diff --git a/admin-ui/src/main/resources/META-INF/resources/admin/index.html b/admin-ui/src/main/resources/META-INF/resources/admin/index.html
index a890c6a..3ef1734 100755
--- a/admin-ui/src/main/resources/META-INF/resources/admin/index.html
+++ b/admin-ui/src/main/resources/META-INF/resources/admin/index.html
@@ -11,7 +11,7 @@
<link rel="stylesheet" href="/auth-server/admin-ui/css/reset.css">
<link rel="stylesheet" href="/auth-server/admin-ui/bootstrap-3.0.0-wip/css/bootstrap.css">
<link rel="stylesheet" href="/auth-server/admin-ui/css/sprites.css">
- <link rel="stylesheet" href='http://fonts.googleapis.com/css?family=Open+Sans:400,300,300italic,400italic,600,600italic,700,700italic,800,800italic'>
+ <link rel="stylesheet" href='//fonts.googleapis.com/css?family=Open+Sans:400,300,300italic,400italic,600,600italic,700,700italic,800,800italic'>
<!-- RCUE styles -->
<link rel="stylesheet" href="/auth-server/admin-ui/css/base.css">
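Review bot: The protocol-relative `//fonts.googleapis.com/...` on the `+` line inherits the page's scheme, so whenever the admin console is served over plain HTTP the stylesheet is still fetched in cleartext and a network attacker can inject arbitrary CSS (and with it overlays and exfiltration via CSS selectors) into the admin UI. Since an https resource is also fine on an http page, make the scheme explicit: `href='https://fonts.googleapis.com/css?family=Open+Sans:...'`. Longer term, bundling the font with the admin UI would remove the third-party runtime dependency from the auth server entirely.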
diff --git a/forms/src/main/resources/META-INF/resources/forms/theme/default/styles.css b/forms/src/main/resources/META-INF/resources/forms/theme/default/styles.css
index 161be89..2bd23a0 100644
--- a/forms/src/main/resources/META-INF/resources/forms/theme/default/styles.css
+++ b/forms/src/main/resources/META-INF/resources/forms/theme/default/styles.css
@@ -3,7 +3,7 @@
@IMPORT url("css/forms.css");
@IMPORT url("css/zocial/zocial.css");
@IMPORT url("css/login-register.css");
-@IMPORT url("http://fonts.googleapis.com/css?family=Open+Sans:400,300,300italic,400italic,600,600italic,700,700italic,800,800italic");
+@IMPORT url("//fonts.googleapis.com/css?family=Open+Sans:400,300,300italic,400italic,600,600italic,700,700italic,800,800italic");
.zocial.google {
background-color: #dd4b39 !important;
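Review bot: The `@IMPORT url("//fonts.googleapis.com/...")` on the `+` line resolves to http:// whenever the login/registration theme itself is served over HTTP, so the font CSS arrives unauthenticated on exactly the page where users type their password, and injected CSS there can restyle or overlay the form. An explicit `@IMPORT url("https://fonts.googleapis.com/css?family=Open+Sans:...")` works on both http and https pages and avoids that; shipping the font files inside the theme would avoid the external fetch altogether.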
diff --git a/services/src/main/java/org/keycloak/services/resources/TokenService.java b/services/src/main/java/org/keycloak/services/resources/TokenService.java
index 37cbec3..36bd3f4 100755
--- a/services/src/main/java/org/keycloak/services/resources/TokenService.java
+++ b/services/src/main/java/org/keycloak/services/resources/TokenService.java
@@ -32,6 +32,7 @@ import org.keycloak.services.validation.Validation;
import javax.ws.rs.Consumes;
import javax.ws.rs.GET;
+import javax.ws.rs.NotAcceptableException;
import javax.ws.rs.NotAuthorizedException;
import javax.ws.rs.POST;
import javax.ws.rs.Path;
@@ -129,6 +130,10 @@ public class TokenService {
@Consumes(MediaType.APPLICATION_FORM_URLENCODED)
@Produces(MediaType.APPLICATION_JSON)
public Response grantIdentityToken(final MultivaluedMap<String, String> form) {
+ if (!checkSsl()) {
+ throw new NotAcceptableException("HTTPS required");
+ }
+
String username = form.getFirst(AuthenticationManager.FORM_USERNAME);
if (username == null) {
throw new NotAuthorizedException("No user");
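Review bot: `NotAcceptableException` on the added lines maps to HTTP 406, which JAX-RS reserves for content-negotiation failures (no representation matches the client's `Accept` header); a client receiving 406 will conclude its Accept header is wrong, not that it must switch to TLS. A refused plaintext request is better expressed as `throw new ForbiddenException("HTTPS required");` (403, also in `javax.ws.rs`). Note too that by the time this guard runs the form, including the password read on the following lines, has already crossed the network in cleartext, so it stops token issuance but does not protect the credential; that needs transport-level enforcement (redirect/HSTS at the proxy or container). The same pattern is repeated in grantAccessToken and accessCodeToToken below; grantIdentityToken's body continues past the hunk.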
@@ -155,6 +160,10 @@ public class TokenService {
@Consumes(MediaType.APPLICATION_FORM_URLENCODED)
@Produces(MediaType.APPLICATION_JSON)
public Response grantAccessToken(final MultivaluedMap<String, String> form) {
+ if (!checkSsl()) {
+ throw new NotAcceptableException("HTTPS required");
+ }
+
String username = form.getFirst(AuthenticationManager.FORM_USERNAME);
if (username == null) {
throw new NotAuthorizedException("No user");
@@ -187,6 +196,10 @@ public class TokenService {
logger.debug("TokenService.processLogin");
OAuthFlows oauth = Flows.oauth(realm, request, uriInfo, authManager, tokenManager);
+ if (!checkSsl()) {
+ return oauth.forwardToSecurityFailure("HTTPS required");
+ }
+
if (!realm.isEnabled()) {
return oauth.forwardToSecurityFailure("Realm not enabled.");
}
@@ -360,6 +373,11 @@ public class TokenService {
@Produces("application/json")
public Response accessCodeToToken(final MultivaluedMap<String, String> formData) {
logger.debug("accessRequest <---");
+
+ if (!checkSsl()) {
+ throw new NotAcceptableException("HTTPS required");
+ }
+
if (!realm.isEnabled()) {
throw new NotAuthorizedException("Realm not enabled");
}
@@ -480,6 +498,10 @@ public class TokenService {
logger.info("TokenService.loginPage");
OAuthFlows oauth = Flows.oauth(realm, request, uriInfo, authManager, tokenManager);
+ if (!checkSsl()) {
+ return oauth.forwardToSecurityFailure("HTTPS required");
+ }
+
if (!realm.isEnabled()) {
logger.warn("Realm not enabled");
return oauth.forwardToSecurityFailure("Realm not enabled");
@@ -529,6 +551,10 @@ public class TokenService {
logger.info("**********registerPage()");
OAuthFlows oauth = Flows.oauth(realm, request, uriInfo, authManager, tokenManager);
+ if (!checkSsl()) {
+ return oauth.forwardToSecurityFailure("HTTPS required");
+ }
+
if (!realm.isEnabled()) {
logger.warn("Realm not enabled");
return oauth.forwardToSecurityFailure("Realm not enabled");
@@ -581,6 +607,10 @@ public class TokenService {
public Response processOAuth(final MultivaluedMap<String, String> formData) {
OAuthFlows oauth = Flows.oauth(realm, request, uriInfo, authManager, tokenManager);
+ if (!checkSsl()) {
+ return oauth.forwardToSecurityFailure("HTTPS required");
+ }
+
String code = formData.getFirst("code");
JWSInput input = new JWSInput(code);
boolean verifiedCode = false;
@@ -628,4 +658,20 @@ public class TokenService {
}
}
+ private boolean checkSsl() {
+ if (realm.isSslNotRequired()) {
+ return true;
+ }
+
+ if (uriInfo.getBaseUri().getScheme().equals("https")) {
+ return true;
+ }
+
+ if ("https".equals(headers.getHeaderString("X-Forwarded-Proto"))) {
+ return true;
+ }
+
+ return false;
+ }
+
}
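Review bot: The `X-Forwarded-Proto` branch in checkSsl trusts a client-controlled header: anyone who can reach the server over plain HTTP just sends `X-Forwarded-Proto: https` and the HTTPS requirement introduced for every endpoint in this commit is bypassed. Only honor the header when the request demonstrably came from a trusted reverse proxy (compare the remote address against a configured proxy list, or let the servlet container rewrite the scheme via its proxy-address-forwarding support so that `uriInfo.getBaseUri().getScheme()` is already `https` and the header branch can be deleted). Two smaller points: proxies may append a comma-separated chain, so an exact `equals("https")` misses `https, http`-style values and should look at the first element, and both scheme comparisons should be case-insensitive, e.g. `"https".equalsIgnoreCase(uriInfo.getBaseUri().getScheme())`. `headers` and `realm` are declared outside the hunk, so I am assuming `headers` is an injected `HttpHeaders`.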