Skip to content
GitLab
Menu
Projects
Groups
Snippets
Loading...
Help
Help
Support
Community forum
Keyboard shortcuts
?
Submit feedback
Sign in
Toggle navigation
Menu
Open sidebar
GRANDGERARD Gilles
keycloak-protocol-cas
Commits
f75caf00
Commit
f75caf00
authored
Jul 26, 2017
by
Matthias Piepkorn
Browse files
adapt to changes in Keycloak 3.2 (fixes #6)
parent
8c9be26e
Changes
7
Hide whitespace changes
Inline
Side-by-side
.travis.yml
View file @
f75caf00
...
...
@@ -13,10 +13,10 @@ services:
-
docker
env
:
-
KEYCLOAK_VERSION=2.5.5.Final
-
KEYCLOAK_VERSION=3.0.0.Final
-
KEYCLOAK_VERSION=3.1.0.Final
#
- KEYCLOAK_VERSION=3.2.
0
.Final
#
- KEYCLOAK_VERSION=2.5.5.Final
#
- KEYCLOAK_VERSION=3.0.0.Final
#
- KEYCLOAK_VERSION=3.1.0.Final
-
KEYCLOAK_VERSION=3.2.
1
.Final
before_install
:
-
docker pull jboss/keycloak:$KEYCLOAK_VERSION
...
...
pom.xml
View file @
f75caf00
...
...
@@ -27,7 +27,7 @@
<description
/>
<properties>
<keycloak.version>
2.5.1
.Final
</keycloak.version>
<keycloak.version>
3.2.0
.Final
</keycloak.version>
<jboss.logging.version>
3.3.0.Final
</jboss.logging.version>
<jboss.logging.tools.version>
2.0.1.Final
</jboss.logging.tools.version>
<junit.version>
4.12
</junit.version>
...
...
src/main/java/org/keycloak/protocol/cas/CASLoginProtocol.java
View file @
f75caf00
...
...
@@ -11,6 +11,8 @@ import org.keycloak.protocol.LoginProtocol;
import
org.keycloak.protocol.cas.utils.LogoutHelper
;
import
org.keycloak.services.managers.ClientSessionCode
;
import
org.keycloak.services.managers.ResourceAdminManager
;
import
org.keycloak.sessions.AuthenticationSessionModel
;
import
org.keycloak.sessions.CommonClientSessionModel
;
import
javax.ws.rs.core.HttpHeaders
;
import
javax.ws.rs.core.Response
;
...
...
@@ -84,12 +86,12 @@ public class CASLoginProtocol implements LoginProtocol {
}
@Override
public
Response
authenticated
(
UserSessionModel
userSession
,
ClientSession
C
ode
accessCode
)
{
ClientSession
M
ode
l
c
lientSession
=
accessCode
.
get
ClientSession
(
);
public
Response
authenticated
(
UserSessionModel
userSession
,
Authenticated
ClientSession
M
ode
l
clientSession
)
{
ClientSession
C
ode
<
AuthenticatedC
lientSession
Model
>
accessCode
=
new
ClientSession
Code
<>(
session
,
realm
,
clientSession
);
String
service
=
clientSession
.
getRedirectUri
();
//TODO validate service
accessCode
.
setAction
(
ClientSessionModel
.
Action
.
CODE_TO_TOKEN
.
name
());
accessCode
.
setAction
(
Common
ClientSessionModel
.
Action
.
CODE_TO_TOKEN
.
name
());
KeycloakUriBuilder
uriBuilder
=
KeycloakUriBuilder
.
fromUri
(
service
);
uriBuilder
.
queryParam
(
TICKET_RESPONSE_PARAM
,
SERVICE_TICKET_PREFIX
+
accessCode
.
getCode
());
...
...
