keycloak-uncached
Changes
integration/undertow/src/main/java/org/keycloak/adapters/undertow/ServletKeycloakAuthMech.java 38(+7 -31)
integration/undertow/src/main/java/org/keycloak/adapters/undertow/ServletRequestAuthenticator.java 12(+9 -3)
integration/undertow/src/main/java/org/keycloak/adapters/undertow/UndertowAuthenticatedActionsHandler.java 3(+2 -1)
Details
diff --git a/integration/undertow/src/main/java/org/keycloak/adapters/undertow/ServletKeycloakAuthMech.java b/integration/undertow/src/main/java/org/keycloak/adapters/undertow/ServletKeycloakAuthMech.java
index 26a735f..0923d2e 100755
--- a/integration/undertow/src/main/java/org/keycloak/adapters/undertow/ServletKeycloakAuthMech.java
+++ b/integration/undertow/src/main/java/org/keycloak/adapters/undertow/ServletKeycloakAuthMech.java
@@ -1,21 +1,18 @@
package org.keycloak.adapters.undertow;
-import io.undertow.security.api.AuthenticationMechanism;
import io.undertow.security.api.SecurityContext;
import io.undertow.server.HttpServerExchange;
import io.undertow.servlet.api.ConfidentialPortManager;
-import io.undertow.util.AttachmentKey;
import org.keycloak.adapters.AdapterDeploymentContext;
-import org.keycloak.adapters.AuthChallenge;
-import org.keycloak.adapters.AuthOutcome;
import org.keycloak.adapters.KeycloakDeployment;
+import org.keycloak.adapters.RequestAuthenticator;
/**
* @author <a href="mailto:bill@burkecentral.com">Bill Burke</a>
+ * @author Stan Silvert ssilvert@redhat.com (C) 2014 Red Hat Inc.
* @version $Revision: 1 $
*/
-public class ServletKeycloakAuthMech implements AuthenticationMechanism {
- public static final AttachmentKey<AuthChallenge> KEYCLOAK_CHALLENGE_ATTACHMENT_KEY = AttachmentKey.create(AuthChallenge.class);
+public class ServletKeycloakAuthMech extends UndertowKeycloakAuthMech {
protected AdapterDeploymentContext deploymentContext;
protected UndertowUserSessionManagement userSessionManagement;
@@ -34,23 +31,13 @@ public class ServletKeycloakAuthMech implements AuthenticationMechanism {
if (!deployment.isConfigured()) {
return AuthenticationMechanismOutcome.NOT_ATTEMPTED;
}
- ServletRequestAuthenticator authenticator = createRequestAuthenticator(deployment, exchange, securityContext, facade);
- AuthOutcome outcome = authenticator.authenticate();
- if (outcome == AuthOutcome.AUTHENTICATED) {
- return AuthenticationMechanismOutcome.AUTHENTICATED;
- }
- AuthChallenge challenge = authenticator.getChallenge();
- if (challenge != null) {
- exchange.putAttachment(KEYCLOAK_CHALLENGE_ATTACHMENT_KEY, challenge);
- }
- if (outcome == AuthOutcome.FAILED) {
- return AuthenticationMechanismOutcome.NOT_AUTHENTICATED;
- }
- return AuthenticationMechanismOutcome.NOT_ATTEMPTED;
+ RequestAuthenticator authenticator = createRequestAuthenticator(deployment, exchange, securityContext, facade);
+
+ return super.keycloakAuthenticate(exchange, authenticator);
}
- protected ServletRequestAuthenticator createRequestAuthenticator(KeycloakDeployment deployment, HttpServerExchange exchange, SecurityContext securityContext, UndertowHttpFacade facade) {
+ protected RequestAuthenticator createRequestAuthenticator(KeycloakDeployment deployment, HttpServerExchange exchange, SecurityContext securityContext, UndertowHttpFacade facade) {
int confidentialPort = getConfidentilPort(exchange);
