Merge pull request #2126 from patriot1burke/master

browser back button
This commit is contained in:
Bill Burke 2016-01-28 10:31:14 -05:00
commit fae05c1cc5
15 changed files with 235 additions and 130 deletions

View file

@ -54,9 +54,12 @@ public class InfinispanUserSessionProvider implements UserSessionProvider {
entity.setTimestamp(Time.currentTime()); entity.setTimestamp(Time.currentTime());
entity.setClient(client.getId()); entity.setClient(client.getId());
tx.put(sessionCache, id, entity); tx.put(sessionCache, id, entity);
return wrap(realm, entity, false); ClientSessionAdapter wrap = wrap(realm, entity, false);
wrap.setNote(ClientSessionModel.ACTION_KEY, KeycloakModelUtils.generateCodeSecret());
return wrap;
} }
@Override @Override

View file

@ -7,6 +7,7 @@ import java.util.Set;
* @author <a href="mailto:sthorger@redhat.com">Stian Thorgersen</a> * @author <a href="mailto:sthorger@redhat.com">Stian Thorgersen</a>
*/ */
public interface ClientSessionModel { public interface ClientSessionModel {
public static final String ACTION_KEY = "action_key";
public String getId(); public String getId();
public RealmModel getRealm(); public RealmModel getRealm();

View file

@ -22,8 +22,6 @@ import java.util.UUID;
*/ */
public class ClientSessionCode { public class ClientSessionCode {
public static final String ACTION_KEY = "action_key";
private static final byte[] HASH_SEPERATOR = "//".getBytes(); private static final byte[] HASH_SEPERATOR = "//".getBytes();
private final RealmModel realm; private final RealmModel realm;
@ -211,7 +209,6 @@ public class ClientSessionCode {
public void setAction(String action) { public void setAction(String action) {
clientSession.setAction(action); clientSession.setAction(action);
clientSession.setNote(ACTION_KEY, UUID.randomUUID().toString());
clientSession.setTimestamp(Time.currentTime()); clientSession.setTimestamp(Time.currentTime());
} }
@ -237,7 +234,7 @@ public class ClientSessionCode {
mac.init(codeSecretKey); mac.init(codeSecretKey);
mac.update(clientSession.getId().getBytes()); mac.update(clientSession.getId().getBytes());
mac.update(HASH_SEPERATOR); mac.update(HASH_SEPERATOR);
mac.update(clientSession.getNote(ACTION_KEY).getBytes()); mac.update(clientSession.getNote(ClientSessionModel.ACTION_KEY).getBytes());
return Base64Url.encode(mac.doFinal()); return Base64Url.encode(mac.doFinal());
} catch (Exception e) { } catch (Exception e) {
throw new RuntimeException(e); throw new RuntimeException(e);

View file

@ -1,5 +1,6 @@
package org.keycloak.authentication; package org.keycloak.authentication;
import org.jboss.resteasy.annotations.cache.NoCache;
import org.jboss.resteasy.spi.HttpRequest; import org.jboss.resteasy.spi.HttpRequest;
import org.keycloak.common.ClientConnection; import org.keycloak.common.ClientConnection;
import org.keycloak.OAuth2Constants; import org.keycloak.OAuth2Constants;
@ -30,6 +31,7 @@ import org.keycloak.services.managers.ClientSessionCode;
import org.keycloak.services.messages.Messages; import org.keycloak.services.messages.Messages;
import org.keycloak.services.resources.LoginActionsService; import org.keycloak.services.resources.LoginActionsService;
import org.keycloak.common.util.Time; import org.keycloak.common.util.Time;
import org.keycloak.services.util.CacheControlUtil;
import javax.ws.rs.core.Response; import javax.ws.rs.core.Response;
import javax.ws.rs.core.UriInfo; import javax.ws.rs.core.UriInfo;
@ -575,9 +577,11 @@ public class AuthenticationProcessor {
.setConnection(connection) .setConnection(connection)
.setEventBuilder(event) .setEventBuilder(event)
.setRealm(realm) .setRealm(realm)
.setBrowserFlow(isBrowserFlow())
.setSession(session) .setSession(session)
.setUriInfo(uriInfo) .setUriInfo(uriInfo)
.setRequest(request); .setRequest(request);
CacheControlUtil.noBackButtonCacheControlHeader();
return processor.authenticate(); return processor.authenticate();
} else { } else {
@ -656,6 +660,17 @@ public class AuthenticationProcessor {
} }
} }
public Response redirectToFlow() {
String code = generateCode();
URI redirect = LoginActionsService.loginActionsBaseUrl(getUriInfo())
.path(flowPath)
.queryParam(OAuth2Constants.CODE, code).build(getRealm().getName());
return Response.status(302).location(redirect).build();
}
public static Response redirectToRequiredActions(RealmModel realm, ClientSessionModel clientSession, UriInfo uriInfo) { public static Response redirectToRequiredActions(RealmModel realm, ClientSessionModel clientSession, UriInfo uriInfo) {
// redirect to non-action url so browser refresh button works without reposting past data // redirect to non-action url so browser refresh button works without reposting past data

View file

@ -74,9 +74,10 @@ public abstract class AuthorizationEndpointBase {
* @param clientSession for current request * @param clientSession for current request
* @param protocol handler for protocol used to initiate login * @param protocol handler for protocol used to initiate login
* @param isPassive set to true if login should be passive (without login screen shown) * @param isPassive set to true if login should be passive (without login screen shown)
* @param redirectToAuthentication if true redirect to flow url. If initial call to protocol is a POST, you probably want to do this. This is so we can disable the back button on browser
* @return response to be returned to the browser * @return response to be returned to the browser
*/ */
protected Response handleBrowserAuthenticationRequest(ClientSessionModel clientSession, LoginProtocol protocol, boolean isPassive) { protected Response handleBrowserAuthenticationRequest(ClientSessionModel clientSession, LoginProtocol protocol, boolean isPassive, boolean redirectToAuthentication) {
List<IdentityProviderModel> identityProviders = realm.getIdentityProviders(); List<IdentityProviderModel> identityProviders = realm.getIdentityProviders();
for (IdentityProviderModel identityProvider : identityProviders) { for (IdentityProviderModel identityProvider : identityProviders) {
@ -115,6 +116,9 @@ public abstract class AuthorizationEndpointBase {
} else { } else {
try { try {
RestartLoginCookie.setRestartCookie(realm, clientConnection, uriInfo, clientSession); RestartLoginCookie.setRestartCookie(realm, clientConnection, uriInfo, clientSession);
if (redirectToAuthentication) {
return processor.redirectToFlow();
}
return processor.authenticate(); return processor.authenticate();
} catch (Exception e) { } catch (Exception e) {
return processor.handleBrowserException(e); return processor.handleBrowserException(e);

View file

@ -28,6 +28,7 @@ import org.keycloak.services.Urls;
import org.keycloak.services.managers.ClientSessionCode; import org.keycloak.services.managers.ClientSessionCode;
import org.keycloak.services.messages.Messages; import org.keycloak.services.messages.Messages;
import org.keycloak.services.resources.LoginActionsService; import org.keycloak.services.resources.LoginActionsService;
import org.keycloak.services.util.CacheControlUtil;
/** /**
* @author <a href="mailto:sthorger@redhat.com">Stian Thorgersen</a> * @author <a href="mailto:sthorger@redhat.com">Stian Thorgersen</a>
@ -87,7 +88,8 @@ public class AuthorizationEndpoint extends AuthorizationEndpointBase {
checkRedirectUri(); checkRedirectUri();
createClientSession(); createClientSession();
// So back button doesn't work
CacheControlUtil.noBackButtonCacheControlHeader();
switch (action) { switch (action) {
case REGISTER: case REGISTER:
return buildRegister(); return buildRegister();
@ -219,7 +221,6 @@ public class AuthorizationEndpoint extends AuthorizationEndpointBase {
clientSession.setAuthMethod(OIDCLoginProtocol.LOGIN_PROTOCOL); clientSession.setAuthMethod(OIDCLoginProtocol.LOGIN_PROTOCOL);
clientSession.setRedirectUri(redirectUri); clientSession.setRedirectUri(redirectUri);
clientSession.setAction(ClientSessionModel.Action.AUTHENTICATE.name()); clientSession.setAction(ClientSessionModel.Action.AUTHENTICATE.name());
clientSession.setNote(ClientSessionCode.ACTION_KEY, KeycloakModelUtils.generateCodeSecret());
clientSession.setNote(OIDCLoginProtocol.RESPONSE_TYPE_PARAM, responseType); clientSession.setNote(OIDCLoginProtocol.RESPONSE_TYPE_PARAM, responseType);
clientSession.setNote(OIDCLoginProtocol.REDIRECT_URI_PARAM, redirectUriParam); clientSession.setNote(OIDCLoginProtocol.REDIRECT_URI_PARAM, redirectUriParam);
clientSession.setNote(OIDCLoginProtocol.ISSUER, Urls.realmIssuer(uriInfo.getBaseUri(), realm.getName())); clientSession.setNote(OIDCLoginProtocol.ISSUER, Urls.realmIssuer(uriInfo.getBaseUri(), realm.getName()));
@ -249,7 +250,7 @@ public class AuthorizationEndpoint extends AuthorizationEndpointBase {
this.event.event(EventType.LOGIN); this.event.event(EventType.LOGIN);
clientSession.setNote(Details.AUTH_TYPE, CODE_AUTH_TYPE); clientSession.setNote(Details.AUTH_TYPE, CODE_AUTH_TYPE);
return handleBrowserAuthenticationRequest(clientSession, new OIDCLoginProtocol(session, realm, uriInfo, headers, event), prompt != null && prompt.equals("none")); return handleBrowserAuthenticationRequest(clientSession, new OIDCLoginProtocol(session, realm, uriInfo, headers, event), prompt != null && prompt.equals("none"), false);
} }
private Response buildRegister() { private Response buildRegister() {

