[KEYCLOAK-7427] - Fix to support writing to response when doing programmatic logouts
This commit is contained in:
parent
23db2b852b
commit
f10c47955f
10 changed files with 161 additions and 30 deletions
|
@ -95,5 +95,10 @@
|
||||||
<artifactId>jboss-servlet-api_3.0_spec</artifactId>
|
<artifactId>jboss-servlet-api_3.0_spec</artifactId>
|
||||||
<scope>provided</scope>
|
<scope>provided</scope>
|
||||||
</dependency>
|
</dependency>
|
||||||
|
<dependency>
|
||||||
|
<groupId>io.undertow</groupId>
|
||||||
|
<artifactId>undertow-servlet</artifactId>
|
||||||
|
<scope>provided</scope>
|
||||||
|
</dependency>
|
||||||
</dependencies>
|
</dependencies>
|
||||||
</project>
|
</project>
|
|
@ -78,7 +78,7 @@ public class ElytronAccount implements OidcKeycloakAccount {
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
||||||
boolean tryRefresh(CallbackHandler callbackHandler) {
|
boolean tryRefresh() {
|
||||||
log.debug("Trying to refresh");
|
log.debug("Trying to refresh");
|
||||||
|
|
||||||
RefreshableKeycloakSecurityContext securityContext = getKeycloakSecurityContext();
|
RefreshableKeycloakSecurityContext securityContext = getKeycloakSecurityContext();
|
||||||
|
@ -88,16 +88,10 @@ public class ElytronAccount implements OidcKeycloakAccount {
|
||||||
}
|
}
|
||||||
|
|
||||||
if (securityContext.refreshExpiredToken(false)) {
|
if (securityContext.refreshExpiredToken(false)) {
|
||||||
SecurityIdentity securityIdentity = SecurityIdentityUtil.authorize(callbackHandler, principal);
|
|
||||||
|
|
||||||
if (securityIdentity != null) {
|
|
||||||
log.debug("refresh succeeded");
|
log.debug("refresh succeeded");
|
||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
|
|
||||||
return false;
|
|
||||||
}
|
|
||||||
|
|
||||||
return checkActive();
|
return checkActive();
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
|
@ -88,7 +88,7 @@ public class ElytronCookieTokenStore implements ElytronTokeStore {
|
||||||
boolean active = account.checkActive();
|
boolean active = account.checkActive();
|
||||||
|
|
||||||
if (!active) {
|
if (!active) {
|
||||||
active = account.tryRefresh(this.callbackHandler);
|
active = account.tryRefresh();
|
||||||
}
|
}
|
||||||
|
|
||||||
if (active) {
|
if (active) {
|
||||||
|
|
|
@ -18,6 +18,7 @@
|
||||||
|
|
||||||
package org.keycloak.adapters.elytron;
|
package org.keycloak.adapters.elytron;
|
||||||
|
|
||||||
|
import io.undertow.server.handlers.CookieImpl;
|
||||||
import org.bouncycastle.asn1.cmp.Challenge;
|
import org.bouncycastle.asn1.cmp.Challenge;
|
||||||
import org.keycloak.KeycloakSecurityContext;
|
import org.keycloak.KeycloakSecurityContext;
|
||||||
import org.keycloak.adapters.AdapterDeploymentContext;
|
import org.keycloak.adapters.AdapterDeploymentContext;
|
||||||
|
@ -62,6 +63,8 @@ import java.util.function.Consumer;
|
||||||
*/
|
*/
|
||||||
class ElytronHttpFacade implements OIDCHttpFacade {
|
class ElytronHttpFacade implements OIDCHttpFacade {
|
||||||
|
|
||||||
|
static final String UNDERTOW_EXCHANGE = ElytronHttpFacade.class.getName() + ".undertow.exchange";
|
||||||
|
|
||||||
private final HttpServerRequest request;
|
private final HttpServerRequest request;
|
||||||
private final CallbackHandler callbackHandler;
|
private final CallbackHandler callbackHandler;
|
||||||
private final AdapterTokenStore tokenStore;
|
private final AdapterTokenStore tokenStore;
|
||||||
|
@ -312,6 +315,17 @@ class ElytronHttpFacade implements OIDCHttpFacade {
|
||||||
@Override
|
@Override
|
||||||
public void resetCookie(final String name, final String path) {
|
public void resetCookie(final String name, final String path) {
|
||||||
responseConsumer = responseConsumer.andThen(response -> setCookie(name, "", path, null, 0, false, false, response));
|
responseConsumer = responseConsumer.andThen(response -> setCookie(name, "", path, null, 0, false, false, response));
|
||||||
|
HttpScope exchangeScope = getScope(Scope.EXCHANGE);
|
||||||
|
ProtectedHttpServerExchange undertowExchange = ProtectedHttpServerExchange.class.cast(exchangeScope.getAttachment(UNDERTOW_EXCHANGE));
|
||||||
|
|
||||||
|