return new ServletRequestAuthenticator(facade, deployment,
@@ -67,15 +54,4 @@ public class ServletKeycloakAuthMech implements AuthenticationMechanism {
return confidentialPort;
}
- @Override
- public ChallengeResult sendChallenge(HttpServerExchange exchange, SecurityContext securityContext) {
- AuthChallenge challenge = exchange.getAttachment(KEYCLOAK_CHALLENGE_ATTACHMENT_KEY);
- if (challenge != null) {
- UndertowHttpFacade facade = new UndertowHttpFacade(exchange);
- if (challenge.challenge(facade)) {
- return new ChallengeResult(true, exchange.getResponseCode());
- }
- }
- return new ChallengeResult(false);
- }
}
diff --git a/integration/undertow/src/main/java/org/keycloak/adapters/undertow/ServletRequestAuthenticator.java b/integration/undertow/src/main/java/org/keycloak/adapters/undertow/ServletRequestAuthenticator.java
index 139683a..546e126 100755
--- a/integration/undertow/src/main/java/org/keycloak/adapters/undertow/ServletRequestAuthenticator.java
+++ b/integration/undertow/src/main/java/org/keycloak/adapters/undertow/ServletRequestAuthenticator.java
@@ -10,20 +10,21 @@ import org.keycloak.adapters.KeycloakDeployment;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
+import org.keycloak.KeycloakPrincipal;
+import org.keycloak.adapters.RefreshableKeycloakSecurityContext;
/**
* @author <a href="mailto:bill@burkecentral.com">Bill Burke</a>
+ * @author Stan Silvert ssilvert@redhat.com (C) 2014 Red Hat Inc.
* @version $Revision: 1 $
*/
public class ServletRequestAuthenticator extends UndertowRequestAuthenticator {
- protected UndertowUserSessionManagement userSessionManagement;
public ServletRequestAuthenticator(HttpFacade facade, KeycloakDeployment deployment, int sslRedirectPort,
SecurityContext securityContext, HttpServerExchange exchange,
UndertowUserSessionManagement userSessionManagement) {
- super(facade, deployment, sslRedirectPort, securityContext, exchange);
- this.userSessionManagement = userSessionManagement;
+ super(facade, deployment, sslRedirectPort, securityContext, exchange, userSessionManagement);
}
@Override
@@ -69,4 +70,9 @@ public class ServletRequestAuthenticator extends UndertowRequestAuthenticator {
userSessionManagement.login(servletRequestContext.getDeployment().getSessionManager(), session.getId(), account.getPrincipal().getName(), account.getKeycloakSecurityContext().getToken().getSessionState());
}
+
+ @Override
+ protected KeycloakUndertowAccount createAccount(KeycloakPrincipal principal, RefreshableKeycloakSecurityContext session) {
+ return new KeycloakUndertowAccount(principal, session, deployment);
+ }
}
diff --git a/integration/undertow/src/main/java/org/keycloak/adapters/undertow/UndertowAuthenticatedActionsHandler.java b/integration/undertow/src/main/java/org/keycloak/adapters/undertow/UndertowAuthenticatedActionsHandler.java
index 294daee..dbb7478 100755
--- a/integration/undertow/src/main/java/org/keycloak/adapters/undertow/UndertowAuthenticatedActionsHandler.java
+++ b/integration/undertow/src/main/java/org/keycloak/adapters/undertow/UndertowAuthenticatedActionsHandler.java
@@ -12,6 +12,7 @@ import org.keycloak.adapters.KeycloakDeployment;
* Bridge for authenticated Keycloak adapter actions
*
* @author <a href="mailto:bill@burkecentral.com">Bill Burke</a>
+ * @author Stan Silvert ssilvert@redhat.com (C) 2014 Red Hat Inc.
