keycloak-aplcache
Changes
spi/authentication-model/src/main/java/org/keycloak/spi/authentication/model/AbstractModelAuthenticationProvider.java 5(+2 -3)
spi/authentication-picketlink/src/main/java/org/keycloak/spi/authentication/picketlink/PicketlinkAuthenticationProvider.java 11(+7 -4)
spi/authentication-spi/src/main/java/org/keycloak/spi/authentication/AuthenticationProvider.java 2(+1 -1)
Details
diff --git a/admin-ui/src/main/resources/META-INF/resources/admin/js/app.js b/admin-ui/src/main/resources/META-INF/resources/admin/js/app.js
index bce292e..8da77e8 100755
--- a/admin-ui/src/main/resources/META-INF/resources/admin/js/app.js
+++ b/admin-ui/src/main/resources/META-INF/resources/admin/js/app.js
@@ -122,6 +122,15 @@ module.config([ '$routeProvider', function($routeProvider) {
},
controller : 'RealmSMTPSettingsCtrl'
})
+ .when('/realms/:realm/ldap-settings', {
+ templateUrl : 'partials/realm-ldap.html',
+ resolve : {
+ realm : function(RealmLoader) {
+ return RealmLoader();
+ }
+ },
+ controller : 'RealmSMTPSettingsCtrl'
+ })
.when('/create/user/:realm', {
templateUrl : 'partials/user-detail.html',
resolve : {
diff --git a/admin-ui/src/main/resources/META-INF/resources/admin/partials/realm-ldap.html b/admin-ui/src/main/resources/META-INF/resources/admin/partials/realm-ldap.html
new file mode 100644
index 0000000..b08899f
--- /dev/null
+++ b/admin-ui/src/main/resources/META-INF/resources/admin/partials/realm-ldap.html
@@ -0,0 +1,74 @@
+<div class="bs-sidebar col-sm-3 " data-ng-include data-src="'partials/realm-menu.html'"></div>
+<div id="content-area" class="col-sm-9" role="main">
+ <data-kc-navigation data-kc-current="ldap" data-kc-realm="realm.realm" data-kc-social="realm.social"></data-kc-navigation>
+ <div id="content">
+ <ol class="breadcrumb">
+ <li><a href="#/realms/{{realm.realm}}">{{realm.realm}}</a></li>
+ <li><a href="#/realms/{{realm.realm}}">Settings</a></li>
+ <li class="active">Ldap Configuration</li>
+ </ol>
+ <h2><span>{{realm.realm}}</span> Email Server Settings</h2>
+ <form class="form-horizontal" name="realmForm" novalidate kc-read-only="!access.manageRealm">
+ <span class="fieldset-notice"><span class="required">*</span> Required fields</span>
+ <fieldset>
+ <legend><span class="text">Required Settings</span></legend>
+ <div class="form-group clearfix">
+ <label class="col-sm-2 control-label" for="smtpHost">Host <span class="required">*</span></label>
+ <div class="col-sm-4">
+ <input class="form-control" id="smtpHost" type="text" ng-model="realm.smtpServer.host" placeholder="SMTP Host" required>
+ </div>
+ </div>
+ <div class="form-group clearfix">
+ <label class="col-sm-2 control-label" for="smtpPort">Port <span class="required">*</span></label>
+ <div class="col-sm-4">
+ <input class="form-control" id="smtpPort" type="number" ng-model="realm.smtpServer.port" placeholder="SMTP Port (defaults to 25)" required>
+ </div>
+ </div>
+ <div class="form-group clearfix">
+ <label class="col-sm-2 control-label" for="smtpFrom">From <span class="required">*</span></label>
+ <div class="col-sm-4">
+ <input class="form-control" id="smtpFrom" type="email" ng-model="realm.smtpServer.from" placeholder="Sender Email Address" required>
+ </div>
+ </div>
+ <div class="form-group clearfix">
+ <label class="col-sm-2 control-label" for="smtpSSL">Enable SSL</label>
+ <div class="col-sm-4">
+ <input ng-model="realm.smtpServer.ssl" name="smtpSSL" id="smtpSSL" onoffswitch />
+ </div>
+ </div>
+ <div class="form-group clearfix">