View file

@ -18,6 +18,7 @@ import javax.ws.rs.core.Response;
import javax.ws.rs.core.UriInfo; import javax.ws.rs.core.UriInfo;
import org.jboss.logging.Logger; import org.jboss.logging.Logger;
import org.jboss.resteasy.annotations.cache.NoCache;
import org.jboss.resteasy.spi.ResteasyProviderFactory; import org.jboss.resteasy.spi.ResteasyProviderFactory;
import org.keycloak.common.VerificationException; import org.keycloak.common.VerificationException;
import org.keycloak.common.util.StreamUtil; import org.keycloak.common.util.StreamUtil;
@ -50,6 +51,7 @@ import org.keycloak.services.managers.AuthenticationManager;
import org.keycloak.services.managers.ClientSessionCode; import org.keycloak.services.managers.ClientSessionCode;
import org.keycloak.services.messages.Messages; import org.keycloak.services.messages.Messages;
import org.keycloak.services.resources.RealmsResource; import org.keycloak.services.resources.RealmsResource;
import org.keycloak.services.util.CacheControlUtil;
/** /**
* Resource class for the oauth/openid connect token service * Resource class for the oauth/openid connect token service
@ -66,6 +68,12 @@ public class SamlService extends AuthorizationEndpointBase {
} }
public abstract class BindingProtocol { public abstract class BindingProtocol {
// this is to support back button on browser
// if true, we redirect to authenticate URL otherwise back button behavior has bad side effects
// and we want to turn it off.
protected boolean redirectToAuthentication;
protected Response basicChecks(String samlRequest, String samlResponse) { protected Response basicChecks(String samlRequest, String samlResponse) {
if (!checkSsl()) { if (!checkSsl()) {
event.event(EventType.LOGIN); event.event(EventType.LOGIN);
@ -229,7 +237,6 @@ public class SamlService extends AuthorizationEndpointBase {
clientSession.setAuthMethod(SamlProtocol.LOGIN_PROTOCOL); clientSession.setAuthMethod(SamlProtocol.LOGIN_PROTOCOL);
clientSession.setRedirectUri(redirect); clientSession.setRedirectUri(redirect);
clientSession.setAction(ClientSessionModel.Action.AUTHENTICATE.name()); clientSession.setAction(ClientSessionModel.Action.AUTHENTICATE.name());
clientSession.setNote(ClientSessionCode.ACTION_KEY, KeycloakModelUtils.generateCodeSecret());
clientSession.setNote(SamlProtocol.SAML_BINDING, bindingType); clientSession.setNote(SamlProtocol.SAML_BINDING, bindingType);
clientSession.setNote(GeneralConstants.RELAY_STATE, relayState); clientSession.setNote(GeneralConstants.RELAY_STATE, relayState);
clientSession.setNote(SamlProtocol.SAML_REQUEST_ID, requestAbstractType.getID()); clientSession.setNote(SamlProtocol.SAML_REQUEST_ID, requestAbstractType.getID());
@ -248,7 +255,7 @@ public class SamlService extends AuthorizationEndpointBase {
} }
} }
return newBrowserAuthentication(clientSession, requestAbstractType.isIsPassive()); return newBrowserAuthentication(clientSession, requestAbstractType.isIsPassive(), redirectToAuthentication);
} }
protected String getBindingType(AuthnRequestType requestAbstractType) { protected String getBindingType(AuthnRequestType requestAbstractType) {
@ -449,13 +456,13 @@ public class SamlService extends AuthorizationEndpointBase {
} }
protected Response newBrowserAuthentication(ClientSessionModel clientSession, boolean isPassive) { protected Response newBrowserAuthentication(ClientSessionModel clientSession, boolean isPassive, boolean redirectToAuthentication) {
SamlProtocol samlProtocol = new SamlProtocol().setEventBuilder(event).setHttpHeaders(headers).setRealm(realm).setSession(session).setUriInfo(uriInfo); SamlProtocol samlProtocol = new SamlProtocol().setEventBuilder(event).setHttpHeaders(headers).setRealm(realm).setSession(session).setUriInfo(uriInfo);
return newBrowserAuthentication(clientSession, isPassive, samlProtocol); return newBrowserAuthentication(clientSession, isPassive, redirectToAuthentication, samlProtocol);
} }
protected Response newBrowserAuthentication(ClientSessionModel clientSession, boolean isPassive, SamlProtocol samlProtocol) { protected Response newBrowserAuthentication(ClientSessionModel clientSession, boolean isPassive, boolean redirectToAuthentication, SamlProtocol samlProtocol) {
return handleBrowserAuthenticationRequest(clientSession, samlProtocol, isPassive); return handleBrowserAuthenticationRequest(clientSession, samlProtocol, isPassive, redirectToAuthentication);
} }
/** /**
@ -463,21 +470,29 @@ public class SamlService extends AuthorizationEndpointBase {
@GET @GET
public Response redirectBinding(@QueryParam(GeneralConstants.SAML_REQUEST_KEY) String samlRequest, @QueryParam(GeneralConstants.SAML_RESPONSE_KEY) String samlResponse, @QueryParam(GeneralConstants.RELAY_STATE) String relayState) { public Response redirectBinding(@QueryParam(GeneralConstants.SAML_REQUEST_KEY) String samlRequest, @QueryParam(GeneralConstants.SAML_RESPONSE_KEY) String samlResponse, @QueryParam(GeneralConstants.RELAY_STATE) String relayState) {
logger.debug("SAML GET"); logger.debug("SAML GET");
CacheControlUtil.noBackButtonCacheControlHeader();
return new RedirectBindingProtocol().execute(samlRequest, samlResponse, relayState); return new RedirectBindingProtocol().execute(samlRequest, samlResponse, relayState);
} }
/** /**
*/ */
@POST @POST
@NoCache
@Consumes(MediaType.APPLICATION_FORM_URLENCODED) @Consumes(MediaType.APPLICATION_FORM_URLENCODED)
public Response postBinding(@FormParam(GeneralConstants.SAML_REQUEST_KEY) String samlRequest, @FormParam(GeneralConstants.SAML_RESPONSE_KEY) String samlResponse, @FormParam(GeneralConstants.RELAY_STATE) String relayState) { public Response postBinding(@FormParam(GeneralConstants.SAML_REQUEST_KEY) String samlRequest, @FormParam(GeneralConstants.SAML_RESPONSE_KEY) String samlResponse, @FormParam(GeneralConstants.RELAY_STATE) String relayState) {
logger.debug("SAML POST"); logger.debug("SAML POST");
return new PostBindingProtocol().execute(samlRequest, samlResponse, relayState); PostBindingProtocol postBindingProtocol = new PostBindingProtocol();
// this is to support back button on browser
// if true, we redirect to authenticate URL otherwise back button behavior has bad side effects
// and we want to turn it off.
postBindingProtocol.redirectToAuthentication = true;
return postBindingProtocol.execute(samlRequest, samlResponse, relayState);
} }
@GET @GET
@Path("descriptor") @Path("descriptor")
@Produces(MediaType.APPLICATION_XML) @Produces(MediaType.APPLICATION_XML)
@NoCache
public String getDescriptor() throws Exception { public String getDescriptor() throws Exception {
return getIDPMetadataDescriptor(uriInfo, realm); return getIDPMetadataDescriptor(uriInfo, realm);
@ -499,6 +514,7 @@ public class SamlService extends AuthorizationEndpointBase {
@Produces(MediaType.TEXT_HTML) @Produces(MediaType.TEXT_HTML)
public Response idpInitiatedSSO(@PathParam("client") String clientUrlName, @QueryParam("RelayState") String relayState) { public Response idpInitiatedSSO(@PathParam("client") String clientUrlName, @QueryParam("RelayState") String relayState) {
event.event(EventType.LOGIN); event.event(EventType.LOGIN);
CacheControlUtil.noBackButtonCacheControlHeader();
ClientModel client = null; ClientModel client = null;
for (ClientModel c : realm.getClients()) { for (ClientModel c : realm.getClients()) {
String urlName = c.getAttribute(SamlProtocol.SAML_IDP_INITIATED_SSO_URL_NAME); String urlName = c.getAttribute(SamlProtocol.SAML_IDP_INITIATED_SSO_URL_NAME);
@ -537,7 +553,6 @@ public class SamlService extends AuthorizationEndpointBase {
ClientSessionModel clientSession = session.sessions().createClientSession(realm, client); ClientSessionModel clientSession = session.sessions().createClientSession(realm, client);
clientSession.setAuthMethod(SamlProtocol.LOGIN_PROTOCOL); clientSession.setAuthMethod(SamlProtocol.LOGIN_PROTOCOL);
clientSession.setAction(ClientSessionModel.Action.AUTHENTICATE.name()); clientSession.setAction(ClientSessionModel.Action.AUTHENTICATE.name());
clientSession.setNote(ClientSessionCode.ACTION_KEY, KeycloakModelUtils.generateCodeSecret());
clientSession.setNote(SamlProtocol.SAML_BINDING, SamlProtocol.SAML_POST_BINDING); clientSession.setNote(SamlProtocol.SAML_BINDING, SamlProtocol.SAML_POST_BINDING);
clientSession.setNote(SamlProtocol.SAML_IDP_INITIATED_LOGIN, "true"); clientSession.setNote(SamlProtocol.SAML_IDP_INITIATED_LOGIN, "true");
clientSession.setRedirectUri(redirect); clientSession.setRedirectUri(redirect);
@ -549,11 +564,12 @@ public class SamlService extends AuthorizationEndpointBase {
clientSession.setNote(GeneralConstants.RELAY_STATE, relayState); clientSession.setNote(GeneralConstants.RELAY_STATE, relayState);
} }
return newBrowserAuthentication(clientSession, false); return newBrowserAuthentication(clientSession, false, false);
} }
@POST @POST
@NoCache
@Consumes({"application/soap+xml",MediaType.TEXT_XML}) @Consumes({"application/soap+xml",MediaType.TEXT_XML})
public Response soapBinding(InputStream inputStream) { public Response soapBinding(InputStream inputStream) {
SamlEcpProfileService bindingService = new SamlEcpProfileService(realm, event); SamlEcpProfileService bindingService = new SamlEcpProfileService(realm, event);

View file

@ -68,8 +68,8 @@ public class SamlEcpProfileService extends SamlService {
} }
@Override @Override
protected Response newBrowserAuthentication(ClientSessionModel clientSession, boolean isPassive, SamlProtocol samlProtocol) { protected Response newBrowserAuthentication(ClientSessionModel clientSession, boolean isPassive, boolean redirectToAuthentication, SamlProtocol samlProtocol) {
return super.newBrowserAuthentication(clientSession, isPassive, createEcpSamlProtocol()); return super.newBrowserAuthentication(clientSession, isPassive, redirectToAuthentication, createEcpSamlProtocol());
} }
private SamlProtocol createEcpSamlProtocol() { private SamlProtocol createEcpSamlProtocol() {

