keycloak-uncached
Changes
adapters/oidc/wildfly/wildfly-subsystem/src/main/java/org/keycloak/subsystem/adapter/extension/KeycloakDependencyProcessorWildFly.java 2(+1 -1)
adapters/oidc/wildfly-elytron/src/main/java/org/keycloak/adapters/elytron/ElytronAccount.java 12(+3 -9)
adapters/oidc/wildfly-elytron/src/main/java/org/keycloak/adapters/elytron/ElytronCookieTokenStore.java 2(+1 -1)
adapters/oidc/wildfly-elytron/src/main/java/org/keycloak/adapters/elytron/ElytronHttpFacade.java 14(+14 -0)
adapters/oidc/wildfly-elytron/src/main/java/org/keycloak/adapters/elytron/ElytronSessionTokenStore.java 2(+1 -1)
adapters/oidc/wildfly-elytron/src/main/java/org/keycloak/adapters/elytron/KeycloakServletExtension.java 42(+42 -0)
adapters/oidc/wildfly-elytron/src/main/java/org/keycloak/adapters/elytron/ProtectedHttpServerExchange.java 42(+42 -0)
Details
diff --git a/adapters/oidc/wildfly/wildfly-subsystem/src/main/java/org/keycloak/subsystem/adapter/extension/KeycloakDependencyProcessorWildFly.java b/adapters/oidc/wildfly/wildfly-subsystem/src/main/java/org/keycloak/subsystem/adapter/extension/KeycloakDependencyProcessorWildFly.java
index c43aee0..07625d5 100755
--- a/adapters/oidc/wildfly/wildfly-subsystem/src/main/java/org/keycloak/subsystem/adapter/extension/KeycloakDependencyProcessorWildFly.java
+++ b/adapters/oidc/wildfly/wildfly-subsystem/src/main/java/org/keycloak/subsystem/adapter/extension/KeycloakDependencyProcessorWildFly.java
@@ -39,7 +39,7 @@ public class KeycloakDependencyProcessorWildFly extends KeycloakDependencyProces
@Override
protected void addPlatformSpecificModules(DeploymentPhaseContext phaseContext, ModuleSpecification moduleSpecification, ModuleLoader moduleLoader) {
if (isElytronEnabled(phaseContext)) {
- moduleSpecification.addSystemDependency(new ModuleDependency(moduleLoader, KEYCLOAK_ELYTRON_ADAPTER, true, false, false, false));
+ moduleSpecification.addSystemDependency(new ModuleDependency(moduleLoader, KEYCLOAK_ELYTRON_ADAPTER, true, false, true, false));
} else {
moduleSpecification.addSystemDependency(new ModuleDependency(moduleLoader, KEYCLOAK_WILDFLY_ADAPTER, false, false, true, false));
moduleSpecification.addSystemDependency(new ModuleDependency(moduleLoader, KEYCLOAK_UNDERTOW_ADAPTER, false, false, false, false));
diff --git a/adapters/oidc/wildfly-elytron/pom.xml b/adapters/oidc/wildfly-elytron/pom.xml
index ceb7f53..310d9f6 100755
--- a/adapters/oidc/wildfly-elytron/pom.xml
+++ b/adapters/oidc/wildfly-elytron/pom.xml
@@ -95,5 +95,10 @@
<artifactId>jboss-servlet-api_3.0_spec</artifactId>
<scope>provided</scope>
</dependency>
+ <dependency>
+ <groupId>io.undertow</groupId>
+ <artifactId>undertow-servlet</artifactId>
+ <scope>provided</scope>
+ </dependency>
</dependencies>
</project>
\ No newline at end of file
diff --git a/adapters/oidc/wildfly-elytron/src/main/java/org/keycloak/adapters/elytron/ElytronAccount.java b/adapters/oidc/wildfly-elytron/src/main/java/org/keycloak/adapters/elytron/ElytronAccount.java
index c8db009..d11f1a9 100644
--- a/adapters/oidc/wildfly-elytron/src/main/java/org/keycloak/adapters/elytron/ElytronAccount.java
+++ b/adapters/oidc/wildfly-elytron/src/main/java/org/keycloak/adapters/elytron/ElytronAccount.java
@@ -78,7 +78,7 @@ public class ElytronAccount implements OidcKeycloakAccount {
return false;
}
- boolean tryRefresh(CallbackHandler callbackHandler) {
+ boolean tryRefresh() {
log.debug("Trying to refresh");
RefreshableKeycloakSecurityContext securityContext = getKeycloakSecurityContext();
@@ -88,14 +88,8 @@ public class ElytronAccount implements OidcKeycloakAccount {