+ <label class="col-sm-2 control-label" for="smtpStartTLS">Enable StartTLS</label>
+ <div class="col-sm-4">
+ <input ng-model="realm.smtpServer.starttls" name="smtpStartTLS" id="smtpStartTLS" onoffswitch />
+ </div>
+ </div>
+ </fieldset>
+ <fieldset>
+ <legend><span class="text">Authentication</span></legend>
+ <div class="form-group clearfix">
+ <label class="col-sm-2 control-label" for="smtpAuth">Enable Authentication</label>
+ <div class="col-sm-4">
+ <input ng-model="realm.smtpServer.auth" name="smtpAuth" id="smtpAuth" onoffswitch />
+ </div>
+ </div>
+ <div class="form-group clearfix" data-ng-show="realm.smtpServer.auth">
+ <label class="col-sm-2 control-label" for="smtpUsername">Username <span class="required" ng-show="realm.smtpServer.auth">*</span></label>
+ <div class="col-sm-4">
+ <input class="form-control" id="smtpUsername" type="text" ng-model="realm.smtpServer.user" placeholder="Login Username" ng-disabled="!realm.smtpServer.auth" ng-required="realm.smtpServer.auth">
+ </div>
+ </div>
+ <div class="form-group clearfix" data-ng-show="realm.smtpServer.auth">
+ <label class="col-sm-2 control-label" for="smtpPassword">Password <span class="required" ng-show="realm.smtpServer.auth">*</span></label>
+ <div class="col-sm-4">
+ <input class="form-control" id="smtpPassword" type="password" ng-model="realm.smtpServer.password" placeholder="Login Password" ng-disabled="!realm.smtpServer.auth" ng-required="realm.smtpServer.auth">
+ </div>
+ </div>
+ </fieldset>
+
+ <div class="pull-right form-actions" data-ng-show="access.manageRealm">
+ <button data-kc-reset data-ng-show="changed">Clear changes</button>
+ <button data-kc-save data-ng-show="changed">Save</button>
+ </div>
+ </form>
+ </div>
+</div>
\ No newline at end of file
diff --git a/admin-ui/src/main/resources/META-INF/resources/admin/templates/kc-navigation.html b/admin-ui/src/main/resources/META-INF/resources/admin/templates/kc-navigation.html
index 6c53b86..95dac11 100644
--- a/admin-ui/src/main/resources/META-INF/resources/admin/templates/kc-navigation.html
+++ b/admin-ui/src/main/resources/META-INF/resources/admin/templates/kc-navigation.html
@@ -7,4 +7,5 @@
<li ng-class="{active: path[2] == 'token-settings'}" data-ng-show="access.viewRealm"><a href="#/realms/{{realm.realm}}/token-settings">Token</a></li>
<li ng-class="{active: path[2] == 'keys-settings'}" data-ng-show="access.viewRealm"><a href="#/realms/{{realm.realm}}/keys-settings">Keys</a></li>
<li ng-class="{active: path[2] == 'smtp-settings'}" data-ng-show="access.viewRealm"><a href="#/realms/{{realm.realm}}/smtp-settings">Email</a></li>
+ <li ng-class="{active: path[2] == 'ldap-settings'}" data-ng-show="access.viewRealm"><a href="#/realms/{{realm.realm}}/ldap-settings">Ldap</a></li>
</ul>
\ No newline at end of file
diff --git a/model/tests/src/test/java/org/keycloak/model/test/AuthProvidersExternalModelTest.java b/model/tests/src/test/java/org/keycloak/model/test/AuthProvidersExternalModelTest.java
index 41b1071..f8ce23b 100644
--- a/model/tests/src/test/java/org/keycloak/model/test/AuthProvidersExternalModelTest.java
+++ b/model/tests/src/test/java/org/keycloak/model/test/AuthProvidersExternalModelTest.java
@@ -13,7 +13,9 @@ import javax.ws.rs.core.MultivaluedMap;
import org.jboss.resteasy.spi.ResteasyProviderFactory;
import org.junit.Assert;
import org.junit.Before;
+import org.junit.FixMethodOrder;
import org.junit.Test;
+import org.junit.runners.MethodSorters;
import org.keycloak.models.AuthenticationLinkModel;
import org.keycloak.models.AuthenticationProviderModel;
