Remove P3P header from authentication flow

Closes #23348
This commit is contained in:
Jon Koops 2023-09-19 11:49:40 +02:00 committed by Pedro Igor
parent 743bb696d9
commit e86bf1f0b2
4 changed files with 0 additions and 42 deletions

View file

@ -21,7 +21,6 @@ import org.keycloak.common.Version;
import org.keycloak.headers.SecurityHeadersProvider; import org.keycloak.headers.SecurityHeadersProvider;
import org.keycloak.models.KeycloakSession; import org.keycloak.models.KeycloakSession;
import org.keycloak.services.util.CacheControlUtil; import org.keycloak.services.util.CacheControlUtil;
import org.keycloak.services.util.P3PHelper;
import jakarta.ws.rs.core.CacheControl; import jakarta.ws.rs.core.CacheControl;
import jakarta.ws.rs.core.Response; import jakarta.ws.rs.core.Response;
@ -41,7 +40,6 @@ public class IframeUtil {
InputStream resource = IframeUtil.class.getResourceAsStream(fileName); InputStream resource = IframeUtil.class.getResourceAsStream(fileName);
if (resource != null) { if (resource != null) {
P3PHelper.addP3PHeader(session);
session.getProvider(SecurityHeadersProvider.class).options().allowAnyFrameAncestor(); session.getProvider(SecurityHeadersProvider.class).options().allowAnyFrameAncestor();
return Response.ok(resource).cacheControl(cacheControl).build(); return Response.ok(resource).cacheControl(cacheControl).build();
} else { } else {

View file

@ -84,7 +84,6 @@ import org.keycloak.services.resources.LoginActionsService;
import org.keycloak.services.resources.RealmsResource; import org.keycloak.services.resources.RealmsResource;
import org.keycloak.services.util.AuthorizationContextUtil; import org.keycloak.services.util.AuthorizationContextUtil;
import org.keycloak.services.util.CookieHelper; import org.keycloak.services.util.CookieHelper;
import org.keycloak.services.util.P3PHelper;
import org.keycloak.sessions.AuthenticationSessionModel; import org.keycloak.sessions.AuthenticationSessionModel;
import org.keycloak.sessions.CommonClientSessionModel; import org.keycloak.sessions.CommonClientSessionModel;
import org.keycloak.sessions.RootAuthenticationSessionModel; import org.keycloak.sessions.RootAuthenticationSessionModel;
@ -800,7 +799,6 @@ public class AuthenticationManager {
// Max age should be set to the max lifespan of the session as it's used to invalidate old-sessions on re-login // Max age should be set to the max lifespan of the session as it's used to invalidate old-sessions on re-login
int sessionCookieMaxAge = session.isRememberMe() && realm.getSsoSessionMaxLifespanRememberMe() > 0 ? realm.getSsoSessionMaxLifespanRememberMe() : realm.getSsoSessionMaxLifespan(); int sessionCookieMaxAge = session.isRememberMe() && realm.getSsoSessionMaxLifespanRememberMe() > 0 ? realm.getSsoSessionMaxLifespanRememberMe() : realm.getSsoSessionMaxLifespan();
CookieHelper.addCookie(KEYCLOAK_SESSION_COOKIE, sessionCookieValue, cookiePath, null, null, sessionCookieMaxAge, secureOnly, false, SameSiteAttributeValue.NONE, keycloakSession); CookieHelper.addCookie(KEYCLOAK_SESSION_COOKIE, sessionCookieValue, cookiePath, null, null, sessionCookieMaxAge, secureOnly, false, SameSiteAttributeValue.NONE, keycloakSession);
P3PHelper.addP3PHeader(keycloakSession);
} }
public static void createRememberMeCookie(String username, UriInfo uriInfo, KeycloakSession session) { public static void createRememberMeCookie(String username, UriInfo uriInfo, KeycloakSession session) {

View file

@ -1,35 +0,0 @@
/*
* Copyright 2016 Red Hat, Inc. and/or its affiliates
* and other contributors as indicated by the @author tags.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.keycloak.services.util;
import org.keycloak.http.HttpResponse;
import org.keycloak.models.KeycloakSession;
/**
* IE requires P3P header to allow loading cookies from iframes when domain differs from main page (see KEYCLOAK-2828 for more details)
*
* @author <a href="mailto:sthorger@redhat.com">Stian Thorgersen</a>
*/
public class P3PHelper {
public static void addP3PHeader(KeycloakSession session) {
HttpResponse response = session.getContext().getHttpResponse();
response.setHeader("P3P", "CP=\"This is not a P3P policy!\"");
}
}

View file

@ -88,8 +88,6 @@ public class LoginStatusIframeEndpointTest extends AbstractKeycloakTest {
response = client.execute(post); response = client.execute(post);
assertEquals("CP=\"This is not a P3P policy!\"", response.getFirstHeader("P3P").getValue());
Header setIdentityCookieHeader = null; Header setIdentityCookieHeader = null;
Header setSessionCookieHeader = null; Header setSessionCookieHeader = null;
for (Header h : response.getAllHeaders()) { for (Header h : response.getAllHeaders()) {
@ -123,7 +121,6 @@ public class LoginStatusIframeEndpointTest extends AbstractKeycloakTest {
response = client.execute(get); response = client.execute(get);
assertEquals(200, response.getStatusLine().getStatusCode()); assertEquals(200, response.getStatusLine().getStatusCode());
assertEquals("CP=\"This is not a P3P policy!\"", response.getFirstHeader("P3P").getValue());
assertNull(response.getFirstHeader(BrowserSecurityHeaders.X_FRAME_OPTIONS.getHeaderName())); assertNull(response.getFirstHeader(BrowserSecurityHeaders.X_FRAME_OPTIONS.getHeaderName()));
assertEquals("frame-src 'self'; object-src 'none';", response.getFirstHeader(BrowserSecurityHeaders.CONTENT_SECURITY_POLICY.getHeaderName()).getValue()); assertEquals("frame-src 'self'; object-src 'none';", response.getFirstHeader(BrowserSecurityHeaders.CONTENT_SECURITY_POLICY.getHeaderName()).getValue());
assertEquals("none", response.getFirstHeader(BrowserSecurityHeaders.X_ROBOTS_TAG.getHeaderName()).getValue()); assertEquals("none", response.getFirstHeader(BrowserSecurityHeaders.X_ROBOTS_TAG.getHeaderName()).getValue());