View file

@ -528,7 +528,8 @@ public class AuthenticationManager {
// Skip grant screen if everything was already approved by this user // Skip grant screen if everything was already approved by this user
if (realmRoles.size() > 0 || resourceRoles.size() > 0 || protocolMappers.size() > 0) { if (realmRoles.size() > 0 || resourceRoles.size() > 0 || protocolMappers.size() > 0) {
accessCode.setAction(ClientSessionModel.Action.OAUTH_GRANT.name()); accessCode.setAction(ClientSessionModel.Action.REQUIRED_ACTIONS.name());
clientSession.setNote(CURRENT_REQUIRED_ACTION, ClientSessionModel.Action.OAUTH_GRANT.name());
return session.getProvider(LoginFormsProvider.class) return session.getProvider(LoginFormsProvider.class)
.setClientSessionCode(accessCode.getCode()) .setClientSessionCode(accessCode.getCode())

View file

@ -17,6 +17,7 @@
*/ */
package org.keycloak.services.resources; package org.keycloak.services.resources;
import org.jboss.resteasy.annotations.cache.NoCache;
import org.jboss.resteasy.spi.HttpRequest; import org.jboss.resteasy.spi.HttpRequest;
import org.jboss.resteasy.spi.ResteasyProviderFactory; import org.jboss.resteasy.spi.ResteasyProviderFactory;
import org.keycloak.OAuth2Constants; import org.keycloak.OAuth2Constants;
@ -61,6 +62,7 @@ import org.keycloak.services.ErrorResponse;
import org.keycloak.services.ErrorPage; import org.keycloak.services.ErrorPage;
import org.keycloak.services.ServicesLogger; import org.keycloak.services.ServicesLogger;
import org.keycloak.services.Urls; import org.keycloak.services.Urls;
import org.keycloak.services.util.CacheControlUtil;
import org.keycloak.services.validation.Validation; import org.keycloak.services.validation.Validation;
import org.keycloak.broker.social.SocialIdentityProvider; import org.keycloak.broker.social.SocialIdentityProvider;
import org.keycloak.common.util.ObjectUtil; import org.keycloak.common.util.ObjectUtil;
@ -694,6 +696,7 @@ public class IdentityBrokerService implements IdentityProvider.AuthenticationCal
processor.setClientSession(clientSession) processor.setClientSession(clientSession)
.setFlowPath(LoginActionsService.AUTHENTICATE_PATH) .setFlowPath(LoginActionsService.AUTHENTICATE_PATH)
.setFlowId(flowId) .setFlowId(flowId)
.setBrowserFlow(true)
.setConnection(clientConnection) .setConnection(clientConnection)
.setEventBuilder(event) .setEventBuilder(event)
.setRealm(realmModel) .setRealm(realmModel)
@ -703,6 +706,7 @@ public class IdentityBrokerService implements IdentityProvider.AuthenticationCal
if (errorMessage != null) processor.setForwardedErrorMessage(new FormMessage(null, errorMessage)); if (errorMessage != null) processor.setForwardedErrorMessage(new FormMessage(null, errorMessage));
try { try {
CacheControlUtil.noBackButtonCacheControlHeader();
return processor.authenticate(); return processor.authenticate();
} catch (Exception e) { } catch (Exception e) {
return processor.handleBrowserException(e); return processor.handleBrowserException(e);

View file

@ -67,6 +67,7 @@ import org.keycloak.services.Urls;
import org.keycloak.services.managers.AuthenticationManager; import org.keycloak.services.managers.AuthenticationManager;
import org.keycloak.services.managers.ClientSessionCode; import org.keycloak.services.managers.ClientSessionCode;
import org.keycloak.services.messages.Messages; import org.keycloak.services.messages.Messages;
import org.keycloak.services.util.CacheControlUtil;
import org.keycloak.services.util.CookieHelper; import org.keycloak.services.util.CookieHelper;
import javax.ws.rs.Consumes; import javax.ws.rs.Consumes;
@ -155,6 +156,7 @@ public class LoginActionsService {
public LoginActionsService(RealmModel realm, EventBuilder event) { public LoginActionsService(RealmModel realm, EventBuilder event) {
this.realm = realm; this.realm = realm;
this.event = event; this.event = event;
CacheControlUtil.noBackButtonCacheControlHeader();
} }
private boolean checkSsl() { private boolean checkSsl() {
@ -175,20 +177,34 @@ public class LoginActionsService {
if (!verifyCode(code)) { if (!verifyCode(code)) {
return false; return false;
} }
if (!verifyAction(requiredAction, actionType)) { if (!clientCode.isValidAction(requiredAction)) {
return false; if (ClientSessionModel.Action.REQUIRED_ACTIONS.name().equals(clientCode.getClientSession().getAction())) {
} else { response = redirectToRequiredActions(code);
return true; return false;
} else {
invalidAction();
return false;
}
} }
if (!isActionActive(actionType)) return false;
return true;
}
public boolean isValidAction(String requiredAction) {
if (!clientCode.isValidAction(requiredAction)) {
invalidAction();
return false;
}
return true;
} }
public boolean verifyAction(String requiredAction, ClientSessionCode.ActionType actionType) { private void invalidAction() {
if (!clientCode.isValidAction(requiredAction)) { event.client(clientCode.getClientSession().getClient());
event.client(clientCode.getClientSession().getClient()); event.error(Errors.INVALID_CODE);
event.error(Errors.INVALID_CODE); response = ErrorPage.error(session, Messages.INVALID_CODE);
response = ErrorPage.error(session, Messages.INVALID_CODE); }
return false;
} public boolean isActionActive(ClientSessionCode.ActionType actionType) {
if (!clientCode.isActionActive(actionType)) { if (!clientCode.isActionActive(actionType)) {
event.client(clientCode.getClientSession().getClient()); event.client(clientCode.getClientSession().getClient());
event.clone().error(Errors.EXPIRED_CODE); event.clone().error(Errors.EXPIRED_CODE);
@ -256,8 +272,48 @@ public class LoginActionsService {
session.getContext().setClient(client); session.getContext().setClient(client);
return true; return true;
} }
public boolean verifyRequiredAction(String code, String executedAction) {
if (!verifyCode(code)) {
return false;
}
if (!isValidAction(ClientSessionModel.Action.REQUIRED_ACTIONS.name())) return false;
if (!isActionActive(ClientSessionCode.ActionType.USER)) return false;
final ClientSessionModel clientSession = clientCode.getClientSession();
final UserSessionModel userSession = clientSession.getUserSession();
if (userSession == null) {
logger.userSessionNull();
event.error(Errors.USER_SESSION_NOT_FOUND);
throw new WebApplicationException(ErrorPage.error(session, Messages.SESSION_NOT_ACTIVE));
}
if (!AuthenticationManager.isSessionValid(realm, userSession)) {
AuthenticationManager.backchannelLogout(session, realm, userSession, uriInfo, clientConnection, headers, true);
event.error(Errors.INVALID_CODE);
response = ErrorPage.error(session, Messages.SESSION_NOT_ACTIVE);
return false;
}
if (executedAction == null && userSession != null) { // do next required action only if user is already authenticated
initEvent(clientSession);
event.event(EventType.LOGIN);
response = AuthenticationManager.nextActionAfterAuthentication(session, userSession, clientSession, clientConnection, request, uriInfo, event);
return false;
}
if (!executedAction.equals(clientSession.getNote(AuthenticationManager.CURRENT_REQUIRED_ACTION))) {
logger.debug("required action doesn't match current required action");
clientSession.removeNote(AuthenticationManager.CURRENT_REQUIRED_ACTION);
response = redirectToRequiredActions(code);
return false;
}
return true;
}
} }
/** /**
* protocol independent login page entry point * protocol independent login page entry point
* *
@ -361,13 +417,11 @@ public class LoginActionsService {
ClientModel client = realm.getClientByClientId(Constants.ACCOUNT_MANAGEMENT_CLIENT_ID); ClientModel client = realm.getClientByClientId(Constants.ACCOUNT_MANAGEMENT_CLIENT_ID);
ClientSessionModel clientSession = session.sessions().createClientSession(realm, client); ClientSessionModel clientSession = session.sessions().createClientSession(realm, client);
clientSession.setAction(ClientSessionModel.Action.AUTHENTICATE.name()); clientSession.setAction(ClientSessionModel.Action.AUTHENTICATE.name());
clientSession.setNote(ClientSessionCode.ACTION_KEY, KeycloakModelUtils.generateCodeSecret());
//clientSession.setNote(AuthenticationManager.END_AFTER_REQUIRED_ACTIONS, "true"); //clientSession.setNote(AuthenticationManager.END_AFTER_REQUIRED_ACTIONS, "true");
clientSession.setAuthMethod(OIDCLoginProtocol.LOGIN_PROTOCOL); clientSession.setAuthMethod(OIDCLoginProtocol.LOGIN_PROTOCOL);
String redirectUri = Urls.accountBase(uriInfo.getBaseUri()).path("/").build(realm.getName()).toString(); String redirectUri = Urls.accountBase(uriInfo.getBaseUri()).path("/").build(realm.getName()).toString();
clientSession.setRedirectUri(redirectUri); clientSession.setRedirectUri(redirectUri);
clientSession.setAction(ClientSessionModel.Action.AUTHENTICATE.name()); clientSession.setAction(ClientSessionModel.Action.AUTHENTICATE.name());
clientSession.setNote(ClientSessionCode.ACTION_KEY, KeycloakModelUtils.generateCodeSecret());
clientSession.setNote(OIDCLoginProtocol.RESPONSE_TYPE_PARAM, OAuth2Constants.CODE); clientSession.setNote(OIDCLoginProtocol.RESPONSE_TYPE_PARAM, OAuth2Constants.CODE);
clientSession.setNote(OIDCLoginProtocol.REDIRECT_URI_PARAM, redirectUri); clientSession.setNote(OIDCLoginProtocol.REDIRECT_URI_PARAM, redirectUri);
clientSession.setNote(OIDCLoginProtocol.ISSUER, Urls.realmIssuer(uriInfo.getBaseUri(), realm.getName())); clientSession.setNote(OIDCLoginProtocol.ISSUER, Urls.realmIssuer(uriInfo.getBaseUri(), realm.getName()));
@ -589,19 +643,12 @@ public class LoginActionsService {
@Consumes(MediaType.APPLICATION_FORM_URLENCODED) @Consumes(MediaType.APPLICATION_FORM_URLENCODED)
public Response processConsent(final MultivaluedMap<String, String> formData) { public Response processConsent(final MultivaluedMap<String, String> formData) {
event.event(EventType.LOGIN); event.event(EventType.LOGIN);
if (!checkSsl()) {
return ErrorPage.error(session, Messages.HTTPS_REQUIRED);
}
String code = formData.getFirst("code"); String code = formData.getFirst("code");
Checks checks = new Checks();
ClientSessionCode accessCode = ClientSessionCode.parse(code, session, realm); if (!checks.verifyRequiredAction(code, ClientSessionModel.Action.OAUTH_GRANT.name())) {
if (accessCode == null || !accessCode.isValid(ClientSessionModel.Action.OAUTH_GRANT.name(), ClientSessionCode.ActionType.LOGIN)) { return checks.response;
event.error(Errors.INVALID_CODE);
return ErrorPage.error(session, Messages.INVALID_ACCESS_CODE);
} }
ClientSessionCode accessCode = checks.clientCode;
ClientSessionModel clientSession = accessCode.getClientSession(); ClientSessionModel clientSession = accessCode.getClientSession();
initEvent(clientSession); initEvent(clientSession);
@ -610,11 +657,6 @@ public class LoginActionsService {
UserModel user = userSession.getUser(); UserModel user = userSession.getUser();
ClientModel client = clientSession.getClient(); ClientModel client = clientSession.getClient();
if (!AuthenticationManager.isSessionValid(realm, userSession)) {
AuthenticationManager.backchannelLogout(session, realm, userSession, uriInfo, clientConnection, headers, true);
event.error(Errors.INVALID_CODE);
return ErrorPage.error(session, Messages.SESSION_NOT_ACTIVE);
}
if (formData.containsKey("cancel")) { if (formData.containsKey("cancel")) {
LoginProtocol protocol = session.getProvider(LoginProtocol.class, clientSession.getAuthMethod()); LoginProtocol protocol = session.getProvider(LoginProtocol.class, clientSession.getAuthMethod());
@ -810,29 +852,13 @@ public class LoginActionsService {
event.event(EventType.CUSTOM_REQUIRED_ACTION); event.event(EventType.CUSTOM_REQUIRED_ACTION);
event.detail(Details.CUSTOM_REQUIRED_ACTION, action); event.detail(Details.CUSTOM_REQUIRED_ACTION, action);
Checks checks = new Checks(); Checks checks = new Checks();
if (!checks.verifyCode(code, ClientSessionModel.Action.REQUIRED_ACTIONS.name(), ClientSessionCode.ActionType.USER)) { if (!checks.verifyRequiredAction(code, action)) {
return checks.response; return checks.response;
} }
final ClientSessionCode clientCode = checks.clientCode; final ClientSessionCode clientCode = checks.clientCode;
final ClientSessionModel clientSession = clientCode.getClientSession(); final ClientSessionModel clientSession = clientCode.getClientSession();
final UserSessionModel userSession = clientSession.getUserSession(); final UserSessionModel userSession = clientSession.getUserSession();
if (userSession == null) {
logger.userSessionNull();
event.error(Errors.USER_SESSION_NOT_FOUND);
throw new WebApplicationException(ErrorPage.error(session, Messages.SESSION_NOT_ACTIVE));
}
if (action == null && userSession != null) { // do next required action only if user is already authenticated
initEvent(clientSession);
event.event(EventType.LOGIN);
return AuthenticationManager.nextActionAfterAuthentication(session, userSession, clientSession, clientConnection, request, uriInfo, event);
}
if (!action.equals(clientSession.getNote(AuthenticationManager.CURRENT_REQUIRED_ACTION))) {
logger.debug("required action doesn't match current required action");
clientSession.removeNote(AuthenticationManager.CURRENT_REQUIRED_ACTION);
redirectToRequiredActions(code);
}
RequiredActionFactory factory = (RequiredActionFactory)session.getKeycloakSessionFactory().getProviderFactory(RequiredActionProvider.class, action); RequiredActionFactory factory = (RequiredActionFactory)session.getKeycloakSessionFactory().getProviderFactory(RequiredActionProvider.class, action);
if (factory == null) { if (factory == null) {