@@ -100,12 +102,12 @@ public class CASLoginProtocol implements LoginProtocol {
}
@Override
public
Response
sendError
(
Client
SessionModel
client
Session
,
Error
error
)
{
public
Response
sendError
(
Authentication
SessionModel
auth
Session
,
Error
error
)
{
return
Response
.
serverError
().
entity
(
error
).
build
();
}
@Override
public
void
backchannelLogout
(
UserSessionModel
userSession
,
ClientSessionModel
clientSession
)
{
public
void
backchannelLogout
(
UserSessionModel
userSession
,
Authenticated
ClientSessionModel
clientSession
)
{
String
logoutUrl
=
clientSession
.
getRedirectUri
();
String
serviceTicket
=
clientSession
.
getNote
(
CASLoginProtocol
.
SESSION_SERVICE_TICKET
);
//check if session is fully authenticated (i.e. serviceValidate has been called)
...
...
@@ -127,7 +129,7 @@ public class CASLoginProtocol implements LoginProtocol {
}
@Override
public
Response
frontchannelLogout
(
UserSessionModel
userSession
,
ClientSessionModel
clientSession
)
{
public
Response
frontchannelLogout
(
UserSessionModel
userSession
,
Authenticated
ClientSessionModel
clientSession
)
{
// todo oidc redirect support
throw
new
RuntimeException
(
"NOT IMPLEMENTED"
);
}
...
...
@@ -148,8 +150,8 @@ public class CASLoginProtocol implements LoginProtocol {
}
@Override
public
boolean
requireReauthentication
(
UserSessionModel
userSession
,
Client
SessionModel
client
Session
)
{
return
"true"
.
equals
(
client
Session
.
getNote
(
CASLoginProtocol
.
RENEW_PARAM
));
public
boolean
requireReauthentication
(
UserSessionModel
userSession
,
Authentication
SessionModel
auth
Session
)
{
return
"true"
.
equals
(
auth
Session
.
get
Client
Note
(
CASLoginProtocol
.
RENEW_PARAM
));
}
@Override
...
...
src/main/java/org/keycloak/protocol/cas/endpoints/AuthorizationEndpoint.java
View file @
f75caf00
...
...
@@ -6,7 +6,6 @@ import org.keycloak.events.Errors;
import
org.keycloak.events.EventBuilder
;
import
org.keycloak.events.EventType
;
import
org.keycloak.models.ClientModel
;
import
org.keycloak.models.ClientSessionModel
;
import
org.keycloak.models.RealmModel
;
import
org.keycloak.protocol.AuthorizationEndpointBase
;
import
org.keycloak.protocol.cas.CASLoginProtocol
;
...
...
@@ -14,6 +13,7 @@ import org.keycloak.protocol.oidc.utils.RedirectUtils;
import
org.keycloak.services.ErrorPageException
;
import
org.keycloak.services.messages.Messages
;
import
org.keycloak.services.util.CacheControlUtil
;
import
org.keycloak.sessions.AuthenticationSessionModel
;
import
javax.ws.rs.GET
;
import
javax.ws.rs.core.MultivaluedMap
;
...
...
@@ -23,7 +23,7 @@ public class AuthorizationEndpoint extends AuthorizationEndpointBase {
private
static
final
Logger
logger
=
Logger
.
getLogger
(
AuthorizationEndpoint
.
class
);
private
ClientModel
client
;
private
ClientSessionModel
client
Session
;
private
AuthenticationSessionModel
authentication
Session
;
private
String
redirectUri
;
public
AuthorizationEndpoint
(
RealmModel
realm
,
EventBuilder
event
)
{
...
...
@@ -42,30 +42,23 @@ public class AuthorizationEndpoint extends AuthorizationEndpointBase {
checkRealm
();
checkClient
(
service
);
createClientSession
();
AuthorizationEndpointChecks
checks
=
getOrCreateAuthenticationSession
(
client
,
null
);
if
(
checks
.
response
!=
null
)
{
return
checks
.
response
;
}
authenticationSession
=
checks
.
authSession
;
updateAuthenticationSession
();
// So back button doesn't work
CacheControlUtil
.
noBackButtonCacheControlHeader
();
if
(
renew
)
{
client
Session
.
setNote
(
CASLoginProtocol
.