if (undertowExchange != null) {
|
||||||
|
CookieImpl cookie = new CookieImpl(name, "");
|
||||||
|
|
||||||
|
cookie.setMaxAge(0);
|
||||||
|
cookie.setPath(path);
|
||||||
|
|
||||||
|
undertowExchange.getExchange().setResponseCookie(cookie);
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
|
|
|
@ -104,7 +104,7 @@ public class ElytronSessionTokenStore implements ElytronTokeStore {
|
||||||
boolean active = account.checkActive();
|
boolean active = account.checkActive();
|
||||||
|
|
||||||
if (!active) {
|
if (!active) {
|
||||||
active = account.tryRefresh(this.callbackHandler);
|
active = account.tryRefresh();
|
||||||
}
|
}
|
||||||
|
|
||||||
if (active) {
|
if (active) {
|
||||||
|
|
|
@ -0,0 +1,42 @@
|
||||||
|
/*
|
||||||
|
* Copyright 2018 Red Hat, Inc. and/or its affiliates
|
||||||
|
* and other contributors as indicated by the @author tags.
|
||||||
|
*
|
||||||
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
* you may not use this file except in compliance with the License.
|
||||||
|
* You may obtain a copy of the License at
|
||||||
|
*
|
||||||
|
* http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
*
|
||||||
|
* Unless required by applicable law or agreed to in writing, software
|
||||||
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
* See the License for the specific language governing permissions and
|
||||||
|
* limitations under the License.
|
||||||
|
*/
|
||||||
|
package org.keycloak.adapters.elytron;
|
||||||
|
|
||||||
|
import javax.servlet.ServletContext;
|
||||||
|
import javax.servlet.ServletRequest;
|
||||||
|
|
||||||
|
import io.undertow.server.HttpHandler;
|
||||||
|
import io.undertow.servlet.ServletExtension;
|
||||||
|
import io.undertow.servlet.api.DeploymentInfo;
|
||||||
|
import io.undertow.servlet.handlers.ServletRequestContext;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @author <a href="mailto:psilva@redhat.com">Pedro Igor</a>
|
||||||
|
*/
|
||||||
|
public class KeycloakServletExtension implements ServletExtension {
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public void handleDeployment(DeploymentInfo deploymentInfo, ServletContext servletContext) {
|
||||||
|
deploymentInfo.addOuterHandlerChainWrapper(handler -> (HttpHandler) exchange -> {
|
||||||
|
ServletRequest servletRequest = exchange.getAttachment(ServletRequestContext.ATTACHMENT_KEY).getServletRequest();
|
||||||
|
|
||||||
|
servletRequest.setAttribute(ElytronHttpFacade.UNDERTOW_EXCHANGE, new ProtectedHttpServerExchange(exchange));
|
||||||
|
|
||||||
|
handler.handleRequest(exchange);
|
||||||
|
});
|
||||||
|
}
|
||||||
|
}
|
|
@ -0,0 +1,42 @@
|
||||||
|
/*
|
||||||
|
* Copyright 2018 Red Hat, Inc. and/or its affiliates
|
||||||
|
* and other contributors as indicated by the @author tags.
|
||||||
|
*
|
||||||
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
* you may not use this file except in compliance with the License.
|
||||||
|
* You may obtain a copy of the License at
|
||||||
|
*
|
||||||
|
* http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
*
|
||||||
|
* Unless required by applicable law or agreed to in writing, software
|
||||||
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
* See the License for the specific language governing permissions and
|
||||||
|
* limitations under the License.
|
||||||
|
*/
|
||||||
|
package org.keycloak.adapters.elytron;
|
||||||
|
|
||||||
|
import io.undertow.server.HttpServerExchange;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* <p>A wrapper for {@code {@link HttpServerExchange}} accessible only from classes in the same package.
|
||||||
|
*
|
||||||
|
* <p>This class is used to provide to the elytron mechanism access to the current exchange in order to allow making
|
||||||
|
* changes to the exchange (e.g. response) during the evaluation of requests. By default, changes to the exchange are only
|
||||||
|
* propagated after the execution of the mechanism. But in certain situations, such as when making a programmatic logout (HttpServletRequest.logout()) from
|
||||||
|
* within application code, any change made to the exchange is not propagated.