import org.keycloak.models.KeycloakSession;
@@ -30,6 +32,7 @@ import org.keycloak.spi.authentication.AuthenticationProviderManager;
/**
* @author <a href="mailto:mposolda@redhat.com">Marek Posolda</a>
*/
+@FixMethodOrder(MethodSorters.NAME_ASCENDING)
public class AuthProvidersExternalModelTest extends AbstractModelTest {
private RealmModel realm1;
@@ -63,14 +66,14 @@ public class AuthProvidersExternalModelTest extends AbstractModelTest {
@Test
- public void testExternalModelPasswordValidation() {
+ public void testExternalModelAuthentication() {
MultivaluedMap<String, String> formData = createFormData("john", "password");
// Authenticate user with realm1
Assert.assertEquals(AuthenticationManager.AuthenticationStatus.SUCCESS, am.authenticateForm(realm1, formData));
// Verify that user doesn't exists in realm2 and can't authenticate here
- Assert.assertEquals(AuthenticationManager.AuthenticationStatus.INVALID_CREDENTIALS, am.authenticateForm(realm2, formData));
+ Assert.assertEquals(AuthenticationManager.AuthenticationStatus.INVALID_USER, am.authenticateForm(realm2, formData));
Assert.assertNull(realm2.getUser("john"));
// Add externalModel authenticationProvider into realm2 and point to realm1
diff --git a/model/tests/src/test/java/org/keycloak/model/test/AuthProvidersLDAPTest.java b/model/tests/src/test/java/org/keycloak/model/test/AuthProvidersLDAPTest.java
index 2165e2f..06a498c 100644
--- a/model/tests/src/test/java/org/keycloak/model/test/AuthProvidersLDAPTest.java
+++ b/model/tests/src/test/java/org/keycloak/model/test/AuthProvidersLDAPTest.java
@@ -10,10 +10,13 @@ import org.jboss.resteasy.spi.ResteasyProviderFactory;
import org.junit.After;
import org.junit.Assert;
import org.junit.Before;
+import org.junit.FixMethodOrder;
import org.junit.Test;
+import org.junit.runners.MethodSorters;
import org.keycloak.models.AuthenticationLinkModel;
import org.keycloak.models.AuthenticationProviderModel;
import org.keycloak.models.RealmModel;
+import org.keycloak.models.UserCredentialModel;
import org.keycloak.models.UserModel;
import org.keycloak.representations.idm.CredentialRepresentation;
import org.keycloak.services.managers.AuthenticationManager;
@@ -25,6 +28,7 @@ import org.keycloak.util.KeycloakRegistry;
/**
* @author <a href="mailto:mposolda@redhat.com">Marek Posolda</a>
*/
+@FixMethodOrder(MethodSorters.NAME_ASCENDING)
public class AuthProvidersLDAPTest extends AbstractModelTest {
private RealmModel realm;
@@ -64,11 +68,11 @@ public class AuthProvidersLDAPTest extends AbstractModelTest {
}
@Test
- public void testLdapPasswordValidation() {
+ public void testLdapAuthentication() {
MultivaluedMap<String, String> formData = AuthProvidersExternalModelTest.createFormData("john", "password");
// Verify that user doesn't exists in realm2 and can't authenticate here
- Assert.assertEquals(AuthenticationManager.AuthenticationStatus.INVALID_CREDENTIALS, am.authenticateForm(realm, formData));
+ Assert.assertEquals(AuthenticationManager.AuthenticationStatus.INVALID_USER, am.authenticateForm(realm, formData));
Assert.assertNull(realm.getUser("john"));
// Add ldap authenticationProvider
@@ -87,9 +91,6 @@ public class AuthProvidersLDAPTest extends AbstractModelTest {
Assert.assertEquals("Doe", john.getLastName());
Assert.assertEquals("john@email.org", john.getEmail());
- formData = AuthProvidersExternalModelTest.createFormData("john", "invalid");
- Assert.assertEquals(AuthenticationManager.AuthenticationStatus.INVALID_CREDENTIALS, am.authenticateForm(realm, formData));
