KEYCLOAK-1391: Return an HTTP 401 for API requests
Non browser HTTP requests shouldn't redirect to the Keycloak login page. Instead, return an HTTP 401 with a proper WWW-Authenticate header.
This commit is contained in:
parent
04ddf7ba4d
commit
f1c3295cec
4 changed files with 151 additions and 7 deletions
|
@ -0,0 +1,38 @@
|
|||
package org.keycloak.adapters.springsecurity.authentication;
|
||||
|
||||
import org.apache.http.HttpHeaders;
|
||||
import org.springframework.http.MediaType;
|
||||
import org.springframework.security.web.util.matcher.RequestMatcher;
|
||||
|
||||
import javax.servlet.http.HttpServletRequest;
|
||||
|
||||
/**
|
||||
* {@link RequestMatcher} that determines if a given request is an API request or an
|
||||
* interactive login request.
|
||||
*
|
||||
* @author <a href="mailto:srossillo@smartling.com">Scott Rossillo</a>
|
||||
* @see RequestMatcher
|
||||
*/
|
||||
public class HttpHeaderInspectingApiRequestMatcher implements RequestMatcher {
|
||||
|
||||
protected static final String X_REQUESTED_WITH_HEADER = "X-Requested-With";
|
||||
protected static final String X_REQUESTED_WITH_HEADER_AJAX_VALUE = "XMLHttpRequest";
|
||||
|
||||
/**
|
||||
* Returns true if the given request is an API request or false if it's an interactive
|
||||
* login request.
|
||||
*
|
||||
* @param request the <code>HttpServletRequest</code>
|
||||
* @return <code>true</code> if the given <code>request</code> is an API request;
|
||||
* <code>false</code> otherwise
|
||||
*/
|
||||
@Override
|
||||
public boolean matches(HttpServletRequest request) {
|
||||
boolean ajax = X_REQUESTED_WITH_HEADER_AJAX_VALUE.equals(request.getHeader(X_REQUESTED_WITH_HEADER));
|
||||
boolean html = request.getHeader(HttpHeaders.ACCEPT) != null && request.getHeader(HttpHeaders.ACCEPT).contains(
|
||||
MediaType.TEXT_HTML_VALUE);
|
||||
|
||||
return ajax || !html;
|
||||
}
|
||||
|
||||
}
|
|
@ -1,9 +1,12 @@
|
|||
package org.keycloak.adapters.springsecurity.authentication;
|
||||
|
||||
import org.apache.http.HttpHeaders;
|
||||
import org.slf4j.Logger;
|
||||
import org.slf4j.LoggerFactory;
|
||||
import org.springframework.http.HttpStatus;
|
||||
import org.springframework.security.core.AuthenticationException;
|
||||
import org.springframework.security.web.AuthenticationEntryPoint;
|
||||
import org.springframework.security.web.util.matcher.RequestMatcher;
|
||||
import org.springframework.util.Assert;
|
||||
|
||||
import javax.servlet.ServletException;
|
||||
|
@ -12,10 +15,15 @@ import javax.servlet.http.HttpServletResponse;
|
|||
import java.io.IOException;
|
||||
|
||||
/**
|
||||
* Provides a Keycloak {@link AuthenticationEntryPoint authentication entry point}.
|
||||
* Provides a Keycloak {@link AuthenticationEntryPoint authentication entry point}. Uses a
|
||||
* {@link RequestMatcher} to determine if the request is an interactive login request or a
|
||||
* API request, which should not be redirected to an interactive login page. By default,
|
||||
* this entry point uses a {@link HttpHeaderInspectingApiRequestMatcher} but can be overridden using in the
|
||||
* constructor.