|
||||||
|
*
|
||||||
|
* @author <a href="mailto:psilva@redhat.com">Pedro Igor</a>
|
||||||
|
*/
|
||||||
|
class ProtectedHttpServerExchange {
|
||||||
|
|
||||||
|
private final HttpServerExchange exchange;
|
||||||
|
|
||||||
|
public ProtectedHttpServerExchange(HttpServerExchange exchange) {
|
||||||
|
this.exchange = exchange;
|
||||||
|
}
|
||||||
|
|
||||||
|
HttpServerExchange getExchange() {
|
||||||
|
return exchange;
|
||||||
|
}
|
||||||
|
}
|
|
@ -0,0 +1,52 @@
|
||||||
|
#
|
||||||
|
# * Copyright 2018 Red Hat, Inc. and/or its affiliates
|
||||||
|
# * and other contributors as indicated by the @author tags.
|
||||||
|
# *
|
||||||
|
# * Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
# * you may not use this file except in compliance with the License.
|
||||||
|
# * You may obtain a copy of the License at
|
||||||
|
# *
|
||||||
|
# * http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
# *
|
||||||
|
# * Unless required by applicable law or agreed to in writing, software
|
||||||
|
# * distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
# * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
# * See the License for the specific language governing permissions and
|
||||||
|
# * limitations under the License.
|
||||||
|
#
|
||||||
|
|
||||||
|
#
|
||||||
|
# * Copyright 2018 Red Hat, Inc. and/or its affiliates
|
||||||
|
# * and other contributors as indicated by the @author tags.
|
||||||
|
# *
|
||||||
|
# * Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
# * you may not use this file except in compliance with the License.
|
||||||
|
# * You may obtain a copy of the License at
|
||||||
|
# *
|
||||||
|
# * http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
# *
|
||||||
|
# * Unless required by applicable law or agreed to in writing, software
|
||||||
|
# * distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
# * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
# * See the License for the specific language governing permissions and
|
||||||
|
# * limitations under the License.
|
||||||
|
#
|
||||||
|
|
||||||
|
#
|
||||||
|
# Copyright 2016 Red Hat, Inc. and/or its affiliates
|
||||||
|
# and other contributors as indicated by the @author tags.
|
||||||
|
#
|
||||||
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
# you may not use this file except in compliance with the License.
|
||||||
|
# You may obtain a copy of the License at
|
||||||
|
#
|
||||||
|
# http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
#
|
||||||
|
# Unless required by applicable law or agreed to in writing, software
|
||||||
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
# See the License for the specific language governing permissions and
|
||||||
|
# limitations under the License.
|
||||||
|
#
|
||||||
|
|
||||||
|
org.keycloak.adapters.elytron.KeycloakServletExtension
|
|
@ -39,7 +39,7 @@ public class KeycloakDependencyProcessorWildFly extends KeycloakDependencyProces
|
||||||
@Override
|
@Override
|
||||||
protected void addPlatformSpecificModules(DeploymentPhaseContext phaseContext, ModuleSpecification moduleSpecification, ModuleLoader moduleLoader) {
|
protected void addPlatformSpecificModules(DeploymentPhaseContext phaseContext, ModuleSpecification moduleSpecification, ModuleLoader moduleLoader) {
|
||||||
if (isElytronEnabled(phaseContext)) {
|
if (isElytronEnabled(phaseContext)) {
|
||||||
moduleSpecification.addSystemDependency(new ModuleDependency(moduleLoader, KEYCLOAK_ELYTRON_ADAPTER, true, false, false, false));
|
moduleSpecification.addSystemDependency(new ModuleDependency(moduleLoader, KEYCLOAK_ELYTRON_ADAPTER, true, false, true, false));
|
||||||
} else {
|
} else {
|
||||||
moduleSpecification.addSystemDependency(new ModuleDependency(moduleLoader, KEYCLOAK_WILDFLY_ADAPTER, false, false, true, false));
|