-
// Verify link exists
Set<AuthenticationLinkModel> authLinks = realm.getAuthenticationLinks(john);
Assert.assertEquals(1, authLinks.size());
@@ -102,6 +103,41 @@ public class AuthProvidersLDAPTest extends AbstractModelTest {
}
@Test
+ public void testLdapInvalidAuthentication() {
+ setupAuthenticationProviders();
+
+ try {
+ ResteasyProviderFactory.pushContext(KeycloakRegistry.class, new KeycloakRegistry());
+
+ // Add some user and password to realm
+ UserModel realmUser = realm.addUser("realmUser");
+ UserCredentialModel credential = new UserCredentialModel();
+ credential.setType(CredentialRepresentation.PASSWORD);
+ credential.setValue("pass");
+ realm.updateCredential(realmUser, credential);
+
+ // User doesn't exists
+ MultivaluedMap<String, String> formData = AuthProvidersExternalModelTest.createFormData("invalid", "invalid");
+ Assert.assertEquals(AuthenticationManager.AuthenticationStatus.INVALID_USER, am.authenticateForm(realm, formData));
+
+ // User exists in ldap
+ formData = AuthProvidersExternalModelTest.createFormData("john", "invalid");
+ Assert.assertEquals(AuthenticationManager.AuthenticationStatus.INVALID_CREDENTIALS, am.authenticateForm(realm, formData));
+
+ // User exists in realm
+ formData = AuthProvidersExternalModelTest.createFormData("realmUser", "invalid");
+ Assert.assertEquals(AuthenticationManager.AuthenticationStatus.INVALID_CREDENTIALS, am.authenticateForm(realm, formData));
+
+ // User disabled
+ realmUser.setEnabled(false);
+ formData = AuthProvidersExternalModelTest.createFormData("realmUser", "pass");
+ Assert.assertEquals(AuthenticationManager.AuthenticationStatus.ACCOUNT_DISABLED, am.authenticateForm(realm, formData));
+ } finally {
+ ResteasyProviderFactory.clearContextData();
+ }
+ }
+
+ @Test
public void testLdapPasswordUpdate() {
// Add ldap
setupAuthenticationProviders();
diff --git a/services/src/main/java/org/keycloak/services/managers/AuthenticationManager.java b/services/src/main/java/org/keycloak/services/managers/AuthenticationManager.java
index 0d8773b..fe86e5b 100755
--- a/services/src/main/java/org/keycloak/services/managers/AuthenticationManager.java
+++ b/services/src/main/java/org/keycloak/services/managers/AuthenticationManager.java
@@ -224,9 +224,12 @@ public class AuthenticationManager {
logger.debug("validating password for user: " + username);
AuthResult authResult = AuthenticationProviderManager.getManager(realm).validatePassword(username, password);
- if (authResult.getAuthProviderStatus() == AuthProviderStatus.FAILED) {
+ if (authResult.getAuthProviderStatus() == AuthProviderStatus.INVALID_CREDENTIALS) {
logger.debug("invalid password for user: " + username);
return AuthenticationStatus.INVALID_CREDENTIALS;
+ } else if (authResult.getAuthProviderStatus() == AuthProviderStatus.USER_NOT_FOUND) {
+ logger.debug("User " + username + " not found in any Authentication provider");
+ return AuthenticationStatus.INVALID_USER;
}
if (authResult.getAuthenticatedUser() != null) {
diff --git a/spi/authentication-model/src/main/java/org/keycloak/spi/authentication/model/AbstractModelAuthenticationProvider.java b/spi/authentication-model/src/main/java/org/keycloak/spi/authentication/model/AbstractModelAuthenticationProvider.java
index 94652a5..58bf423 100644
--- a/spi/authentication-model/src/main/java/org/keycloak/spi/authentication/model/AbstractModelAuthenticationProvider.java
+++ b/spi/authentication-model/src/main/java/org/keycloak/spi/authentication/model/AbstractModelAuthenticationProvider.java