|
||||
*
|
||||
* @author <a href="mailto:srossillo@smartling.com">Scott Rossillo</a>
|
||||
* @version $Revision: 1 $
|
||||
*
|
||||
* @see HttpHeaderInspectingApiRequestMatcher
|
||||
*/
|
||||
public class KeycloakAuthenticationEntryPoint implements AuthenticationEntryPoint {
|
||||
|
||||
|
@ -23,23 +31,62 @@ public class KeycloakAuthenticationEntryPoint implements AuthenticationEntryPoin
|
|||
* Default Keycloak authentication login URI
|
||||
*/
|
||||
public static final String DEFAULT_LOGIN_URI = "/sso/login";
|
||||
private static final String DEFAULT_REALM = "Unknown";
|
||||
private static final RequestMatcher DEFAULT_API_REQUEST_MATCHER = new HttpHeaderInspectingApiRequestMatcher();
|
||||
|
||||
private final static Logger log = LoggerFactory.getLogger(KeycloakAuthenticationEntryPoint.class);
|
||||
|
||||
private final RequestMatcher apiRequestMatcher;
|
||||
private String loginUri = DEFAULT_LOGIN_URI;
|
||||
private String realm = DEFAULT_REALM;
|
||||
|
||||
/**
|
||||
* Creates a new Keycloak authentication entry point.
|
||||
*/
|
||||
public KeycloakAuthenticationEntryPoint() {
|
||||
this(DEFAULT_API_REQUEST_MATCHER);
|
||||
}
|
||||
|
||||
/**
|
||||
* Creates a new Keycloak authentication entry point using the given request
|
||||
* matcher to determine if the current request is an API request or a browser request.
|
||||
*
|
||||
* @param apiRequestMatcher the <code>RequestMatcher</code> to use to determine
|
||||
* if the current request is an API request or a browser request (required)
|
||||
*/
|
||||
public KeycloakAuthenticationEntryPoint(RequestMatcher apiRequestMatcher) {
|
||||
Assert.notNull(apiRequestMatcher, "apiRequestMatcher required");
|
||||
this.apiRequestMatcher = apiRequestMatcher;
|
||||
}
|
||||
|
||||
@Override
|
||||
public void commence(HttpServletRequest request, HttpServletResponse response, AuthenticationException authException)
|
||||
throws IOException, ServletException {
|
||||
public void commence(HttpServletRequest request, HttpServletResponse response, AuthenticationException authException) throws IOException, ServletException
|
||||
{
|
||||
if (apiRequestMatcher.matches(request)) {
|
||||
commenceUnauthorizedResponse(request, response);
|
||||
} else {
|
||||
commenceLoginRedirect(request, response);
|
||||
}
|
||||
}
|
||||
|
||||
protected void commenceLoginRedirect(HttpServletRequest request, HttpServletResponse response) throws IOException {
|
||||
String contextAwareLoginUri = request.getContextPath() + loginUri;
|
||||
|
||||
log.debug("Redirecting to login URI {}", contextAwareLoginUri);
|
||||
response.sendRedirect(contextAwareLoginUri);
|
||||
}
|
||||
|
||||
protected void commenceUnauthorizedResponse(HttpServletRequest request, HttpServletResponse response) throws IOException {
|
||||
response.addHeader(HttpHeaders.WWW_AUTHENTICATE, String.format("Bearer realm=\"%s\"", realm));
|
||||
response.sendError(HttpStatus.UNAUTHORIZED.value(), HttpStatus.UNAUTHORIZED.getReasonPhrase());
|
||||
}
|
||||
|
||||
public void setLoginUri(String loginUri) {
|
||||
Assert.notNull(loginUri, "loginUri cannot be null");
|
||||
this.loginUri = loginUri;
|
||||
}
|
||||
|
||||
public void setRealm(String realm) {
|
||||
Assert.notNull(realm, "realm cannot be null");
|
||||
this.realm = realm;
|
||||
}
|
||||
}
|
||||
|
|
|
@ -0,0 +1,43 @@
|
|||
package org.keycloak.adapters.springsecurity.authentication;
|
||||
|
||||
import org.apache.http.HttpHeaders;
|
||||
import org.junit.Before;
|
||||
import org.junit.Test;
|
||||
import org.springframework.mock.web.MockHttpServletRequest;
|
||||
import org.springframework.security.web.util.matcher.RequestMatcher;
|
||||
|
||||
import static org.junit.Assert.*;
|
||||
|
||||
/**
|
||||
* HTTP header inspecting API request matcher tests.
