Merge pull request #4544 from ssilvert/kc4952-header-info-disclosure KEYCLOAK-4952: …
distribution/feature-packs/server-feature-pack/src/main/resources/configuration/domain/subsystems.xml 4(+2 -2)
distribution/feature-packs/server-feature-pack/src/main/resources/configuration/standalone/subsystems.xml 2(+1 -1)
distribution/feature-packs/server-feature-pack/src/main/resources/configuration/standalone/subsystems-ha.xml 2(+1 -1)
distribution/feature-packs/server-feature-pack/src/main/resources/content/bin/migrate-domain-clustered.cli 20(+15 -5)
distribution/feature-packs/server-feature-pack/src/main/resources/content/bin/migrate-domain-standalone.cli 9(+9 -0)
distribution/feature-packs/server-feature-pack/src/main/resources/content/bin/migrate-standalone.cli 8(+8 -0)
diff --git a/distribution/feature-packs/server-feature-pack/src/main/resources/configuration/domain/subsystems.xml b/distribution/feature-packs/server-feature-pack/src/main/resources/configuration/domain/subsystems.xml
index 7a84148..eb26b61 100755
--- a/distribution/feature-packs/server-feature-pack/src/main/resources/configuration/domain/subsystems.xml
+++ b/distribution/feature-packs/server-feature-pack/src/main/resources/configuration/domain/subsystems.xml
@@ -37,7 +37,7 @@
<subsystem>security.xml</subsystem>
<subsystem>security-manager.xml</subsystem>
<subsystem>transactions.xml</subsystem>
- <subsystem>undertow.xml</subsystem>
+ <subsystem>keycloak-undertow.xml</subsystem>
<subsystem>keycloak-server.xml</subsystem>
</subsystems>
<subsystems name="auth-server-clustered">
@@ -64,7 +64,7 @@
<subsystem>security.xml</subsystem>
<subsystem>security-manager.xml</subsystem>
<subsystem>transactions.xml</subsystem>
- <subsystem supplement="ha">undertow.xml</subsystem>
+ <subsystem supplement="ha">keycloak-undertow.xml</subsystem>
<subsystem>keycloak-server.xml</subsystem>
</subsystems>
<subsystems name="load-balancer">
diff --git a/distribution/feature-packs/server-feature-pack/src/main/resources/configuration/standalone/subsystems.xml b/distribution/feature-packs/server-feature-pack/src/main/resources/configuration/standalone/subsystems.xml
index a1a5035..cf2d9d5 100755
--- a/distribution/feature-packs/server-feature-pack/src/main/resources/configuration/standalone/subsystems.xml
+++ b/distribution/feature-packs/server-feature-pack/src/main/resources/configuration/standalone/subsystems.xml
@@ -39,7 +39,7 @@
<subsystem supplement="standalone-wildfly">elytron.xml</subsystem>
<subsystem>security.xml</subsystem>
<subsystem>transactions.xml</subsystem>
- <subsystem>undertow.xml</subsystem>
+ <subsystem>keycloak-undertow.xml</subsystem>
<subsystem>keycloak-server.xml</subsystem>
</subsystems>
</config>
diff --git a/distribution/feature-packs/server-feature-pack/src/main/resources/configuration/standalone/subsystems-ha.xml b/distribution/feature-packs/server-feature-pack/src/main/resources/configuration/standalone/subsystems-ha.xml
index e19734c..a0fed67 100755
--- a/distribution/feature-packs/server-feature-pack/src/main/resources/configuration/standalone/subsystems-ha.xml
+++ b/distribution/feature-packs/server-feature-pack/src/main/resources/configuration/standalone/subsystems-ha.xml
@@ -41,7 +41,7 @@
<subsystem supplement="standalone-wildfly">elytron.xml</subsystem>
<subsystem>security.xml</subsystem>
<subsystem>transactions.xml</subsystem>
- <subsystem supplement="ha">undertow.xml</subsystem>
+ <subsystem supplement="ha">keycloak-undertow.xml</subsystem>
<subsystem>keycloak-server.xml</subsystem>
</subsystems>
</config>
\ No newline at end of file
diff --git a/distribution/feature-packs/server-feature-pack/src/main/resources/content/bin/migrate-domain-clustered.cli b/distribution/feature-packs/server-feature-pack/src/main/resources/content/bin/migrate-domain-clustered.cli
index 9344217..b17853a 100644
--- a/distribution/feature-packs/server-feature-pack/src/main/resources/content/bin/migrate-domain-clustered.cli
+++ b/distribution/feature-packs/server-feature-pack/src/main/resources/content/bin/migrate-domain-clustered.cli
@@ -54,11 +54,12 @@ end-if
set persistenceProvider=jpa
# Migrate from 2.1.0 to 2.2.0
-if (outcome == failed) of /profile=$clusteredProfile/subsystem=infinispan/cache-container=keycloak/distributed-cache=authorization/:read-resource
- echo Additing distributed-cache=authorization
- /profile=$clusteredProfile/subsystem=infinispan/cache-container=keycloak/distributed-cache=authorization/:add(mode=SYNC,owners=1)
- echo
-end-if
+# Do not add distributed-cache=authorization. This is now removed.
+#if (outcome == failed) of /profile=$clusteredProfile/subsystem=infinispan/cache-container=keycloak/distributed-cache=authorization/:read-resource
+# echo Additing distributed-cache=authorization
+# /profile=$clusteredProfile/subsystem=infinispan/cache-container=keycloak/distributed-cache=authorization/:add(mode=SYNC,owners=1)
+# echo
+#end-if
if (result == update) of /profile=$clusteredProfile/subsystem=keycloak-server/spi=connectionsJpa/provider=default/:map-get(name=properties,key=databaseSchema)
echo Updating connectionsJpa default properties...
/profile=$clusteredProfile/subsystem=keycloak-server/spi=connectionsJpa/provider=default/:map-remove(name=properties,key=databaseSchema)
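Review bot: The authorization-cache step is commented out rather than deleted, which leaves a dead block (still carrying the "Additing" typo) in the script, while the parallel hunk in migrate-standalone-ha.cli comments out the same block with different wording ("Do not add. This is now removed." versus the fuller sentence here). Git history already preserves the old step, so dropping the five commented lines and keeping a single explanatory comment in both files would be cleaner, e.g. `# distributed-cache=authorization is no longer created as of this release; existing profiles are cleaned up by the later migration step`. Note that this hunk does not itself remove the cache from a profile that an earlier run created; presumably the step referenced in the hunk header around line 225 does that, but it is outside this hunk so I cannot confirm. The surrounding if-chain continues past the hunk.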
@@ -225,4 +226,13 @@ if (outcome == success) of /profile=$clusteredProfile/subsystem=infinispan/cache
echo
end-if
+# Migrate from 3.2.0 to 3.4.0
+if (outcome == success) of /profile=$clusteredProfile/subsystem=undertow/server=default-server/host=default-host/filter-ref=server-header/:read-resource
+ echo Removing X-Powered-By and Server headers from Keycloak responses...
+ /profile=$clusteredProfile/subsystem=undertow/server=default-server/host=default-host/filter-ref=server-header/:remove
+ /profile=$clusteredProfile/subsystem=undertow/server=default-server/host=default-host/filter-ref=x-powered-by-header/:remove
+ /profile=$clusteredProfile/subsystem=undertow/configuration=filter/response-header=x-powered-by-header/:remove
+ /profile=$clusteredProfile/subsystem=undertow/configuration=filter/response-header=server-header/:remove
+end-if
+
echo *** End Migration of /profile=$clusteredProfile ***
\ No newline at end of file
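Review bot: The whole 3.2.0 to 3.4.0 block is gated on a single read-resource of filter-ref=server-header, yet it then issues four unconditional :remove operations; on a host where some of those resources are already gone (for instance an operator who removed one of the two headers by hand to address this same disclosure), either the block is skipped entirely and the other header keeps leaking, or one :remove fails, which as far as I recall aborts the rest of the script in jboss-cli and leaves the remaining filters in place. The same pattern is repeated in migrate-domain-standalone.cli, migrate-standalone.cli and migrate-standalone-ha.cli. Guarding each removal with its own read-resource, as the rest of these scripts already do for other resources, makes the migration idempotent and convergent; the filter-refs should still be removed before the filter definitions, since a definition that is still referenced may be rejected. Only default-host is handled; any additional virtual host with its own filter-refs would keep emitting the headers, which may be acceptable but is worth a comment.
```jboss-cli
# Migrate from 3.2.0 to 3.4.0
# Each Server / X-Powered-By filter is removed independently so a partially
# migrated profile still converges; remove filter-refs before the definitions.
if (outcome == success) of /profile=$clusteredProfile/subsystem=undertow/server=default-server/host=default-host/filter-ref=server-header/:read-resource
    echo Removing Server header filter-ref from Keycloak responses...
    /profile=$clusteredProfile/subsystem=undertow/server=default-server/host=default-host/filter-ref=server-header/:remove
end-if
if (outcome == success) of /profile=$clusteredProfile/subsystem=undertow/server=default-server/host=default-host/filter-ref=x-powered-by-header/:read-resource
    echo Removing X-Powered-By header filter-ref from Keycloak responses...
    /profile=$clusteredProfile/subsystem=undertow/server=default-server/host=default-host/filter-ref=x-powered-by-header/:remove
end-if
if (outcome == success) of /profile=$clusteredProfile/subsystem=undertow/configuration=filter/response-header=x-powered-by-header/:read-resource
    /profile=$clusteredProfile/subsystem=undertow/configuration=filter/response-header=x-powered-by-header/:remove
end-if
if (outcome == success) of /profile=$clusteredProfile/subsystem=undertow/configuration=filter/response-header=server-header/:read-resource
    /profile=$clusteredProfile/subsystem=undertow/configuration=filter/response-header=server-header/:remove
end-if
# … unchanged: closing echo …
```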
diff --git a/distribution/feature-packs/server-feature-pack/src/main/resources/content/bin/migrate-domain-standalone.cli b/distribution/feature-packs/server-feature-pack/src/main/resources/content/bin/migrate-domain-standalone.cli
index fc01c29..be2b837 100644
--- a/distribution/feature-packs/server-feature-pack/src/main/resources/content/bin/migrate-domain-standalone.cli
+++ b/distribution/feature-packs/server-feature-pack/src/main/resources/content/bin/migrate-domain-standalone.cli
@@ -205,4 +205,13 @@ if (outcome == failed) of /profile=$standaloneProfile/subsystem=infinispan/cache
echo
end-if
+# Migrate from 3.2.0 to 3.4.0
+if (outcome == success) of /profile=$standaloneProfile/subsystem=undertow/server=default-server/host=default-host/filter-ref=server-header/:read-resource
+ echo Removing X-Powered-By and Server headers from Keycloak responses...
+ /profile=$standaloneProfile/subsystem=undertow/server=default-server/host=default-host/filter-ref=server-header/:remove
+ /profile=$standaloneProfile/subsystem=undertow/server=default-server/host=default-host/filter-ref=x-powered-by-header/:remove
+ /profile=$standaloneProfile/subsystem=undertow/configuration=filter/response-header=x-powered-by-header/:remove
+ /profile=$standaloneProfile/subsystem=undertow/configuration=filter/response-header=server-header/:remove
+end-if
+
echo *** End Migration of /profile=$standaloneProfile ***
\ No newline at end of file
diff --git a/distribution/feature-packs/server-feature-pack/src/main/resources/content/bin/migrate-standalone.cli b/distribution/feature-packs/server-feature-pack/src/main/resources/content/bin/migrate-standalone.cli
index 517759f..3491bc5 100644
--- a/distribution/feature-packs/server-feature-pack/src/main/resources/content/bin/migrate-standalone.cli
+++ b/distribution/feature-packs/server-feature-pack/src/main/resources/content/bin/migrate-standalone.cli
@@ -213,4 +213,12 @@ if (outcome == failed) of /subsystem=infinispan/cache-container=keycloak/local-c
echo
end-if
+# Migrate from 3.2.0 to 3.4.0
+if (outcome == success) of /subsystem=undertow/server=default-server/host=default-host/filter-ref=server-header/:read-resource
+ echo Removing X-Powered-By and Server headers from Keycloak responses...
+ /subsystem=undertow/server=default-server/host=default-host/filter-ref=server-header/:remove
+ /subsystem=undertow/server=default-server/host=default-host/filter-ref=x-powered-by-header/:remove
+ /subsystem=undertow/configuration=filter/response-header=x-powered-by-header/:remove
+ /subsystem=undertow/configuration=filter/response-header=server-header/:remove
+end-if
echo *** End Migration ***
\ No newline at end of file
diff --git a/distribution/feature-packs/server-feature-pack/src/main/resources/content/bin/migrate-standalone-ha.cli b/distribution/feature-packs/server-feature-pack/src/main/resources/content/bin/migrate-standalone-ha.cli
index 4f4e3e0..18225e8 100644
--- a/distribution/feature-packs/server-feature-pack/src/main/resources/content/bin/migrate-standalone-ha.cli
+++ b/distribution/feature-packs/server-feature-pack/src/main/resources/content/bin/migrate-standalone-ha.cli
@@ -60,11 +60,12 @@ if (outcome == failed) of /subsystem=deployment-scanner/scanner=default/:read-re
/subsystem=deployment-scanner/scanner=default/:add(path=deployments,relative-to=jboss.server.base.dir,runtime-failure-causes-rollback=${jboss.deployment.scanner.rollback.on.failure:false},scan-interval=5000)
echo
end-if
-if (outcome == failed) of /subsystem=infinispan/cache-container=keycloak/distributed-cache=authorization/:read-resource
- echo Additing distributed-cache=authorization
- /subsystem=infinispan/cache-container=keycloak/distributed-cache=authorization/:add(mode=SYNC,owners=1)
- echo
-end-if
+# Do not add. This is now removed.
+#if (outcome == failed) of /subsystem=infinispan/cache-container=keycloak/distributed-cache=authorization/:read-resource
+# echo Adding distributed-cache=authorization
+# /subsystem=infinispan/cache-container=keycloak/distributed-cache=authorization/:add(mode=SYNC,owners=1)
+# echo
+#end-if
if (result == update) of /subsystem=keycloak-server/spi=connectionsJpa/provider=default/:map-get(name=properties,key=databaseSchema)
echo Updating connectionsJpa default properties...
/subsystem=keycloak-server/spi=connectionsJpa/provider=default/:map-remove(name=properties,key=databaseSchema)
@@ -230,4 +231,13 @@ if (outcome == success) of /subsystem=infinispan/cache-container=keycloak/distri
echo
end-if
+# Migrate from 3.2.0 to 3.4.0
+if (outcome == success) of /subsystem=undertow/server=default-server/host=default-host/filter-ref=server-header/:read-resource
+ echo Removing X-Powered-By and Server headers from Keycloak responses...
+ /subsystem=undertow/server=default-server/host=default-host/filter-ref=server-header/:remove
+ /subsystem=undertow/server=default-server/host=default-host/filter-ref=x-powered-by-header/:remove
+ /subsystem=undertow/configuration=filter/response-header=x-powered-by-header/:remove
+ /subsystem=undertow/configuration=filter/response-header=server-header/:remove
+end-if
+
echo *** End Migration ***
\ No newline at end of file
diff --git a/wildfly/server-subsystem/src/main/resources/subsystem-templates/keycloak-undertow.xml b/wildfly/server-subsystem/src/main/resources/subsystem-templates/keycloak-undertow.xml
new file mode 100644
index 0000000..db46210
--- /dev/null
+++ b/wildfly/server-subsystem/src/main/resources/subsystem-templates/keycloak-undertow.xml
@@ -0,0 +1,47 @@
+<?xml version='1.0' encoding='UTF-8'?>
+<!--
+ ~ Copyright 2016 Red Hat, Inc. and/or its affiliates
+ ~ and other contributors as indicated by the @author tags.
+ ~
+ ~ Licensed under the Apache License, Version 2.0 (the "License");
+ ~ you may not use this file except in compliance with the License.
+ ~ You may obtain a copy of the License at
+ ~
+ ~ http://www.apache.org/licenses/LICENSE-2.0
+ ~
+ ~ Unless required by applicable law or agreed to in writing, software
+ ~ distributed under the License is distributed on an "AS IS" BASIS,
+ ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ ~ See the License for the specific language governing permissions and
+ ~ limitations under the License.
+ -->
+<config>
+ <extension-module>org.wildfly.extension.undertow</extension-module>
+ <subsystem xmlns="urn:jboss:domain:undertow:4.0">
+ <buffer-cache name="default" />
+ <server name="default-server">
+ <?AJP?>
+ <http-listener name="default" socket-binding="http" redirect-socket="https" enable-http2="true" />
+ <https-listener name="https" socket-binding="https" security-realm="ApplicationRealm" enable-http2="true" />
+ <host name="default-host" alias="localhost">
+ <location name="/" handler="welcome-content" />
+ <http-invoker security-realm="ApplicationRealm"/>
+ </host>
+ </server>
+ <servlet-container name="default">
+ <jsp-config/>
+ <websockets/>
+ </servlet-container>
+ <handlers>
+ <file name="welcome-content" path="${jboss.home.dir}/welcome-content" />
+ </handlers>
+ </subsystem>
+ <supplement name="ha">
+ <replacement placeholder="AJP">
+ <ajp-listener name="ajp" socket-binding="ajp" />
+ </replacement>
+ </supplement>
+ <socket-binding name="http" port="${jboss.http.port:8080}"/>
+ <socket-binding name="https" port="${jboss.https.port:8443}"/>
+ <socket-binding name="ajp" port="${jboss.ajp.port:8009}"/>
+</config>
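Review bot: The new template carries no comment stating why it exists, and the only thing that appears to distinguish it from the stock WildFly undertow.xml (I infer this from the rename in subsystems.xml and the migration scripts; the original file is not on this page) is the absence of the server-header and x-powered-by-header response-header filters and their filter-refs. Without that note, the next maintainer who syncs this file with upstream when bumping `urn:jboss:domain:undertow:4.0` is likely to copy the filters back in and silently reintroduce the version disclosure. Suggest a comment right after the license block, e.g. `<!-- Keycloak copy of the WildFly undertow.xml template. It intentionally omits the server-header and x-powered-by-header response-header filters and their filter-refs so responses do not reveal the server version (KEYCLOAK-4952); do not re-add them when syncing with upstream. -->`. Separately, `<http-invoker security-realm="ApplicationRealm"/>` on default-host enables an extra HTTP endpoint that an authentication server does not obviously need; if it is not required, leaving it out of this template would reduce surface, though I cannot tell from this page whether anything depends on it.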