RENEW_PARAM
,
"true"
);
authentication
Session
.
set
Client
Note
(
CASLoginProtocol
.
RENEW_PARAM
,
"true"
);
}
this
.
event
.
event
(
EventType
.
LOGIN
);
return
handleBrowserAuthenticationRequest
(
clientSession
,
new
CASLoginProtocol
(
session
,
realm
,
uriInfo
,
headers
,
event
),
gateway
,
false
);
}
private
void
checkSsl
()
{
if
(!
uriInfo
.
getBaseUri
().
getScheme
().
equals
(
"https"
)
&&
realm
.
getSslRequired
().
isRequired
(
clientConnection
))
{
event
.
error
(
Errors
.
SSL_REQUIRED
);
throw
new
ErrorPageException
(
session
,
Messages
.
HTTPS_REQUIRED
);
}
}
private
void
checkRealm
()
{
if
(!
realm
.
isEnabled
())
{
event
.
error
(
Errors
.
REALM_DISABLED
);
throw
new
ErrorPageException
(
session
,
Messages
.
REALM_NOT_ENABLED
);
}
return
handleBrowserAuthenticationRequest
(
authenticationSession
,
new
CASLoginProtocol
(
session
,
realm
,
uriInfo
,
headers
,
event
),
gateway
,
false
);
}
private
void
checkClient
(
String
service
)
{
...
...
@@ -96,10 +89,14 @@ public class AuthorizationEndpoint extends AuthorizationEndpointBase {
session
.
getContext
().
setClient
(
client
);
}
private
void
createClientSession
()
{
clientSession
=
session
.
sessions
().
createClientSession
(
realm
,
client
);
clientSession
.
setAuthMethod
(
CASLoginProtocol
.
LOGIN_PROTOCOL
);
clientSession
.
setRedirectUri
(
redirectUri
);
clientSession
.
setAction
(
ClientSessionModel
.
Action
.
AUTHENTICATE
.
name
());
private
void
updateAuthenticationSession
()
{
authenticationSession
.
setProtocol
(
CASLoginProtocol
.
LOGIN_PROTOCOL
);
authenticationSession
.
setRedirectUri
(
redirectUri
);
authenticationSession
.
setAction
(
AuthenticationSessionModel
.
Action
.
AUTHENTICATE
.
name
());
}
@Override
protected
boolean
isNewRequest
(
AuthenticationSessionModel
authSession
,
ClientModel
clientFromRequest
,
String
requestState
)
{
return
true
;
}
}
src/main/java/org/keycloak/protocol/cas/endpoints/ServiceValidateEndpoint.java
View file @
f75caf00
...
...
@@ -30,7 +30,7 @@ public class ServiceValidateEndpoint extends ValidateEndpoint {
protected
Response
successResponse
()
{
UserSessionModel
userSession
=
clientSession
.
getUserSession
();
Set
<
ProtocolMapperModel
>
mappings
=
new
ClientSessionCode
(
session
,
realm
,
clientSession
).
getRequestedProtocolMappers
();
Set
<
ProtocolMapperModel
>
mappings
=
new
ClientSessionCode
<>
(
session
,
realm
,
clientSession
).
getRequestedProtocolMappers
();
KeycloakSessionFactory
sessionFactory
=
session
.
getKeycloakSessionFactory
();
Map
<
String
,
Object
>
attributes
=
new
HashMap
<>();
for
(
ProtocolMapperModel
mapping
:
mappings
)
{
...
...
src/main/java/org/keycloak/protocol/cas/endpoints/ValidateEndpoint.java
View file @
f75caf00
...
...
@@ -43,7 +43,7 @@ public class ValidateEndpoint {
protected
RealmModel
realm
;
protected
EventBuilder
event
;
protected
ClientModel
client
;
protected
ClientSessionModel
clientSession
;
protected
Authenticated
ClientSessionModel
clientSession
;
public
ValidateEndpoint
(
RealmModel
realm
,
EventBuilder
event
)
{
this
.
realm
=
realm
;
...
...
