libre.sh/keycloak-scim
3
0
Fork 0
Code Issues 15 Pull requests Releases 1 Packages Activity Actions

[KEYCLOAK-7427] - Fix to support writing to response when doing programmatic logouts

Browse source
This commit is contained in:
Pedro Igor 2018-06-26 16:55:14 -03:00
parent 23db2b852b
commit f10c47955f
10 changed files with 161 additions and 30 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

5
adapters/oidc/wildfly-elytron/pom.xml
View file

@ -95,5 +95,10 @@
<artifactId>jboss-servlet-api_3.0_spec</artifactId>
<scope>provided</scope>
</dependency>
<dependency>
<groupId>io.undertow</groupId>
<artifactId>undertow-servlet</artifactId>
<scope>provided</scope>
</dependency>
</dependencies>
</project>

8
adapters/oidc/wildfly-elytron/src/main/java/org/keycloak/adapters/elytron/ElytronAccount.java
View file

@ -78,7 +78,7 @@ public class ElytronAccount implements OidcKeycloakAccount {
return false;
}
boolean tryRefresh(CallbackHandler callbackHandler) {
boolean tryRefresh() {
log.debug("Trying to refresh");
RefreshableKeycloakSecurityContext securityContext = getKeycloakSecurityContext();
@ -88,16 +88,10 @@ public class ElytronAccount implements OidcKeycloakAccount {
}
if (securityContext.refreshExpiredToken(false)) {
SecurityIdentity securityIdentity = SecurityIdentityUtil.authorize(callbackHandler, principal);
if (securityIdentity != null) {
log.debug("refresh succeeded");
return true;
}
return false;
}
return checkActive();
}
}

2
adapters/oidc/wildfly-elytron/src/main/java/org/keycloak/adapters/elytron/ElytronCookieTokenStore.java
View file

@ -88,7 +88,7 @@ public class ElytronCookieTokenStore implements ElytronTokeStore {
boolean active = account.checkActive();
if (!active) {
active = account.tryRefresh(this.callbackHandler);
active = account.tryRefresh();
}
if (active) {

14
adapters/oidc/wildfly-elytron/src/main/java/org/keycloak/adapters/elytron/ElytronHttpFacade.java
View file

@ -18,6 +18,7 @@
package org.keycloak.adapters.elytron;
import io.undertow.server.handlers.CookieImpl;
import org.bouncycastle.asn1.cmp.Challenge;
import org.keycloak.KeycloakSecurityContext;
import org.keycloak.adapters.AdapterDeploymentContext;
@ -62,6 +63,8 @@ import java.util.function.Consumer;
*/
class ElytronHttpFacade implements OIDCHttpFacade {
static final String UNDERTOW_EXCHANGE = ElytronHttpFacade.class.getName() + ".undertow.exchange";
private final HttpServerRequest request;
private final CallbackHandler callbackHandler;
private final AdapterTokenStore tokenStore;
@ -312,6 +315,17 @@ class ElytronHttpFacade implements OIDCHttpFacade {
@Override
public void resetCookie(final String name, final String path) {
responseConsumer = responseConsumer.andThen(response -> setCookie(name, "", path, null, 0, false, false, response));
HttpScope exchangeScope = getScope(Scope.EXCHANGE);
ProtectedHttpServerExchange undertowExchange = ProtectedHttpServerExchange.class.cast(exchangeScope.getAttachment(UNDERTOW_EXCHANGE));
if (undertowExchange != null) {
CookieImpl cookie = new CookieImpl(name, "");
cookie.setMaxAge(0);
cookie.setPath(path);
undertowExchange.getExchange().setResponseCookie(cookie);
}
}
@Override

2
adapters/oidc/wildfly-elytron/src/main/java/org/keycloak/adapters/elytron/ElytronSessionTokenStore.java
View file

@ -104,7 +104,7 @@ public class ElytronSessionTokenStore implements ElytronTokeStore {
boolean active = account.checkActive();
if (!active) {
active = account.tryRefresh(this.callbackHandler);
active = account.tryRefresh();
}
if (active) {

42
adapters/oidc/wildfly-elytron/src/main/java/org/keycloak/adapters/elytron/KeycloakServletExtension.java Normal file
View file

@ -0,0 +1,42 @@
/*
* Copyright 2018 Red Hat, Inc. and/or its affiliates
* and other contributors as indicated by the @author tags.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.keycloak.adapters.elytron;
import javax.servlet.ServletContext;
import javax.servlet.ServletRequest;
import io.undertow.server.HttpHandler;
import io.undertow.servlet.ServletExtension;
import io.undertow.servlet.api.DeploymentInfo;
import io.undertow.servlet.handlers.ServletRequestContext;
/**
* @author <a href="mailto:psilva@redhat.com">Pedro Igor</a>
*/
public class KeycloakServletExtension implements ServletExtension {
@Override
public void handleDeployment(DeploymentInfo deploymentInfo, ServletContext servletContext) {
deploymentInfo.addOuterHandlerChainWrapper(handler -> (HttpHandler) exchange -> {
ServletRequest servletRequest = exchange.getAttachment(ServletRequestContext.ATTACHMENT_KEY).getServletRequest();
servletRequest.setAttribute(ElytronHttpFacade.UNDERTOW_EXCHANGE, new ProtectedHttpServerExchange(exchange));
handler.handleRequest(exchange);
});
}
}

42
adapters/oidc/wildfly-elytron/src/main/java/org/keycloak/adapters/elytron/ProtectedHttpServerExchange.java Normal file
View file

