KEYCLOAK-2900
This commit is contained in:
parent
6c3d31dd4c
commit
fa8b272e76
1 changed files with 21 additions and 13 deletions
@ -81,8 +81,6 @@ public class WelcomeResource {
@Context
@Context
private KeycloakSession session;
private KeycloakSession session;
private String stateChecker;
public WelcomeResource(boolean bootstrap) {
public WelcomeResource(boolean bootstrap) {
this.bootstrap = bootstrap;
this.bootstrap = bootstrap;
}
}
@ -119,8 +117,9 @@ public class WelcomeResource {
throw new WebApplicationException(Response.Status.BAD_REQUEST);
throw new WebApplicationException(Response.Status.BAD_REQUEST);
}
}
String stateChecker = formData.getFirst("stateChecker");
String cookieStateChecker = getCsrfCookie();
csrfCheck(stateChecker);
String formStateChecker = formData.getFirst("stateChecker");
csrfCheck(cookieStateChecker, formStateChecker);
String username = formData.getFirst("username");
String username = formData.getFirst("username");
String password = formData.getFirst("password");
String password = formData.getFirst("password");
@ -181,11 +180,14 @@ public class WelcomeResource {
Map<String, Object> map = new HashMap<>();
Map<String, Object> map = new HashMap<>();
map.put("bootstrap", bootstrap);
map.put("bootstrap", bootstrap);
if (bootstrap) {
if (bootstrap) {
map.put("localUser", isLocal());
boolean isLocal = isLocal();
map.put("localUser", isLocal);
updateCsrfChecks();
if (isLocal) {
String stateChecker = updateCsrfChecks();
map.put("stateChecker", stateChecker);
map.put("stateChecker", stateChecker);
}
}
}
if (successMessage != null) {
if (successMessage != null) {
map.put("successMessage", successMessage);
map.put("successMessage", successMessage);
}
}
@ -230,20 +232,26 @@ public class WelcomeResource {
}
}
}
}
private void updateCsrfChecks() {
private String updateCsrfChecks() {
Cookie cookie = headers.getCookies().get(KEYCLOAK_STATE_CHECKER);
String stateChecker = getCsrfCookie();
if (cookie != null) {
if (stateChecker != null) {
stateChecker = cookie.getValue();
return stateChecker;
} else {
} else {
stateChecker = KeycloakModelUtils.generateSecret();
stateChecker = KeycloakModelUtils.generateSecret();
String cookiePath = uriInfo.getPath();
String cookiePath = uriInfo.getPath();
boolean secureOnly = uriInfo.getRequestUri().getScheme().equalsIgnoreCase("https");
boolean secureOnly = uriInfo.getRequestUri().getScheme().equalsIgnoreCase("https");
CookieHelper.addCookie(KEYCLOAK_STATE_CHECKER, stateChecker, cookiePath, null, null, -1, secureOnly, true);
CookieHelper.addCookie(KEYCLOAK_STATE_CHECKER, stateChecker, cookiePath, null, null, -1, secureOnly, true);
return stateChecker;
}
}
}
}
private void csrfCheck(String stateChecker) {
private String getCsrfCookie() {
if (!this.stateChecker.equals(stateChecker)) {
Cookie cookie = headers.getCookies().get(KEYCLOAK_STATE_CHECKER);
return cookie==null ? null : cookie.getValue();
}
private void csrfCheck(String cookieStateChecker, String formStateChecker) {
if (cookieStateChecker == null || !cookieStateChecker.equals(formStateChecker)) {
throw new ForbiddenException();
throw new ForbiddenException();
}
}
}
}
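Review bot: In csrfCheck (last hunk) the cookie token and the form token are compared with `String.equals`, which returns as soon as one character differs, so the response time depends on how much of the secret the attacker-controlled form value matched; compare them in constant time instead, e.g. `if (cookieStateChecker == null || formStateChecker == null || !MessageDigest.isEqual(cookieStateChecker.getBytes(StandardCharsets.UTF_8), formStateChecker.getBytes(StandardCharsets.UTF_8)))`, where the explicit null check on the form value also makes the rejection case readable rather than relying on `equals(null)` being false. `java.security.MessageDigest` and `java.nio.charset.StandardCharsets` would need importing; the import block is outside this hunk. A short Javadoc on csrfCheck stating that it implements a double-submit cookie check and throws ForbiddenException when the cookie is absent or differs from the form value would help the next reader, and a one-line comment on updateCsrfChecks noting that an existing cookie value is reused as-is, without any format or length check, would document a choice a reviewer would otherwise question. Minor style: `cookie==null` in getCsrfCookie should be `cookie == null` to match the surrounding code.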