keycloak-aplcache

Map group members of authenticated subject into subject info. This …

5/24/2018 9:16:06 AM

commit contains a POC for the issue "Roles get lost after security context was propagated back to wildfly-swarm, if using jwt for authentication" (KEYCLOAK-7309).

Dennis Bayer

Commit: 6a2a121

Tree: 3b84a88

Parents: 9dc5709

Changes

adapters/oidc/wildfly/wildfly-adapter/src/main/java/org/keycloak/adapters/wildfly/WildflyRequestAuthenticator.java 41(+41 -0)

Details

adapters/oidc/wildfly/wildfly-adapter/src/main/java/org/keycloak/adapters/wildfly/WildflyRequestAuthenticator.java 41(+41 -0)

diff --git a/adapters/oidc/wildfly/wildfly-adapter/src/main/java/org/keycloak/adapters/wildfly/WildflyRequestAuthenticator.java b/adapters/oidc/wildfly/wildfly-adapter/src/main/java/org/keycloak/adapters/wildfly/WildflyRequestAuthenticator.java
index c87b138..fea697e 100644
--- a/adapters/oidc/wildfly/wildfly-adapter/src/main/java/org/keycloak/adapters/wildfly/WildflyRequestAuthenticator.java
+++ b/adapters/oidc/wildfly/wildfly-adapter/src/main/java/org/keycloak/adapters/wildfly/WildflyRequestAuthenticator.java
@@ -25,6 +25,10 @@ import org.jboss.security.SecurityConstants;
 import org.jboss.security.SecurityContextAssociation;
 import org.jboss.security.SimpleGroup;
 import org.jboss.security.SimplePrincipal;
+import org.jboss.security.SubjectInfo;
+import org.jboss.security.identity.RoleGroup;
+import org.jboss.security.identity.plugins.SimpleRole;
+import org.jboss.security.identity.plugins.SimpleRoleGroup;
 import org.keycloak.adapters.AdapterTokenStore;
 import org.keycloak.adapters.KeycloakDeployment;
 import org.keycloak.adapters.spi.HttpFacade;
@@ -87,6 +91,13 @@ public class WildflyRequestAuthenticator extends ServletRequestAuthenticator {
         org.jboss.security.SecurityContext sc = SecurityContextAssociation.getSecurityContext();
         Principal userPrincipal = getPrincipal(subject);
         sc.getUtil().createSubjectInfo(userPrincipal, account, subject);
+
+        // Roles of subjectInfo are null, because is was constructed by
+        // org.jboss.security.identity.extensions.CredentialIdentityFactory
+        //   .createIdentity(Principal [=userPrincipal], Object [=account], Role [=null]).
+        // Therefore the roles are only contained in the authenticatedSubject (member of subjectInfo)
+        // and subsequent logics do only access subjectInfo#roles instead of authenticatedSubject#roles.
+        mapGroupMembersOfAuthenticatedSubjectIntoSubjectInfo(sc.getSubjectInfo());
     }
 
     /**
@@ -150,4 +161,34 @@ public class WildflyRequestAuthenticator extends ServletRequestAuthenticator {
         return roleSets;
     }
 
+	private static void mapGroupMembersOfAuthenticatedSubjectIntoSubjectInfo(SubjectInfo subjectInfo) {
+        if (subjectInfo == null) {
+            return;
+        }
+
+        Subject authenticatedSubject = subjectInfo.getAuthenticatedSubject();
+        if (authenticatedSubject == null) {
+            return;
+        }
+
+        // Get role group of subjectInfo in order to add roles of authenticatedSubject.
+        RoleGroup scRoles = subjectInfo.getRoles();
+        if (scRoles == null) {
+            scRoles = new SimpleRoleGroup("Roles");
+            subjectInfo.setRoles(scRoles);
+        }
+
+        // Get group roles of authenticatedSubject and add them into subjectInfo
+        Iterator<Principal> principalItr = authenticatedSubject.getPrincipals().iterator();
+        while (principalItr.hasNext()) {
+            Principal principal = principalItr.next();
+            if (principal instanceof Group) {
+                Enumeration<? extends Principal> members = ((Group) principal).members();
+                while (members.hasMoreElements()) {
+                    Principal role = members.nextElement();
+                    scRoles.addRole(new SimpleRole(role.getName()));
+                }
+            }
+        }
+    }
 }