}
if (securityContext.refreshExpiredToken(false)) {
- SecurityIdentity securityIdentity = SecurityIdentityUtil.authorize(callbackHandler, principal);
-
- if (securityIdentity != null) {
- log.debug("refresh succeeded");
- return true;
- }
-
- return false;
+ log.debug("refresh succeeded");
+ return true;
}
return checkActive();
diff --git a/adapters/oidc/wildfly-elytron/src/main/java/org/keycloak/adapters/elytron/ElytronCookieTokenStore.java b/adapters/oidc/wildfly-elytron/src/main/java/org/keycloak/adapters/elytron/ElytronCookieTokenStore.java
index eda7d17..bbe1046 100644
--- a/adapters/oidc/wildfly-elytron/src/main/java/org/keycloak/adapters/elytron/ElytronCookieTokenStore.java
+++ b/adapters/oidc/wildfly-elytron/src/main/java/org/keycloak/adapters/elytron/ElytronCookieTokenStore.java
@@ -88,7 +88,7 @@ public class ElytronCookieTokenStore implements ElytronTokeStore {
boolean active = account.checkActive();
if (!active) {
- active = account.tryRefresh(this.callbackHandler);
+ active = account.tryRefresh();
}
if (active) {
diff --git a/adapters/oidc/wildfly-elytron/src/main/java/org/keycloak/adapters/elytron/ElytronHttpFacade.java b/adapters/oidc/wildfly-elytron/src/main/java/org/keycloak/adapters/elytron/ElytronHttpFacade.java
index bda24bb..9004bda 100644
--- a/adapters/oidc/wildfly-elytron/src/main/java/org/keycloak/adapters/elytron/ElytronHttpFacade.java
+++ b/adapters/oidc/wildfly-elytron/src/main/java/org/keycloak/adapters/elytron/ElytronHttpFacade.java
@@ -18,6 +18,7 @@
package org.keycloak.adapters.elytron;
+import io.undertow.server.handlers.CookieImpl;
import org.bouncycastle.asn1.cmp.Challenge;
import org.keycloak.KeycloakSecurityContext;
import org.keycloak.adapters.AdapterDeploymentContext;
@@ -62,6 +63,8 @@ import java.util.function.Consumer;
*/
class ElytronHttpFacade implements OIDCHttpFacade {
+ static final String UNDERTOW_EXCHANGE = ElytronHttpFacade.class.getName() + ".undertow.exchange";
+
private final HttpServerRequest request;
private final CallbackHandler callbackHandler;
private final AdapterTokenStore tokenStore;
@@ -312,6 +315,17 @@ class ElytronHttpFacade implements OIDCHttpFacade {
@Override
public void resetCookie(final String name, final String path) {
responseConsumer = responseConsumer.andThen(response -> setCookie(name, "", path, null, 0, false, false, response));
+ HttpScope exchangeScope = getScope(Scope.EXCHANGE);
+ ProtectedHttpServerExchange undertowExchange = ProtectedHttpServerExchange.class.cast(exchangeScope.getAttachment(UNDERTOW_EXCHANGE));
+
+ if (undertowExchange != null) {
+ CookieImpl cookie = new CookieImpl(name, "");
+
+ cookie.setMaxAge(0);
+ cookie.setPath(path);
+
+ undertowExchange.getExchange().setResponseCookie(cookie);
+ }
}
@Override
diff --git a/adapters/oidc/wildfly-elytron/src/main/java/org/keycloak/adapters/elytron/ElytronSessionTokenStore.java b/adapters/oidc/wildfly-elytron/src/main/java/org/keycloak/adapters/elytron/ElytronSessionTokenStore.java
index d494641..1a81637 100644
--- a/adapters/oidc/wildfly-elytron/src/main/java/org/keycloak/adapters/elytron/ElytronSessionTokenStore.java
+++ b/adapters/oidc/wildfly-elytron/src/main/java/org/keycloak/adapters/elytron/ElytronSessionTokenStore.java
@@ -104,7 +104,7 @@ public class ElytronSessionTokenStore implements ElytronTokeStore {
boolean active = account.checkActive();
if (!active) {
- active = account.tryRefresh(this.callbackHandler);
+ active = account.tryRefresh();
}
if (active) {