View file

@ -1,5 +1,7 @@
package org.keycloak.services.util; package org.keycloak.services.util;
import org.jboss.resteasy.spi.HttpResponse;
import org.jboss.resteasy.spi.ResteasyProviderFactory;
import org.keycloak.Config; import org.keycloak.Config;
import javax.ws.rs.core.CacheControl; import javax.ws.rs.core.CacheControl;
@ -9,6 +11,11 @@ import javax.ws.rs.core.CacheControl;
*/ */
public class CacheControlUtil { public class CacheControlUtil {
public static void noBackButtonCacheControlHeader() {
HttpResponse response = ResteasyProviderFactory.getContextData(HttpResponse.class);
response.getOutputHeaders().putSingle("Cache-Control", "no-store, must-revalidate, max-age=0");
}
public static CacheControl getDefaultCacheControl() { public static CacheControl getDefaultCacheControl() {
CacheControl cacheControl = new CacheControl(); CacheControl cacheControl = new CacheControl();
cacheControl.setNoTransform(false); cacheControl.setNoTransform(false);

View file

@ -54,6 +54,11 @@ public class SamlAdapterTest {
@Rule @Rule
public SamlAdapterTestStrategy testStrategy = new SamlAdapterTestStrategy("http://localhost:8081/auth", "http://localhost:8081", keycloakRule); public SamlAdapterTestStrategy testStrategy = new SamlAdapterTestStrategy("http://localhost:8081/auth", "http://localhost:8081", keycloakRule);
//@Test
public void testIDE() throws Exception {
Thread.sleep(100000000);
}
@Test @Test
public void testPostBadRealmSignature() { public void testPostBadRealmSignature() {
testStrategy.testPostBadRealmSignature(); testStrategy.testPostBadRealmSignature();