moduleSpecification.addSystemDependency(new ModuleDependency(moduleLoader, KEYCLOAK_WILDFLY_ADAPTER, false, false, true, false));
|
||||||
moduleSpecification.addSystemDependency(new ModuleDependency(moduleLoader, KEYCLOAK_UNDERTOW_ADAPTER, false, false, false, false));
|
moduleSpecification.addSystemDependency(new ModuleDependency(moduleLoader, KEYCLOAK_UNDERTOW_ADAPTER, false, false, false, false));
|
||||||
|
|
|
@ -21,7 +21,6 @@ import java.io.IOException;
|
||||||
import java.net.URI;
|
import java.net.URI;
|
||||||
import java.net.URISyntaxException;
|
import java.net.URISyntaxException;
|
||||||
import java.nio.charset.StandardCharsets;
|
import java.nio.charset.StandardCharsets;
|
||||||
import java.nio.file.Paths;
|
|
||||||
import java.util.Arrays;
|
import java.util.Arrays;
|
||||||
import java.util.List;
|
import java.util.List;
|
||||||
import java.util.Map;
|
import java.util.Map;
|
||||||
|
@ -49,7 +48,6 @@ import org.jboss.arquillian.drone.api.annotation.Drone;
|
||||||
import org.jboss.arquillian.graphene.page.Page;
|
import org.jboss.arquillian.graphene.page.Page;
|
||||||
import org.jboss.shrinkwrap.api.spec.WebArchive;
|
import org.jboss.shrinkwrap.api.spec.WebArchive;
|
||||||
import org.junit.Assert;
|
import org.junit.Assert;
|
||||||
import org.junit.Assume;
|
|
||||||
import org.junit.Before;
|
import org.junit.Before;
|
||||||
import org.junit.Rule;
|
import org.junit.Rule;
|
||||||
import org.junit.Test;
|
import org.junit.Test;
|
||||||
|
@ -272,21 +270,9 @@ public class DemoServletsAdapterTest extends AbstractServletsAdapterTest {
|
||||||
driver.manage().deleteAllCookies();
|
driver.manage().deleteAllCookies();
|
||||||
}
|
}
|
||||||
|
|
||||||
private void assumeNotElytronAdapter() {
|
|
||||||
if (!AppServerTestEnricher.isUndertowAppServer()) {
|
|
||||||
try {
|
|
||||||
Assume.assumeFalse(FileUtils.readFileToString(Paths.get(System.getProperty("app.server.home"), "standalone", "configuration", "standalone.xml").toFile(), "UTF-8").contains("<security-domain name=\"KeycloakDomain\""));
|
|
||||||
} catch (IOException e) {
|
|
||||||
throw new RuntimeException(e);
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
//KEYCLOAK-702
|
//KEYCLOAK-702
|
||||||
@Test
|
@Test
|
||||||
public void testTokenInCookieSSO() {
|
public void testTokenInCookieSSO() {
|
||||||
assumeNotElytronAdapter();
|
|
||||||
|
|
||||||
// Login
|
// Login
|
||||||
String tokenCookie = loginToCustomerCookiePortal();
|
String tokenCookie = loginToCustomerCookiePortal();
|
||||||
|
|
||||||
|
@ -311,8 +297,6 @@ public class DemoServletsAdapterTest extends AbstractServletsAdapterTest {
|
||||||
//KEYCLOAK-702
|
//KEYCLOAK-702
|
||||||
@Test
|
@Test
|
||||||
public void testTokenInCookieRefresh() {
|
public void testTokenInCookieRefresh() {
|
||||||
assumeNotElytronAdapter();
|
|
||||||
|
|
||||||
log.debug("Set token timeout 10 sec");
|
log.debug("Set token timeout 10 sec");
|
||||||
RealmRepresentation demo = adminClient.realm("demo").toRepresentation();
|
RealmRepresentation demo = adminClient.realm("demo").toRepresentation();
|
||||||
int originalTokenTimeout = demo.getAccessTokenLifespan();
|
int originalTokenTimeout = demo.getAccessTokenLifespan();
|
||||||
|
@ -362,8 +346,6 @@ public class DemoServletsAdapterTest extends AbstractServletsAdapterTest {
|
||||||
//KEYCLOAK-702
|
//KEYCLOAK-702
|
||||||
@Test
|
@Test
|
||||||
public void testInvalidTokenCookie() {
|
public void testInvalidTokenCookie() {
|
||||||
assumeNotElytronAdapter();
|
|
||||||
|
|
||||||
// Login
|
// Login
|
||||||
String tokenCookie = loginToCustomerCookiePortal();
|
String tokenCookie = loginToCustomerCookiePortal();
|
||||||
String changedTokenCookie = tokenCookie.replace("a", "b");
|
String changedTokenCookie = tokenCookie.replace("a", "b");
|
||||||
|
|
Loading…
Reference in a new issue