keycloak-aplcache
Changes
adapters/oidc/spring-security/src/main/java/org/keycloak/adapters/springsecurity/authentication/KeycloakAuthenticationProvider.java 2(+1 -1)
adapters/oidc/spring-security/src/main/java/org/keycloak/adapters/springsecurity/authentication/SpringSecurityRequestAuthenticator.java 2(+1 -1)
adapters/oidc/spring-security/src/main/java/org/keycloak/adapters/springsecurity/filter/KeycloakAuthenticationProcessingFilter.java 41(+8 -33)
adapters/oidc/spring-security/src/main/java/org/keycloak/adapters/springsecurity/filter/QueryParamPresenceRequestMatcher.java 39(+39 -0)
adapters/oidc/spring-security/src/main/java/org/keycloak/adapters/springsecurity/token/KeycloakAuthenticationToken.java 11(+9 -2)
adapters/oidc/spring-security/src/main/java/org/keycloak/adapters/springsecurity/token/SpringSecurityTokenStore.java 2(+1 -1)
adapters/oidc/spring-security/src/test/java/org/keycloak/adapters/springsecurity/authentication/KeycloakAuthenticationProviderTest.java 26(+18 -8)
adapters/oidc/spring-security/src/test/java/org/keycloak/adapters/springsecurity/facade/SimpleHttpFacadeTest.java 2(+1 -1)
Details
diff --git a/adapters/oidc/spring-security/src/main/java/org/keycloak/adapters/springsecurity/authentication/KeycloakAuthenticationProvider.java b/adapters/oidc/spring-security/src/main/java/org/keycloak/adapters/springsecurity/authentication/KeycloakAuthenticationProvider.java
index e256c04..1ac6515 100644
--- a/adapters/oidc/spring-security/src/main/java/org/keycloak/adapters/springsecurity/authentication/KeycloakAuthenticationProvider.java
+++ b/adapters/oidc/spring-security/src/main/java/org/keycloak/adapters/springsecurity/authentication/KeycloakAuthenticationProvider.java
@@ -50,7 +50,7 @@ public class KeycloakAuthenticationProvider implements AuthenticationProvider {
for (String role : token.getAccount().getRoles()) {
grantedAuthorities.add(new KeycloakRole(role));
}
- return new KeycloakAuthenticationToken(token.getAccount(), mapAuthorities(grantedAuthorities));
+ return new KeycloakAuthenticationToken(token.getAccount(), token.isInteractive(), mapAuthorities(grantedAuthorities));
}
private Collection<? extends GrantedAuthority> mapAuthorities(
diff --git a/adapters/oidc/spring-security/src/main/java/org/keycloak/adapters/springsecurity/authentication/SpringSecurityRequestAuthenticator.java b/adapters/oidc/spring-security/src/main/java/org/keycloak/adapters/springsecurity/authentication/SpringSecurityRequestAuthenticator.java
index 9dd989f..b6c8702 100755
--- a/adapters/oidc/spring-security/src/main/java/org/keycloak/adapters/springsecurity/authentication/SpringSecurityRequestAuthenticator.java
+++ b/adapters/oidc/spring-security/src/main/java/org/keycloak/adapters/springsecurity/authentication/SpringSecurityRequestAuthenticator.java
@@ -94,7 +94,7 @@ public class SpringSecurityRequestAuthenticator extends RequestAuthenticator {
logger.debug("Completing bearer authentication. Bearer roles: {} ",roles);
- SecurityContextHolder.getContext().setAuthentication(new KeycloakAuthenticationToken(account));
+ SecurityContextHolder.getContext().setAuthentication(new KeycloakAuthenticationToken(account, false));
request.setAttribute(KeycloakSecurityContext.class.getName(), securityContext);
}