diff --git a/adapters/oidc/wildfly-elytron/src/main/java/org/keycloak/adapters/elytron/KeycloakServletExtension.java b/adapters/oidc/wildfly-elytron/src/main/java/org/keycloak/adapters/elytron/KeycloakServletExtension.java
new file mode 100644
index 0000000..5adf6e9
--- /dev/null
+++ b/adapters/oidc/wildfly-elytron/src/main/java/org/keycloak/adapters/elytron/KeycloakServletExtension.java
@@ -0,0 +1,42 @@
+/*
+ * Copyright 2018 Red Hat, Inc. and/or its affiliates
+ * and other contributors as indicated by the @author tags.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.adapters.elytron;
+
+import javax.servlet.ServletContext;
+import javax.servlet.ServletRequest;
+
+import io.undertow.server.HttpHandler;
+import io.undertow.servlet.ServletExtension;
+import io.undertow.servlet.api.DeploymentInfo;
+import io.undertow.servlet.handlers.ServletRequestContext;
+
+/**
+ * @author <a href="mailto:psilva@redhat.com">Pedro Igor</a>
+ */
+public class KeycloakServletExtension implements ServletExtension {
+
+ @Override
+ public void handleDeployment(DeploymentInfo deploymentInfo, ServletContext servletContext) {
+ deploymentInfo.addOuterHandlerChainWrapper(handler -> (HttpHandler) exchange -> {
+ ServletRequest servletRequest = exchange.getAttachment(ServletRequestContext.ATTACHMENT_KEY).getServletRequest();
+
+ servletRequest.setAttribute(ElytronHttpFacade.UNDERTOW_EXCHANGE, new ProtectedHttpServerExchange(exchange));
+
+ handler.handleRequest(exchange);
+ });
+ }
+}
diff --git a/adapters/oidc/wildfly-elytron/src/main/java/org/keycloak/adapters/elytron/ProtectedHttpServerExchange.java b/adapters/oidc/wildfly-elytron/src/main/java/org/keycloak/adapters/elytron/ProtectedHttpServerExchange.java
new file mode 100644
index 0000000..682feb3
--- /dev/null
+++ b/adapters/oidc/wildfly-elytron/src/main/java/org/keycloak/adapters/elytron/ProtectedHttpServerExchange.java
@@ -0,0 +1,42 @@
+/*
+ * Copyright 2018 Red Hat, Inc. and/or its affiliates
+ * and other contributors as indicated by the @author tags.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.adapters.elytron;
+
+import io.undertow.server.HttpServerExchange;
+
+/**
+ * <p>A wrapper for {@code {@link HttpServerExchange}} accessible only from classes in the same package.
+ *
+ * <p>This class is used to provide to the elytron mechanism access to the current exchange in order to allow making
+ * changes to the exchange (e.g. response) during the evaluation of requests. By default, changes to the exchange are only
+ * propagated after the execution of the mechanism. But in certain situations, such as when making a programmatic logout (HttpServletRequest.logout()) from
+ * within application code, any change made to the exchange is not propagated.
+ *
+ * @author <a href="mailto:psilva@redhat.com">Pedro Igor</a>
+ */
+class ProtectedHttpServerExchange {
+
+ private final HttpServerExchange exchange;
+
+ public ProtectedHttpServerExchange(HttpServerExchange exchange) {
+ this.exchange = exchange;
+ }
+
+ HttpServerExchange getExchange() {
+ return exchange;
+ }
+}
diff --git a/adapters/oidc/wildfly-elytron/src/main/resources/META-INF/services/io.undertow.servlet.ServletExtension b/adapters/oidc/wildfly-elytron/src/main/resources/META-INF/services/io.undertow.servlet.ServletExtension
new file mode 100644
index 0000000..965ca75
--- /dev/null
+++ b/adapters/oidc/wildfly-elytron/src/main/resources/META-INF/services/io.undertow.servlet.ServletExtension
@@ -0,0 +1,52 @@
+#
+# * Copyright 2018 Red Hat, Inc. and/or its affiliates
+# * and other contributors as indicated by the @author tags.
