rebased to latest master

This commit is contained in:
Vlastimil Elias 2015-11-25 13:46:29 +01:00
parent 18fa03bf97
commit e3060e5e58
6 changed files with 36 additions and 30 deletions


@ -36,4 +36,11 @@ public class OIDCAuthenticationError implements AuthenticationError {
public String getDescription() { public String getDescription() {
return description; return description;
} }
@Override
public String toString() {
return "OIDCAuthenticationError [reason=" + reason + ", description=" + description + "]";
}
} }
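Review bot: The new `toString()` concatenates `description` verbatim, and the ErrorServlet hunk in this same commit writes `authError.toString()` straight into an HTML body, so whatever text ends up in `description` reaches the page unescaped; if it is derived from the provider's error response (not visible here), that is untrusted input landing in markup. Keep `toString()` as a logging representation, but have the servlet HTML-escape the value before printing it rather than relying on `toString()` to be markup-safe. A one-line Javadoc on the method, `/** Diagnostic representation for logs; not escaped for HTML output. */`, would make that contract explicit.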


@ -40,4 +40,10 @@ public class SamlAuthenticationError implements AuthenticationError {
public StatusResponseType getStatus() { public StatusResponseType getStatus() {
return status; return status;
} }
@Override
public String toString() {
return "SamlAuthenticationError [reason=" + reason + ", status=" + status + "]";
}
} }
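Review bot: `status` is a `StatusResponseType`, and unless that class overrides `toString()` (not visible in this hunk) the new `toString()` will print an object identity such as `StatusResponseType@1a2b3c` instead of anything diagnostic, which defeats the purpose of surfacing it on the error page. If the intent is to show the SAML status, summarize the status code explicitly, e.g. `", status=" + (status != null && status.getStatus() != null ? status.getStatus().getStatusCode() : null)`, guarding each level for null since both accessors can be absent in a malformed response. As with the OIDC variant, note in a Javadoc that this is a log representation and not HTML-safe.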


@ -212,24 +212,6 @@ public abstract class SamlAuthenticator {
} }
if (statusResponse instanceof ResponseType) { if (statusResponse instanceof ResponseType) {
//validate status
StatusType status = statusResponse.getStatus();
if(status == null){
log.error("Missing Status in SAML response");
return AuthOutcome.FAILED;
}
if(!checkStatusCodeValue(status.getStatusCode(), JBossSAMLURIConstants.STATUS_SUCCESS.get())){
if(checkStatusCodeValue(status.getStatusCode(), JBossSAMLURIConstants.STATUS_RESPONDER.get()) && checkStatusCodeValue(status.getStatusCode().getStatusCode(), JBossSAMLURIConstants.STATUS_NO_PASSIVE.get())){
// KEYCLOAK-2107 - handle user not authenticated due passive mode
log.debug("Not authenticated due passive mode Status found in SAML response: " + status.toString());
return AuthOutcome.NOT_AUTHENTICATED;
}
log.error("Error Status found in SAML response: " + status.toString());
return AuthOutcome.FAILED;
}
try { try {
if (deployment.getIDP().getSingleSignOnService().validateResponseSignature()) { if (deployment.getIDP().getSingleSignOnService().validateResponseSignature()) {
try { try {
@ -276,7 +258,15 @@ public abstract class SamlAuthenticator {
} }
} else if (sessionStore.isLoggingIn()) { } else if (sessionStore.isLoggingIn()) {
try { try {
// KEYCLOAK-2107 - handle user not authenticated due passive mode. Return special outcome so different authentication mechanisms can behave accordingly.
StatusType status = statusResponse.getStatus();
if(checkStatusCodeValue(status.getStatusCode(), JBossSAMLURIConstants.STATUS_RESPONDER.get()) && checkStatusCodeValue(status.getStatusCode().getStatusCode(), JBossSAMLURIConstants.STATUS_NO_PASSIVE.get())){
log.debug("Not authenticated due passive mode Status found in SAML response: " + status.toString());
return AuthOutcome.NOT_AUTHENTICATED;
}
challenge = new AuthChallenge() { challenge = new AuthChallenge() {
@Override @Override
public boolean challenge(HttpFacade exchange) { public boolean challenge(HttpFacade exchange) {
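Review bot: In the second hunk `status` is dereferenced without a null check: `statusResponse.getStatus()` can return null (the first hunk removes exactly such a guard, `if(status == null){ ... return AuthOutcome.FAILED; }`), so a response carrying no Status element now throws a NullPointerException inside the `isLoggingIn()` branch instead of yielding a failure outcome. Guard it inline, e.g. `if (status != null && checkStatusCodeValue(status.getStatusCode(), JBossSAMLURIConstants.STATUS_RESPONDER.get()) && checkStatusCodeValue(status.getStatusCode().getStatusCode(), JBossSAMLURIConstants.STATUS_NO_PASSIVE.get())) {`. The first hunk also drops the STATUS_SUCCESS check from the `ResponseType` branch; unless the login-response handling outside these hunks re-validates the status, a non-success response is no longer rejected there, which is worth confirming before merging. The enclosing method begins and ends outside both hunks.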


@ -1,28 +1,21 @@
package org.keycloak.saml; package org.keycloak.saml;
<<<<<<< Upstream, based on keycloak/master
import org.keycloak.dom.saml.v2.assertion.NameIDType; import org.keycloak.dom.saml.v2.assertion.NameIDType;
import org.keycloak.dom.saml.v2.protocol.StatusCodeType; import org.keycloak.dom.saml.v2.protocol.StatusCodeType;
import org.keycloak.dom.saml.v2.protocol.StatusResponseType; import org.keycloak.dom.saml.v2.protocol.StatusResponseType;
import org.keycloak.dom.saml.v2.protocol.StatusType; import org.keycloak.dom.saml.v2.protocol.StatusType;
import org.keycloak.saml.common.constants.JBossSAMLURIConstants; import org.keycloak.saml.common.constants.JBossSAMLURIConstants;
=======
import org.keycloak.dom.saml.v2.protocol.ResponseType;
>>>>>>> 9408d08 KEYCLOAK-2107 - support IsPassive mode in SAML SP adapter library KEYCLOAK-2075 - added integration tests for both server and adapter side
import org.keycloak.saml.common.exceptions.ConfigurationException; import org.keycloak.saml.common.exceptions.ConfigurationException;
import org.keycloak.saml.common.exceptions.ParsingException; import org.keycloak.saml.common.exceptions.ParsingException;
import org.keycloak.saml.common.exceptions.ProcessingException; import org.keycloak.saml.common.exceptions.ProcessingException;
import org.keycloak.saml.processing.api.saml.v2.response.SAML2Response; import org.keycloak.saml.processing.api.saml.v2.response.SAML2Response;
import org.keycloak.saml.processing.core.saml.v2.common.IDGenerator; import org.keycloak.saml.processing.core.saml.v2.common.IDGenerator;
import org.keycloak.saml.processing.core.saml.v2.factories.JBossSAMLAuthnResponseFactory; import org.keycloak.saml.processing.core.saml.v2.factories.JBossSAMLAuthnResponseFactory;
<<<<<<< Upstream, based on keycloak/master
import org.keycloak.saml.processing.core.saml.v2.holders.IDPInfoHolder; import org.keycloak.saml.processing.core.saml.v2.holders.IDPInfoHolder;
import org.keycloak.saml.processing.core.saml.v2.holders.IssuerInfoHolder; import org.keycloak.saml.processing.core.saml.v2.holders.IssuerInfoHolder;
import org.keycloak.saml.processing.core.saml.v2.holders.SPInfoHolder; import org.keycloak.saml.processing.core.saml.v2.holders.SPInfoHolder;
import org.keycloak.dom.saml.v2.protocol.ResponseType; import org.keycloak.dom.saml.v2.protocol.ResponseType;
import org.keycloak.saml.processing.core.saml.v2.util.XMLTimeUtil; import org.keycloak.saml.processing.core.saml.v2.util.XMLTimeUtil;
=======
>>>>>>> 9408d08 KEYCLOAK-2107 - support IsPassive mode in SAML SP adapter library KEYCLOAK-2075 - added integration tests for both server and adapter side
import org.w3c.dom.Document; import org.w3c.dom.Document;
import java.net.URI; import java.net.URI;
@ -52,6 +45,7 @@ public class SAML2ErrorResponseBuilder {
return this; return this;
} }
public Document buildDocument() throws ProcessingException { public Document buildDocument() throws ProcessingException {
try { try {
@ -71,6 +65,8 @@ public class SAML2ErrorResponseBuilder {
} catch (ParsingException e) { } catch (ParsingException e) {
throw new ProcessingException(e); throw new ProcessingException(e);
} }
} }
} }


@ -140,12 +140,13 @@ public class SamlAdapterTestStrategy extends ExternalResource {
} }
public void testPostPassiveLoginLogout(boolean forbiddenIfNotauthenticated) { public void testPostPassiveLoginLogout(boolean forbiddenIfNotauthenticated) {
// first request on passive app - no login page shown, user not logged in as we are in passive mode // first request on passive app - no login page shown, user not logged in as we are in passive mode.
// Shown page depends on used authentication mechanism, some may return forbidden error, some return requested page with anonymous user (not logged in)
driver.navigate().to(APP_SERVER_BASE_URL + "/sales-post-passive/"); driver.navigate().to(APP_SERVER_BASE_URL + "/sales-post-passive/");
assertEquals(APP_SERVER_BASE_URL + "/sales-post-passive/", driver.getCurrentUrl()); assertEquals(APP_SERVER_BASE_URL + "/sales-post-passive/", driver.getCurrentUrl());
System.out.println(driver.getPageSource()); System.out.println(driver.getPageSource());
if (forbiddenIfNotauthenticated) { if (forbiddenIfNotauthenticated) {
Assert.assertTrue(driver.getPageSource().contains("Forbidden")); Assert.assertTrue(driver.getPageSource().contains("HTTP status code: 403"));
} else { } else {
Assert.assertTrue(driver.getPageSource().contains("principal=null")); Assert.assertTrue(driver.getPageSource().contains("principal=null"));
} }
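Review bot: The new assertion `Assert.assertTrue(driver.getPageSource().contains("HTTP status code: 403"))` fails with a bare AssertionError, and since it hinges on the exact text the ErrorServlet now emits, a mismatch will be hard to diagnose from the test output alone. Pass a message carrying the page source, e.g. `Assert.assertTrue("expected 403 error page, got: " + driver.getPageSource(), driver.getPageSource().contains("HTTP status code: 403"));`, which would also let the `System.out.println(driver.getPageSource())` left in the test be dropped. The enclosing method continues outside the hunk.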


@ -6,7 +6,6 @@ import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet; import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse; import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import java.io.IOException; import java.io.IOException;
import java.io.PrintWriter; import java.io.PrintWriter;
@ -20,10 +19,17 @@ public class ErrorServlet extends HttpServlet {
protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException { protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
authError = (AuthenticationError)req.getAttribute(AuthenticationError.class.getName()); authError = (AuthenticationError)req.getAttribute(AuthenticationError.class.getName());
Integer statusCode = (Integer) req.getAttribute("javax.servlet.error.status_code");
resp.setContentType("text/html"); resp.setContentType("text/html");
PrintWriter pw = resp.getWriter(); PrintWriter pw = resp.getWriter();
pw.printf("<html><head><title>%s</title></head><body>", "Error Page"); pw.printf("<html><head><title>%s</title></head><body>", "Error Page");
pw.print("<h1>There was an error</h1></body></html>"); pw.print("<h1>There was an error</h1>");
if (statusCode != null)
pw.print("<br/>HTTP status code: " + statusCode);
if (authError != null)
pw.print("<br/>Error info: " + authError.toString());
pw.print("</body></html>");
pw.flush(); pw.flush();