Merge pull request #445 from patriot1burke/master

wildfly ssl fixes
2014-06-02 11:22:51 -04:00 · 2014-06-02 11:22:51 -04:00 · f689747fd6
commit f689747fd6
parent 4662781213 bb11165568
9 changed files with 185 additions and 11 deletions
--- a/integration/adapter-core/src/main/java/org/keycloak/adapters/OAuthRequestAuthenticator.java
+++ b/integration/adapter-core/src/main/java/org/keycloak/adapters/OAuthRequestAuthenticator.java
@ -242,7 +242,8 @@ public abstract class OAuthRequestAuthenticator {
    protected AuthChallenge resolveCode(String code) {
        // abort if not HTTPS
        if (deployment.isSslRequired() && !isRequestSecure()) {
-            log.error("SSL is required");
+
+            log.error("Adapter requires SSL. Request: " + facade.getRequest().getURI());
            return challenge(403);
        }

--- a/integration/adapter-core/src/main/java/org/keycloak/adapters/RequestAuthenticator.java
+++ b/integration/adapter-core/src/main/java/org/keycloak/adapters/RequestAuthenticator.java
@ -32,10 +32,6 @@ public abstract class RequestAuthenticator {

    public AuthOutcome authenticate() {
        log.info("--> authenticate()");
-        if (!facade.getRequest().isSecure() && deployment.isSslRequired()) {
-            log.warn("SSL is required to authenticate");
-            return AuthOutcome.FAILED;
-        }
        BearerTokenRequestAuthenticator bearer = createBearerTokenAuthenticator();
        log.info("try bearer");
        AuthOutcome outcome = bearer.authenticate(facade);
@ -44,6 +40,7 @@ public abstract class RequestAuthenticator {
            log.info("Bearer FAILED");
            return AuthOutcome.FAILED;
        } else if (outcome == AuthOutcome.AUTHENTICATED) {
+            if (verifySSL()) return AuthOutcome.FAILED;
            completeAuthentication(bearer);
            log.info("Bearer AUTHENTICATED");
            return AuthOutcome.AUTHENTICATED;
@ -55,6 +52,7 @@ public abstract class RequestAuthenticator {

        log.info("try oauth");
        if (isCached()) {
+            if (verifySSL()) return AuthOutcome.FAILED;
            log.info("AUTHENTICATED: was cached");
            return AuthOutcome.AUTHENTICATED;
        }
@ -70,6 +68,8 @@ public abstract class RequestAuthenticator {

        }

+        if (verifySSL()) return AuthOutcome.FAILED;
+
        completeAuthentication(oauth);

        // redirect to strip out access code and state query parameters
@ -81,6 +81,14 @@ public abstract class RequestAuthenticator {
        return AuthOutcome.AUTHENTICATED;
    }

+    protected boolean verifySSL() {
+        if (!facade.getRequest().isSecure() && deployment.isSslRequired()) {
+            log.warn("SSL is required to authenticate");
+            return true;
+        }
+        return false;
+    }
+
    protected abstract OAuthRequestAuthenticator createOAuthAuthenticator();

    protected BearerTokenRequestAuthenticator createBearerTokenAuthenticator() {
--- a/integration/undertow/src/main/java/org/keycloak/adapters/undertow/ServletKeycloakAuthMech.java
+++ b/integration/undertow/src/main/java/org/keycloak/adapters/undertow/ServletKeycloakAuthMech.java
@ -51,12 +51,22 @@ public class ServletKeycloakAuthMech implements AuthenticationMechanism {
    }

    protected ServletRequestAuthenticator createRequestAuthenticator(KeycloakDeployment deployment, HttpServerExchange exchange, SecurityContext securityContext, UndertowHttpFacade facade) {
-        int confidentialPort = 8443;
-        if (portManager != null) confidentialPort = portManager.getConfidentialPort(exchange);
+
+        int confidentialPort = getConfidentilPort(exchange);
        return new ServletRequestAuthenticator(facade, deployment,
                confidentialPort, securityContext, exchange, userSessionManagement);
    }