diff --git a/adapters/oidc/spring-security/src/main/java/org/keycloak/adapters/springsecurity/filter/KeycloakAuthenticationProcessingFilter.java b/adapters/oidc/spring-security/src/main/java/org/keycloak/adapters/springsecurity/filter/KeycloakAuthenticationProcessingFilter.java
index 2e9ef40..2ffefdf 100644
--- a/adapters/oidc/spring-security/src/main/java/org/keycloak/adapters/springsecurity/filter/KeycloakAuthenticationProcessingFilter.java
+++ b/adapters/oidc/spring-security/src/main/java/org/keycloak/adapters/springsecurity/filter/KeycloakAuthenticationProcessingFilter.java
@@ -24,6 +24,7 @@ import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
+import org.keycloak.OAuth2Constants;
import org.keycloak.adapters.AdapterDeploymentContext;
import org.keycloak.adapters.AdapterTokenStore;
import org.keycloak.adapters.KeycloakDeployment;
@@ -36,6 +37,7 @@ import org.keycloak.adapters.springsecurity.authentication.KeycloakAuthenticatio
import org.keycloak.adapters.springsecurity.authentication.SpringSecurityRequestAuthenticator;
import org.keycloak.adapters.springsecurity.facade.SimpleHttpFacade;
import org.keycloak.adapters.springsecurity.token.AdapterTokenStoreFactory;
+import org.keycloak.adapters.springsecurity.token.KeycloakAuthenticationToken;
import org.keycloak.adapters.springsecurity.token.SpringSecurityAdapterTokenStoreFactory;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
@@ -61,19 +63,19 @@ import org.springframework.util.Assert;
* @version $Revision: 1 $
*/
public class KeycloakAuthenticationProcessingFilter extends AbstractAuthenticationProcessingFilter implements ApplicationContextAware {
-
public static final String DEFAULT_LOGIN_URL = "/sso/login";
public static final String AUTHORIZATION_HEADER = "Authorization";
- public static final String SCHEME_BEARER = "bearer ";
- public static final String SCHEME_BASIC = "basic ";
-
/**
* Request matcher that matches requests to the {@link KeycloakAuthenticationEntryPoint#DEFAULT_LOGIN_URI default login URI}
* and any request with a <code>Authorization</code> header.
*/
public static final RequestMatcher DEFAULT_REQUEST_MATCHER =
- new OrRequestMatcher(new AntPathRequestMatcher(DEFAULT_LOGIN_URL), new RequestHeaderRequestMatcher(AUTHORIZATION_HEADER));
+ new OrRequestMatcher(
+ new AntPathRequestMatcher(DEFAULT_LOGIN_URL),
+ new RequestHeaderRequestMatcher(AUTHORIZATION_HEADER),
+ new QueryParamPresenceRequestMatcher(OAuth2Constants.ACCESS_TOKEN)
+ );
private static final Logger log = LoggerFactory.getLogger(KeycloakAuthenticationProcessingFilter.class);
@@ -181,36 +183,10 @@ public class KeycloakAuthenticationProcessingFilter extends AbstractAuthenticati
}
}
- /**
- * Returns true if the request was made with a bearer token authorization header.
- *
- * @param request the current <code>HttpServletRequest</code>
- *
- * @return <code>true</code> if the <code>request</code> was made with a bearer token authorization header;
- * <code>false</code> otherwise.
- */
- protected boolean isBearerTokenRequest(HttpServletRequest request) {
- String authValue = request.getHeader(AUTHORIZATION_HEADER);
- return authValue != null && authValue.toLowerCase().startsWith(SCHEME_BEARER);
- }
-
- /**
- * Returns true if the request was made with a Basic authentication authorization header.
- *
- * @param request the current <code>HttpServletRequest</code>
- * @return <code>true</code> if the <code>request</code> was made with a Basic authentication authorization header;
- * <code>false</code> otherwise.
