Merge branch 'ungarida-master'

This commit is contained in:
Stian Thorgersen 2014-08-28 14:30:29 +02:00
commit cdc6588ac1
5 changed files with 49 additions and 15 deletions


@ -63,7 +63,7 @@
<dependency> <dependency>
<groupId>org.apache.tomcat</groupId> <groupId>org.apache.tomcat</groupId>
<artifactId>tomcat-catalina</artifactId> <artifactId>tomcat-catalina</artifactId>
<version>7.0.52</version> <version>7.0.54</version>
<scope>provided</scope> <scope>provided</scope>
</dependency> </dependency>


@ -1,5 +1,11 @@
package org.keycloak.adapters.tomcat7; package org.keycloak.adapters.tomcat7;
import java.io.IOException;
import java.util.logging.Logger;
import javax.management.ObjectName;
import javax.servlet.ServletException;
import org.apache.catalina.Container; import org.apache.catalina.Container;
import org.apache.catalina.Valve; import org.apache.catalina.Valve;
import org.apache.catalina.connector.Request; import org.apache.catalina.connector.Request;
@ -9,11 +15,6 @@ import org.keycloak.adapters.AdapterDeploymentContext;
import org.keycloak.adapters.AuthenticatedActionsHandler; import org.keycloak.adapters.AuthenticatedActionsHandler;
import org.keycloak.adapters.KeycloakDeployment; import org.keycloak.adapters.KeycloakDeployment;
import javax.management.ObjectName;
import javax.servlet.ServletException;
import java.io.IOException;
import java.util.logging.Logger;
/** /**
* Pre-installed actions that must be authenticated * Pre-installed actions that must be authenticated
* <p/> * <p/>
@ -53,4 +54,4 @@ public class AuthenticatedActionsValve extends ValveBase {
} }
} }


@ -54,7 +54,8 @@ public class CatalinaRequestAuthenticator extends RequestAuthenticator {
@Override @Override
protected void completeOAuthAuthentication(KeycloakPrincipal skp, RefreshableKeycloakSecurityContext securityContext) { protected void completeOAuthAuthentication(KeycloakPrincipal skp, RefreshableKeycloakSecurityContext securityContext) {
Set<String> roles = getRolesFromToken(securityContext); request.setAttribute(KeycloakSecurityContext.class.getName(), securityContext);
Set<String> roles = getRolesFromToken(securityContext);
GenericPrincipal principal = new CatalinaSecurityContextHelper().createPrincipal(request.getContext().getRealm(), skp, roles, securityContext); GenericPrincipal principal = new CatalinaSecurityContextHelper().createPrincipal(request.getContext().getRealm(), skp, roles, securityContext);
Session session = request.getSessionInternal(true); Session session = request.getSessionInternal(true);
session.setPrincipal(principal); session.setPrincipal(principal);
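Review bot: The new `request.setAttribute(KeycloakSecurityContext.class.getName(), securityContext)` is undocumented, yet it is the lookup that `KeycloakAuthenticatorValve.logout()` in this same commit depends on, so a reader of this method cannot tell the attribute is load-bearing. Suggest `// expose the context on the request; KeycloakAuthenticatorValve.logout() looks it up by this key`. Whether the bearer-token completion path stores the same attribute is not visible in this hunk and should be checked, because logout() silently does nothing when the attribute is absent. completeOAuthAuthentication continues past the end of the hunk.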


@ -59,6 +59,17 @@ public class CatalinaSecurityContextHelper {
subjectGroup.addMember(role); subjectGroup.addMember(role);
} }
} }
// add the CallerPrincipal group if none has been added in getRoleSets
// Group callerGroup = new SimpleGroup(SecurityConstants.CALLER_PRINCIPAL_GROUP);
// callerGroup.addMember(identity);
// principals.add(callerGroup);
// SecurityContext sc = SecurityContextAssociation.getSecurityContext();
// Principal userPrincipal = getPrincipal(subject);
// sc.getUtil().createSubjectInfo(userPrincipal, account, subject);
// List<String> rolesAsStringList = new ArrayList<String>();
// rolesAsStringList.addAll(roleSet);
//
Principal userPrincipal = getPrincipal(subject); Principal userPrincipal = getPrincipal(subject);
List<String> rolesAsStringList = new ArrayList<String>(); List<String> rolesAsStringList = new ArrayList<String>();
rolesAsStringList.addAll(roleSet); rolesAsStringList.addAll(roleSet);
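Review bot: The block added just above `Principal userPrincipal = getPrincipal(subject);` is commented-out code rather than a comment, and it appears to reference JBoss-style security APIs (`SecurityContextAssociation`, `SecurityConstants.CALLER_PRINCIPAL_GROUP`) that nothing in this Catalina helper uses; dead code like this should be dropped from the commit. If the intent is to record that no caller-principal group is attached here, a one-line note such as `// NOTE: no CallerPrincipal group is added to the subject here` says that without leaving dead code. The enclosing method starts and ends outside this hunk.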


@ -5,6 +5,7 @@ import org.apache.catalina.Lifecycle;
import org.apache.catalina.LifecycleEvent; import org.apache.catalina.LifecycleEvent;
import org.apache.catalina.LifecycleException; import org.apache.catalina.LifecycleException;
import org.apache.catalina.LifecycleListener; import org.apache.catalina.LifecycleListener;
import org.apache.catalina.Session;
import org.apache.catalina.authenticator.FormAuthenticator; import org.apache.catalina.authenticator.FormAuthenticator;
import org.apache.catalina.connector.Request; import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response; import org.apache.catalina.connector.Response;
@ -20,6 +21,7 @@ import org.keycloak.adapters.KeycloakDeployment;
import org.keycloak.adapters.KeycloakDeploymentBuilder; import org.keycloak.adapters.KeycloakDeploymentBuilder;
import org.keycloak.adapters.PreAuthActionsHandler; import org.keycloak.adapters.PreAuthActionsHandler;
import org.keycloak.adapters.RefreshableKeycloakSecurityContext; import org.keycloak.adapters.RefreshableKeycloakSecurityContext;
import org.keycloak.adapters.ServerRequest;
import javax.servlet.ServletContext; import javax.servlet.ServletContext;
import javax.servlet.ServletException; import javax.servlet.ServletException;
@ -32,11 +34,10 @@ import java.io.InputStream;
import java.util.logging.Logger; import java.util.logging.Logger;
/** /**
* Web deployment whose security is managed by a remote OAuth Skeleton Key * Web deployment whose security is managed by a remote OAuth Skeleton Key authentication server
* authentication server
* <p/> * <p/>
* Redirects browser to remote authentication server if not logged in. Also * Redirects browser to remote authentication server if not logged in. Also allows OAuth Bearer Token requests
* allows OAuth Bearer Token requests that contain a Skeleton Key bearer tokens. * that contain a Skeleton Key bearer tokens.
* *
* @author <a href="mailto:ungarida@gmail.com">Davide Ungari</a> * @author <a href="mailto:ungarida@gmail.com">Davide Ungari</a>
* @version $Revision: 1 $ * @version $Revision: 1 $
@ -48,13 +49,33 @@ public class KeycloakAuthenticatorValve extends FormAuthenticator implements Lif
@Override @Override
public void lifecycleEvent(LifecycleEvent event) { public void lifecycleEvent(LifecycleEvent event) {
if (event.getType() == Lifecycle.START_EVENT) { if (Lifecycle.START_EVENT.equals(event.getType())) {
try { try {
startDeployment(); startDeployment();
} catch (LifecycleException e) { } catch (LifecycleException e) {
e.printStackTrace(); log.severe("Error starting deployment. " + e.getMessage());
}
} else if (Lifecycle.AFTER_START_EVENT.equals(event.getType())) {
initInternal();
}
}
@Override
public void logout(Request request) throws ServletException {
KeycloakSecurityContext ksc = (KeycloakSecurityContext)request.getAttribute(KeycloakSecurityContext.class.getName());
if (ksc != null) {
request.removeAttribute(KeycloakSecurityContext.class.getName());
Session session = request.getSessionInternal(false);
if (session != null) {
session.removeNote(KeycloakSecurityContext.class.getName());
try {
ServerRequest.invokeLogout(deploymentContext.getDeployment(), ksc.getToken().getSessionState());
} catch (Exception e) {
log.severe("failed to invoke remote logout. " + e.getMessage());
}
} }
} }
super.logout(request);
} }
public void startDeployment() throws LifecycleException { public void startDeployment() throws LifecycleException {
@ -151,7 +172,7 @@ public class KeycloakAuthenticatorValve extends FormAuthenticator implements Lif
* @param request * @param request
*/ */
protected void checkKeycloakSession(Request request, HttpFacade facade) { protected void checkKeycloakSession(Request request, HttpFacade facade) {
if (request.getSessionInternal(false) == null || request.getSessionInternal().getPrincipal() == null) return; if (request.getSessionInternal(false) == null || request.getPrincipal() == null) return;
RefreshableKeycloakSecurityContext session = (RefreshableKeycloakSecurityContext) request.getSessionInternal().getNote(KeycloakSecurityContext.class.getName()); RefreshableKeycloakSecurityContext session = (RefreshableKeycloakSecurityContext) request.getSessionInternal().getNote(KeycloakSecurityContext.class.getName());
if (session == null) return; if (session == null) return;
// just in case session got serialized // just in case session got serialized
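Review bot: `logout()` removes the session note but never clears the principal that completeOAuthAuthentication stores with `session.setPrincipal(principal)` (see CatalinaRequestAuthenticator in this commit), so whether the local session is really de-authenticated depends on what `super.logout(request)` does in this Tomcat version; adding `session.setPrincipal(null);` next to `session.removeNote(...)` makes it explicit. The remote `ServerRequest.invokeLogout` call is also nested inside `if (session != null)`, so a request carrying a KeycloakSecurityContext but no local session never notifies the server — presumably deliberate for bearer requests, but it deserves a comment. Both new catch blocks log only `e.getMessage()`, which drops the stack trace; `log.log(Level.SEVERE, "failed to invoke remote logout", e);` keeps it (needs `java.util.logging.Level`). The `lifecycleEvent` catch likewise swallows the LifecycleException, leaving the valve running after a failed startDeployment(); consider rethrowing or at least logging the cause in full.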