View file

@ -99,15 +99,27 @@ public class SamlAdapterTestStrategy extends ExternalResource {
protected void checkLoggedOut(String mainUrl) { protected void checkLoggedOut(String mainUrl, boolean postBinding) {
String pageSource = driver.getPageSource(); String pageSource = driver.getPageSource();
System.out.println("*** logout pagesource ***"); System.out.println("*** logout pagesource ***");
System.out.println(pageSource); System.out.println(pageSource);
System.out.println("driver url: " + driver.getCurrentUrl()); System.out.println("driver url: " + driver.getCurrentUrl());
Assert.assertTrue(pageSource.contains("request-path: /logout.jsp")); Assert.assertTrue(pageSource.contains("request-path: /logout.jsp"));
driver.navigate().to(mainUrl); driver.navigate().to(mainUrl);
checkAtLoginPage(postBinding);
}
protected void checkAtLoginPage(boolean postBinding) {
if (postBinding) assertAtLoginPagePostBinding();
else assertAtLoginPageRedirectBinding();
}
protected void assertAtLoginPageRedirectBinding() {
Assert.assertTrue(driver.getCurrentUrl().startsWith(AUTH_SERVER_URL + "/realms/demo/protocol/saml")); Assert.assertTrue(driver.getCurrentUrl().startsWith(AUTH_SERVER_URL + "/realms/demo/protocol/saml"));
} }
protected void assertAtLoginPagePostBinding() {
Assert.assertTrue(driver.getCurrentUrl().startsWith(AUTH_SERVER_URL + "/realms/demo/login-actions/authenticate"));
}
public void testSavedPostRequest() throws Exception { public void testSavedPostRequest() throws Exception {
// test login to customer-portal which does a bearer request to customer-db // test login to customer-portal which does a bearer request to customer-db
@ -116,7 +128,7 @@ public class SamlAdapterTestStrategy extends ExternalResource {
Assert.assertTrue(driver.getCurrentUrl().startsWith(APP_SERVER_BASE_URL + "/input-portal")); Assert.assertTrue(driver.getCurrentUrl().startsWith(APP_SERVER_BASE_URL + "/input-portal"));
inputPage.execute("hello"); inputPage.execute("hello");
assertEquals(driver.getCurrentUrl(), AUTH_SERVER_URL + "/realms/demo/protocol/saml"); assertAtLoginPagePostBinding();
loginPage.login("bburke@redhat.com", "password"); loginPage.login("bburke@redhat.com", "password");
System.out.println("Current url: " + driver.getCurrentUrl()); System.out.println("Current url: " + driver.getCurrentUrl());
Assert.assertEquals(driver.getCurrentUrl(), APP_SERVER_BASE_URL + "/input-portal/secured/post"); Assert.assertEquals(driver.getCurrentUrl(), APP_SERVER_BASE_URL + "/input-portal/secured/post");
@ -170,13 +182,13 @@ public class SamlAdapterTestStrategy extends ExternalResource {
public void testPostSimpleLoginLogout() { public void testPostSimpleLoginLogout() {
driver.navigate().to(APP_SERVER_BASE_URL + "/sales-post/"); driver.navigate().to(APP_SERVER_BASE_URL + "/sales-post/");
assertEquals(driver.getCurrentUrl(), AUTH_SERVER_URL + "/realms/demo/protocol/saml"); assertAtLoginPagePostBinding();
loginPage.login("bburke", "password"); loginPage.login("bburke", "password");
assertEquals(driver.getCurrentUrl(), APP_SERVER_BASE_URL + "/sales-post/"); assertEquals(driver.getCurrentUrl(), APP_SERVER_BASE_URL + "/sales-post/");
System.out.println(driver.getPageSource()); System.out.println(driver.getPageSource());
Assert.assertTrue(driver.getPageSource().contains("bburke")); Assert.assertTrue(driver.getPageSource().contains("bburke"));
driver.navigate().to(APP_SERVER_BASE_URL + "/sales-post?GLO=true"); driver.navigate().to(APP_SERVER_BASE_URL + "/sales-post?GLO=true");
checkLoggedOut(APP_SERVER_BASE_URL + "/sales-post/"); checkLoggedOut(APP_SERVER_BASE_URL + "/sales-post/", true);
} }
public void testPostPassiveLoginLogout(boolean forbiddenIfNotauthenticated) { public void testPostPassiveLoginLogout(boolean forbiddenIfNotauthenticated) {
@ -213,7 +225,7 @@ public class SamlAdapterTestStrategy extends ExternalResource {
public void testPostSimpleUnauthorized(CheckAuthError error) { public void testPostSimpleUnauthorized(CheckAuthError error) {
driver.navigate().to(APP_SERVER_BASE_URL + "/sales-post/"); driver.navigate().to(APP_SERVER_BASE_URL + "/sales-post/");
assertEquals(driver.getCurrentUrl(), AUTH_SERVER_URL + "/realms/demo/protocol/saml"); assertAtLoginPagePostBinding();
loginPage.login("unauthorized", "password"); loginPage.login("unauthorized", "password");
assertEquals(driver.getCurrentUrl(), APP_SERVER_BASE_URL + "/sales-post/"); assertEquals(driver.getCurrentUrl(), APP_SERVER_BASE_URL + "/sales-post/");
System.out.println(driver.getPageSource()); System.out.println(driver.getPageSource());
@ -227,52 +239,52 @@ public class SamlAdapterTestStrategy extends ExternalResource {
System.out.println(driver.getPageSource()); System.out.println(driver.getPageSource());
Assert.assertTrue(driver.getPageSource().contains("bburke")); Assert.assertTrue(driver.getPageSource().contains("bburke"));
driver.navigate().to(APP_SERVER_BASE_URL + "/sales-post?GLO=true"); driver.navigate().to(APP_SERVER_BASE_URL + "/sales-post?GLO=true");
checkLoggedOut(APP_SERVER_BASE_URL + "/sales-post/"); checkLoggedOut(APP_SERVER_BASE_URL + "/sales-post/", true);
} }
public void testPostSignedLoginLogout() { public void testPostSignedLoginLogout() {
driver.navigate().to(APP_SERVER_BASE_URL + "/sales-post-sig/"); driver.navigate().to(APP_SERVER_BASE_URL + "/sales-post-sig/");
assertEquals(driver.getCurrentUrl(), AUTH_SERVER_URL + "/realms/demo/protocol/saml"); assertAtLoginPagePostBinding();
loginPage.login("bburke", "password"); loginPage.login("bburke", "password");
assertEquals(driver.getCurrentUrl(), APP_SERVER_BASE_URL + "/sales-post-sig/"); assertEquals(driver.getCurrentUrl(), APP_SERVER_BASE_URL + "/sales-post-sig/");
Assert.assertTrue(driver.getPageSource().contains("bburke")); Assert.assertTrue(driver.getPageSource().contains("bburke"));
driver.navigate().to(APP_SERVER_BASE_URL + "/sales-post-sig?GLO=true"); driver.navigate().to(APP_SERVER_BASE_URL + "/sales-post-sig?GLO=true");
checkLoggedOut(APP_SERVER_BASE_URL + "/sales-post-sig/"); checkLoggedOut(APP_SERVER_BASE_URL + "/sales-post-sig/", true);
} }
public void testPostSignedLoginLogoutTransientNameID() { public void testPostSignedLoginLogoutTransientNameID() {
driver.navigate().to(APP_SERVER_BASE_URL + "/sales-post-sig-transient/"); driver.navigate().to(APP_SERVER_BASE_URL + "/sales-post-sig-transient/");
assertEquals(driver.getCurrentUrl(), AUTH_SERVER_URL + "/realms/demo/protocol/saml"); assertAtLoginPagePostBinding();
loginPage.login("bburke", "password"); loginPage.login("bburke", "password");
assertEquals(driver.getCurrentUrl(), APP_SERVER_BASE_URL + "/sales-post-sig-transient/"); assertEquals(driver.getCurrentUrl(), APP_SERVER_BASE_URL + "/sales-post-sig-transient/");
System.out.println(driver.getPageSource()); System.out.println(driver.getPageSource());
Assert.assertFalse(driver.getPageSource().contains("bburke")); Assert.assertFalse(driver.getPageSource().contains("bburke"));
Assert.assertTrue(driver.getPageSource().contains("principal=G-")); Assert.assertTrue(driver.getPageSource().contains("principal=G-"));
driver.navigate().to(APP_SERVER_BASE_URL + "/sales-post-sig-transient?GLO=true"); driver.navigate().to(APP_SERVER_BASE_URL + "/sales-post-sig-transient?GLO=true");
checkLoggedOut(APP_SERVER_BASE_URL + "/sales-post-sig-transient/"); checkLoggedOut(APP_SERVER_BASE_URL + "/sales-post-sig-transient/", true);
} }
public void testPostSignedLoginLogoutPersistentNameID() { public void testPostSignedLoginLogoutPersistentNameID() {
driver.navigate().to(APP_SERVER_BASE_URL + "/sales-post-sig-persistent/"); driver.navigate().to(APP_SERVER_BASE_URL + "/sales-post-sig-persistent/");
assertEquals(driver.getCurrentUrl(), AUTH_SERVER_URL + "/realms/demo/protocol/saml"); assertAtLoginPagePostBinding();
loginPage.login("bburke", "password"); loginPage.login("bburke", "password");
assertEquals(driver.getCurrentUrl(), APP_SERVER_BASE_URL + "/sales-post-sig-persistent/"); assertEquals(driver.getCurrentUrl(), APP_SERVER_BASE_URL + "/sales-post-sig-persistent/");
System.out.println(driver.getPageSource()); System.out.println(driver.getPageSource());
Assert.assertFalse(driver.getPageSource().contains("bburke")); Assert.assertFalse(driver.getPageSource().contains("bburke"));
Assert.assertTrue(driver.getPageSource().contains("principal=G-")); Assert.assertTrue(driver.getPageSource().contains("principal=G-"));
driver.navigate().to(APP_SERVER_BASE_URL + "/sales-post-sig-persistent?GLO=true"); driver.navigate().to(APP_SERVER_BASE_URL + "/sales-post-sig-persistent?GLO=true");
checkLoggedOut(APP_SERVER_BASE_URL + "/sales-post-sig-persistent/"); checkLoggedOut(APP_SERVER_BASE_URL + "/sales-post-sig-persistent/", true);
} }
public void testPostSignedLoginLogoutEmailNameID() { public void testPostSignedLoginLogoutEmailNameID() {
driver.navigate().to(APP_SERVER_BASE_URL + "/sales-post-sig-email/"); driver.navigate().to(APP_SERVER_BASE_URL + "/sales-post-sig-email/");
assertEquals(driver.getCurrentUrl(), AUTH_SERVER_URL + "/realms/demo/protocol/saml"); assertAtLoginPagePostBinding();
loginPage.login("bburke", "password"); loginPage.login("bburke", "password");
assertEquals(driver.getCurrentUrl(), APP_SERVER_BASE_URL + "/sales-post-sig-email/"); assertEquals(driver.getCurrentUrl(), APP_SERVER_BASE_URL + "/sales-post-sig-email/");
System.out.println(driver.getPageSource()); System.out.println(driver.getPageSource());
Assert.assertTrue(driver.getPageSource().contains("principal=bburke@redhat.com")); Assert.assertTrue(driver.getPageSource().contains("principal=bburke@redhat.com"));
driver.navigate().to(APP_SERVER_BASE_URL + "/sales-post-sig-email?GLO=true"); driver.navigate().to(APP_SERVER_BASE_URL + "/sales-post-sig-email?GLO=true");
checkLoggedOut(APP_SERVER_BASE_URL + "/sales-post-sig-email/"); checkLoggedOut(APP_SERVER_BASE_URL + "/sales-post-sig-email/", true);
} }
@ -281,7 +293,7 @@ public class SamlAdapterTestStrategy extends ExternalResource {
// at the relay state // at the relay state
SamlSPFacade.samlResponse = null; SamlSPFacade.samlResponse = null;
driver.navigate().to(APP_SERVER_BASE_URL + "/employee/"); driver.navigate().to(APP_SERVER_BASE_URL + "/employee/");
Assert.assertTrue(driver.getCurrentUrl().startsWith(AUTH_SERVER_URL + "/realms/demo/protocol/saml")); assertAtLoginPageRedirectBinding();
System.out.println(driver.getCurrentUrl()); System.out.println(driver.getCurrentUrl());
loginPage.login("bburke", "password"); loginPage.login("bburke", "password");
assertEquals(driver.getCurrentUrl(), APP_SERVER_BASE_URL + "/employee/"); assertEquals(driver.getCurrentUrl(), APP_SERVER_BASE_URL + "/employee/");
@ -304,7 +316,7 @@ public class SamlAdapterTestStrategy extends ExternalResource {
SendUsernameServlet.sentPrincipal = null; SendUsernameServlet.sentPrincipal = null;