- */
- protected boolean isBasicAuthRequest(HttpServletRequest request) {
- String authValue = request.getHeader(AUTHORIZATION_HEADER);
- return authValue != null && authValue.toLowerCase().startsWith(SCHEME_BASIC);
- }
-
@Override
protected void successfulAuthentication(HttpServletRequest request, HttpServletResponse response, FilterChain chain,
Authentication authResult) throws IOException, ServletException {
-
- if (!(this.isBearerTokenRequest(request) || this.isBasicAuthRequest(request))) {
+ if (authResult instanceof KeycloakAuthenticationToken && ((KeycloakAuthenticationToken) authResult).isInteractive()) {
super.successfulAuthentication(request, response, chain, authResult);
return;
}
@@ -231,7 +207,6 @@ public class KeycloakAuthenticationProcessingFilter extends AbstractAuthenticati
} finally {
SecurityContextHolder.clearContext();
}
-
}
@Override
diff --git a/adapters/oidc/spring-security/src/main/java/org/keycloak/adapters/springsecurity/filter/QueryParamPresenceRequestMatcher.java b/adapters/oidc/spring-security/src/main/java/org/keycloak/adapters/springsecurity/filter/QueryParamPresenceRequestMatcher.java
new file mode 100644
index 0000000..7616463
--- /dev/null
+++ b/adapters/oidc/spring-security/src/main/java/org/keycloak/adapters/springsecurity/filter/QueryParamPresenceRequestMatcher.java
@@ -0,0 +1,39 @@
+/*
+ * Copyright 2017 Red Hat, Inc. and/or its affiliates
+ * and other contributors as indicated by the @author tags.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.adapters.springsecurity.filter;
+
+import javax.servlet.http.HttpServletRequest;
+
+import org.springframework.security.web.util.matcher.RequestMatcher;
+
+/**
+ * Spring RequestMatcher that checks for the presence of a query parameter.
+ *
+ * @author <a href="mailto:glavoie@gmail.com">Gabriel Lavoie</a>
+ */
+public class QueryParamPresenceRequestMatcher implements RequestMatcher {
+ private String param;
+
+ public QueryParamPresenceRequestMatcher(String param) {
+ this.param = param;
+ }
+
+ @Override
+ public boolean matches(HttpServletRequest httpServletRequest) {
+ return param != null && httpServletRequest.getParameter(param) != null;
+ }
+}
diff --git a/adapters/oidc/spring-security/src/main/java/org/keycloak/adapters/springsecurity/token/KeycloakAuthenticationToken.java b/adapters/oidc/spring-security/src/main/java/org/keycloak/adapters/springsecurity/token/KeycloakAuthenticationToken.java
index 95db510..fad2782 100755
--- a/adapters/oidc/spring-security/src/main/java/org/keycloak/adapters/springsecurity/token/KeycloakAuthenticationToken.java
+++ b/adapters/oidc/spring-security/src/main/java/org/keycloak/adapters/springsecurity/token/KeycloakAuthenticationToken.java
@@ -38,24 +38,27 @@ import java.util.Collection;
public class KeycloakAuthenticationToken extends AbstractAuthenticationToken implements Authentication {
private Principal principal;
+ private boolean interactive;
/**
* Creates a new, unauthenticated Keycloak security token for the given account.
