From cde3e87ad943f1ee1399fc991ffacd5d6ce947e5 Mon Sep 17 00:00:00 2001
From: Agile Developer
Date: Thu, 2 Feb 2017 21:18:14 +0100
Subject: [PATCH 1/6] verifySSL() - debug info DEBUG report like this: SSL Verification: passed: true, request is secure: true, SSL is required for: EXTERNAL, SSL is required for remote addr 192.168.100.123: false
---
 .../adapters/RequestAuthenticator.java | 21 ++++++++++++++++---
 1 file changed, 18 insertions(+), 3 deletions(-)
diff --git a/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/RequestAuthenticator.java b/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/RequestAuthenticator.java
index 0cbe687fc4..05fc1a1ec9 100755
--- a/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/RequestAuthenticator.java
+++ b/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/RequestAuthenticator.java
@@ -159,11 +159,26 @@ public abstract class RequestAuthenticator {
 }
 
 protected boolean verifySSL() {
- if (!facade.getRequest().isSecure() && deployment.getSslRequired().isRequired(facade.getRequest().getRemoteAddr())) {
+ boolean verificationPassed = facade.getRequest().isSecure()
+ || !deployment.getSslRequired().isRequired(facade.getRequest().getRemoteAddr());
+ if (!verificationPassed){
 log.warn("SSL is required to authenticate");
- return true;
 }
- return false;
+
+ if (log.isDebugEnabled()) {
+ final String remoteAddr = facade.getRequest().getRemoteAddr();
+ final SslRequired sslRequired = deployment.getSslRequired();
+ log.debugf("SSL Verification: " +
+ "\n\tpassed: %s, request is secure: %s, " +
+ "\n\tSSL is required for: %s, " +
+ "\n\tSSL is required for remote addr %s: %s",
+ verificationPassed,
+ facade.getRequest().isSecure(),
+ sslRequired.name(),
+ remoteAddr,
+ sslRequired.isRequired(remoteAddr));
+ }
+ return !verificationPassed;
 }
 
 protected boolean isAutodetectedBearerOnly(HttpFacade.Request request) {
From d60c3b7c0c22c07a412a4f2a057db6bc0638181e Mon Sep 17 00:00:00 2001
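Review bot: In PATCH 1/6, verifySSL() returns true when the request has to be refused, and the new `return !verificationPassed;` makes that inverted contract easy to misread; the method needs a Javadoc line such as `/** @return true if the request is not secure although SSL is required for its remote address */`. That comment should also state that the decision uses `isSecure()` and `getRemoteAddr()` exactly as the container reports them, which behind a TLS-terminating proxy may describe the proxy hop rather than the client (how the container is configured is not visible here). In the debug block `facade.getRequest().isSecure()` and `sslRequired.isRequired(remoteAddr)` are evaluated a second time; declaring `remoteAddr` and `sslRequired` before `verificationPassed` would let the check and the log line share the same values.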
From: Agile Developer
Date: Fri, 3 Feb 2017 00:47:41 +0100
Subject: [PATCH 2/6] missing import
---
 .../main/java/org/keycloak/adapters/RequestAuthenticator.java | 1 +
 1 file changed, 1 insertion(+)
diff --git a/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/RequestAuthenticator.java b/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/RequestAuthenticator.java
index 05fc1a1ec9..c547fcd846 100755
--- a/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/RequestAuthenticator.java
+++ b/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/RequestAuthenticator.java
@@ -24,6 +24,7 @@ import org.keycloak.KeycloakPrincipal;
 import org.keycloak.adapters.spi.AuthChallenge;
 import org.keycloak.adapters.spi.AuthOutcome;
 import org.keycloak.adapters.spi.HttpFacade;
+import org.keycloak.common.enums.SslRequired;
 
 /**
 * @author Bill Burke
From 7904ce5a37d72b0a1b990858bf88270fdaeed36f Mon Sep 17 00:00:00 2001
From: wildloop
Date: Tue, 7 Mar 2017 16:01:13 +0100
Subject: [PATCH 3/6] one-line debug log
---
 .../java/org/keycloak/adapters/RequestAuthenticator.java | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/RequestAuthenticator.java b/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/RequestAuthenticator.java
index c547fcd846..6e455b63f0 100755
--- a/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/RequestAuthenticator.java
+++ b/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/RequestAuthenticator.java
@@ -169,10 +169,10 @@ public abstract class RequestAuthenticator {
 if (log.isDebugEnabled()) {
 final String remoteAddr = facade.getRequest().getRemoteAddr();
 final SslRequired sslRequired = deployment.getSslRequired();
- log.debugf("SSL Verification: " +
- "\n\tpassed: %s, request is secure: %s, " +
- "\n\tSSL is required for: %s, " +
- "\n\tSSL is required for remote addr %s: %s",
+ log.debugf("SSL Verification. " +
+ "Passed: %s, request is secure: %s, " +
+ "SSL is required for: %s, " +
+ "SSL is required for remote addr %s: %s",
 verificationPassed,
 facade.getRequest().isSecure(),
 sslRequired.name(),
From d723c608d6a111b1aa95d1ee0cfe5c488349d71a Mon Sep 17 00:00:00 2001
From: wildloop
Date: Tue, 14 Mar 2017 11:36:57 +0100
Subject: [PATCH 4/6] Update RequestAuthenticator.java
---
 .../keycloak/adapters/RequestAuthenticator.java | 16 ++++++----------
 1 file changed, 6 insertions(+), 10 deletions(-)
diff --git a/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/RequestAuthenticator.java b/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/RequestAuthenticator.java
index 6e455b63f0..d8869fdec1 100755
--- a/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/RequestAuthenticator.java
+++ b/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/RequestAuthenticator.java
@@ -160,26 +160,22 @@ public abstract class RequestAuthenticator {
 }
 
 protected boolean verifySSL() {
- boolean verificationPassed = facade.getRequest().isSecure()
- || !deployment.getSslRequired().isRequired(facade.getRequest().getRemoteAddr());
- if (!verificationPassed){
- log.warn("SSL is required to authenticate");
- }
-
- if (log.isDebugEnabled()) {
+ boolean verificationFail = !facade.getRequest().isSecure()
+ && deployment.getSslRequired().isRequired(facade.getRequest().getRemoteAddr());
+ if (verificationFail){
 final String remoteAddr = facade.getRequest().getRemoteAddr();
 final SslRequired sslRequired = deployment.getSslRequired();
- log.debugf("SSL Verification. " +
+ log.warnf("SSL is required to authenticate. "+
 "Passed: %s, request is secure: %s, " +
 "SSL is required for: %s, " +
 "SSL is required for remote addr %s: %s",
- verificationPassed,
+ !verificationFail,
 facade.getRequest().isSecure(),
 sslRequired.name(),
 remoteAddr,
 sslRequired.isRequired(remoteAddr));
 }
- return !verificationPassed;
+ return verificationFail;
 }
 
 protected boolean isAutodetectedBearerOnly(HttpFacade.Request request) {
From 366dee657538eda2fa44ed52e3eb24df84209f51 Mon Sep 17 00:00:00 2001
From: wildloop
Date: Wed, 15 Mar 2017 09:13:41 +0100
Subject: [PATCH 5/6] Update RequestAuthenticator.java
---
 .../adapters/RequestAuthenticator.java | 21 ++++++-------------
 1 file changed, 6 insertions(+), 15 deletions(-)
diff --git a/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/RequestAuthenticator.java b/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/RequestAuthenticator.java
index d8869fdec1..158bc9d03f 100755
--- a/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/RequestAuthenticator.java
+++ b/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/RequestAuthenticator.java
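Review bot: In PATCH 4/6, three of the five values passed to `log.warnf` are constants inside `if (verificationFail)`: `!verificationFail` and `facade.getRequest().isSecure()` are always false and `sslRequired.isRequired(remoteAddr)` is always true, so only the remote address and the `SslRequired` mode carry information. The call can shrink to `log.warnf("SSL is required to authenticate. Remote address: %s, SSL required for: %s", remoteAddr, sslRequired.name());`; the `is secure: %s` argument kept in PATCH 5/6 has the same problem. The detail also moved from a guarded DEBUG block to WARN, so every refused plain-HTTP request, which needs no credentials, now writes the client address to the log; it is worth confirming that the log volume and the retention of that address are acceptable for deployments using this adapter.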
@@ -160,22 +160,13 @@ public abstract class RequestAuthenticator {
 }
 
 protected boolean verifySSL() {
- boolean verificationFail = !facade.getRequest().isSecure()
- && deployment.getSslRequired().isRequired(facade.getRequest().getRemoteAddr());
- if (verificationFail){
- final String remoteAddr = facade.getRequest().getRemoteAddr();
- final SslRequired sslRequired = deployment.getSslRequired();
- log.warnf("SSL is required to authenticate. "+
- "Passed: %s, request is secure: %s, " +
- "SSL is required for: %s, " +
- "SSL is required for remote addr %s: %s",
- !verificationFail,
- facade.getRequest().isSecure(),
- sslRequired.name(),
- remoteAddr,
- sslRequired.isRequired(remoteAddr));
+ if (!facade.getRequest().isSecure()
+ && deployment.getSslRequired().isRequired(facade.getRequest().getRemoteAddr())) {
+ log.warnf("SSL is required to authenticate. Remote address %s is secure: %s, SSL required for: %s .",
+ facade.getRequest().getRemoteAddr(), facade.getRequest().isSecure(), deployment.getSslRequired().name());
+ return true;
 }
- return verificationFail;
+ return false;
 }
 
 protected boolean isAutodetectedBearerOnly(HttpFacade.Request request) {
From 80c9e23282ebc9d9f37a4bae909f4260739af3b2 Mon Sep 17 00:00:00 2001
From: wildloop
Date: Wed, 15 Mar 2017 09:14:48 +0100
Subject: [PATCH 6/6] Update RequestAuthenticator.java
---
 .../main/java/org/keycloak/adapters/RequestAuthenticator.java | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/RequestAuthenticator.java b/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/RequestAuthenticator.java
index 158bc9d03f..4f3029015b 100755
--- a/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/RequestAuthenticator.java
+++ b/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/RequestAuthenticator.java
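Review bot: In PATCH 5/6, verifySSL() no longer declares a `SslRequired` variable, so the `import org.keycloak.common.enums.SslRequired;` added in PATCH 2/6 appears to be unused and should be dropped (the rest of the file is not visible here, so confirm there is no other use). The format string also ends in `%s .` with a stray space before the full stop; `SSL required for: %s.` reads cleaner. `facade.getRequest()` is now called four times and `deployment.getSslRequired()` twice within the method; a local `HttpFacade.Request request = facade.getRequest();` would keep the guard and the log line on the same object.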
@@ -160,8 +160,7 @@ public abstract class RequestAuthenticator {
 }
 
 protected boolean verifySSL() {
- if (!facade.getRequest().isSecure()
- && deployment.getSslRequired().isRequired(facade.getRequest().getRemoteAddr())) {
+ if (!facade.getRequest().isSecure() && deployment.getSslRequired().isRequired(facade.getRequest().getRemoteAddr())) {
 log.warnf("SSL is required to authenticate. Remote address %s is secure: %s, SSL required for: %s .",
 facade.getRequest().getRemoteAddr(), facade.getRequest().isSecure(), deployment.getSslRequired().name());
 return true;