keycloak-aplcache
docbook/reference/en/en-US/modules/proxy.xml 189(+123 -66)
docbook/reference/en/en-US/modules/proxy.xml 189(+123 -66)
diff --git a/docbook/reference/en/en-US/modules/proxy.xml b/docbook/reference/en/en-US/modules/proxy.xml
index 3a17557..20febf0 100755
--- a/docbook/reference/en/en-US/modules/proxy.xml
+++ b/docbook/reference/en/en-US/modules/proxy.xml
@@ -182,106 +182,162 @@ $ java -jar bin/launcher.jar [your-config.json]
</section>
<section>
<title>Application Config</title>
- <para>
- Next under the <literal>applications</literal> array attribute, you can define one or more applications per host you are proxying.
- <variablelist>
- <varlistentry>
- <term>base-path</term>
- <listitem>
- <para>
- The base context root for the application. Must start with '/' <emphasis>REQUIRED.</emphasis>.
- </para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term>error-page</term>
- <listitem>
- <para>
- If the proxy has an error, it will display the target application's error page relative URL <emphasis>OPTIONAL.</emphasis>.
- This is a relative path to the base-path. In the example above it would be <literal>/customer-portal/error.html</literal>.
- </para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term>adapter-config</term>
- <listitem>
- <para>
- <emphasis>REQUIRED.</emphasis>. Same configuration as any other keycloak adapter. See <link linkend='adapter-config'>Adapter Config</link>
- </para>
- </listitem>
- </varlistentry>
- </variablelist>
- </para>
+ <para>
+ Next under the <literal>applications</literal> array attribute, you can define one or more applications per host you are proxying.
+ <variablelist>
+ <varlistentry>
+ <term>base-path</term>
+ <listitem>
+ <para>
+ The base context root for the application. Must start with '/' <emphasis>REQUIRED.</emphasis>.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>error-page</term>
+ <listitem>
+ <para>
+ If the proxy has an error, it will display the target application's error page relative URL <emphasis>OPTIONAL.</emphasis>.
+ This is a relative path to the base-path. In the example above it would be <literal>/customer-portal/error.html</literal>.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>adapter-config</term>
+ <listitem>
+ <para>
+ <emphasis>REQUIRED.</emphasis>. Same configuration as any other keycloak adapter. See <link linkend='adapter-config'>Adapter Config</link>
+ </para>
+ </listitem>
+ </varlistentry>
+ </variablelist>
+ </para>
<section>
<title>Constraint Config</title>
-
- <para>
- Next under each application you can define one or more constraints in the <literal>constraints</literal> array attribute.
- A constraint defines a URL pattern relative to the base-path. You can deny, permit, or require authentication for
- a specific URL pattern. You can specify roles allowed for that path as well. More specific constraints will take
- precedence over more general ones.
+ <para>
+ Next under each application you can define one or more constraints in the <literal>constraints</literal> array attribute.
+ A constraint defines a URL pattern relative to the base-path. You can deny, permit, or require authentication for
+ a specific URL pattern. You can specify roles allowed for that path as well. More specific constraints will take
+ precedence over more general ones.
+ <variablelist>
+ <varlistentry>
+ <term>pattern</term>
+ <listitem>
+ <para>
+ URL pattern to match relative to the base-path of the application. Must start with '/' <emphasis>REQUIRED.</emphasis>.
+ You may only have one wildcard and it must come at the end of the pattern. Valid <literal>/foo/bar/*</literal> and <literal>/foo/*.txt</literal>
+ Not valid: <literal>/*/foo/*</literal>.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>roles-allowed</term>
+ <listitem>
+ <para>
+ Array of strings of roles allowed to access this url pattern. <emphasis>OPTIONAL.</emphasis>.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>methods</term>
+ <listitem>
+ <para>
+ Array of strings of HTTP methods that will exclusively match this pattern and HTTP request. <emphasis>OPTIONAL.</emphasis>.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>excluded-methods</term>
+ <listitem>
+ <para>
+ Array of strings of HTTP methods that will be ignored when match this pattern. <emphasis>OPTIONAL.</emphasis>.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>deny</term>
+ <listitem>
+ <para>
+ Deny all access to this URL pattern. <emphasis>OPTIONAL.</emphasis>.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>permit</term>
+ <listitem>
+ <para>
+ Permit all access without requiring authentication or a role mapping. <emphasis>OPTIONAL.</emphasis>.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>permit-and-inject</term>
+ <listitem>
+ <para>
+ Permit all access, but inject the headers, if user is already authenticated.<emphasis>OPTIONAL.</emphasis>.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>authenticate</term>
+ <listitem>
+ <para>
+ Require authentication for this pattern, but no role mapping. <emphasis>OPTIONAL.</emphasis>.
+ </para>
+ </listitem>
+ </varlistentry>
+ </variablelist>
+ </para>
+ </section>
+ </section>
+ <section>
+ <title>Header Names Config</title>
+ <para>
+ Next under the list of applications you can override the defaults for the names of the header fields injected by the proxy (see Keycloak Identity Headers).
+ This mapping is optional.
<variablelist>
<varlistentry>
- <term>pattern</term>
+ <term>keycloak-subject</term>
<listitem>
<para>
- URL pattern to match relative to the base-path of the application. Must start with '/' <emphasis>REQUIRED.</emphasis>.
- You may only have one wildcard and it must come at the end of the pattern. Valid <literal>/foo/bar/*</literal> and <literal>/foo/*.txt</literal>
- Not valid: <literal>/*/foo/*</literal>.
+ e.g. MYAPP_USER_ID
</para>
</listitem>
</varlistentry>
<varlistentry>
- <term>roles-allowed</term>
+ <term>kkeycloak-username</term>
<listitem>
<para>
- Array of strings of roles allowed to access this url pattern. <emphasis>OPTIONAL.</emphasis>.
+ e.g. MYAPP_USER_NAME
</para>
</listitem>
</varlistentry>
<varlistentry>
- <term>methods</term>
+ <term>keycloak-email</term>
<listitem>
<para>
- Array of strings of HTTP methods that will exclusively match this pattern and HTTP request. <emphasis>OPTIONAL.</emphasis>.
+ e.g. MYAPP_USER_EMAIL
</para>
</listitem>
</varlistentry>
<varlistentry>
- <term>excluded-methods</term>
+ <term>keycloak-name</term>
<listitem>
<para>
- Array of strings of HTTP methods that will be ignored when match this pattern. <emphasis>OPTIONAL.</emphasis>.
+ e.g. MYAPP_USER_ID
</para>
</listitem>
</varlistentry>
<varlistentry>
- <term>deny</term>
+ <term>keycloak-access-token</term>
<listitem>
<para>
- Deny all access to this URL pattern. <emphasis>OPTIONAL.</emphasis>.
- </para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term>permit</term>
- <listitem>
- <para>
- Permit all access without requiring authentication or a role mapping. <emphasis>OPTIONAL.</emphasis>.
- </para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term>authenticate</term>
- <listitem>
- <para>
- Require authentication for this pattern, but no role mapping. <emphasis>OPTIONAL.</emphasis>.
+ e.g. MYAPP_ACCESS_TOKEN
</para>
</listitem>
</varlistentry>
</variablelist>
- </para>
- </section>
+ </para>
</section>
</section>
<section>
@@ -333,6 +389,7 @@ $ java -jar bin/launcher.jar [your-config.json]
</listitem>
</varlistentry>
</variablelist>
+ Header field names can be configured using a map of <term>header-names</term> in configuration file.
</para>
</section>
</chapter>
\ No newline at end of file
diff --git a/proxy/proxy-server/src/main/java/org/keycloak/proxy/ConstraintAuthorizationHandler.java b/proxy/proxy-server/src/main/java/org/keycloak/proxy/ConstraintAuthorizationHandler.java
index 5108149..0bc2346 100755
--- a/proxy/proxy-server/src/main/java/org/keycloak/proxy/ConstraintAuthorizationHandler.java
+++ b/proxy/proxy-server/src/main/java/org/keycloak/proxy/ConstraintAuthorizationHandler.java
@@ -45,7 +45,7 @@ public class ConstraintAuthorizationHandler implements HttpHandler {
}
if (match != null) {
- if(SecurityInfo.EmptyRoleSemantic.INJECT_IF_AUTHENTICATED.equals(match.getEmptyRoleSemantic())) {
+ if(SecurityInfo.EmptyRoleSemantic.PERMIT_AND_INJECT_IF_AUTHENTICATED.equals(match.getEmptyRoleSemantic())) {
authenticatedRequest(account, exchange);
return;
} else {
diff --git a/proxy/proxy-server/src/main/java/org/keycloak/proxy/ConstraintMatcherHandler.java b/proxy/proxy-server/src/main/java/org/keycloak/proxy/ConstraintMatcherHandler.java
index f1347bb..31a187c 100755
--- a/proxy/proxy-server/src/main/java/org/keycloak/proxy/ConstraintMatcherHandler.java
+++ b/proxy/proxy-server/src/main/java/org/keycloak/proxy/ConstraintMatcherHandler.java
@@ -49,7 +49,8 @@ public class ConstraintMatcherHandler implements HttpHandler {
return;
}
- if (match.getRequiredRoles().isEmpty() && match.getEmptyRoleSemantic() == SecurityInfo.EmptyRoleSemantic.INJECT_IF_AUTHENTICATED) {
+ if (match.getRequiredRoles().isEmpty()
+ && match.getEmptyRoleSemantic() == SecurityInfo.EmptyRoleSemantic.PERMIT_AND_INJECT_IF_AUTHENTICATED) {
boolean successfulAuthenticatedMethodFound = isSuccessfulAuthenticatedMethodFound(exchange);
diff --git a/proxy/proxy-server/src/main/java/org/keycloak/proxy/ProxyConfig.java b/proxy/proxy-server/src/main/java/org/keycloak/proxy/ProxyConfig.java
index e0cdbab..b211fde 100755
--- a/proxy/proxy-server/src/main/java/org/keycloak/proxy/ProxyConfig.java
+++ b/proxy/proxy-server/src/main/java/org/keycloak/proxy/ProxyConfig.java
@@ -219,8 +219,8 @@ public class ProxyConfig {
protected boolean permit;
@JsonProperty("authenticate")
protected boolean authenticate;
- @JsonProperty("inject-if-authenticated")
- protected boolean injectIfAuthenticated;
+ @JsonProperty("permit-and-inject")
+ protected boolean permitAndInject;
public String getPattern() {
return pattern;
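Review bot: Changing the key on the `@JsonProperty` line from `inject-if-authenticated` to `permit-and-inject` breaks every existing proxy configuration file that uses the old key, and the commit offers no migration path. Depending on how the mapper is configured (not visible here), the old key either aborts startup as an unknown property or is silently dropped, in which case the constraint ends up with whatever semantic applies when no flag is set — apparently the `DENY` default seen in SecurityInfo. A compatibility setter keeps old files working without touching the new field: `@Deprecated @JsonProperty("inject-if-authenticated") public void setInjectIfAuthenticated(boolean v) { this.permitAndInject = v; }`, and the rename should be called out in the release notes. The enclosing class continues outside the hunk.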
@@ -262,12 +262,12 @@ public class ProxyConfig {
this.authenticate = authenticate;
}
- public boolean isInjectIfAuthenticated() {
- return injectIfAuthenticated;
+ public boolean isPermitAndInject() {
+ return permitAndInject;
}
- public void setInjectIfAuthenticated(boolean injectIfAuthenticated) {
- this.injectIfAuthenticated = injectIfAuthenticated;
+ public void setPermitAndInject(boolean permitAndInject) {
+ this.permitAndInject = permitAndInject;
}
public Set<String> getMethods() {
diff --git a/proxy/proxy-server/src/main/java/org/keycloak/proxy/ProxyServerBuilder.java b/proxy/proxy-server/src/main/java/org/keycloak/proxy/ProxyServerBuilder.java
index 7e9eb2d..d689e59 100755
--- a/proxy/proxy-server/src/main/java/org/keycloak/proxy/ProxyServerBuilder.java
+++ b/proxy/proxy-server/src/main/java/org/keycloak/proxy/ProxyServerBuilder.java
@@ -175,7 +175,7 @@ public class ProxyServerBuilder {
}
public ConstraintBuilder injectIfAuthenticated() {
- semantic = SecurityInfo.EmptyRoleSemantic.INJECT_IF_AUTHENTICATED;
+ semantic = SecurityInfo.EmptyRoleSemantic.PERMIT_AND_INJECT_IF_AUTHENTICATED;
return this;
}
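Review bot: The builder method keeps the name `injectIfAuthenticated()` while the constant it now assigns is `PERMIT_AND_INJECT_IF_AUTHENTICATED` and the config key is `permit-and-inject`, so the three names for one semantic no longer line up; the second hunk of this file (`if (constraint.isPermitAndInject()) constraintBuilder.injectIfAuthenticated();`) reads as if two different features were involved. Renaming the method to `permitAndInject()` and keeping the old name as a deprecated delegate, `@Deprecated public ConstraintBuilder injectIfAuthenticated() { return permitAndInject(); }`, makes both call sites read consistently and keeps existing callers compiling. The enclosing class starts and ends outside the hunk.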
@@ -383,7 +383,7 @@ public class ProxyServerBuilder {
if (constraint.isDeny()) constraintBuilder.deny();
if (constraint.isPermit()) constraintBuilder.permit();
if (constraint.isAuthenticate()) constraintBuilder.authenticate();
- if (constraint.isInjectIfAuthenticated()) constraintBuilder.injectIfAuthenticated();
+ if (constraint.isPermitAndInject()) constraintBuilder.injectIfAuthenticated();
constraintBuilder.add();
}
}
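Review bot: The four flag checks are independent `if` statements, so a constraint that sets more than one of `deny`, `permit`, `authenticate` and `permit-and-inject` is accepted and the last builder call wins silently — each call appears to assign the same `semantic` field, as `injectIfAuthenticated()` does in the hunk above, so with the new line ordered last a `permit-and-inject` flag overrides an explicit `deny` on the same constraint. That misconfiguration fails open rather than loudly; I would count the flags that are set and reject the constraint with an `IllegalArgumentException` naming its pattern when more than one is set, before any builder call is made. The line being replaced had the same problem, but the rename is a good moment to fix it. The enclosing loop and method continue outside the hunk.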
diff --git a/proxy/proxy-server/src/main/java/org/keycloak/proxy/SecurityInfo.java b/proxy/proxy-server/src/main/java/org/keycloak/proxy/SecurityInfo.java
index a2eb420..f7f98af 100755
--- a/proxy/proxy-server/src/main/java/org/keycloak/proxy/SecurityInfo.java
+++ b/proxy/proxy-server/src/main/java/org/keycloak/proxy/SecurityInfo.java
@@ -51,7 +51,7 @@ public class SecurityInfo<T extends SecurityInfo> implements Cloneable {
/**
* Permit access in any case, but provide authorization info only if authorized.
*/
- INJECT_IF_AUTHENTICATED;
+ PERMIT_AND_INJECT_IF_AUTHENTICATED;
}
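Review bot: The Javadoc above the renamed constant still reads `provide authorization info only if authorized`, which now contradicts the name `PERMIT_AND_INJECT_IF_AUTHENTICATED`: the condition is authentication, not authorization, and what is provided is the identity headers the proxy injects. Suggest `* Permit access in any case, but inject the identity headers only if the request is authenticated.` The enclosing enum and class continue outside the hunk.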
private volatile EmptyRoleSemantic emptyRoleSemantic = EmptyRoleSemantic.DENY;