rebased to latest master

This commit is contained in:
Vlastimil Elias 2015-11-25 13:46:29 +01:00
parent 18fa03bf97
commit e3060e5e58
6 changed files with 36 additions and 30 deletions


@ -36,4 +36,11 @@ public class OIDCAuthenticationError implements AuthenticationError {
public String getDescription() {
return description;
}
@Override
public String toString() {
return "OIDCAuthenticationError [reason=" + reason + ", description=" + description + "]";
}
}


@ -40,4 +40,10 @@ public class SamlAuthenticationError implements AuthenticationError {
public StatusResponseType getStatus() {
return status;
}
@Override
public String toString() {
return "SamlAuthenticationError [reason=" + reason + ", status=" + status + "]";
}
}
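Review bot: The new `toString()` concatenates `status` directly, and `status` is a `StatusResponseType` (see `getStatus()` two lines above); if that class does not override `toString()` this renders an identity hash rather than anything a log reader can act on. Consider rendering the nested status code instead, e.g. `", status=" + (status == null ? null : status.getStatus().getStatusCode())`, using the same `getStatus()`/`getStatusCode()` accessors the SamlAuthenticator hunk in this commit already relies on. A short Javadoc on the method such as `/** Summary for logging; contains only the reason and the SAML status code, never assertion content. */` would also document what callers may safely log. The same consideration applies to the OIDCAuthenticationError section, where `description` is interpolated as-is.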


@ -211,25 +211,7 @@ public abstract class SamlAuthenticator {
return AuthOutcome.FAILED;
}
if (statusResponse instanceof ResponseType) {
//validate status
StatusType status = statusResponse.getStatus();
if(status == null){
log.error("Missing Status in SAML response");
return AuthOutcome.FAILED;
}
if(!checkStatusCodeValue(status.getStatusCode(), JBossSAMLURIConstants.STATUS_SUCCESS.get())){
if(checkStatusCodeValue(status.getStatusCode(), JBossSAMLURIConstants.STATUS_RESPONDER.get()) && checkStatusCodeValue(status.getStatusCode().getStatusCode(), JBossSAMLURIConstants.STATUS_NO_PASSIVE.get())){
// KEYCLOAK-2107 - handle user not authenticated due passive mode
log.debug("Not authenticated due passive mode Status found in SAML response: " + status.toString());
return AuthOutcome.NOT_AUTHENTICATED;
}
log.error("Error Status found in SAML response: " + status.toString());
return AuthOutcome.FAILED;
}
if (statusResponse instanceof ResponseType) {
try {
if (deployment.getIDP().getSingleSignOnService().validateResponseSignature()) {
try {
@ -276,7 +258,15 @@ public abstract class SamlAuthenticator {
}
} else if (sessionStore.isLoggingIn()) {
try {
// KEYCLOAK-2107 - handle user not authenticated due passive mode. Return special outcome so different authentication mechanisms can behave accordingly.
StatusType status = statusResponse.getStatus();
if(checkStatusCodeValue(status.getStatusCode(), JBossSAMLURIConstants.STATUS_RESPONDER.get()) && checkStatusCodeValue(status.getStatusCode().getStatusCode(), JBossSAMLURIConstants.STATUS_NO_PASSIVE.get())){
log.debug("Not authenticated due passive mode Status found in SAML response: " + status.toString());
return AuthOutcome.NOT_AUTHENTICATED;
}
challenge = new AuthChallenge() {
@Override
public boolean challenge(HttpFacade exchange) {
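Review bot: In the second hunk the new `StatusType status = statusResponse.getStatus();` is dereferenced immediately by `status.getStatusCode()` without a null guard, whereas the block the first hunk removes treated a missing Status as an error (`log.error("Missing Status in SAML response")`); whether the enclosing `try` catches a NullPointerException is not visible here. Guard it: `if (status != null && checkStatusCodeValue(status.getStatusCode(), JBossSAMLURIConstants.STATUS_RESPONDER.get()) && checkStatusCodeValue(status.getStatusCode().getStatusCode(), JBossSAMLURIConstants.STATUS_NO_PASSIVE.get())) {`. The nested `status.getStatusCode().getStatusCode()` is only reached when the first check succeeded, so it is safe provided `checkStatusCodeValue` returns false for a null code — its body is outside this diff. The removed block also returned `AuthOutcome.FAILED` for any non-success status; if the rebased code does not keep that check elsewhere (outside this view), a non-success response would now proceed to the `validateResponseSignature()` path. The enclosing method starts before the first hunk and ends after the second.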


@ -1,28 +1,21 @@
package org.keycloak.saml;
<<<<<<< Upstream, based on keycloak/master
import org.keycloak.dom.saml.v2.assertion.NameIDType;
import org.keycloak.dom.saml.v2.protocol.StatusCodeType;
import org.keycloak.dom.saml.v2.protocol.StatusResponseType;
import org.keycloak.dom.saml.v2.protocol.StatusType;
import org.keycloak.saml.common.constants.JBossSAMLURIConstants;
=======
import org.keycloak.dom.saml.v2.protocol.ResponseType;
>>>>>>> 9408d08 KEYCLOAK-2107 - support IsPassive mode in SAML SP adapter library KEYCLOAK-2075 - added integration tests for both server and adapter side
import org.keycloak.saml.common.exceptions.ConfigurationException;
import org.keycloak.saml.common.exceptions.ParsingException;
import org.keycloak.saml.common.exceptions.ProcessingException;
import org.keycloak.saml.processing.api.saml.v2.response.SAML2Response;
import org.keycloak.saml.processing.core.saml.v2.common.IDGenerator;
import org.keycloak.saml.processing.core.saml.v2.factories.JBossSAMLAuthnResponseFactory;
<<<<<<< Upstream, based on keycloak/master
import org.keycloak.saml.processing.core.saml.v2.holders.IDPInfoHolder;
import org.keycloak.saml.processing.core.saml.v2.holders.IssuerInfoHolder;
import org.keycloak.saml.processing.core.saml.v2.holders.SPInfoHolder;
import org.keycloak.dom.saml.v2.protocol.ResponseType;
import org.keycloak.saml.processing.core.saml.v2.util.XMLTimeUtil;
=======
>>>>>>> 9408d08 KEYCLOAK-2107 - support IsPassive mode in SAML SP adapter library KEYCLOAK-2075 - added integration tests for both server and adapter side
import org.w3c.dom.Document;
import java.net.URI;
@ -52,6 +45,7 @@ public class SAML2ErrorResponseBuilder {
return this;
}
public Document buildDocument() throws ProcessingException {
try {
@ -71,6 +65,8 @@ public class SAML2ErrorResponseBuilder {
} catch (ParsingException e) {
throw new ProcessingException(e);
}
}
}


@ -140,12 +140,13 @@ public class SamlAdapterTestStrategy extends ExternalResource {
}
public void testPostPassiveLoginLogout(boolean forbiddenIfNotauthenticated) {
// first request on passive app - no login page shown, user not logged in as we are in passive mode
// first request on passive app - no login page shown, user not logged in as we are in passive mode.
// Shown page depends on used authentication mechanism, some may return forbidden error, some return requested page with anonymous user (not logged in)
driver.navigate().to(APP_SERVER_BASE_URL + "/sales-post-passive/");
assertEquals(APP_SERVER_BASE_URL + "/sales-post-passive/", driver.getCurrentUrl());
System.out.println(driver.getPageSource());
if (forbiddenIfNotauthenticated) {
Assert.assertTrue(driver.getPageSource().contains("Forbidden"));
Assert.assertTrue(driver.getPageSource().contains("HTTP status code: 403"));
} else {
Assert.assertTrue(driver.getPageSource().contains("principal=null"));
}


@ -6,7 +6,6 @@ import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import java.io.IOException;
import java.io.PrintWriter;
@ -20,10 +19,17 @@ public class ErrorServlet extends HttpServlet {
protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
authError = (AuthenticationError)req.getAttribute(AuthenticationError.class.getName());
Integer statusCode = (Integer) req.getAttribute("javax.servlet.error.status_code");
resp.setContentType("text/html");
PrintWriter pw = resp.getWriter();
pw.printf("<html><head><title>%s</title></head><body>", "Error Page");
pw.print("<h1>There was an error</h1></body></html>");
pw.print("<h1>There was an error</h1>");
if (statusCode != null)
pw.print("<br/>HTTP status code: " + statusCode);
if (authError != null)
pw.print("<br/>Error info: " + authError.toString());
pw.print("</body></html>");
pw.flush();
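Review bot: The new `pw.print("<br/>Error info: " + authError.toString());` writes the error object into a `text/html` body unescaped, and the `reason`/`description`/`status` fields that the new `toString()` implementations in this commit include presumably carry text taken from the remote provider's response rather than from this servlet. Even in a test servlet the interpolated text should be escaped, e.g. `String info = authError.toString().replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;");` followed by `pw.print("<br/>Error info: " + info);` (`statusCode` is an `Integer` and needs no escaping). The two added `if` statements are unbraced, unlike every other `if` in this commit; bracing them avoids the classic dangling-statement mistake when a second line is added later. `doGet` continues past the end of the hunk.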