@ -0,0 +1,42 @@
/*
* Copyright 2018 Red Hat, Inc. and/or its affiliates
* and other contributors as indicated by the @author tags.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.keycloak.adapters.elytron;
import io.undertow.server.HttpServerExchange;
/**
* <p>A wrapper for {@code {@link HttpServerExchange}} accessible only from classes in the same package.
*
* <p>This class is used to provide to the elytron mechanism access to the current exchange in order to allow making
* changes to the exchange (e.g. response) during the evaluation of requests. By default, changes to the exchange are only
* propagated after the execution of the mechanism. But in certain situations, such as when making a programmatic logout (HttpServletRequest.logout()) from
* within application code, any change made to the exchange is not propagated.
*
* @author <a href="mailto:psilva@redhat.com">Pedro Igor</a>
*/
class ProtectedHttpServerExchange {
private final HttpServerExchange exchange;
public ProtectedHttpServerExchange(HttpServerExchange exchange) {
this.exchange = exchange;
}
HttpServerExchange getExchange() {
return exchange;
}
}

52
adapters/oidc/wildfly-elytron/src/main/resources/META-INF/services/io.undertow.servlet.ServletExtension Normal file
View file

@ -0,0 +1,52 @@
#
# * Copyright 2018 Red Hat, Inc. and/or its affiliates
# * and other contributors as indicated by the @author tags.
# *
# * Licensed under the Apache License, Version 2.0 (the "License");
# * you may not use this file except in compliance with the License.
# * You may obtain a copy of the License at
# *
# * http://www.apache.org/licenses/LICENSE-2.0
# *
# * Unless required by applicable law or agreed to in writing, software
# * distributed under the License is distributed on an "AS IS" BASIS,
# * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# * See the License for the specific language governing permissions and
# * limitations under the License.
#
#
# * Copyright 2018 Red Hat, Inc. and/or its affiliates
# * and other contributors as indicated by the @author tags.
# *
# * Licensed under the Apache License, Version 2.0 (the "License");
# * you may not use this file except in compliance with the License.
# * You may obtain a copy of the License at
# *
# * http://www.apache.org/licenses/LICENSE-2.0
# *
# * Unless required by applicable law or agreed to in writing, software
# * distributed under the License is distributed on an "AS IS" BASIS,
# * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# * See the License for the specific language governing permissions and
# * limitations under the License.
#
#
# Copyright 2016 Red Hat, Inc. and/or its affiliates
# and other contributors as indicated by the @author tags.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
org.keycloak.adapters.elytron.KeycloakServletExtension

2
adapters/oidc/wildfly/wildfly-subsystem/src/main/java/org/keycloak/subsystem/adapter/extension/KeycloakDependencyProcessorWildFly.java
View file

@ -39,7 +39,7 @@ public class KeycloakDependencyProcessorWildFly extends KeycloakDependencyProces
@Override
protected void addPlatformSpecificModules(DeploymentPhaseContext phaseContext, ModuleSpecification moduleSpecification, ModuleLoader moduleLoader) {
if (isElytronEnabled(phaseContext)) {
moduleSpecification.addSystemDependency(new ModuleDependency(moduleLoader, KEYCLOAK_ELYTRON_ADAPTER, true, false, false, false));
moduleSpecification.addSystemDependency(new ModuleDependency(moduleLoader, KEYCLOAK_ELYTRON_ADAPTER, true, false, true, false));
} else {
moduleSpecification.addSystemDependency(new ModuleDependency(moduleLoader, KEYCLOAK_WILDFLY_ADAPTER, false, false, true, false));
moduleSpecification.addSystemDependency(new ModuleDependency(moduleLoader, KEYCLOAK_UNDERTOW_ADAPTER, false, false, false, false));

18
testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/adapter/servlet/DemoServletsAdapterTest.java
View file

@ -21,7 +21,6 @@ import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Paths;
import java.util.Arrays;
import java.util.List;
import java.util.Map;
@ -49,7 +48,6 @@ import org.jboss.arquillian.drone.api.annotation.Drone;
import org.jboss.arquillian.graphene.page.Page;
import org.jboss.shrinkwrap.api.spec.WebArchive;
import org.junit.Assert;
import org.junit.Assume;
import org.junit.Before;
import org.junit.Rule;
import org.junit.Test;
@ -272,21 +270,9 @@ public class DemoServletsAdapterTest extends AbstractServletsAdapterTest {
driver.manage().deleteAllCookies();
}
private void assumeNotElytronAdapter() {
if (!AppServerTestEnricher.isUndertowAppServer()) {
try {
Assume.assumeFalse(FileUtils.readFileToString(Paths.get(System.getProperty("app.server.home"), "standalone", "configuration", "standalone.xml").toFile(), "UTF-8").contains("<security-domain name=\"KeycloakDomain\""));
} catch (IOException e) {
throw new RuntimeException(e);
}
}
}
//KEYCLOAK-702
@Test
public void testTokenInCookieSSO() {
assumeNotElytronAdapter();
// Login
String tokenCookie = loginToCustomerCookiePortal();
@ -311,8 +297,6 @@ public class DemoServletsAdapterTest extends AbstractServletsAdapterTest {
//KEYCLOAK-702
@Test
public void testTokenInCookieRefresh() {
assumeNotElytronAdapter();
log.debug("Set token timeout 10 sec");
RealmRepresentation demo = adminClient.realm("demo").toRepresentation();
int originalTokenTimeout = demo.getAccessTokenLifespan();
@ -362,8 +346,6 @@ public class DemoServletsAdapterTest extends AbstractServletsAdapterTest {
//KEYCLOAK-702
@Test
public void testInvalidTokenCookie() {
assumeNotElytronAdapter();
// Login
String tokenCookie = loginToCustomerCookiePortal();
String changedTokenCookie = tokenCookie.replace("a", "b");