+    protected int getConfidentilPort(HttpServerExchange exchange) {
+        int confidentialPort = 8443;
+        if (exchange.getRequestScheme().equalsIgnoreCase("HTTPS")) {
+            confidentialPort = exchange.getHostPort();
+        } else if (portManager != null) {
+            confidentialPort = portManager.getConfidentialPort(exchange);
+        }
+        return confidentialPort;
+    }
+
    @Override
    public ChallengeResult sendChallenge(HttpServerExchange exchange, SecurityContext securityContext) {
        AuthChallenge challenge = exchange.getAttachment(KEYCLOAK_CHALLENGE_ATTACHMENT_KEY);
--- a/integration/undertow/src/main/java/org/keycloak/adapters/undertow/UndertowHttpFacade.java
+++ b/integration/undertow/src/main/java/org/keycloak/adapters/undertow/UndertowHttpFacade.java
@ -6,6 +6,7 @@ import io.undertow.server.handlers.CookieImpl;
 import io.undertow.util.AttachmentKey;
 import io.undertow.util.Headers;
 import io.undertow.util.HttpString;
+import org.jboss.logging.Logger;
 import org.keycloak.KeycloakSecurityContext;
 import org.keycloak.adapters.AuthChallenge;
 import org.keycloak.adapters.HttpFacade;
@ -24,6 +25,7 @@ import java.util.Map;
 * @version $Revision: 1 $
 */
 public class UndertowHttpFacade implements HttpFacade {
+    private static final Logger log = Logger.getLogger(UndertowHttpFacade.class);
    public static final AttachmentKey<KeycloakSecurityContext> KEYCLOAK_SECURITY_CONTEXT_KEY = AttachmentKey.create(KeycloakSecurityContext.class);

    protected HttpServerExchange exchange;
@ -41,7 +43,8 @@ public class UndertowHttpFacade implements HttpFacade {

        @Override
        public boolean isSecure() {
-            return exchange.getProtocol().toString().equalsIgnoreCase("https");
+            String protocol = exchange.getRequestScheme();
+            return protocol.equalsIgnoreCase("https");
        }

        @Override
--- a/integration/wildfly-adapter/src/main/java/org/keycloak/adapters/wildfly/WildflyAuthenticationMechanism.java
+++ b/integration/wildfly-adapter/src/main/java/org/keycloak/adapters/wildfly/WildflyAuthenticationMechanism.java
@ -24,7 +24,8 @@ public class WildflyAuthenticationMechanism extends ServletKeycloakAuthMech {