* @version $Revision: 1 $
*/
public class UndertowAuthenticatedActionsHandler implements HttpHandler {
@@ -33,7 +34,7 @@ public class UndertowAuthenticatedActionsHandler implements HttpHandler {
}
- protected UndertowAuthenticatedActionsHandler(AdapterDeploymentContext deploymentContext, HttpHandler next) {
+ public UndertowAuthenticatedActionsHandler(AdapterDeploymentContext deploymentContext, HttpHandler next) {
this.deploymentContext = deploymentContext;
this.next = next;
}
diff --git a/integration/undertow/src/main/java/org/keycloak/adapters/undertow/UndertowKeycloakAuthMech.java b/integration/undertow/src/main/java/org/keycloak/adapters/undertow/UndertowKeycloakAuthMech.java
new file mode 100644
index 0000000..00319c7
--- /dev/null
+++ b/integration/undertow/src/main/java/org/keycloak/adapters/undertow/UndertowKeycloakAuthMech.java
@@ -0,0 +1,52 @@
+package org.keycloak.adapters.undertow;
+
+import io.undertow.security.api.AuthenticationMechanism;
+import io.undertow.security.api.SecurityContext;
+import io.undertow.server.HttpServerExchange;
+import io.undertow.util.AttachmentKey;
+import org.keycloak.adapters.AuthChallenge;
+import org.keycloak.adapters.AuthOutcome;
+import org.keycloak.adapters.RequestAuthenticator;
+import static org.keycloak.adapters.undertow.ServletKeycloakAuthMech.KEYCLOAK_CHALLENGE_ATTACHMENT_KEY;
+
+/**
+ * Abstract base class for a Keycloak-enabled Undertow AuthenticationMechanism.
+ *
+ * @author Stan Silvert ssilvert@redhat.com (C) 2014 Red Hat Inc.
+ */
+public abstract class UndertowKeycloakAuthMech implements AuthenticationMechanism {
+ public static final AttachmentKey<AuthChallenge> KEYCLOAK_CHALLENGE_ATTACHMENT_KEY = AttachmentKey.create(AuthChallenge.class);
+
+ @Override
+ public ChallengeResult sendChallenge(HttpServerExchange exchange, SecurityContext securityContext) {
+ AuthChallenge challenge = exchange.getAttachment(KEYCLOAK_CHALLENGE_ATTACHMENT_KEY);
+ if (challenge != null) {
+ UndertowHttpFacade facade = new UndertowHttpFacade(exchange);
+ if (challenge.challenge(facade)) {
+ return new ChallengeResult(true, exchange.getResponseCode());
+ }
+ }
+ return new ChallengeResult(false);
+ }
+
+ /**
+ * Call this inside your authenticate method.
+ */
+ protected AuthenticationMechanismOutcome keycloakAuthenticate(HttpServerExchange exchange, RequestAuthenticator authenticator) {
+ AuthOutcome outcome = authenticator.authenticate();
+ if (outcome == AuthOutcome.AUTHENTICATED) {
+ return AuthenticationMechanismOutcome.AUTHENTICATED;
+ }
+ AuthChallenge challenge = authenticator.getChallenge();
+ if (challenge != null) {
+ exchange.putAttachment(KEYCLOAK_CHALLENGE_ATTACHMENT_KEY, challenge);
+ }
+
+ if (outcome == AuthOutcome.FAILED) {
+ return AuthenticationMechanismOutcome.NOT_AUTHENTICATED;
+ }
+
+ return AuthenticationMechanismOutcome.NOT_ATTEMPTED;
+ }
+
+}
\ No newline at end of file
diff --git a/integration/undertow/src/main/java/org/keycloak/adapters/undertow/UndertowRequestAuthenticator.java b/integration/undertow/src/main/java/org/keycloak/adapters/undertow/UndertowRequestAuthenticator.java
index cd5fdaa..c3b0ea4 100755
--- a/integration/undertow/src/main/java/org/keycloak/adapters/undertow/UndertowRequestAuthenticator.java
+++ b/integration/undertow/src/main/java/org/keycloak/adapters/undertow/UndertowRequestAuthenticator.java
@@ -2,6 +2,8 @@ package org.keycloak.adapters.undertow;
import io.undertow.security.api.SecurityContext;
import io.undertow.server.HttpServerExchange;
+import io.undertow.server.session.Session;
+import io.undertow.util.Sessions;
import org.keycloak.KeycloakPrincipal;
import org.keycloak.adapters.HttpFacade;
import org.keycloak.adapters.KeycloakAccount;
@@ -12,17 +14,22 @@ import org.keycloak.adapters.RequestAuthenticator;
/**
* @author <a href="mailto:bill@burkecentral.com">Bill Burke</a>
+ * @author Stan Silvert ssilvert@redhat.com (C) 2014 Red Hat Inc.