@@ -131,23 +131,27 @@ public class ValidateEndpoint {
String
code
=
ticket
.
substring
(
CASLoginProtocol
.
SERVICE_TICKET_PREFIX
.
length
());
ClientSessionCode
.
ParseResult
parseResult
=
ClientSessionCode
.
parseResult
(
code
,
session
,
realm
);
if
(
parseResult
.
isClientSessionNotFound
()
||
parseResult
.
isIllegalHash
())
{
String
[]
parts
=
code
.
split
(
"\\."
);
if
(
parts
.
length
==
2
)
{
event
.
detail
(
Details
.
CODE_ID
,
parts
[
1
]);
}
String
[]
parts
=
code
.
split
(
"\\."
);
if
(
parts
.
length
==
4
)
{
event
.
detail
(
Details
.
CODE_ID
,
parts
[
2
]);
}
ClientSessionCode
.
ParseResult
<
AuthenticatedClientSessionModel
>
parseResult
=
ClientSessionCode
.
parseResult
(
code
,
session
,
realm
,
AuthenticatedClientSessionModel
.
class
);
if
(
parseResult
.
isAuthSessionNotFound
()
||
parseResult
.
isIllegalHash
())
{
event
.
error
(
Errors
.
INVALID_CODE
);
if
(
parseResult
.
getClientSession
()
!=
null
)
{
session
.
sessions
().
removeClientSession
(
realm
,
parseResult
.
getClientSession
());
// Attempt to use same code twice should invalidate existing clientSession
AuthenticatedClientSessionModel
clientSession
=
parseResult
.
getClientSession
();
if
(
clientSession
!=
null
)
{
clientSession
.
setUserSession
(
null
);
}
throw
new
CASValidationException
(
CASErrorCode
.
INVALID_TICKET
,
"Code not valid"
,
Response
.
Status
.
BAD_REQUEST
);
}
clientSession
=
parseResult
.
getClientSession
();
event
.
detail
(
Details
.
CODE_ID
,
clientSession
.
getId
());
if
(!
parseResult
.
getCode
().
isValid
(
ClientSessionModel
.
Action
.
CODE_TO_TOKEN
.
name
(),
ClientSessionCode
.
ActionType
.
CLIENT
))
{
if
(!
parseResult
.
getCode
().
isValid
(
Authenticated
ClientSessionModel
.
Action
.
CODE_TO_TOKEN
.
name
(),
ClientSessionCode
.
ActionType
.
CLIENT
))
{
event
.
error
(
Errors
.
INVALID_CODE
);
throw
new
CASValidationException
(
CASErrorCode
.
INVALID_TICKET
,
"Code is expired"
,
Response
.
Status
.
BAD_REQUEST
);
}
...
...
src/main/java/org/keycloak/protocol/cas/mappers/AbstractUserRoleMappingMapper.java
View file @
f75caf00
...
...
@@ -80,9 +80,9 @@ abstract class AbstractUserRoleMappingMapper extends AbstractCASProtocolMapper {
// get a set of all realm roles assigned to the user or its group
Stream
<
RoleModel
>
clientUserRoles
=
getAllUserRolesStream
(
user
).
filter
(
restriction
);
boolean
dontLimitScope
=
userSession
.
getClientSessions
().
stream
().
anyMatch
(
cs
->
cs
.
getClient
().
isFullScopeAllowed
());
boolean
dontLimitScope
=
userSession
.
get
Authenticated
ClientSessions
().
values
().
stream
().
anyMatch
(
cs
->
cs
.
getClient
().
isFullScopeAllowed
());
if
(!
dontLimitScope
)
{
Set
<
RoleModel
>
clientRoles
=
userSession
.
getClientSessions
().
stream
()
Set
<
RoleModel
>
clientRoles
=
userSession
.
get
Authenticated
ClientSessions
().
values
().
stream
()
.
flatMap
(
cs
->
cs
.
getClient
().
getScopeMappings
().
stream
())
.
collect
(
Collectors
.
toSet
());
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
.
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment