
Example 1 with PreAuthActionsHandler

Use of org.keycloak.adapters.PreAuthActionsHandler in the project keycloak by keycloak.

Class AbstractKeycloakJettyAuthenticator, method validateRequest.

@Override
public Authentication validateRequest(ServletRequest req, ServletResponse res, boolean mandatory) throws ServerAuthException {
    // Jetty authenticator SPI entry point. Runs the Keycloak adapter pipeline for one
    // request: resolve the deployment, run pre-auth actions, defer if the resource is
    // not mandatory, then authenticate against the token store and register the
    // principal, issue a challenge, or tell Jetty to continue.
    if (log.isTraceEnabled()) {
        log.trace("*** authenticate");
    }
    final Request jettyRequest = resolveRequest(req);
    final OIDCJettyHttpFacade httpFacade = new OIDCJettyHttpFacade(jettyRequest, (HttpServletResponse) res);

    // No usable deployment: nothing can be authenticated, report UNAUTHENTICATED.
    final KeycloakDeployment resolved = deploymentContext.resolveDeployment(httpFacade);
    if (resolved == null || !resolved.isConfigured()) {
        log.debug("*** deployment isn't configured return false");
        return Authentication.UNAUTHENTICATED;
    }

    // Pre-auth actions may service the request completely; the response is then done.
    final PreAuthActionsHandler preAuth =
            new PreAuthActionsHandler(createSessionManagement(jettyRequest), deploymentContext, httpFacade);
    if (preAuth.handleRequest()) {
        return Authentication.SEND_SUCCESS;
    }

    // Non-mandatory resources are deferred so Jetty can authenticate lazily.
    if (!mandatory) {
        return new DeferredAuthentication(this);
    }

    final AdapterTokenStore store = getTokenStore(jettyRequest, httpFacade, resolved);
    nodesRegistrationManagement.tryRegister(resolved);
    store.checkCurrentToken();

    final JettyRequestAuthenticator requestAuthenticator =
            createRequestAuthenticator(jettyRequest, httpFacade, resolved, store);
    final AuthOutcome outcome = requestAuthenticator.authenticate();

    if (outcome != AuthOutcome.AUTHENTICATED) {
        // Not authenticated: emit the challenge if the authenticator produced one.
        final AuthChallenge challenge = requestAuthenticator.getChallenge();
        if (challenge != null) {
            challenge.challenge(httpFacade);
        }
        return Authentication.SEND_CONTINUE;
    }

    if (httpFacade.isEnded()) {
        // The authenticator already completed the response; nothing more to do.
        return Authentication.SEND_SUCCESS;
    }
    // Register the principal with Jetty before running the authenticated actions
    // (order preserved: registration happens even if the actions handle the request).
    final Authentication registered = register(jettyRequest, requestAuthenticator.principal);
    if (new AuthenticatedActionsHandler(resolved, httpFacade).handledRequest()) {
        return Authentication.SEND_SUCCESS;
    }
    return registered;
}

Example 2 with PreAuthActionsHandler

Use of org.keycloak.adapters.PreAuthActionsHandler in the project keycloak by keycloak.

Class KeycloakHttpServerAuthenticationMechanism, method preActions.

private boolean preActions(ElytronHttpFacade httpFacade, AdapterDeploymentContext deploymentContext) {
    // Runs the Keycloak pre-authentication actions for this request and reports
    // whether the handler serviced the request itself (true => caller stops).
    // NOTE(review): a fresh NodesRegistrationManagement is built on every call;
    // whether tryRegister re-registers per request depends on that class — confirm.
    new NodesRegistrationManagement().tryRegister(httpFacade.getDeployment());
    // The token store is expected to also implement UserSessionManagement; the
    // cast fails fast with ClassCastException if that assumption does not hold.
    final UserSessionManagement sessions = UserSessionManagement.class.cast(httpFacade.getTokenStore());
    return new PreAuthActionsHandler(sessions, deploymentContext, httpFacade).handleRequest();
}

Example 3 with PreAuthActionsHandler

Use of org.keycloak.adapters.PreAuthActionsHandler in the project keycloak by keycloak.

Class KeycloakOIDCFilter, method doFilter.

@Override
public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException, ServletException {
    // Servlet-filter entry point for the Keycloak OIDC flow: skip configured paths,
    // resolve the deployment, run pre-auth actions, then authenticate and either
    // continue the chain with the token store's request wrapper, challenge, or 403.
    log.fine("Keycloak OIDC Filter");
    final HttpServletRequest httpRequest = (HttpServletRequest) req;
    final HttpServletResponse httpResponse = (HttpServletResponse) res;

    if (shouldSkip(httpRequest)) {
        chain.doFilter(req, res);
        return;
    }

    final OIDCServletHttpFacade httpFacade = new OIDCServletHttpFacade(httpRequest, httpResponse);
    final KeycloakDeployment resolved = deploymentContext.resolveDeployment(httpFacade);
    if (resolved == null || !resolved.isConfigured()) {
        // Fail closed: without a usable deployment the request is refused.
        httpResponse.sendError(403);
        log.fine("deployment not configured");
        return;
    }

    final PreAuthActionsHandler preAuth =
            new PreAuthActionsHandler(new IdMapperUserSessionManagement(), deploymentContext, httpFacade);
    if (preAuth.handleRequest()) {
        return;
    }

    nodesRegistrationManagement.tryRegister(resolved);
    // 100000 and 8443 are hard-coded: presumably a store size limit and the
    // confidential (TLS) port — confirm against OIDCFilterSessionStore and
    // FilterRequestAuthenticator before relying on either.
    final OIDCFilterSessionStore store = new OIDCFilterSessionStore(httpRequest, httpFacade, 100000, resolved, idMapper);
    store.checkCurrentToken();
    final FilterRequestAuthenticator requestAuthenticator =
            new FilterRequestAuthenticator(resolved, store, httpFacade, httpRequest, 8443);

    if (requestAuthenticator.authenticate() == AuthOutcome.AUTHENTICATED) {
        log.fine("AUTHENTICATED");
        if (httpFacade.isEnded()) {
            return;
        }
        if (new AuthenticatedActionsHandler(resolved, httpFacade).handledRequest()) {
            return;
        }
        // Hand the wrapped request down the chain.
        final HttpServletRequestWrapper wrapped = store.buildWrapper();
        chain.doFilter(wrapped, res);
        return;
    }

    final AuthChallenge challenge = requestAuthenticator.getChallenge();
    if (challenge != null) {
        log.fine("challenge");
        challenge.challenge(httpFacade);
        return;
    }
    // Neither authenticated nor challengeable: refuse.
    httpResponse.sendError(403);
}

Example 4 with PreAuthActionsHandler

Use of org.keycloak.adapters.PreAuthActionsHandler in the project keycloak by keycloak.

Class UndertowKeycloakConsumer, method handleRequest.

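@Override
public void handleRequest(HttpServerExchange httpExchange) throws Exception {
    // Undertow handler entry point for the Keycloak OIDC flow: skip configured
    // paths, move off the IO thread, resolve the deployment, run pre-auth actions,
    // authenticate, then enforce the allowed roles before delegating to the next
    // handler. Any refusal path sets 403 (FORBIDDEN) on the exchange.
    if (shouldSkip(httpExchange.getRequestPath())) {
        super.handleRequest(httpExchange);
        return;
    }
    // Only non-blocking work is allowed on the IO thread; re-dispatch the rest
    // of the flow (token checks, authentication) to a worker thread.
    if (httpExchange.isInIoThread()) {
        httpExchange.dispatch(this);
        return;
    }
    OIDCUndertowHttpFacade facade = new OIDCUndertowHttpFacade(httpExchange);
    KeycloakDeployment deployment = deploymentContext.resolveDeployment(facade);
    if (deployment == null || !deployment.isConfigured()) {
        // Fail closed when there is no usable deployment.
        httpExchange.setStatusCode(StatusCodes.FORBIDDEN);
        LOG.fine("deployment not configured");
        return;
    }
    LOG.fine("executing PreAuthActionsHandler");
    SessionManagementBridge bridge = new SessionManagementBridge(userSessionManagement, sessionManager);
    PreAuthActionsHandler preAuth = new PreAuthActionsHandler(bridge, deploymentContext, facade);
    if (preAuth.handleRequest()) {
        // Pre-auth actions serviced the request themselves.
        return;
    }
    SecurityContext securityContext = httpExchange.getSecurityContext();
    if (securityContext == null) {
        securityContext = new SecurityContextImpl(httpExchange, IDENTITY_MANAGER);
    }
    AdapterTokenStore tokenStore = getTokenStore(httpExchange, facade, deployment, securityContext);
    tokenStore.checkCurrentToken();
    LOG.fine("executing AuthenticatedActionsHandler");
    RequestAuthenticator authenticator = new UndertowRequestAuthenticator(facade, deployment, confidentialPort, securityContext, httpExchange, tokenStore);
    AuthOutcome outcome = authenticator.authenticate();
    if (outcome == AuthOutcome.AUTHENTICATED) {
        LOG.fine("AUTHENTICATED");
        if (httpExchange.isResponseComplete()) {
            return;
        }
        AuthenticatedActionsHandler actions = new AuthenticatedActionsHandler(deployment, facade);
        if (actions.handledRequest()) {
            return;
        }
        final Account authenticatedAccount = securityContext.getAuthenticatedAccount();
        if (authenticatedAccount == null) {
            // Defensive: AUTHENTICATED without an account in the security context is
            // unexpected; refuse rather than fail on getRoles() below.
            httpExchange.setStatusCode(StatusCodes.FORBIDDEN);
            return;
        }
        if (authenticatedAccount instanceof KeycloakUndertowAccount) {
            final KeycloakUndertowAccount kua = (KeycloakUndertowAccount) authenticatedAccount;
            httpExchange.putAttachment(KEYCLOAK_PRINCIPAL_KEY, (KeycloakPrincipal) kua.getPrincipal());
        }
        Set<String> roles = authenticatedAccount.getRoles();
        if (roles == null) {
            // Typed empty set instead of the raw Collections.EMPTY_SET constant.
            roles = Collections.emptySet();
        }
        LOG.log(Level.FINE, "Allowed roles: {0}, current roles: {1}", new Object[] { allowedRoles, roles });
        if (isRoleAllowed(roles, httpExchange)) {
            super.handleRequest(httpExchange);
        } else {
            httpExchange.setStatusCode(StatusCodes.FORBIDDEN);
        }
        return;
    }
    AuthChallenge challenge = authenticator.getChallenge();
    if (challenge != null) {
        LOG.fine("challenge");
        challenge.challenge(facade);
        return;
    }
    // Neither authenticated nor challengeable: refuse.
    httpExchange.setStatusCode(StatusCodes.FORBIDDEN);
}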

Example 5 with PreAuthActionsHandler

Use of org.keycloak.adapters.PreAuthActionsHandler in the project keycloak by keycloak.

Class KeycloakPreAuthActionsFilter, method doFilter.

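@Override
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
    // Pre-authentication filter: lets the PreAuthActionsHandler service adapter
    // requests itself; every other request continues down the filter chain.
    HttpFacade facade = new SimpleHttpFacade((HttpServletRequest) request, (HttpServletResponse) response);
    KeycloakDeployment deployment = deploymentContext.resolveDeployment(facade);
    if (deployment == null) {
        // NOTE(review): an unresolved deployment returns without calling
        // chain.doFilter and without writing a response — confirm this is intended.
        return;
    }
    if (deployment.isConfigured()) {
        // Reuse the deployment resolved above rather than resolving it a second time.
        nodesRegistrationManagement.tryRegister(deployment);
    }
    PreAuthActionsHandler handler = preAuthActionsHandlerFactory.createPreAuthActionsHandler(facade);
    if (handler.handleRequest()) {
        log.debug("Pre-auth filter handled request: {}", ((HttpServletRequest) request).getRequestURI());
    } else {
        chain.doFilter(request, response);
    }
}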
