KEYCLOAK-2828: LoginStatusIframeEndpoint now sets the P3P header.

IE requires a P3P header to be present in <iframe /> response. Otherwise cookies are forbidden. The value of the header does not seem to matter.
2016-04-15 15:48:56 +03:00 · 2016-04-15 15:48:56 +03:00 · cd1094c3ad
commit cd1094c3ad
parent 069d362778
2 changed files with 30 additions and 2 deletions
--- a/services/src/main/java/org/keycloak/protocol/oidc/endpoints/LoginStatusIframeEndpoint.java
+++ b/services/src/main/java/org/keycloak/protocol/oidc/endpoints/LoginStatusIframeEndpoint.java
@ -17,13 +17,19 @@

 package org.keycloak.protocol.oidc.endpoints;

+import org.jboss.logging.Logger;
 import org.jboss.resteasy.spi.NotFoundException;
 import org.keycloak.Config;
 import org.keycloak.models.ClientModel;
+import org.keycloak.models.KeycloakSession;
 import org.keycloak.models.RealmModel;
 import org.keycloak.protocol.oidc.utils.RedirectUtils;
 import org.keycloak.common.util.StreamUtil;
 import org.keycloak.common.util.UriUtils;
+import org.keycloak.saml.common.util.StringUtil;
+import org.keycloak.services.validation.Validation;
+import org.keycloak.theme.Theme;
+import org.keycloak.theme.ThemeProvider;

 import javax.ws.rs.GET;
 import javax.ws.rs.Produces;
@ -41,10 +47,14 @@ import java.io.InputStream;
 * @author <a href="mailto:sthorger@redhat.com">Stian Thorgersen</a>
 */
 public class LoginStatusIframeEndpoint {
+    private static final Logger logger = Logger.getLogger(LoginStatusIframeEndpoint.class);

    @Context
    private UriInfo uriInfo;

+    @Context
+    protected KeycloakSession session;
+
    private RealmModel realm;

    public LoginStatusIframeEndpoint(RealmModel realm) {
@ -95,15 +105,32 @@ public class LoginStatusIframeEndpoint {
            throw new WebApplicationException(Response.Status.BAD_REQUEST);
        }

+        ThemeProvider themeProvider = session.getProvider(ThemeProvider.class, "extending");
+        Theme theme;
+        try {
+            theme = themeProvider.getTheme(realm.getLoginTheme(), Theme.Type.LOGIN);
+        } catch (IOException e) {
+            logger.error("Failed to create theme", e);
+            return Response.serverError().build();
+        }
+
        try {
            String file = StreamUtil.readString(is);
            file = file.replace("ORIGIN", origin);

+            Response.ResponseBuilder response = Response.ok(file);
+
+            String p3pValue = theme.getProperties().getProperty("sessionIframeP3P");
+            if (!Validation.isBlank(p3pValue)) {
+                // This header is required by IE, see KEYCLOAK-2828 for details.
+                response.header("P3P", p3pValue);
+            }
+
            CacheControl cacheControl = new CacheControl();
            cacheControl.setNoTransform(false);
            cacheControl.setMaxAge(Config.scope("theme").getInt("staticMaxAge", -1));

-            return Response.ok(file).cacheControl(cacheControl).build();
+            return response.cacheControl(cacheControl).build();
        } catch (IOException e) {
            throw new WebApplicationException(e, Response.Status.BAD_REQUEST);
        }
--- a/themes/src/main/resources/theme/base/login/theme.properties
+++ b/themes/src/main/resources/theme/base/login/theme.properties
@ -1 +1,2 @@
-locales=ca,de,en,es,fr,it,pt-BR
+locales=ca,de,en,es,fr,it,pt-BR
+sessionIframeP3P=CP="This is not a P3P policy!"