@@ -29,14 +29,13 @@ public abstract class AbstractModelAuthenticationProvider implements Authenticat
UserModel user = KeycloakModelUtils.findUserByNameOrEmail(realm, username);
- // Ignore if user doesn't exists, so that other providers have opportunity to authenticate (and possibly create) him
if (user == null) {
- return new AuthResult(AuthProviderStatus.IGNORE);
+ return new AuthResult(AuthProviderStatus.USER_NOT_FOUND);
}
boolean result = realm.validatePassword(user, password);
if (!result) {
- return new AuthResult(AuthProviderStatus.IGNORE);
+ return new AuthResult(AuthProviderStatus.INVALID_CREDENTIALS);
}
AuthenticatedUser authUser = createAuthenticatedUserInstance(user);
diff --git a/spi/authentication-picketlink/src/main/java/org/keycloak/spi/authentication/picketlink/PicketlinkAuthenticationProvider.java b/spi/authentication-picketlink/src/main/java/org/keycloak/spi/authentication/picketlink/PicketlinkAuthenticationProvider.java
index 4494bde..2e9375d 100644
--- a/spi/authentication-picketlink/src/main/java/org/keycloak/spi/authentication/picketlink/PicketlinkAuthenticationProvider.java
+++ b/spi/authentication-picketlink/src/main/java/org/keycloak/spi/authentication/picketlink/PicketlinkAuthenticationProvider.java
@@ -39,23 +39,26 @@ public class PicketlinkAuthenticationProvider implements AuthenticationProvider
public AuthResult validatePassword(RealmModel realm, Map<String, String> configuration, String username, String password) throws AuthenticationProviderException {
IdentityManager identityManager = getIdentityManager(realm);
+ User picketlinkUser = BasicModel.getUser(identityManager, username);
+ if (picketlinkUser == null) {
+ return new AuthResult(AuthProviderStatus.USER_NOT_FOUND);
+ }
+
UsernamePasswordCredentials credential = new UsernamePasswordCredentials();
credential.setUsername(username);
credential.setPassword(new Password(password.toCharArray()));
identityManager.validateCredentials(credential);
- AuthResult result;
if (credential.getStatus() == Credentials.Status.VALID) {
- result = new AuthResult(AuthProviderStatus.SUCCESS);
+ AuthResult result = new AuthResult(AuthProviderStatus.SUCCESS);
- User picketlinkUser = BasicModel.getUser(identityManager, username);
AuthenticatedUser authenticatedUser = new AuthenticatedUser(picketlinkUser.getId(), picketlinkUser.getLoginName())
.setName(picketlinkUser.getFirstName(), picketlinkUser.getLastName())
.setEmail(picketlinkUser.getEmail());
result.setUser(authenticatedUser).setProviderName(getName());
return result;
} else {
- return new AuthResult(AuthProviderStatus.IGNORE);
+ return new AuthResult(AuthProviderStatus.INVALID_CREDENTIALS);
}
}
diff --git a/spi/authentication-spi/src/main/java/org/keycloak/spi/authentication/AuthenticationProvider.java b/spi/authentication-spi/src/main/java/org/keycloak/spi/authentication/AuthenticationProvider.java
index a960be9..1ab1836 100644
--- a/spi/authentication-spi/src/main/java/org/keycloak/spi/authentication/AuthenticationProvider.java
+++ b/spi/authentication-spi/src/main/java/org/keycloak/spi/authentication/AuthenticationProvider.java
@@ -16,7 +16,7 @@ public interface AuthenticationProvider {
*
* @param username
* @param password
- * @return
+ * @return result of authentication, which might eventually encapsulate info about authenticated user and provider which successfully authenticated
*/
AuthResult validatePassword(RealmModel realm, Map<String, String> configuration, String username, String password) throws AuthenticationProviderException;