SendUsernameServlet.checkRoles = null; SendUsernameServlet.checkRoles = null;
driver.navigate().to(APP_SERVER_BASE_URL + "/employee2/"); driver.navigate().to(APP_SERVER_BASE_URL + "/employee2/");
Assert.assertTrue(driver.getCurrentUrl().startsWith(AUTH_SERVER_URL + "/realms/demo/protocol/saml")); assertAtLoginPagePostBinding();
List<String> requiredRoles = new LinkedList<>(); List<String> requiredRoles = new LinkedList<>();
requiredRoles.add("manager"); requiredRoles.add("manager");
requiredRoles.add("user"); requiredRoles.add("user");
@ -322,14 +334,14 @@ public class SamlAdapterTestStrategy extends ExternalResource {
Set<String> groupSet = new HashSet<>(); Set<String> groupSet = new HashSet<>();
assertEquals("level2@redhat.com", principal.getFriendlyAttribute("email")); assertEquals("level2@redhat.com", principal.getFriendlyAttribute("email"));
driver.navigate().to(APP_SERVER_BASE_URL + "/employee2/?GLO=true"); driver.navigate().to(APP_SERVER_BASE_URL + "/employee2/?GLO=true");
checkLoggedOut(APP_SERVER_BASE_URL + "/employee2/"); checkLoggedOut(APP_SERVER_BASE_URL + "/employee2/", true);
} }
{ {
SendUsernameServlet.sentPrincipal = null; SendUsernameServlet.sentPrincipal = null;
SendUsernameServlet.checkRoles = null; SendUsernameServlet.checkRoles = null;
driver.navigate().to(APP_SERVER_BASE_URL + "/employee2/"); driver.navigate().to(APP_SERVER_BASE_URL + "/employee2/");
Assert.assertTrue(driver.getCurrentUrl().startsWith(AUTH_SERVER_URL + "/realms/demo/protocol/saml")); assertAtLoginPagePostBinding();
List<String> requiredRoles = new LinkedList<>(); List<String> requiredRoles = new LinkedList<>();
requiredRoles.add("manager"); requiredRoles.add("manager");
requiredRoles.add("employee"); requiredRoles.add("employee");
@ -345,7 +357,7 @@ public class SamlAdapterTestStrategy extends ExternalResource {
assertEquals("617", principal.getAttribute("phone")); assertEquals("617", principal.getAttribute("phone"));
Assert.assertNull(principal.getFriendlyAttribute("phone")); Assert.assertNull(principal.getFriendlyAttribute("phone"));
driver.navigate().to(APP_SERVER_BASE_URL + "/employee2/?GLO=true"); driver.navigate().to(APP_SERVER_BASE_URL + "/employee2/?GLO=true");
checkLoggedOut(APP_SERVER_BASE_URL + "/employee2/"); checkLoggedOut(APP_SERVER_BASE_URL + "/employee2/", true);
} }
keycloakRule.update(new KeycloakRule.KeycloakSetup() { keycloakRule.update(new KeycloakRule.KeycloakSetup() {
@ -374,7 +386,7 @@ public class SamlAdapterTestStrategy extends ExternalResource {
SendUsernameServlet.sentPrincipal = null; SendUsernameServlet.sentPrincipal = null;
SendUsernameServlet.checkRoles = null; SendUsernameServlet.checkRoles = null;
driver.navigate().to(APP_SERVER_BASE_URL + "/employee2/"); driver.navigate().to(APP_SERVER_BASE_URL + "/employee2/");
Assert.assertTrue(driver.getCurrentUrl().startsWith(AUTH_SERVER_URL + "/realms/demo/protocol/saml")); assertAtLoginPagePostBinding();
List<String> requiredRoles = new LinkedList<>(); List<String> requiredRoles = new LinkedList<>();
requiredRoles.add("el-jefe"); requiredRoles.add("el-jefe");
requiredRoles.add("user"); requiredRoles.add("user");
@ -394,23 +406,23 @@ public class SamlAdapterTestStrategy extends ExternalResource {
public void testRedirectSignedLoginLogout() { public void testRedirectSignedLoginLogout() {
driver.navigate().to(APP_SERVER_BASE_URL + "/employee-sig/"); driver.navigate().to(APP_SERVER_BASE_URL + "/employee-sig/");
Assert.assertTrue(driver.getCurrentUrl().startsWith(AUTH_SERVER_URL + "/realms/demo/protocol/saml")); assertAtLoginPageRedirectBinding();
loginPage.login("bburke", "password"); loginPage.login("bburke", "password");
assertEquals(driver.getCurrentUrl(), APP_SERVER_BASE_URL + "/employee-sig/"); assertEquals(driver.getCurrentUrl(), APP_SERVER_BASE_URL + "/employee-sig/");
Assert.assertTrue(driver.getPageSource().contains("bburke")); Assert.assertTrue(driver.getPageSource().contains("bburke"));
driver.navigate().to(APP_SERVER_BASE_URL + "/employee-sig?GLO=true"); driver.navigate().to(APP_SERVER_BASE_URL + "/employee-sig?GLO=true");
checkLoggedOut(APP_SERVER_BASE_URL + "/employee-sig/"); checkLoggedOut(APP_SERVER_BASE_URL + "/employee-sig/", false);
} }
public void testRedirectSignedLoginLogoutFrontNoSSO() { public void testRedirectSignedLoginLogoutFrontNoSSO() {
driver.navigate().to(APP_SERVER_BASE_URL + "/employee-sig-front/"); driver.navigate().to(APP_SERVER_BASE_URL + "/employee-sig-front/");
Assert.assertTrue(driver.getCurrentUrl().startsWith(AUTH_SERVER_URL + "/realms/demo/protocol/saml")); assertAtLoginPageRedirectBinding();
loginPage.login("bburke", "password"); loginPage.login("bburke", "password");
assertEquals(driver.getCurrentUrl(), APP_SERVER_BASE_URL + "/employee-sig-front/"); assertEquals(driver.getCurrentUrl(), APP_SERVER_BASE_URL + "/employee-sig-front/");
Assert.assertTrue(driver.getPageSource().contains("bburke")); Assert.assertTrue(driver.getPageSource().contains("bburke"));
driver.navigate().to(APP_SERVER_BASE_URL + "/employee-sig-front?GLO=true"); driver.navigate().to(APP_SERVER_BASE_URL + "/employee-sig-front?GLO=true");
checkLoggedOut(APP_SERVER_BASE_URL + "/employee-sig-front/"); checkLoggedOut(APP_SERVER_BASE_URL + "/employee-sig-front/", false);
} }
@ -418,7 +430,7 @@ public class SamlAdapterTestStrategy extends ExternalResource {
// visit 1st app an logg in // visit 1st app an logg in
System.out.println("visit 1st app "); System.out.println("visit 1st app ");
driver.navigate().to(APP_SERVER_BASE_URL + "/employee-sig/"); driver.navigate().to(APP_SERVER_BASE_URL + "/employee-sig/");
Assert.assertTrue(driver.getCurrentUrl().startsWith(AUTH_SERVER_URL + "/realms/demo/protocol/saml")); assertAtLoginPageRedirectBinding();
System.out.println("login to form"); System.out.println("login to form");
loginPage.login("bburke", "password"); loginPage.login("bburke", "password");
assertEquals(driver.getCurrentUrl(), APP_SERVER_BASE_URL + "/employee-sig/"); assertEquals(driver.getCurrentUrl(), APP_SERVER_BASE_URL + "/employee-sig/");
@ -439,28 +451,29 @@ public class SamlAdapterTestStrategy extends ExternalResource {
// logout of first app // logout of first app
System.out.println("GLO"); System.out.println("GLO");
driver.navigate().to(APP_SERVER_BASE_URL + "/employee-sig?GLO=true"); driver.navigate().to(APP_SERVER_BASE_URL + "/employee-sig?GLO=true");
checkLoggedOut(APP_SERVER_BASE_URL + "/employee-sig/"); checkLoggedOut(APP_SERVER_BASE_URL + "/employee-sig/", false);
driver.navigate().to(APP_SERVER_BASE_URL + "/employee-sig-front/"); driver.navigate().to(APP_SERVER_BASE_URL + "/employee-sig-front/");
String currentUrl = driver.getCurrentUrl(); String currentUrl = driver.getCurrentUrl();
Assert.assertTrue(currentUrl.startsWith(AUTH_SERVER_URL + "/realms/demo/protocol/saml")); Assert.assertTrue(currentUrl.startsWith(AUTH_SERVER_URL + "/realms/demo/protocol/saml"));
driver.navigate().to(APP_SERVER_BASE_URL + "/sales-post-sig/"); driver.navigate().to(APP_SERVER_BASE_URL + "/sales-post-sig/");
Assert.assertTrue(driver.getCurrentUrl().startsWith(AUTH_SERVER_URL + "/realms/demo/protocol/saml")); assertAtLoginPagePostBinding();
} }
public void testPostEncryptedLoginLogout() { public void testPostEncryptedLoginLogout() {
driver.navigate().to(APP_SERVER_BASE_URL + "/sales-post-enc/"); driver.navigate().to(APP_SERVER_BASE_URL + "/sales-post-enc/");
assertEquals(driver.getCurrentUrl(), AUTH_SERVER_URL + "/realms/demo/protocol/saml"); assertAtLoginPagePostBinding();
loginPage.login("bburke", "password"); loginPage.login("bburke", "password");
assertEquals(driver.getCurrentUrl(), APP_SERVER_BASE_URL + "/sales-post-enc/"); assertEquals(driver.getCurrentUrl(), APP_SERVER_BASE_URL + "/sales-post-enc/");
Assert.assertTrue(driver.getPageSource().contains("bburke")); Assert.assertTrue(driver.getPageSource().contains("bburke"));
driver.navigate().to(APP_SERVER_BASE_URL + "/sales-post-enc?GLO=true"); driver.navigate().to(APP_SERVER_BASE_URL + "/sales-post-enc?GLO=true");
checkLoggedOut(APP_SERVER_BASE_URL + "/sales-post-enc/"); checkLoggedOut(APP_SERVER_BASE_URL + "/sales-post-enc/", true);
} }
public void testPostBadClientSignature() { public void testPostBadClientSignature() {
driver.navigate().to(APP_SERVER_BASE_URL + "/bad-client-sales-post-sig/"); driver.navigate().to(APP_SERVER_BASE_URL + "/bad-client-sales-post-sig/");
assertEquals(driver.getCurrentUrl(), AUTH_SERVER_URL + "/realms/demo/protocol/saml"); System.out.println(driver.getCurrentUrl());
Assert.assertTrue(driver.getCurrentUrl().startsWith(AUTH_SERVER_URL + "/realms/demo/protocol/saml"));
assertEquals(driver.getTitle(), "We're sorry..."); assertEquals(driver.getTitle(), "We're sorry...");
} }
@ -471,7 +484,7 @@ public class SamlAdapterTestStrategy extends ExternalResource {
public void testPostBadRealmSignature() { public void testPostBadRealmSignature() {
ErrorServlet.authError = null; ErrorServlet.authError = null;
driver.navigate().to(APP_SERVER_BASE_URL + "/bad-realm-sales-post-sig/"); driver.navigate().to(APP_SERVER_BASE_URL + "/bad-realm-sales-post-sig/");
assertEquals(driver.getCurrentUrl(), AUTH_SERVER_URL + "/realms/demo/protocol/saml"); assertAtLoginPagePostBinding();
loginPage.login("bburke", "password"); loginPage.login("bburke", "password");
assertEquals(driver.getCurrentUrl(), APP_SERVER_BASE_URL + "/bad-realm-sales-post-sig/"); assertEquals(driver.getCurrentUrl(), APP_SERVER_BASE_URL + "/bad-realm-sales-post-sig/");
System.out.println(driver.getPageSource()); System.out.println(driver.getPageSource());
@ -484,13 +497,13 @@ public class SamlAdapterTestStrategy extends ExternalResource {
public void testMetadataPostSignedLoginLogout() throws Exception { public void testMetadataPostSignedLoginLogout() throws Exception {
driver.navigate().to(APP_SERVER_BASE_URL + "/sales-metadata/"); driver.navigate().to(APP_SERVER_BASE_URL + "/sales-metadata/");
assertEquals(driver.getCurrentUrl(), AUTH_SERVER_URL + "/realms/demo/protocol/saml"); assertAtLoginPagePostBinding();
loginPage.login("bburke", "password"); loginPage.login("bburke", "password");
assertEquals(driver.getCurrentUrl(), APP_SERVER_BASE_URL + "/sales-metadata/"); assertEquals(driver.getCurrentUrl(), APP_SERVER_BASE_URL + "/sales-metadata/");
String pageSource = driver.getPageSource(); String pageSource = driver.getPageSource();
Assert.assertTrue(pageSource.contains("bburke")); Assert.assertTrue(pageSource.contains("bburke"));
driver.navigate().to(APP_SERVER_BASE_URL + "/sales-metadata?GLO=true"); driver.navigate().to(APP_SERVER_BASE_URL + "/sales-metadata?GLO=true");
checkLoggedOut(APP_SERVER_BASE_URL + "/sales-metadata/"); checkLoggedOut(APP_SERVER_BASE_URL + "/sales-metadata/", true);
} }