*/
- public KeycloakAuthenticationToken(KeycloakAccount account) {
+ public KeycloakAuthenticationToken(KeycloakAccount account, boolean interactive) {
super(null);
Assert.notNull(account, "KeycloakAccount cannot be null");
Assert.notNull(account.getPrincipal(), "KeycloakAccount.getPrincipal() cannot be null");
this.principal = account.getPrincipal();
this.setDetails(account);
+ this.interactive = interactive;
}
- public KeycloakAuthenticationToken(KeycloakAccount account, Collection<? extends GrantedAuthority> authorities) {
+ public KeycloakAuthenticationToken(KeycloakAccount account, boolean interactive, Collection<? extends GrantedAuthority> authorities) {
super(authorities);
Assert.notNull(account, "KeycloakAccount cannot be null");
Assert.notNull(account.getPrincipal(), "KeycloakAccount.getPrincipal() cannot be null");
this.principal = account.getPrincipal();
this.setDetails(account);
+ this.interactive = interactive;
setAuthenticated(true);
}
@@ -72,4 +75,8 @@ public class KeycloakAuthenticationToken extends AbstractAuthenticationToken imp
public OidcKeycloakAccount getAccount() {
return (OidcKeycloakAccount) this.getDetails();
}
+
+ public boolean isInteractive() {
+ return interactive;
+ }
}
diff --git a/adapters/oidc/spring-security/src/main/java/org/keycloak/adapters/springsecurity/token/SpringSecurityTokenStore.java b/adapters/oidc/spring-security/src/main/java/org/keycloak/adapters/springsecurity/token/SpringSecurityTokenStore.java
index d05a730..ea2a1f6 100755
--- a/adapters/oidc/spring-security/src/main/java/org/keycloak/adapters/springsecurity/token/SpringSecurityTokenStore.java
+++ b/adapters/oidc/spring-security/src/main/java/org/keycloak/adapters/springsecurity/token/SpringSecurityTokenStore.java
@@ -105,7 +105,7 @@ public class SpringSecurityTokenStore implements AdapterTokenStore {
}
logger.debug("Saving account info {}", account);
- SecurityContextHolder.getContext().setAuthentication(new KeycloakAuthenticationToken(account));
+ SecurityContextHolder.getContext().setAuthentication(new KeycloakAuthenticationToken(account, true));
}
@Override
diff --git a/adapters/oidc/spring-security/src/test/java/org/keycloak/adapters/springsecurity/authentication/KeycloakAuthenticationProviderTest.java b/adapters/oidc/spring-security/src/test/java/org/keycloak/adapters/springsecurity/authentication/KeycloakAuthenticationProviderTest.java
index 06757bb..9515b4b 100644
--- a/adapters/oidc/spring-security/src/test/java/org/keycloak/adapters/springsecurity/authentication/KeycloakAuthenticationProviderTest.java
+++ b/adapters/oidc/spring-security/src/test/java/org/keycloak/adapters/springsecurity/authentication/KeycloakAuthenticationProviderTest.java
@@ -44,6 +44,7 @@ import static org.mockito.Mockito.mock;
public class KeycloakAuthenticationProviderTest {
private KeycloakAuthenticationProvider provider = new KeycloakAuthenticationProvider();
private KeycloakAuthenticationToken token;
+ private KeycloakAuthenticationToken interactiveToken;
private Set<String> roles = Sets.newSet("user", "admin");
@Before
@@ -52,18 +53,18 @@ public class KeycloakAuthenticationProviderTest {
RefreshableKeycloakSecurityContext securityContext = mock(RefreshableKeycloakSecurityContext.class);
KeycloakAccount account = new SimpleKeycloakAccount(principal, roles, securityContext);
- token = new KeycloakAuthenticationToken(account);
+ token = new KeycloakAuthenticationToken(account, false);
+ interactiveToken = new KeycloakAuthenticationToken(account, true);
}
@Test
public void testAuthenticate() throws Exception {
- Authentication result = provider.authenticate(token);
- assertNotNull(result);
- assertEquals(roles, AuthorityUtils.authorityListToSet(result.getAuthorities()));
- assertTrue(result.isAuthenticated());
- assertNotNull(result.getPrincipal());
- assertNotNull(result.getCredentials());
- assertNotNull(result.getDetails());