diff --git a/spi/authentication-spi/src/main/java/org/keycloak/spi/authentication/AuthenticationProviderManager.java b/spi/authentication-spi/src/main/java/org/keycloak/spi/authentication/AuthenticationProviderManager.java
index f5a0d9c..669153e 100644
--- a/spi/authentication-spi/src/main/java/org/keycloak/spi/authentication/AuthenticationProviderManager.java
+++ b/spi/authentication-spi/src/main/java/org/keycloak/spi/authentication/AuthenticationProviderManager.java
@@ -17,7 +17,6 @@ import org.keycloak.util.ProviderLoader;
*
* Example of usage: AuthenticationProviderManager.getManager(realm).validateUser("joe", "password");
*
- *
* @author <a href="mailto:mposolda@redhat.com">Marek Posolda</a>
*/
public class AuthenticationProviderManager {
@@ -50,6 +49,7 @@ public class AuthenticationProviderManager {
public AuthResult validatePassword(String username, String password) {
List<AuthenticationProviderModel> configuredProviders = getConfiguredProviders(realm);
+ boolean userExists = false;
for (AuthenticationProviderModel authProviderConfig : configuredProviders) {
String providerName = authProviderConfig.getProviderName();
@@ -63,17 +63,20 @@ public class AuthenticationProviderManager {
AuthResult currentResult = delegate.validatePassword(realm, authProviderConfig.getConfig(), username, password);
logger.debugf("Authentication provider '%s' finished with '%s' for authentication of '%s'", delegate.getName(), currentResult.getAuthProviderStatus().toString(), username);
- if (currentResult.getAuthProviderStatus() == AuthProviderStatus.SUCCESS || currentResult.getAuthProviderStatus() == AuthProviderStatus.FAILED) {
+ if (currentResult.getAuthProviderStatus() == AuthProviderStatus.SUCCESS) {
return currentResult;
+ } else if (currentResult.getAuthProviderStatus() == AuthProviderStatus.INVALID_CREDENTIALS) {
+ userExists = true;
}
} catch (AuthenticationProviderException ape) {
logger.warn(ape.getMessage(), ape);
}
}
- logger.debugf("Not able to authenticate '%s' with any authentication provider", username);
+ AuthProviderStatus status = userExists ? AuthProviderStatus.INVALID_CREDENTIALS : AuthProviderStatus.USER_NOT_FOUND;
+ logger.debugf("Not able to authenticate '%s' with any authentication provider. Status: '%s'", username, status.toString());
- return new AuthResult(AuthProviderStatus.FAILED);
+ return new AuthResult(status);
}
public void updatePassword(String username, String password) throws AuthenticationProviderException {
@@ -97,7 +100,7 @@ public class AuthenticationProviderManager {
}
} catch (AuthenticationProviderException ape) {
// Rethrow it to upper layer
- logger.warn("Failed to update password", ape);
+ logger.warn("Failed to update password: " + ape.getMessage());
throw ape;
}
} else {
diff --git a/spi/authentication-spi/src/main/java/org/keycloak/spi/authentication/AuthProviderStatus.java b/spi/authentication-spi/src/main/java/org/keycloak/spi/authentication/AuthProviderStatus.java
index cfd16a7..56d05d0 100644
--- a/spi/authentication-spi/src/main/java/org/keycloak/spi/authentication/AuthProviderStatus.java
+++ b/spi/authentication-spi/src/main/java/org/keycloak/spi/authentication/AuthProviderStatus.java
@@ -7,6 +7,6 @@ package org.keycloak.spi.authentication;
*/
public enum AuthProviderStatus {
- // Ignore means that AuthenticationProvider wasn't able to authenticate result, but it should postpone authentication to next provider (for example user didn't exists in realm)
- SUCCESS, FAILED, IGNORE
+ SUCCESS, INVALID_CREDENTIALS, USER_NOT_FOUND
+
}