keycloak-aplcache
Changes
distribution/appliance-dist/pom.xml 6(+6 -0)
distribution/pom.xml 1(+1 -0)
distribution/tomcat7-adapter-zip/pom.xml 53(+53 -0)
distribution/war-dist/assembly.xml 1(+1 -0)
distribution/war-dist/pom.xml 6(+6 -0)
integration/tomcat7/adapter/pom.xml 1(+0 -1)
Details
diff --git a/core/src/main/java/org/keycloak/RSATokenVerifier.java b/core/src/main/java/org/keycloak/RSATokenVerifier.java
index da258c3..da23ff9 100755
--- a/core/src/main/java/org/keycloak/RSATokenVerifier.java
+++ b/core/src/main/java/org/keycloak/RSATokenVerifier.java
@@ -35,7 +35,7 @@ public class RSATokenVerifier {
if (user == null) {
throw new VerificationException("Token user was null.");
}
- if (!realm.equals(token.getAudience())) {
+ if (!realm.equals(token.getIssuer())) {
throw new VerificationException("Token audience doesn't match domain.");
}
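Review bot: The exception message on the line after the changed condition still reads `"Token audience doesn't match domain."` although the check now compares `token.getIssuer()`, so a failed verification points operators at the wrong claim; change it to `throw new VerificationException("Token issuer doesn't match domain.");`. Note also that after this change the verifier does not look at `aud` at all: the issuing side of this commit moves the client id into `aud`, but nothing here checks that the token was issued for the client presenting it, so a token minted for one client of the realm would presumably still verify for another — an overload taking the expected client id and rejecting a mismatching audience would close that. The enclosing method starts before this hunk, so the signature check itself is not visible here.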
diff --git a/core/src/test/java/org/keycloak/RSAVerifierTest.java b/core/src/test/java/org/keycloak/RSAVerifierTest.java
index 5e87780..cb39c6f 100755
--- a/core/src/test/java/org/keycloak/RSAVerifierTest.java
+++ b/core/src/test/java/org/keycloak/RSAVerifierTest.java
@@ -72,7 +72,7 @@ public class RSAVerifierTest {
token = new AccessToken();
token.subject("CN=Client")
- .audience("domain")
+ .issuer("domain")
.addAccess("service").addRole("admin");
}
@@ -213,7 +213,7 @@ public class RSAVerifierTest {
public void testTokenAuth() throws Exception {
token = new AccessToken();
token.subject("CN=Client")
- .audience("domain")
+ .issuer("domain")
.addAccess("service").addRole("admin").verifyCaller(true);
String encoded = new JWSBuilder()
diff --git a/distribution/appliance-dist/assembly.xml b/distribution/appliance-dist/assembly.xml
index 73f33c7..0e788d8 100755
--- a/distribution/appliance-dist/assembly.xml
+++ b/distribution/appliance-dist/assembly.xml
@@ -85,6 +85,7 @@
<include>org.keycloak:keycloak-wildfly-adapter-dist:zip</include>
<include>org.keycloak:keycloak-as7-adapter-dist:zip</include>
<include>org.keycloak:keycloak-eap6-adapter-dist:zip</include>
+ <include>org.keycloak:keycloak-tomcat7-adapter-dist:zip</include>
</includes>
<outputDirectory>adapters</outputDirectory>
</dependencySet>
distribution/appliance-dist/pom.xml 6(+6 -0)
diff --git a/distribution/appliance-dist/pom.xml b/distribution/appliance-dist/pom.xml
index c75c5fc..28105f6 100755
--- a/distribution/appliance-dist/pom.xml
+++ b/distribution/appliance-dist/pom.xml
@@ -28,6 +28,12 @@
</dependency>
<dependency>
<groupId>org.keycloak</groupId>
+ <artifactId>keycloak-tomcat7-adapter-dist</artifactId>
+ <version>${project.version}</version>
+ <type>zip</type>
+ </dependency>
+ <dependency>
+ <groupId>org.keycloak</groupId>
<artifactId>keycloak-eap6-adapter-dist</artifactId>
<version>${project.version}</version>
<type>zip</type>
distribution/pom.xml 1(+1 -0)
diff --git a/distribution/pom.xml b/distribution/pom.xml
index c958393..be012fa 100755
--- a/distribution/pom.xml
+++ b/distribution/pom.xml
@@ -27,6 +27,7 @@
<modules>
<module>modules</module>
<module>as7-adapter-zip</module>
+ <module>tomcat7-adapter-zip</module>
<module>eap6-adapter-zip</module>
<module>wildfly-adapter-zip</module>
<module>examples-docs-zip</module>
diff --git a/distribution/tomcat7-adapter-zip/assembly.xml b/distribution/tomcat7-adapter-zip/assembly.xml
new file mode 100755
index 0000000..46a3065
--- /dev/null
+++ b/distribution/tomcat7-adapter-zip/assembly.xml
@@ -0,0 +1,20 @@
+<assembly>
+ <id>war-dist</id>
+
+ <formats>
+ <format>zip</format>
+ </formats>
+ <includeBaseDirectory>false</includeBaseDirectory>
+
+ <dependencySets>
+ <dependencySet>
+ <unpack>false</unpack>
+ <useTransitiveDependencies>true</useTransitiveDependencies>
+ <useTransitiveFiltering>true</useTransitiveFiltering>
+ <includes>
+ <include>org.keycloak:keycloak-tomcat7-adapter</include>
+ </includes>
+ <outputDirectory></outputDirectory>
+ </dependencySet>
+ </dependencySets>
+</assembly>
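Review bot: The assembly id `war-dist` on the second line is carried over from the WAR distribution and names a Tomcat adapter zip; with `appendAssemblyId` false in the sibling pom it does not change the artifact name, but it misleads anyone reading the descriptor, so use `<id>tomcat7-adapter-dist</id>`. With `useTransitiveDependencies` and `useTransitiveFiltering` both true the zip presumably contains every compile-scope transitive of keycloak-tomcat7-adapter, and since the documentation in this commit tells users to unzip it straight into Tomcat's `lib/`, every jar that lands there is shared by all webapps on the server — worth listing the expected contents once and checking that nothing collides with Tomcat's own jars.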
distribution/tomcat7-adapter-zip/pom.xml 53(+53 -0)
diff --git a/distribution/tomcat7-adapter-zip/pom.xml b/distribution/tomcat7-adapter-zip/pom.xml
new file mode 100755
index 0000000..52b829c
--- /dev/null
+++ b/distribution/tomcat7-adapter-zip/pom.xml
@@ -0,0 +1,53 @@
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
+ <modelVersion>4.0.0</modelVersion>
+ <parent>
+ <artifactId>keycloak-parent</artifactId>
+ <groupId>org.keycloak</groupId>
+ <version>1.1.0-Alpha1-SNAPSHOT</version>
+ <relativePath>../../pom.xml</relativePath>
+ </parent>
+
+ <artifactId>keycloak-tomcat7-adapter-dist</artifactId>
+ <packaging>pom</packaging>
+ <name>Keycloak Tomcat 7 Adapter Distro</name>
+ <description/>
+
+ <dependencies>
+ <dependency>
+ <groupId>org.keycloak</groupId>
+ <artifactId>keycloak-tomcat7-adapter</artifactId>
+ <version>${project.version}</version>
+ </dependency>
+ </dependencies>
+ <build>
+ <plugins>
+ <plugin>
+ <artifactId>maven-assembly-plugin</artifactId>
+ <version>2.4</version>
+ <executions>
+ <execution>
+ <id>assemble</id>
+ <phase>package</phase>
+ <goals>
+ <goal>single</goal>
+ </goals>
+ <configuration>
+ <descriptors>
+ <descriptor>assembly.xml</descriptor>
+ </descriptors>
+ <outputDirectory>
+ target
+ </outputDirectory>
+ <workDirectory>
+ target/assembly/work
+ </workDirectory>
+ <appendAssemblyId>false</appendAssemblyId>
+ </configuration>
+ </execution>
+ </executions>
+ </plugin>
+ </plugins>
+ </build>
+
+</project>
distribution/war-dist/assembly.xml 1(+1 -0)
diff --git a/distribution/war-dist/assembly.xml b/distribution/war-dist/assembly.xml
index 7d45e6f..adf071b 100755
--- a/distribution/war-dist/assembly.xml
+++ b/distribution/war-dist/assembly.xml
@@ -31,6 +31,7 @@
<include>org.keycloak:keycloak-wildfly-adapter-dist:zip</include>
<include>org.keycloak:keycloak-as7-adapter-dist:zip</include>
<include>org.keycloak:keycloak-eap6-adapter-dist:zip</include>
+ <include>org.keycloak:keycloak-tomcat7-adapter-dist:zip</include>
</includes>
<outputDirectory>adapters</outputDirectory>
</dependencySet>
distribution/war-dist/pom.xml 6(+6 -0)
diff --git a/distribution/war-dist/pom.xml b/distribution/war-dist/pom.xml
index b7cc797..fb03295 100755
--- a/distribution/war-dist/pom.xml
+++ b/distribution/war-dist/pom.xml
@@ -28,6 +28,12 @@
</dependency>
<dependency>
<groupId>org.keycloak</groupId>
+ <artifactId>keycloak-tomcat7-adapter-dist</artifactId>
+ <version>${project.version}</version>
+ <type>zip</type>
+ </dependency>
+ <dependency>
+ <groupId>org.keycloak</groupId>
<artifactId>keycloak-eap6-adapter-dist</artifactId>
<version>${project.version}</version>
<type>zip</type>
diff --git a/docbook/reference/en/en-US/master.xml b/docbook/reference/en/en-US/master.xml
index c0d39db..6a70415 100755
--- a/docbook/reference/en/en-US/master.xml
+++ b/docbook/reference/en/en-US/master.xml
@@ -11,6 +11,7 @@
<!ENTITY AdapterConfig SYSTEM "modules/adapter-config.xml">
<!ENTITY JBossAdapter SYSTEM "modules/jboss-adapter.xml">
<!ENTITY JavascriptAdapter SYSTEM "modules/javascript-adapter.xml">
+ <!ENTITY TomcatAdapter SYSTEM "modules/tomcat-adapter.xml">
<!ENTITY InstalledApplications SYSTEM "modules/installed-applications.xml">
<!ENTITY Logout SYSTEM "modules/logout.xml">
<!ENTITY SAML SYSTEM "modules/saml.xml">
@@ -83,6 +84,7 @@ This one is short
</para>
&AdapterConfig;
&JBossAdapter;
+ &TomcatAdapter;
&JavascriptAdapter;
&InstalledApplications;
&Logout;
diff --git a/docbook/reference/en/en-US/modules/jboss-adapter.xml b/docbook/reference/en/en-US/modules/jboss-adapter.xml
index c141397..795b74f 100755
--- a/docbook/reference/en/en-US/modules/jboss-adapter.xml
+++ b/docbook/reference/en/en-US/modules/jboss-adapter.xml
@@ -10,7 +10,7 @@
<section id="jboss-adapter-installation">
<title>Adapter Installation</title>
<para>
- This is a adapter zip file for AS7, EAP, and Wildfly in the <literal>adapters/</literal> directory in the Keycloak
+ There is a adapter zip file for AS7, EAP, and Wildfly in the <literal>adapters/</literal> directory in the Keycloak
distribution.
</para>
<para>
@@ -135,7 +135,7 @@ public class CustomerService {
</section>
<section>
- <title>Per WAR Configuration</title>
+ <title>Required Per WAR Configuration</title>
<para>
This section describes how to secure a WAR directly by adding config and editing files within your WAR package.
</para>
diff --git a/docbook/reference/en/en-US/modules/MigrationFromOlderVersions.xml b/docbook/reference/en/en-US/modules/MigrationFromOlderVersions.xml
index 7773789..78d947c 100755
--- a/docbook/reference/en/en-US/modules/MigrationFromOlderVersions.xml
+++ b/docbook/reference/en/en-US/modules/MigrationFromOlderVersions.xml
@@ -5,8 +5,8 @@
<itemizedlist>
<listitem>UserSessionModel JPA and Mongo storage schema has changed as these interfaces have been refactored</listitem>
<listitem>
- Upgrade your adapters as REST API has changed. We're still supporting older adapters for now, but in future
- versions this backward compatibility will be removed.
+ Upgrade your adapters. We interpreted JSON Web Token and OIDC ID Token specification incorrectly. 'aud'
+ claim must be the client id, we were storing the realm name in there and validating it.
</listitem>
</itemizedlist>
</sect1>
diff --git a/docbook/reference/en/en-US/modules/Overview.xml b/docbook/reference/en/en-US/modules/Overview.xml
index 3361e0d..9ef7451 100755
--- a/docbook/reference/en/en-US/modules/Overview.xml
+++ b/docbook/reference/en/en-US/modules/Overview.xml
@@ -98,7 +98,7 @@
Multitenancy support. You can host and manage multiple realms for multiple organizations.
</listitem>
<listitem>
- Supports JBoss AS7, EAP 6.x, Wildfly and Pure JavaScript applications. Plans to support Node.js, RAILS, GRAILS, and other non-Java deployments
+ Supports JBoss AS7, EAP 6.x, Wildfly, Tomcat 7 and Pure JavaScript applications. Plans to support Node.js, RAILS, GRAILS, and other non-Java deployments
</listitem>
</itemizedlist>
</para>
diff --git a/docbook/reference/en/en-US/modules/tomcat-adapter.xml b/docbook/reference/en/en-US/modules/tomcat-adapter.xml
new file mode 100755
index 0000000..b9c0043
--- /dev/null
+++ b/docbook/reference/en/en-US/modules/tomcat-adapter.xml
@@ -0,0 +1,94 @@
+<section id="tomcat-adapter">
+ <title>Tomcat 7 Adapter</title>
+ <para>
+ To be able to secure WAR apps deployed on Tomcat 7 you must install the Keycloak Tomcat 7 adapter
+ into your Tomcat installation. You then have to provide some extra configuration in each WAR you deploy to
+ Tomcat. Let's go over these steps.
+ </para>
+ <section id="tomcat-adapter-installation">
+ <title>Adapter Installation</title>
+ <para>
+ There is a adapter zip file for Tomcat 7 in the <literal>adapters/</literal> directory in the Keycloak appliance
+ or war distribution. You must unzip this file into Tomcat's <literal>lib/</literal> directory. Including
+ adapter's jars within your WEB-INF/lib directory will not work! The Keycloak adapter is implemented as a Valve
+ and valve code must reside in Tomcat's main lib/ directory.
+ </para>
+ <para>
+<programlisting>
+$ cd $TOMCAT_HOME/lib
+$ unzip keycloak-tomcat7-adapter-dist.zip
+</programlisting>
+ </para>
+ </section>
+
+ <section>
+ <title>Required Per WAR Configuration</title>
+ <para>
+ This section describes how to secure a WAR directly by adding config and editing files within your WAR package.
+ </para>
+ <para>
+ The first thing you must do is create a <literal>META-INF/context.xml</literal> file in your WAR package. This is
+ a Tomcat specific config file and you must define a Keycloak specific Valve.
+ </para>
+ <programlisting>
+<![CDATA[
+<Context path="/your-context-path">
+ <Valve className="org.keycloak.adapters.tomcat7.KeycloakAuthenticatorValve"/>
+</Context>]]>
+ </programlisting>
+ <para>
+ Next you must create
+ a <literal>keycloak.json</literal> adapter config file within the <literal>WEB-INF</literal> directory
+ of your WAR. The format of this config file is describe in the <link linkend='adapter-config'>general adapter configuration</link>
+ section.
+ </para>
+ <para>
+ Finally you must specify both a <literal>login-config</literal> and use standard servlet security to specify
+ role-base constraints on your URLs. Here's an example:
+ </para>
+ <para>
+<programlisting>
+<![CDATA[
+<web-app xmlns="http://java.sun.com/xml/ns/javaee"
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
+ version="3.0">
+
+ <module-name>customer-portal</module-name>
+
+ <security-constraint>
+ <web-resource-collection>
+ <web-resource-name>Customers</web-resource-name>
+ <url-pattern>/*</url-pattern>
+ </web-resource-collection>
+ <auth-constraint>
+ <role-name>user</role-name>
+ </auth-constraint>
+ </security-constraint>
+
+ <security-constraint>
+ <web-resource-collection>
+ <url-pattern>/*</url-pattern>
+ </web-resource-collection>
+ <user-data-constraint>
+ <transport-guarantee>CONFIDENTIAL</transport-guarantee>
+ </user-data-constraint>
+ </security-constraint>
+
+ <login-config>
+ <auth-method>BASIC</auth-method>
+ <realm-name>this is ignored currently/realm-name>
+ </login-config>
+
+ <security-role>
+ <role-name>admin</role-name>
+ </security-role>
+ <security-role>
+ <role-name>user</role-name>
+ </security-role>
+</web-app>
+]]>
+</programlisting>
+ </para>
+ </section>
+</section>
\ No newline at end of file
integration/tomcat7/adapter/pom.xml 1(+0 -1)
diff --git a/integration/tomcat7/adapter/pom.xml b/integration/tomcat7/adapter/pom.xml
index 5f27a92..5b32cd5 100755
--- a/integration/tomcat7/adapter/pom.xml
+++ b/integration/tomcat7/adapter/pom.xml
@@ -18,7 +18,6 @@
<groupId>org.jboss.logging</groupId>
<artifactId>jboss-logging</artifactId>
<version>${jboss.logging.version}</version>
- <scope>provided</scope>
</dependency>
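Review bot: Dropping `provided` makes jboss-logging a compile-scope dependency, which with the new tomcat7-adapter-zip assembly's `useTransitiveDependencies` setting will ship the jar into Tomcat's `lib/`; if that is the intent, record it next to the dependency: `<!-- compile scope on purpose: Tomcat ships no jboss-logging, so the adapter zip must carry it -->`. Otherwise a later contributor is likely to restore `provided` to match the sibling adapters and silently break the Tomcat distribution.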
<dependency>
<groupId>org.keycloak</groupId>
diff --git a/services/src/main/java/org/keycloak/protocol/oidc/TokenManager.java b/services/src/main/java/org/keycloak/protocol/oidc/TokenManager.java
index 33485b0..4434a54 100755
--- a/services/src/main/java/org/keycloak/protocol/oidc/TokenManager.java
+++ b/services/src/main/java/org/keycloak/protocol/oidc/TokenManager.java
@@ -222,7 +222,7 @@ public class TokenManager {
IDToken token = new IDToken();
token.id(KeycloakModelUtils.generateId());
token.subject(user.getId());
- token.audience(realm.getName());
+ token.audience(claimer.getClientId());
token.issuedNow();
token.issuedFor(client.getUsername());
token.issuer(realm.getName());
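Review bot: The changed line sets `aud` from `claimer.getClientId()` while `azp` two lines below is still set from `client.getUsername()`; if `claimer` and `client` are different objects the ID token's audience and authorized party will name different parties, and if they are the same object this hunk is inconsistent with the access-token hunk below, which uses `client.getClientId()` for both claims. Presumably `claimer` is the requesting client — confirm, and if so `token.issuedFor(claimer.getClientId());` keeps `aud` and `azp` consistent with the OIDC definition of `azp` as the client id. The enclosing method starts outside this hunk.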
@@ -239,7 +239,7 @@ public class TokenManager {
AccessToken token = new AccessToken();
token.id(KeycloakModelUtils.generateId());
token.subject(user.getId());
- token.audience(realm.getName());
+ token.audience(client.getClientId());
token.issuedNow();
token.issuedFor(client.getClientId());
token.issuer(realm.getName());
@@ -343,7 +343,7 @@ public class TokenManager {
idToken = new IDToken();
idToken.id(KeycloakModelUtils.generateId());
idToken.subject(accessToken.getSubject());
- idToken.audience(realm.getName());
+ idToken.audience(client.getClientId());
idToken.issuedNow();
idToken.issuedFor(accessToken.getIssuedFor());
idToken.issuer(accessToken.getIssuer());
diff --git a/services/src/main/java/org/keycloak/services/managers/AuthenticationManager.java b/services/src/main/java/org/keycloak/services/managers/AuthenticationManager.java
index a8e4b6b..9dbfbea 100755
--- a/services/src/main/java/org/keycloak/services/managers/AuthenticationManager.java
+++ b/services/src/main/java/org/keycloak/services/managers/AuthenticationManager.java
@@ -107,7 +107,7 @@ public class AuthenticationManager {
token.id(KeycloakModelUtils.generateId());
token.issuedNow();
token.subject(user.getId());
- token.audience(realm.getName());
+ token.issuer(realm.getName());
if (session != null) {
token.setSessionState(session.getId());
}
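Review bot: After this change the token built here carries no `aud` claim at all: the removed line was the only `audience(...)` call in the hunk and the new line sets `issuer` instead. If this is the identity/session token that may be intended, since there is no single client to name, but a one-line comment would stop the next reader from treating it as an omission: `// no aud: this token is not bound to one client; the realm is carried in iss`. Any consumer that still selects the realm via `getAudience()` must now read `getIssuer()`, as the verifier and admin hunks in this commit do. The enclosing method begins before the hunk.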
diff --git a/services/src/main/java/org/keycloak/services/resources/admin/AdminRoot.java b/services/src/main/java/org/keycloak/services/resources/admin/AdminRoot.java
index 79f5f9e..8368fc3 100755
--- a/services/src/main/java/org/keycloak/services/resources/admin/AdminRoot.java
+++ b/services/src/main/java/org/keycloak/services/resources/admin/AdminRoot.java
@@ -140,7 +140,7 @@ public class AdminRoot {
} catch (IOException e) {
throw new UnauthorizedException("Bearer token format error");
}
- String realmName = token.getAudience();
+ String realmName = token.getIssuer();
RealmManager realmManager = new RealmManager(session);
RealmModel realm = realmManager.getRealmByName(realmName);
if (realm == null) {
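Review bot: `token.getIssuer()` is read from a bearer token that at this point has only been parsed (the catch above handles a format error, not a signature failure), so an unverified claim decides which realm is looked up and, presumably, whose key the token is later checked against; that is the usual pattern for multi-realm servers, but make sure the verification that follows uses exactly the realm resolved here and nothing derived from request parameters. Also guard the missing-claim case before the lookup so a token without `iss` fails with a clear reason rather than a null realm-name lookup: `if (realmName == null) throw new UnauthorizedException("Token issuer missing");`. The method continues past the end of the hunk.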