View file

@ -47,13 +47,13 @@ import static org.junit.Assert.assertEquals;
* @author <a href="mailto:bill@burkecentral.com">Bill Burke</a> * @author <a href="mailto:bill@burkecentral.com">Bill Burke</a>
* @version $Revision: 1 $ * @version $Revision: 1 $
*/ */
public class SamlBindingTest { public class SamlPicketlinkSPTest {
@ClassRule @ClassRule
public static SamlKeycloakRule keycloakRule = new SamlKeycloakRule() { public static SamlKeycloakRule keycloakRule = new SamlKeycloakRule() {
@Override @Override
public void initWars() { public void initWars() {
ClassLoader classLoader = SamlBindingTest.class.getClassLoader(); ClassLoader classLoader = SamlPicketlinkSPTest.class.getClassLoader();
initializeSamlSecuredWar("/saml/simple-post", "/sales-post", "post.war", classLoader); initializeSamlSecuredWar("/saml/simple-post", "/sales-post", "post.war", classLoader);
initializeSamlSecuredWar("/saml/signed-post", "/sales-post-sig", "post-sig.war", classLoader); initializeSamlSecuredWar("/saml/signed-post", "/sales-post-sig", "post-sig.war", classLoader);
@ -120,15 +120,27 @@ public class SamlBindingTest {
@WebResource @WebResource
protected LoginPage loginPage; protected LoginPage loginPage;
protected void checkLoggedOut(String mainUrl) { protected void checkLoggedOut(String mainUrl, boolean postBinding) {
String pageSource = driver.getPageSource(); String pageSource = driver.getPageSource();
System.out.println("*** logout pagesouce ***"); System.out.println("*** logout pagesouce ***");
System.out.println(pageSource); System.out.println(pageSource);
System.out.println("driver url: " + driver.getCurrentUrl()); System.out.println("driver url: " + driver.getCurrentUrl());
Assert.assertTrue(pageSource.contains("request-path: /logout.jsp")); Assert.assertTrue(pageSource.contains("request-path: /logout.jsp"));
driver.navigate().to(mainUrl); driver.navigate().to(mainUrl);
checkAtLoginPage(postBinding);
}
protected void checkAtLoginPage(boolean postBinding) {
if (postBinding) assertAtLoginPagePostBinding();
else assertAtLoginPageRedirectBinding();
}
protected void assertAtLoginPageRedirectBinding() {
Assert.assertTrue(driver.getCurrentUrl().startsWith("http://localhost:8081/auth/realms/demo/protocol/saml")); Assert.assertTrue(driver.getCurrentUrl().startsWith("http://localhost:8081/auth/realms/demo/protocol/saml"));
} }
protected void assertAtLoginPagePostBinding() {
Assert.assertTrue(driver.getCurrentUrl().startsWith("http://localhost:8081/auth/realms/demo/login-actions/authenticate"));
}
//@Test //@Test
public void ideTesting() throws Exception { public void ideTesting() throws Exception {
@ -138,13 +150,13 @@ public class SamlBindingTest {
@Test @Test
public void testPostSimpleLoginLogout() { public void testPostSimpleLoginLogout() {
driver.navigate().to("http://localhost:8081/sales-post/"); driver.navigate().to("http://localhost:8081/sales-post/");
Assert.assertEquals(driver.getCurrentUrl(), "http://localhost:8081/auth/realms/demo/protocol/saml"); assertAtLoginPagePostBinding();
loginPage.login("bburke", "password"); loginPage.login("bburke", "password");
Assert.assertEquals(driver.getCurrentUrl(), "http://localhost:8081/sales-post/"); Assert.assertEquals(driver.getCurrentUrl(), "http://localhost:8081/sales-post/");
System.out.println(driver.getPageSource()); System.out.println(driver.getPageSource());
Assert.assertTrue(driver.getPageSource().contains("bburke")); Assert.assertTrue(driver.getPageSource().contains("bburke"));
driver.navigate().to("http://localhost:8081/sales-post?GLO=true"); driver.navigate().to("http://localhost:8081/sales-post?GLO=true");
checkLoggedOut("http://localhost:8081/sales-post/"); checkLoggedOut("http://localhost:8081/sales-post/", true);
} }
@Test @Test
@ -155,57 +167,57 @@ public class SamlBindingTest {
System.out.println(driver.getPageSource()); System.out.println(driver.getPageSource());
Assert.assertTrue(driver.getPageSource().contains("bburke")); Assert.assertTrue(driver.getPageSource().contains("bburke"));
driver.navigate().to("http://localhost:8081/sales-post?GLO=true"); driver.navigate().to("http://localhost:8081/sales-post?GLO=true");
checkLoggedOut("http://localhost:8081/sales-post/"); checkLoggedOut("http://localhost:8081/sales-post/", true);
} }
@Test @Test
public void testPostSignedLoginLogout() { public void testPostSignedLoginLogout() {
driver.navigate().to("http://localhost:8081/sales-post-sig/"); driver.navigate().to("http://localhost:8081/sales-post-sig/");
Assert.assertEquals(driver.getCurrentUrl(), "http://localhost:8081/auth/realms/demo/protocol/saml"); assertAtLoginPagePostBinding();
loginPage.login("bburke", "password"); loginPage.login("bburke", "password");
Assert.assertEquals(driver.getCurrentUrl(), "http://localhost:8081/sales-post-sig/"); Assert.assertEquals(driver.getCurrentUrl(), "http://localhost:8081/sales-post-sig/");
Assert.assertTrue(driver.getPageSource().contains("bburke")); Assert.assertTrue(driver.getPageSource().contains("bburke"));
driver.navigate().to("http://localhost:8081/sales-post-sig?GLO=true"); driver.navigate().to("http://localhost:8081/sales-post-sig?GLO=true");
checkLoggedOut("http://localhost:8081/sales-post-sig/"); checkLoggedOut("http://localhost:8081/sales-post-sig/", true);
} }
@Test @Test
public void testPostSignedLoginLogoutTransientNameID() { public void testPostSignedLoginLogoutTransientNameID() {
driver.navigate().to("http://localhost:8081/sales-post-sig-transient/"); driver.navigate().to("http://localhost:8081/sales-post-sig-transient/");
Assert.assertEquals(driver.getCurrentUrl(), "http://localhost:8081/auth/realms/demo/protocol/saml"); assertAtLoginPagePostBinding();
loginPage.login("bburke", "password"); loginPage.login("bburke", "password");
Assert.assertEquals(driver.getCurrentUrl(), "http://localhost:8081/sales-post-sig-transient/"); Assert.assertEquals(driver.getCurrentUrl(), "http://localhost:8081/sales-post-sig-transient/");
System.out.println(driver.getPageSource()); System.out.println(driver.getPageSource());
Assert.assertFalse(driver.getPageSource().contains("bburke")); Assert.assertFalse(driver.getPageSource().contains("bburke"));
Assert.assertTrue(driver.getPageSource().contains("principal=G-")); Assert.assertTrue(driver.getPageSource().contains("principal=G-"));
driver.navigate().to("http://localhost:8081/sales-post-sig-transient?GLO=true"); driver.navigate().to("http://localhost:8081/sales-post-sig-transient?GLO=true");
checkLoggedOut("http://localhost:8081/sales-post-sig-transient/"); checkLoggedOut("http://localhost:8081/sales-post-sig-transient/", true);
} }
@Test @Test
public void testPostSignedLoginLogoutPersistentNameID() { public void testPostSignedLoginLogoutPersistentNameID() {
driver.navigate().to("http://localhost:8081/sales-post-sig-persistent/"); driver.navigate().to("http://localhost:8081/sales-post-sig-persistent/");
Assert.assertEquals(driver.getCurrentUrl(), "http://localhost:8081/auth/realms/demo/protocol/saml"); assertAtLoginPagePostBinding();
loginPage.login("bburke", "password"); loginPage.login("bburke", "password");
Assert.assertEquals(driver.getCurrentUrl(), "http://localhost:8081/sales-post-sig-persistent/"); Assert.assertEquals(driver.getCurrentUrl(), "http://localhost:8081/sales-post-sig-persistent/");
System.out.println(driver.getPageSource()); System.out.println(driver.getPageSource());
Assert.assertFalse(driver.getPageSource().contains("bburke")); Assert.assertFalse(driver.getPageSource().contains("bburke"));
Assert.assertTrue(driver.getPageSource().contains("principal=G-")); Assert.assertTrue(driver.getPageSource().contains("principal=G-"));
driver.navigate().to("http://localhost:8081/sales-post-sig-persistent?GLO=true"); driver.navigate().to("http://localhost:8081/sales-post-sig-persistent?GLO=true");
checkLoggedOut("http://localhost:8081/sales-post-sig-persistent/"); checkLoggedOut("http://localhost:8081/sales-post-sig-persistent/", true);
} }
@Test @Test
public void testPostSignedLoginLogoutEmailNameID() { public void testPostSignedLoginLogoutEmailNameID() {
driver.navigate().to("http://localhost:8081/sales-post-sig-email/"); driver.navigate().to("http://localhost:8081/sales-post-sig-email/");
Assert.assertEquals(driver.getCurrentUrl(), "http://localhost:8081/auth/realms/demo/protocol/saml"); assertAtLoginPagePostBinding();
loginPage.login("bburke", "password"); loginPage.login("bburke", "password");
Assert.assertEquals(driver.getCurrentUrl(), "http://localhost:8081/sales-post-sig-email/"); Assert.assertEquals(driver.getCurrentUrl(), "http://localhost:8081/sales-post-sig-email/");
System.out.println(driver.getPageSource()); System.out.println(driver.getPageSource());
Assert.assertTrue(driver.getPageSource().contains("principal=bburke@redhat.com")); Assert.assertTrue(driver.getPageSource().contains("principal=bburke@redhat.com"));
driver.navigate().to("http://localhost:8081/sales-post-sig-email?GLO=true"); driver.navigate().to("http://localhost:8081/sales-post-sig-email?GLO=true");