+ assertAuthenticationResult(provider.authenticate(token));
+ }
+
+ @Test
+ public void testAuthenticateInteractive() throws Exception {
+ assertAuthenticationResult(provider.authenticate(interactiveToken));
}
@Test
@@ -83,4 +84,13 @@ public class KeycloakAuthenticationProviderTest {
assertEquals(Sets.newSet("ROLE_USER", "ROLE_ADMIN"),
AuthorityUtils.authorityListToSet(result.getAuthorities()));
}
+
+ private void assertAuthenticationResult(Authentication result) {
+ assertNotNull(result);
+ assertEquals(roles, AuthorityUtils.authorityListToSet(result.getAuthorities()));
+ assertTrue(result.isAuthenticated());
+ assertNotNull(result.getPrincipal());
+ assertNotNull(result.getCredentials());
+ assertNotNull(result.getDetails());
+ }
}
diff --git a/adapters/oidc/spring-security/src/test/java/org/keycloak/adapters/springsecurity/facade/SimpleHttpFacadeTest.java b/adapters/oidc/spring-security/src/test/java/org/keycloak/adapters/springsecurity/facade/SimpleHttpFacadeTest.java
index 28c6ce8..451fdc8 100644
--- a/adapters/oidc/spring-security/src/test/java/org/keycloak/adapters/springsecurity/facade/SimpleHttpFacadeTest.java
+++ b/adapters/oidc/spring-security/src/test/java/org/keycloak/adapters/springsecurity/facade/SimpleHttpFacadeTest.java
@@ -28,7 +28,7 @@ public class SimpleHttpFacadeTest {
Principal principal = mock(Principal.class);
RefreshableKeycloakSecurityContext keycloakSecurityContext = mock(RefreshableKeycloakSecurityContext.class);
KeycloakAccount account = new SimpleKeycloakAccount(principal, roles, keycloakSecurityContext);
- KeycloakAuthenticationToken token = new KeycloakAuthenticationToken(account);
+ KeycloakAuthenticationToken token = new KeycloakAuthenticationToken(account, false);
springSecurityContext.setAuthentication(token);
}
diff --git a/adapters/oidc/spring-security/src/test/java/org/keycloak/adapters/springsecurity/filter/KeycloakAuthenticationProcessingFilterTest.java b/adapters/oidc/spring-security/src/test/java/org/keycloak/adapters/springsecurity/filter/KeycloakAuthenticationProcessingFilterTest.java
index a6a378a..b845219 100755
--- a/adapters/oidc/spring-security/src/test/java/org/keycloak/adapters/springsecurity/filter/KeycloakAuthenticationProcessingFilterTest.java
+++ b/adapters/oidc/spring-security/src/test/java/org/keycloak/adapters/springsecurity/filter/KeycloakAuthenticationProcessingFilterTest.java
@@ -53,7 +53,6 @@ import java.util.UUID;
import static org.junit.Assert.assertFalse;
import static org.junit.Assert.assertTrue;
import static org.mockito.Mockito.any;
-import static org.mockito.Mockito.anyString;
import static org.mockito.Mockito.eq;
import static org.mockito.Mockito.never;
import static org.mockito.Mockito.spy;
@@ -125,34 +124,6 @@ public class KeycloakAuthenticationProcessingFilterTest {
}
@Test
- public void testIsBearerTokenRequest() throws Exception {
- assertFalse(filter.isBearerTokenRequest(request));
- this.setBearerAuthHeader(request);
- assertTrue(filter.isBearerTokenRequest(request));
- }
-
- @Test
- public void testIsBearerTokenRequestCaseInsensitive() throws Exception {
- assertFalse(filter.isBearerTokenRequest(request));
- this.setAuthorizationHeader(request, "bearer");
- assertTrue(filter.isBearerTokenRequest(request));
- }
-
- @Test
- public void testIsBasicAuthRequest() throws Exception {
- assertFalse(filter.isBasicAuthRequest(request));
- this.setBasicAuthHeader(request);
- assertTrue(filter.isBasicAuthRequest(request));
- }
-
- @Test
- public void testIsBasicAuthRequestCaseInsensitive() throws Exception {
- assertFalse(filter.isBasicAuthRequest(request));
- this.setAuthorizationHeader(request, "basic");
- assertTrue(filter.isBasicAuthRequest(request));
- }
-
- @Test
public void testAttemptAuthenticationExpectRedirect() throws Exception {
when(keycloakDeployment.getAuthUrl()).thenReturn(KeycloakUriBuilder.fromUri("http://localhost:8080/auth"));
when(keycloakDeployment.getResourceName()).thenReturn("resource-name");