|
||||
*/
|
||||
public class HttpHeaderInspectingApiRequestMatcherTest {
|
||||
|
||||
private RequestMatcher apiRequestMatcher = new HttpHeaderInspectingApiRequestMatcher();
|
||||
private MockHttpServletRequest request;
|
||||
|
||||
@Before
|
||||
public void setUp() throws Exception {
|
||||
request = new MockHttpServletRequest();
|
||||
}
|
||||
|
||||
@Test
|
||||
public void testMatches() throws Exception {
|
||||
assertTrue(apiRequestMatcher.matches(request));
|
||||
}
|
||||
|
||||
@Test
|
||||
public void testMatchesBrowserRequest() throws Exception {
|
||||
request.addHeader(HttpHeaders.ACCEPT, "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8");
|
||||
assertFalse(apiRequestMatcher.matches(request));
|
||||
}
|
||||
|
||||
@Test
|
||||
public void testMatchesRequestedWith() throws Exception {
|
||||
request.addHeader(
|
||||
HttpHeaderInspectingApiRequestMatcher.X_REQUESTED_WITH_HEADER,
|
||||
HttpHeaderInspectingApiRequestMatcher.X_REQUESTED_WITH_HEADER_AJAX_VALUE);
|
||||
assertTrue(apiRequestMatcher.matches(request));
|
||||
}
|
||||
|
||||
}
|
|
@ -1,5 +1,6 @@
|
|||
package org.keycloak.adapters.springsecurity.authentication;
|
||||
|
||||
import org.apache.http.HttpHeaders;
|
||||
import org.junit.Before;
|
||||
import org.junit.Test;
|
||||
import org.springframework.http.HttpStatus;
|
||||
|
@ -25,14 +26,16 @@ public class KeycloakAuthenticationEntryPointTest {
|
|||
}
|
||||
|
||||
@Test
|
||||
public void testCommence() throws Exception {
|
||||
public void testCommenceWithRedirect() throws Exception {
|
||||
configureBrowserRequest();
|
||||
authenticationEntryPoint.commence(request, response, null);
|
||||
assertEquals(HttpStatus.FOUND.value(), response.getStatus());
|
||||
assertEquals(KeycloakAuthenticationEntryPoint.DEFAULT_LOGIN_URI, response.getHeader("Location"));
|
||||
}
|
||||
|
||||
@Test
|
||||
public void testCommenceNotRootContext() throws Exception {
|
||||
public void testCommenceWithRedirectNotRootContext() throws Exception {
|
||||
configureBrowserRequest();
|
||||
String contextPath = "/foo";
|
||||
request.setContextPath(contextPath);
|
||||
authenticationEntryPoint.commence(request, response, null);
|
||||
|
@ -40,12 +43,25 @@ public class KeycloakAuthenticationEntryPointTest {
|
|||
assertEquals(contextPath + KeycloakAuthenticationEntryPoint.DEFAULT_LOGIN_URI, response.getHeader("Location"));
|
||||
}
|
||||
|
||||
@Test
|
||||
public void testCommenceWithUnauthorizedWithAccept() throws Exception {
|
||||
request.addHeader(HttpHeaders.ACCEPT, "application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8");
|
||||
authenticationEntryPoint.commence(request, response, null);
|
||||
assertEquals(HttpStatus.UNAUTHORIZED.value(), response.getStatus());
|
||||
assertNotNull(response.getHeader(HttpHeaders.WWW_AUTHENTICATE));
|
||||
}
|
||||
|
||||
@Test
|
||||
public void testSetLoginUri() throws Exception {
|
||||
configureBrowserRequest();
|
||||
final String logoutUri = "/foo";
|
||||
authenticationEntryPoint.setLoginUri(logoutUri);
|
||||
authenticationEntryPoint.commence(request, response, null);
|
||||
assertEquals(HttpStatus.FOUND.value(), response.getStatus());
|
||||
assertEquals(logoutUri, response.getHeader("Location"));
|
||||
}
|
||||
|
||||
private void configureBrowserRequest() {
|
||||
request.addHeader(HttpHeaders.ACCEPT, "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8");
|
||||
}
|
||||
}
|
||||
|
|
Loading…
Reference in a new issue