+# *
+# * Licensed under the Apache License, Version 2.0 (the "License");
+# * you may not use this file except in compliance with the License.
+# * You may obtain a copy of the License at
+# *
+# * http://www.apache.org/licenses/LICENSE-2.0
+# *
+# * Unless required by applicable law or agreed to in writing, software
+# * distributed under the License is distributed on an "AS IS" BASIS,
+# * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# * See the License for the specific language governing permissions and
+# * limitations under the License.
+#
+
+#
+# * Copyright 2018 Red Hat, Inc. and/or its affiliates
+# * and other contributors as indicated by the @author tags.
+# *
+# * Licensed under the Apache License, Version 2.0 (the "License");
+# * you may not use this file except in compliance with the License.
+# * You may obtain a copy of the License at
+# *
+# * http://www.apache.org/licenses/LICENSE-2.0
+# *
+# * Unless required by applicable law or agreed to in writing, software
+# * distributed under the License is distributed on an "AS IS" BASIS,
+# * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# * See the License for the specific language governing permissions and
+# * limitations under the License.
+#
+
+#
+# Copyright 2016 Red Hat, Inc. and/or its affiliates
+# and other contributors as indicated by the @author tags.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+org.keycloak.adapters.elytron.KeycloakServletExtension
diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/adapter/servlet/DemoServletsAdapterTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/adapter/servlet/DemoServletsAdapterTest.java
index 65bc5fa..baff898 100644
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/adapter/servlet/DemoServletsAdapterTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/adapter/servlet/DemoServletsAdapterTest.java
@@ -21,7 +21,6 @@ import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;
import java.nio.charset.StandardCharsets;
-import java.nio.file.Paths;
import java.util.Arrays;
import java.util.List;
import java.util.Map;
@@ -49,7 +48,6 @@ import org.jboss.arquillian.drone.api.annotation.Drone;
import org.jboss.arquillian.graphene.page.Page;
import org.jboss.shrinkwrap.api.spec.WebArchive;
import org.junit.Assert;
-import org.junit.Assume;
import org.junit.Before;
import org.junit.Rule;
import org.junit.Test;
@@ -272,21 +270,9 @@ public class DemoServletsAdapterTest extends AbstractServletsAdapterTest {
driver.manage().deleteAllCookies();
}
- private void assumeNotElytronAdapter() {
- if (!AppServerTestEnricher.isUndertowAppServer()) {
- try {
- Assume.assumeFalse(FileUtils.readFileToString(Paths.get(System.getProperty("app.server.home"), "standalone", "configuration", "standalone.xml").toFile(), "UTF-8").contains("<security-domain name=\"KeycloakDomain\""));
- } catch (IOException e) {
- throw new RuntimeException(e);
- }
- }
- }
-
//KEYCLOAK-702
@Test
public void testTokenInCookieSSO() {
- assumeNotElytronAdapter();
-
// Login
String tokenCookie = loginToCustomerCookiePortal();
@@ -311,8 +297,6 @@ public class DemoServletsAdapterTest extends AbstractServletsAdapterTest {
//KEYCLOAK-702
@Test
public void testTokenInCookieRefresh() {
- assumeNotElytronAdapter();
-
log.debug("Set token timeout 10 sec");
RealmRepresentation demo = adminClient.realm("demo").toRepresentation();
int originalTokenTimeout = demo.getAccessTokenLifespan();
@@ -362,8 +346,6 @@ public class DemoServletsAdapterTest extends AbstractServletsAdapterTest {
//KEYCLOAK-702
@Test
public void testInvalidTokenCookie() {
- assumeNotElytronAdapter();
-
// Login
String tokenCookie = loginToCustomerCookiePortal();
String changedTokenCookie = tokenCookie.replace("a", "b");