rebased to latest master
This commit is contained in:
parent
18fa03bf97
commit
e3060e5e58
6 changed files with 36 additions and 30 deletions
|
@ -36,4 +36,11 @@ public class OIDCAuthenticationError implements AuthenticationError {
|
|||
public String getDescription() {
|
||||
return description;
|
||||
}
|
||||
|
||||
@Override
|
||||
public String toString() {
|
||||
return "OIDCAuthenticationError [reason=" + reason + ", description=" + description + "]";
|
||||
}
|
||||
|
||||
|
||||
}
|
||||
|
|
|
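Review bot: The new toString() at `return "OIDCAuthenticationError [reason=" + reason + ", description=" + description + "]";` embeds `description` verbatim; where that text originates is not visible in this hunk, but if it carries the provider's error/error_description from the callback it is attacker-influenced, and any caller that renders toString() into HTML (the error servlet in this same commit does) must escape it. A one-line Javadoc would make that contract explicit: `/** Diagnostic form for logs; description may echo provider-supplied text, so escape it before rendering to users. */`. The class body continues outside the hunk.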
@ -40,4 +40,10 @@ public class SamlAuthenticationError implements AuthenticationError {
|
|||
public StatusResponseType getStatus() {
|
||||
return status;
|
||||
}
|
||||
|
||||
@Override
|
||||
public String toString() {
|
||||
return "SamlAuthenticationError [reason=" + reason + ", status=" + status + "]";
|
||||
}
|
||||
|
||||
}
|
||||
|
|
|
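Review bot: The new toString() concatenates `status`, a `StatusResponseType`; unless that class overrides toString (not visible here), the output is the default `Class@hash`, which says nothing about why authentication failed. Consider printing the top-level status code instead, null-guarded since the field can evidently be null: `String code = (status != null && status.getStatus() != null) ? String.valueOf(status.getStatus().getStatusCode()) : null;` followed by `return "SamlAuthenticationError [reason=" + reason + ", statusCode=" + code + "]";` — assuming `StatusCodeType` renders its value, otherwise reach through to its value accessor. `getStatus()` still returns the full StatusResponseType, so callers are unaffected.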
@ -212,24 +212,6 @@ public abstract class SamlAuthenticator {
|
|||
}
|
||||
|
||||
if (statusResponse instanceof ResponseType) {
|
||||
|
||||
//validate status
|
||||
StatusType status = statusResponse.getStatus();
|
||||
if(status == null){
|
||||
log.error("Missing Status in SAML response");
|
||||
return AuthOutcome.FAILED;
|
||||
}
|
||||
if(!checkStatusCodeValue(status.getStatusCode(), JBossSAMLURIConstants.STATUS_SUCCESS.get())){
|
||||
if(checkStatusCodeValue(status.getStatusCode(), JBossSAMLURIConstants.STATUS_RESPONDER.get()) && checkStatusCodeValue(status.getStatusCode().getStatusCode(), JBossSAMLURIConstants.STATUS_NO_PASSIVE.get())){
|
||||
// KEYCLOAK-2107 - handle user not authenticated due passive mode
|
||||
log.debug("Not authenticated due passive mode Status found in SAML response: " + status.toString());
|
||||
return AuthOutcome.NOT_AUTHENTICATED;
|
||||
}
|
||||
log.error("Error Status found in SAML response: " + status.toString());
|
||||
return AuthOutcome.FAILED;
|
||||
|
||||
}
|
||||
|
||||
try {
|
||||
if (deployment.getIDP().getSingleSignOnService().validateResponseSignature()) {
|
||||
try {
|
||||
|
@ -276,7 +258,15 @@ public abstract class SamlAuthenticator {
|
|||
}
|
||||
|
||||
} else if (sessionStore.isLoggingIn()) {
|
||||
|
||||
try {
|
||||
// KEYCLOAK-2107 - handle user not authenticated due passive mode. Return special outcome so different authentication mechanisms can behave accordingly.
|
||||
StatusType status = statusResponse.getStatus();
|
||||
if(checkStatusCodeValue(status.getStatusCode(), JBossSAMLURIConstants.STATUS_RESPONDER.get()) && checkStatusCodeValue(status.getStatusCode().getStatusCode(), JBossSAMLURIConstants.STATUS_NO_PASSIVE.get())){
|
||||
log.debug("Not authenticated due passive mode Status found in SAML response: " + status.toString());
|
||||
return AuthOutcome.NOT_AUTHENTICATED;
|
||||
}
|
||||
|
||||
challenge = new AuthChallenge() {
|
||||
@Override
|
||||
public boolean challenge(HttpFacade exchange) {
|
||||
|
|
|
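Review bot: In the second hunk, `StatusType status = statusResponse.getStatus();` is dereferenced on the very next line with no null check; the `status == null` guard that the first hunk deletes is not carried over, so a response lacking a Status element throws a NullPointerException inside the `try` that opens just above it, and its catch clause (outside the hunk) then decides what the caller sees. Guard it: `if (status != null && checkStatusCodeValue(status.getStatusCode(), JBossSAMLURIConstants.STATUS_RESPONDER.get()) && checkStatusCodeValue(status.getStatusCode().getStatusCode(), JBossSAMLURIConstants.STATUS_NO_PASSIVE.get())) {`. Note also that this branch reads the status before any signature validation visible here (the `validateResponseSignature()` call sits in the `instanceof ResponseType` branch), so an unverified NoPassive status can steer the outcome to NOT_AUTHENTICATED; that grants no session, but a comment such as `// Status is read without signature verification here: NOT_AUTHENTICATED grants nothing, so an unsigned NoPassive status is tolerated.` would tell the next reader that this is deliberate. The enclosing method starts and ends outside both hunks.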
@ -1,28 +1,21 @@
|
|||
package org.keycloak.saml;
|
||||
|
||||
<<<<<<< Upstream, based on keycloak/master
|
||||
import org.keycloak.dom.saml.v2.assertion.NameIDType;
|
||||
import org.keycloak.dom.saml.v2.protocol.StatusCodeType;
|
||||
import org.keycloak.dom.saml.v2.protocol.StatusResponseType;
|
||||
import org.keycloak.dom.saml.v2.protocol.StatusType;
|
||||
import org.keycloak.saml.common.constants.JBossSAMLURIConstants;
|
||||
=======
|
||||
import org.keycloak.dom.saml.v2.protocol.ResponseType;
|
||||
>>>>>>> 9408d08 KEYCLOAK-2107 - support IsPassive mode in SAML SP adapter library KEYCLOAK-2075 - added integration tests for both server and adapter side
|
||||
import org.keycloak.saml.common.exceptions.ConfigurationException;
|
||||
import org.keycloak.saml.common.exceptions.ParsingException;
|
||||
import org.keycloak.saml.common.exceptions.ProcessingException;
|
||||
import org.keycloak.saml.processing.api.saml.v2.response.SAML2Response;
|
||||
import org.keycloak.saml.processing.core.saml.v2.common.IDGenerator;
|
||||
import org.keycloak.saml.processing.core.saml.v2.factories.JBossSAMLAuthnResponseFactory;
|
||||
<<<<<<< Upstream, based on keycloak/master
|
||||
import org.keycloak.saml.processing.core.saml.v2.holders.IDPInfoHolder;
|
||||
import org.keycloak.saml.processing.core.saml.v2.holders.IssuerInfoHolder;
|
||||
import org.keycloak.saml.processing.core.saml.v2.holders.SPInfoHolder;
|
||||
import org.keycloak.dom.saml.v2.protocol.ResponseType;
|
||||
import org.keycloak.saml.processing.core.saml.v2.util.XMLTimeUtil;
|
||||
=======
|
||||
>>>>>>> 9408d08 KEYCLOAK-2107 - support IsPassive mode in SAML SP adapter library KEYCLOAK-2075 - added integration tests for both server and adapter side
|
||||
import org.w3c.dom.Document;
|
||||
|
||||
import java.net.URI;
|
||||
|
@ -52,6 +45,7 @@ public class SAML2ErrorResponseBuilder {
|
|||
return this;
|
||||
}
|
||||
|
||||
|
||||
public Document buildDocument() throws ProcessingException {
|
||||
|
||||
try {
|
||||
|
@ -71,6 +65,8 @@ public class SAML2ErrorResponseBuilder {
|
|||
} catch (ParsingException e) {
|
||||
throw new ProcessingException(e);
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
|
||||
}
|
||||
|
|
|
@ -140,12 +140,13 @@ public class SamlAdapterTestStrategy extends ExternalResource {
|
|||
}
|
||||
|
||||
public void testPostPassiveLoginLogout(boolean forbiddenIfNotauthenticated) {
|
||||
// first request on passive app - no login page shown, user not logged in as we are in passive mode
|
||||
// first request on passive app - no login page shown, user not logged in as we are in passive mode.
|
||||
// Shown page depends on used authentication mechanism, some may return forbidden error, some return requested page with anonymous user (not logged in)
|
||||
driver.navigate().to(APP_SERVER_BASE_URL + "/sales-post-passive/");
|
||||
assertEquals(APP_SERVER_BASE_URL + "/sales-post-passive/", driver.getCurrentUrl());
|
||||
System.out.println(driver.getPageSource());
|
||||
if (forbiddenIfNotauthenticated) {
|
||||
Assert.assertTrue(driver.getPageSource().contains("Forbidden"));
|
||||
Assert.assertTrue(driver.getPageSource().contains("HTTP status code: 403"));
|
||||
} else {
|
||||
Assert.assertTrue(driver.getPageSource().contains("principal=null"));
|
||||
}
|
||||
|
|
|
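Review bot: `System.out.println(driver.getPageSource());` in testPostPassiveLoginLogout dumps the entire page on every run, which looks like a debugging leftover; drop it, or demote it to a `log.debug` call, so test output stays readable and failures are not buried. As a point of style, the parameter `forbiddenIfNotauthenticated` would read better as `forbiddenIfNotAuthenticated`, though renaming it touches callers outside this hunk. The method continues past the end of the hunk.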
@ -6,7 +6,6 @@ import javax.servlet.ServletException;
|
|||
import javax.servlet.http.HttpServlet;
|
||||
import javax.servlet.http.HttpServletRequest;
|
||||
import javax.servlet.http.HttpServletResponse;
|
||||
import javax.servlet.http.HttpSession;
|
||||
import java.io.IOException;
|
||||
import java.io.PrintWriter;
|
||||
|
||||
|
@ -20,10 +19,17 @@ public class ErrorServlet extends HttpServlet {
|
|||
protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
|
||||
authError = (AuthenticationError)req.getAttribute(AuthenticationError.class.getName());
|
||||
|
||||
Integer statusCode = (Integer) req.getAttribute("javax.servlet.error.status_code");
|
||||
|
||||
resp.setContentType("text/html");
|
||||
PrintWriter pw = resp.getWriter();
|
||||
pw.printf("<html><head><title>%s</title></head><body>", "Error Page");
|
||||
pw.print("<h1>There was an error</h1></body></html>");
|
||||
pw.print("<h1>There was an error</h1>");
|
||||
if (statusCode != null)
|
||||
pw.print("<br/>HTTP status code: " + statusCode);
|
||||
if (authError != null)
|
||||
pw.print("<br/>Error info: " + authError.toString());
|
||||
pw.print("</body></html>");
|
||||
pw.flush();
|
||||
|
||||
|
||||
|
|
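Review bot: `pw.print("<br/>Error info: " + authError.toString());` writes the error's string form into a text/html response unescaped; for OIDC errors that string includes a description whose origin is not visible here but may echo provider-supplied text, so this line is a reflected-HTML sink even in a test servlet. Escape the dangerous characters inline, `pw.print("<br/>Error info: " + authError.toString().replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;"));`, and declare the charset so browsers do not guess one: `resp.setContentType("text/html; charset=UTF-8");`. Separately, `authError` is assigned without a local declaration, so it must be a field of the servlet (or an inherited one) shared by every request; if that is not intentional for the test harness, a local variable avoids one request's error surfacing in another. doGet's closing brace lies outside the hunk.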