@@ -180,7 +151,7 @@ public class KeycloakAuthenticationProcessingFilterTest {
@Test
public void testSuccessfulAuthenticationInteractive() throws Exception {
- Authentication authentication = new KeycloakAuthenticationToken(keycloakAccount, authorities);
+ Authentication authentication = new KeycloakAuthenticationToken(keycloakAccount, true, authorities);
filter.successfulAuthentication(request, response, chain, authentication);
verify(successHandler).onAuthenticationSuccess(eq(request), eq(response), eq(authentication));
@@ -189,7 +160,7 @@ public class KeycloakAuthenticationProcessingFilterTest {
@Test
public void testSuccessfulAuthenticationBearer() throws Exception {
- Authentication authentication = new KeycloakAuthenticationToken(keycloakAccount, authorities);
+ Authentication authentication = new KeycloakAuthenticationToken(keycloakAccount, false, authorities);
this.setBearerAuthHeader(request);
filter.successfulAuthentication(request, response, chain, authentication);
@@ -200,7 +171,7 @@ public class KeycloakAuthenticationProcessingFilterTest {
@Test
public void testSuccessfulAuthenticationBasicAuth() throws Exception {
- Authentication authentication = new KeycloakAuthenticationToken(keycloakAccount, authorities);
+ Authentication authentication = new KeycloakAuthenticationToken(keycloakAccount, false, authorities);
this.setBasicAuthHeader(request);
filter.successfulAuthentication(request, response, chain, authentication);
diff --git a/adapters/oidc/spring-security/src/test/java/org/keycloak/adapters/springsecurity/filter/QueryParamPresenceRequestMatcherTest.java b/adapters/oidc/spring-security/src/test/java/org/keycloak/adapters/springsecurity/filter/QueryParamPresenceRequestMatcherTest.java
new file mode 100644
index 0000000..0e02856
--- /dev/null
+++ b/adapters/oidc/spring-security/src/test/java/org/keycloak/adapters/springsecurity/filter/QueryParamPresenceRequestMatcherTest.java
@@ -0,0 +1,68 @@
+/*
+ * Copyright 2017 Red Hat, Inc. and/or its affiliates
+ * and other contributors as indicated by the @author tags.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.adapters.springsecurity.filter;
+
+import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.assertTrue;
+
+import java.util.Collections;
+import java.util.Map;
+
+import org.junit.Before;
+import org.junit.Test;
+import org.springframework.http.HttpMethod;
+import org.springframework.mock.web.MockHttpServletRequest;
+
+public class QueryParamPresenceRequestMatcherTest {
+ private static final String ROOT_CONTEXT_PATH = "";
+
+ private static final String VALID_PARAMETER = "access_token";
+
+ private QueryParamPresenceRequestMatcher matcher = new QueryParamPresenceRequestMatcher(VALID_PARAMETER);
+
+ private MockHttpServletRequest request;
+
+ @Before
+ public void setUp() throws Exception {
+ request = new MockHttpServletRequest();
+ }
+
+ @Test
+ public void testDoesNotMatchWithoutQueryParameter() throws Exception {
+ prepareRequest(HttpMethod.GET, ROOT_CONTEXT_PATH, "some/random/uri", Collections.EMPTY_MAP);
+ assertFalse(matcher.matches(request));
+ }
+
+ @Test
+ public void testMatchesWithValidParameter() throws Exception {
+ prepareRequest(HttpMethod.GET, ROOT_CONTEXT_PATH, "some/random/uri", Collections.singletonMap(VALID_PARAMETER, (Object) "123"));
+ assertTrue(matcher.matches(request));
+ }
+
+ @Test
+ public void testDoesNotMatchWithInvalidParameter() throws Exception {
+ prepareRequest(HttpMethod.GET, ROOT_CONTEXT_PATH, "some/random/uri", Collections.singletonMap("some_parameter", (Object) "123"));
+ assertFalse(matcher.matches(request));
+ }
+
+ private void prepareRequest(HttpMethod method, String contextPath, String uri, Map<String, Object> params) {
+ request.setMethod(method.name());
+ request.setContextPath(contextPath);
+ request.setRequestURI(contextPath + "/" + uri);
+ request.setParameters(params);
+ }
+}