checkLoggedOut("http://localhost:8081/sales-post-sig-email/"); checkLoggedOut("http://localhost:8081/sales-post-sig-email/", true);
} }
@ -215,7 +227,7 @@ public class SamlBindingTest {
// at the relay state // at the relay state
SamlSPFacade.samlResponse = null; SamlSPFacade.samlResponse = null;
driver.navigate().to("http://localhost:8081/employee/"); driver.navigate().to("http://localhost:8081/employee/");
Assert.assertTrue(driver.getCurrentUrl().startsWith("http://localhost:8081/auth/realms/demo/protocol/saml")); assertAtLoginPageRedirectBinding();
System.out.println(driver.getCurrentUrl()); System.out.println(driver.getCurrentUrl());
loginPage.login("bburke", "password"); loginPage.login("bburke", "password");
Assert.assertEquals(driver.getCurrentUrl(), "http://localhost:8081/employee/"); Assert.assertEquals(driver.getCurrentUrl(), "http://localhost:8081/employee/");
@ -234,7 +246,7 @@ public class SamlBindingTest {
{ {
SamlSPFacade.samlResponse = null; SamlSPFacade.samlResponse = null;
driver.navigate().to("http://localhost:8081/employee/"); driver.navigate().to("http://localhost:8081/employee/");
Assert.assertTrue(driver.getCurrentUrl().startsWith("http://localhost:8081/auth/realms/demo/protocol/saml")); assertAtLoginPageRedirectBinding();
System.out.println(driver.getCurrentUrl()); System.out.println(driver.getCurrentUrl());
loginPage.login("bburke", "password"); loginPage.login("bburke", "password");
Assert.assertEquals(driver.getCurrentUrl(), "http://localhost:8081/employee/"); Assert.assertEquals(driver.getCurrentUrl(), "http://localhost:8081/employee/");
@ -351,24 +363,24 @@ public class SamlBindingTest {
@Test @Test
public void testRedirectSignedLoginLogout() { public void testRedirectSignedLoginLogout() {
driver.navigate().to("http://localhost:8081/employee-sig/"); driver.navigate().to("http://localhost:8081/employee-sig/");
Assert.assertTrue(driver.getCurrentUrl().startsWith("http://localhost:8081/auth/realms/demo/protocol/saml")); assertAtLoginPageRedirectBinding();
loginPage.login("bburke", "password"); loginPage.login("bburke", "password");
Assert.assertEquals(driver.getCurrentUrl(), "http://localhost:8081/employee-sig/"); Assert.assertEquals(driver.getCurrentUrl(), "http://localhost:8081/employee-sig/");
Assert.assertTrue(driver.getPageSource().contains("bburke")); Assert.assertTrue(driver.getPageSource().contains("bburke"));
driver.navigate().to("http://localhost:8081/employee-sig?GLO=true"); driver.navigate().to("http://localhost:8081/employee-sig?GLO=true");
checkLoggedOut("http://localhost:8081/employee-sig/"); checkLoggedOut("http://localhost:8081/employee-sig/", false);
} }
@Test @Test
public void testRedirectSignedLoginLogoutFrontNoSSO() { public void testRedirectSignedLoginLogoutFrontNoSSO() {
driver.navigate().to("http://localhost:8081/employee-sig-front/"); driver.navigate().to("http://localhost:8081/employee-sig-front/");
Assert.assertTrue(driver.getCurrentUrl().startsWith("http://localhost:8081/auth/realms/demo/protocol/saml")); assertAtLoginPageRedirectBinding();
loginPage.login("bburke", "password"); loginPage.login("bburke", "password");
Assert.assertEquals(driver.getCurrentUrl(), "http://localhost:8081/employee-sig-front/"); Assert.assertEquals(driver.getCurrentUrl(), "http://localhost:8081/employee-sig-front/");
Assert.assertTrue(driver.getPageSource().contains("bburke")); Assert.assertTrue(driver.getPageSource().contains("bburke"));
driver.navigate().to("http://localhost:8081/employee-sig-front?GLO=true"); driver.navigate().to("http://localhost:8081/employee-sig-front?GLO=true");
checkLoggedOut("http://localhost:8081/employee-sig-front/"); checkLoggedOut("http://localhost:8081/employee-sig-front/", false);
} }
@ -377,7 +389,7 @@ public class SamlBindingTest {
// visit 1st app an logg in // visit 1st app an logg in
System.out.println("visit 1st app "); System.out.println("visit 1st app ");
driver.navigate().to("http://localhost:8081/employee-sig/"); driver.navigate().to("http://localhost:8081/employee-sig/");
Assert.assertTrue(driver.getCurrentUrl().startsWith("http://localhost:8081/auth/realms/demo/protocol/saml")); assertAtLoginPageRedirectBinding();
System.out.println("login to form"); System.out.println("login to form");
loginPage.login("bburke", "password"); loginPage.login("bburke", "password");
Assert.assertEquals(driver.getCurrentUrl(), "http://localhost:8081/employee-sig/"); Assert.assertEquals(driver.getCurrentUrl(), "http://localhost:8081/employee-sig/");
@ -398,23 +410,23 @@ public class SamlBindingTest {
// logout of first app // logout of first app
System.out.println("GLO"); System.out.println("GLO");
driver.navigate().to("http://localhost:8081/employee-sig?GLO=true"); driver.navigate().to("http://localhost:8081/employee-sig?GLO=true");
checkLoggedOut("http://localhost:8081/employee-sig/"); checkLoggedOut("http://localhost:8081/employee-sig/", false);
driver.navigate().to("http://localhost:8081/employee-sig-front/"); driver.navigate().to("http://localhost:8081/employee-sig-front/");
Assert.assertTrue(driver.getCurrentUrl().startsWith("http://localhost:8081/auth/realms/demo/protocol/saml")); assertAtLoginPageRedirectBinding();
driver.navigate().to("http://localhost:8081/sales-post-sig/"); driver.navigate().to("http://localhost:8081/sales-post-sig/");
Assert.assertTrue(driver.getCurrentUrl().startsWith("http://localhost:8081/auth/realms/demo/protocol/saml")); assertAtLoginPagePostBinding();
} }
@Test @Test
public void testPostEncryptedLoginLogout() { public void testPostEncryptedLoginLogout() {
driver.navigate().to("http://localhost:8081/sales-post-enc/"); driver.navigate().to("http://localhost:8081/sales-post-enc/");
Assert.assertEquals(driver.getCurrentUrl(), "http://localhost:8081/auth/realms/demo/protocol/saml"); assertAtLoginPagePostBinding();
loginPage.login("bburke", "password"); loginPage.login("bburke", "password");
Assert.assertEquals(driver.getCurrentUrl(), "http://localhost:8081/sales-post-enc/"); Assert.assertEquals(driver.getCurrentUrl(), "http://localhost:8081/sales-post-enc/");
Assert.assertTrue(driver.getPageSource().contains("bburke")); Assert.assertTrue(driver.getPageSource().contains("bburke"));
driver.navigate().to("http://localhost:8081/sales-post-enc?GLO=true"); driver.navigate().to("http://localhost:8081/sales-post-enc?GLO=true");
checkLoggedOut("http://localhost:8081/sales-post-enc/"); checkLoggedOut("http://localhost:8081/sales-post-enc/", true);
} }
@Test @Test
@ -428,7 +440,7 @@ public class SamlBindingTest {
@Test @Test
public void testPostBadRealmSignature() { public void testPostBadRealmSignature() {
driver.navigate().to("http://localhost:8081/bad-realm-sales-post-sig/"); driver.navigate().to("http://localhost:8081/bad-realm-sales-post-sig/");
Assert.assertEquals(driver.getCurrentUrl(), "http://localhost:8081/auth/realms/demo/protocol/saml"); assertAtLoginPagePostBinding();
loginPage.login("bburke", "password"); loginPage.login("bburke", "password");
Assert.assertEquals(driver.getCurrentUrl(), "http://localhost:8081/bad-realm-sales-post-sig/"); Assert.assertEquals(driver.getCurrentUrl(), "http://localhost:8081/bad-realm-sales-post-sig/");
Assert.assertTrue(driver.getPageSource().contains("null")); Assert.assertTrue(driver.getPageSource().contains("null"));
@ -445,13 +457,13 @@ public class SamlBindingTest {
public void testMetadataPostSignedLoginLogout() throws Exception { public void testMetadataPostSignedLoginLogout() throws Exception {
driver.navigate().to("http://localhost:8081/sales-metadata/"); driver.navigate().to("http://localhost:8081/sales-metadata/");
Assert.assertEquals(driver.getCurrentUrl(), "http://localhost:8081/auth/realms/demo/protocol/saml"); assertAtLoginPagePostBinding();
loginPage.login("bburke", "password"); loginPage.login("bburke", "password");
Assert.assertEquals(driver.getCurrentUrl(), "http://localhost:8081/sales-metadata/"); Assert.assertEquals(driver.getCurrentUrl(), "http://localhost:8081/sales-metadata/");
String pageSource = driver.getPageSource(); String pageSource = driver.getPageSource();
Assert.assertTrue(pageSource.contains("bburke")); Assert.assertTrue(pageSource.contains("bburke"));
driver.navigate().to("http://localhost:8081/sales-metadata?GLO=true"); driver.navigate().to("http://localhost:8081/sales-metadata?GLO=true");
checkLoggedOut("http://localhost:8081/sales-metadata/"); checkLoggedOut("http://localhost:8081/sales-metadata/", true);
} }
@ -462,7 +474,7 @@ public class SamlBindingTest {
admin.toRepresentation(); admin.toRepresentation();
ClientRepresentation clientRep = admin.convertClientDescription(IOUtils.toString(SamlBindingTest.class.getResourceAsStream("/saml/sp-metadata.xml"))); ClientRepresentation clientRep = admin.convertClientDescription(IOUtils.toString(SamlPicketlinkSPTest.class.getResourceAsStream("/saml/sp-metadata.xml")));
Response response = admin.clients().create(clientRep); Response response = admin.clients().create(clientRep);
assertEquals(201, response.getStatus()); assertEquals(201, response.getStatus());