    @Override
    protected ServletRequestAuthenticator createRequestAuthenticator(KeycloakDeployment deployment, HttpServerExchange exchange, SecurityContext securityContext, UndertowHttpFacade facade) {
+        int confidentialPort = getConfidentilPort(exchange);
        return new WildflyRequestAuthenticator(facade, deployment,
-                portManager.getConfidentialPort(exchange), securityContext, exchange, userSessionManagement);
+                confidentialPort, securityContext, exchange, userSessionManagement);
    }
 }
--- a/model/invalidation-cache/model-adapters/pom.xml
+++ b/model/invalidation-cache/model-adapters/pom.xml
@ -0,0 +1,120 @@
+<?xml version="1.0"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
+    <parent>
+        <artifactId>keycloak-parent</artifactId>
+        <groupId>org.keycloak</groupId>
+        <version>1.0-beta-2-SNAPSHOT</version>
+        <relativePath>../../../pom.xml</relativePath>
+    </parent>
+    <modelVersion>4.0.0</modelVersion>
+
+    <artifactId>keycloak-invalidation-cache-model</artifactId>
+    <name>Keycloak Model JPA</name>
+    <description/>
+
+    <dependencies>
+        <dependency>
+            <groupId>org.bouncycastle</groupId>
+            <artifactId>bcprov-jdk16</artifactId>
+            <scope>provided</scope>
+        </dependency>
+        <dependency>
+            <groupId>net.iharder</groupId>
+            <artifactId>base64</artifactId>
+            <scope>provided</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.keycloak</groupId>
+            <artifactId>keycloak-core</artifactId>
+            <version>${project.version}</version>
+            <scope>provided</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.keycloak</groupId>
+            <artifactId>keycloak-model-api</artifactId>
+            <version>${project.version}</version>
+        </dependency>
+        <dependency>
+            <groupId>org.hibernate.javax.persistence</groupId>
+            <artifactId>hibernate-jpa-2.0-api</artifactId>
+            <scope>provided</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.hibernate</groupId>
+            <artifactId>hibernate-entitymanager</artifactId>
+            <version>${hibernate.entitymanager.version}</version>
+            <scope>provided</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.jboss.resteasy</groupId>
+            <artifactId>resteasy-jaxrs</artifactId>
+            <scope>provided</scope>
+            <exclusions>
+                <exclusion>
+                    <groupId>log4j</groupId>
+                    <artifactId>log4j</artifactId>
+                </exclusion>
+                <exclusion>
+                    <groupId>org.slf4j</groupId>
+                    <artifactId>slf4j-api</artifactId>
+                </exclusion>
+                <exclusion>
+                    <groupId>org.slf4j</groupId>
+                    <artifactId>slf4j-simple</artifactId>
+                </exclusion>
+            </exclusions>
+        </dependency>
+
+        <dependency>
+            <groupId>com.h2database</groupId>
+            <artifactId>h2</artifactId>
+            <scope>test</scope>
+        </dependency>
+
+    </dependencies>
+    <build>
+        <plugins>
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-compiler-plugin</artifactId>
+                <configuration>
+                    <source>${maven.compiler.source}</source>
+                    <target>${maven.compiler.target}</target>
+                </configuration>
+            </plugin>
+
+            <!-- Test jar used in export-import -->
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-jar-plugin</artifactId>
+                <executions>
+                    <execution>
+                        <id>package-tests-jar</id>
+                        <phase>package</phase>
+                        <goals>
+                            <goal>test-jar</goal>
+                        </goals>
+                    </execution>
+                </executions>
+            </plugin>
+
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-surefire-plugin</artifactId>
+                <executions>
+                    <execution>
+                        <id>default-test</id>
+                        <configuration>
+                            <dependenciesToScan>
+                                <dependency>org.keycloak:keycloak-model-tests</dependency>
+                            </dependenciesToScan>
+                        </configuration>
+                    </execution>
+                </executions>
+            </plugin>
+
+        </plugins>
+    </build>
+
+</project>
--- a/model/invalidation-cache/pom.xml
+++ b/model/invalidation-cache/pom.xml
@ -0,0 +1,30 @@
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
+    <parent>
+        <artifactId>keycloak-parent</artifactId>
+        <groupId>org.keycloak</groupId>
+        <version>1.0-beta-2-SNAPSHOT</version>
+        <relativePath>../../pom.xml</relativePath>
+    </parent>
+    <name>Model Parent</name>
+    <description/>
+    <modelVersion>4.0.0</modelVersion>
+
+    <artifactId>keycloak-invalidation-cache-model-pom</artifactId>
+    <packaging>pom</packaging>
+
+    <build>
+        <plugins>
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-deploy-plugin</artifactId>
+                <configuration>
+                    <skip>true</skip>
+                </configuration>
+            </plugin>
+        </plugins>
+    </build>
+    <modules>
+        <module>model-adapters</module>
+    </modules>
+</project>
--- a/model/pom.xml
+++ b/model/pom.xml
@ -29,6 +29,7 @@
        <!-- <module>picketlink</module> -->
        <module>jpa</module>
        <module>mongo</module>
+        <module>invalidation-cache</module>
        <module>tests</module>
    </modules>
 </project>
--- a/pom.xml
+++ b/pom.xml
@ -18,7 +18,7 @@
        <resteasy.version>2.3.7.Final</resteasy.version>
        <resteasy.version.eap.6.3>2.3.7.Final</resteasy.version.eap.6.3>
        <resteasy.version.latest>3.0.8.Final</resteasy.version.latest>
-        <undertow.version>1.0.0.Final</undertow.version>
+        <undertow.version>1.0.15.Final</undertow.version>
        <picketlink.version>2.6.0.CR2</picketlink.version>
        <picketbox.ldap.version>1.0.2.Final</picketbox.ldap.version>
        <mongo.driver.version>2.11.3</mongo.driver.version>
@ -34,7 +34,7 @@
        <mysql.version>5.1.25</mysql.version>
        <slf4j.version>1.5.10</slf4j.version>
        <jboss.version>7.1.1.Final</jboss.version>
-        <wildfly.version>8.0.0.Final</wildfly.version>
+        <wildfly.version>8.1.0.Final</wildfly.version>
        <servlet.api.30.version>1.0.1.Final</servlet.api.30.version>
        <google.zxing.version>2.2</google.zxing.version>
        <google.client.version>1.14.1-beta</google.client.version>