* @version $Revision: 1 $
*/
-public class UndertowRequestAuthenticator extends RequestAuthenticator {
+public abstract class UndertowRequestAuthenticator extends RequestAuthenticator {
protected SecurityContext securityContext;
protected HttpServerExchange exchange;
+ protected UndertowUserSessionManagement userSessionManagement;
- public UndertowRequestAuthenticator(HttpFacade facade, KeycloakDeployment deployment, int sslRedirectPort, SecurityContext securityContext, HttpServerExchange exchange) {
+ public UndertowRequestAuthenticator(HttpFacade facade, KeycloakDeployment deployment, int sslRedirectPort,
+ SecurityContext securityContext, HttpServerExchange exchange,
+ UndertowUserSessionManagement userSessionManagement) {
super(facade, deployment, sslRedirectPort);
this.securityContext = securityContext;
this.exchange = exchange;
+ this.userSessionManagement = userSessionManagement;
}
protected void propagateKeycloakContext(KeycloakUndertowAccount account) {
@@ -41,26 +48,55 @@ public class UndertowRequestAuthenticator extends RequestAuthenticator {
@Override
protected void completeOAuthAuthentication(KeycloakPrincipal principal, RefreshableKeycloakSecurityContext session) {
- KeycloakUndertowAccount account = new KeycloakUndertowAccount(principal, session, deployment);
+ KeycloakUndertowAccount account = createAccount(principal, session);
securityContext.authenticationComplete(account, "KEYCLOAK", false);
propagateKeycloakContext(account);
login(account);
}
protected void login(KeycloakAccount account) {
-
+ Session session = Sessions.getOrCreateSession(exchange);
+ session.setAttribute(KeycloakUndertowAccount.class.getName(), account);
+ String username = account.getPrincipal().getName();
+ String keycloakSessionId = account.getKeycloakSecurityContext().getToken().getSessionState();
+ userSessionManagement.login(session.getSessionManager(), session.getId(), username, keycloakSessionId);
}
@Override
protected void completeBearerAuthentication(KeycloakPrincipal principal, RefreshableKeycloakSecurityContext session) {
- KeycloakUndertowAccount account = new KeycloakUndertowAccount(principal, session, deployment);
+ KeycloakUndertowAccount account = createAccount(principal, session);
securityContext.authenticationComplete(account, "KEYCLOAK", false);
propagateKeycloakContext(account);
}
@Override
protected boolean isCached() {
+ Session session = Sessions.getSession(exchange);
+ if (session == null) {
+ log.info("session was null, returning null");
+ return false;
+ }
+ KeycloakUndertowAccount account = (KeycloakUndertowAccount)session.getAttribute(KeycloakUndertowAccount.class.getName());
+ if (account == null) {
+ log.info("Account was not in session, returning null");
+ return false;
+ }
+ account.setDeployment(deployment);
+ if (account.isActive()) {
+ log.info("Cached account found");
+ securityContext.authenticationComplete(account, "KEYCLOAK", false);
+ propagateKeycloakContext( account);
+ return true;
+ }
+ log.info("Account was not active, returning false");
+ session.removeAttribute(KeycloakUndertowAccount.class.getName());
return false;
}
+
+ /**
+ * Subclasses need to be able to create their own version of the KeycloakUndertowAccount
+ * @return The account
+ */
+ protected abstract KeycloakUndertowAccount createAccount(KeycloakPrincipal principal, RefreshableKeycloakSecurityContext session);
}