /protected/* ]]> + + If you notice above, there are two url-patterns. /protected/* are just the files we want protected. + /keycloak/* url-pattern will handle callback from the keycloak server. + Note that you should configure your client in the Keycloak Admin Console + with an Admin URL that points to a secured section covered by the filter's url-pattern. + The Admin URL will make callbacks to the Admin URL to do things like backchannel logout. So, the Admin URL in this example should + be http[s]://hostname/{context-root}/keycloak. There is an example of this in the distribution. + The Keycloak filter has the same configuration parameters available as the other adapters except you must define them as filter init params instead of context params. diff --git a/docbook/saml-adapter-docs/reference/en/en-US/modules/servlet-filter-adapter.xml b/docbook/saml-adapter-docs/reference/en/en-US/modules/servlet-filter-adapter.xml index 68b7daa04c..ff6d377353 100755 --- a/docbook/saml-adapter-docs/reference/en/en-US/modules/servlet-filter-adapter.xml +++ b/docbook/saml-adapter-docs/reference/en/en-US/modules/servlet-filter-adapter.xml @@ -64,9 +64,13 @@ - You must have a filter mapping for /saml + You must have a filter mapping that covers /saml. This mapping covers all server callbacks. + + When registering SPs with an IDP, you must register http[s]://hostname/{context-root}/saml as + your Assert Consumer Service URL and Single Logout Service URL. + To use this filter, include this maven artifact in your WAR poms diff --git a/examples/demo-template/customer-app-filter/src/main/webapp/WEB-INF/web.xml b/examples/demo-template/customer-app-filter/src/main/webapp/WEB-INF/web.xml index d724aa2f8e..b5098acb75 100755 --- a/examples/demo-template/customer-app-filter/src/main/webapp/WEB-INF/web.xml +++ b/examples/demo-template/customer-app-filter/src/main/webapp/WEB-INF/web.xml 
@@ -29,7 +29,8 @@ Keycloak Filter - /customers/* + /keycloak/* + /customers/* diff --git a/examples/demo-template/testrealm.json b/examples/demo-template/testrealm.json index e1d07bab47..20cd6150ed 100755 --- a/examples/demo-template/testrealm.json +++ b/examples/demo-template/testrealm.json @@ -123,7 +123,7 @@ { "clientId": "customer-portal-filter", "enabled": true, - "adminUrl": "/customer-portal-filter", + "adminUrl": "/customer-portal-filter/keycloak", "baseUrl": "/customer-portal-filter", "redirectUris": [ "/customer-portal-filter/*"