Example 1 with SamlSessionStore
use of org.keycloak.adapters.saml.SamlSessionStore in project keycloak by keycloak.
the class AbstractSamlAuthMech method registerNotifications.
protected void registerNotifications(final SecurityContext securityContext) {
final NotificationReceiver logoutReceiver = new NotificationReceiver() {
@Override
public void handleNotification(SecurityNotification notification) {
if (notification.getEventType() != SecurityNotification.EventType.LOGGED_OUT)
return;
HttpServerExchange exchange = notification.getExchange();
UndertowHttpFacade facade = createFacade(exchange);
SamlDeployment deployment = deploymentContext.resolveDeployment(facade);
SamlSessionStore sessionStore = getTokenStore(exchange, facade, deployment, securityContext);
sessionStore.logoutAccount();
}
};
securityContext.registerNotificationReceiver(logoutReceiver);
}
Also used :
HttpServerExchange(io.undertow.server.HttpServerExchange)
UndertowHttpFacade(org.keycloak.adapters.undertow.UndertowHttpFacade)
NotificationReceiver(io.undertow.security.api.NotificationReceiver)
SamlSessionStore(org.keycloak.adapters.saml.SamlSessionStore)
SamlDeployment(org.keycloak.adapters.saml.SamlDeployment)
SecurityNotification(io.undertow.security.api.SecurityNotification)
Example 2 with SamlSessionStore
use of org.keycloak.adapters.saml.SamlSessionStore in project keycloak by keycloak.
the class AbstractSamlAuthenticator method validateRequest.
@Override
public Authentication validateRequest(ServletRequest req, ServletResponse res, boolean mandatory) throws ServerAuthException {
if (log.isTraceEnabled()) {
log.trace("*** authenticate");
}
Request request = resolveRequest(req);
JettyHttpFacade facade = new JettyHttpFacade(request, (HttpServletResponse) res);
SamlDeployment deployment = deploymentContext.resolveDeployment(facade);
if (deployment == null || !deployment.isConfigured()) {
log.debug("*** deployment isn't configured return false");
return Authentication.UNAUTHENTICATED;
}
boolean isEndpoint = request.getRequestURI().substring(request.getContextPath().length()).endsWith("/saml");
if (!mandatory && !isEndpoint)
return new DeferredAuthentication(this);
JettySamlSessionStore tokenStore = getTokenStore(request, facade, deployment);
SamlAuthenticator authenticator = null;
if (isEndpoint) {
authenticator = new SamlAuthenticator(facade, deployment, tokenStore) {
@Override
protected void completeAuthentication(SamlSession account) {
}
@Override
protected SamlAuthenticationHandler createBrowserHandler(HttpFacade facade, SamlDeployment deployment, SamlSessionStore sessionStore) {
return new SamlEndpoint(facade, deployment, sessionStore);
}
};
} else {
authenticator = new SamlAuthenticator(facade, deployment, tokenStore) {
@Override
protected void completeAuthentication(SamlSession account) {
}
@Override
protected SamlAuthenticationHandler createBrowserHandler(HttpFacade facade, SamlDeployment deployment, SamlSessionStore sessionStore) {
return new BrowserHandler(facade, deployment, sessionStore);
}
};
}
AuthOutcome outcome = authenticator.authenticate();
if (outcome == AuthOutcome.AUTHENTICATED) {
if (facade.isEnded()) {
return Authentication.SEND_SUCCESS;
}
SamlSession samlSession = tokenStore.getAccount();
Authentication authentication = register(request, samlSession);
return authentication;
}
if (outcome == AuthOutcome.LOGGED_OUT) {
logoutCurrent(request);
if (deployment.getLogoutPage() != null) {
forwardToLogoutPage(request, (HttpServletResponse) res, deployment);
}
return Authentication.SEND_CONTINUE;
}
AuthChallenge challenge = authenticator.getChallenge();
if (challenge != null) {
challenge.challenge(facade);
}
return Authentication.SEND_CONTINUE;
}
Also used :
AuthChallenge(org.keycloak.adapters.spi.AuthChallenge)
SamlAuthenticator(org.keycloak.adapters.saml.SamlAuthenticator)
HttpFacade(org.keycloak.adapters.spi.HttpFacade)
JettyHttpFacade(org.keycloak.adapters.jetty.spi.JettyHttpFacade)
SamlSessionStore(org.keycloak.adapters.saml.SamlSessionStore)
BrowserHandler(org.keycloak.adapters.saml.profile.webbrowsersso.BrowserHandler)
SamlEndpoint(org.keycloak.adapters.saml.profile.webbrowsersso.SamlEndpoint)
Request(org.eclipse.jetty.server.Request)
ServletRequest(javax.servlet.ServletRequest)
JettyHttpFacade(org.keycloak.adapters.jetty.spi.JettyHttpFacade)
DeferredAuthentication(org.eclipse.jetty.security.authentication.DeferredAuthentication)
AuthOutcome(org.keycloak.adapters.spi.AuthOutcome)
SamlDeployment(org.keycloak.adapters.saml.SamlDeployment)
SamlSession(org.keycloak.adapters.saml.SamlSession)
SamlAuthenticationHandler(org.keycloak.adapters.saml.profile.SamlAuthenticationHandler)
DeferredAuthentication(org.eclipse.jetty.security.authentication.DeferredAuthentication)
UserAuthentication(org.eclipse.jetty.security.UserAuthentication)
Authentication(org.eclipse.jetty.server.Authentication)
Example 3 with SamlSessionStore
use of org.keycloak.adapters.saml.SamlSessionStore in project keycloak by keycloak.
the class SamlFilter method doFilter.
@Override
public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException, ServletException {
HttpServletRequest request = (HttpServletRequest) req;
HttpServletResponse response = (HttpServletResponse) res;
ServletHttpFacade facade = new ServletHttpFacade(request, response);
SamlDeployment deployment = deploymentContext.resolveDeployment(facade);
if (deployment == null || !deployment.isConfigured()) {
response.sendError(403);
log.fine("deployment not configured");
return;
}
FilterSamlSessionStore tokenStore = new FilterSamlSessionStore(request, facade, 100000, idMapper, deployment);
boolean isEndpoint = request.getRequestURI().substring(request.getContextPath().length()).endsWith("/saml");
SamlAuthenticator authenticator;
if (isEndpoint) {
authenticator = new SamlAuthenticator(facade, deployment, tokenStore) {
@Override
protected void completeAuthentication(SamlSession account) {
}
@Override
protected SamlAuthenticationHandler createBrowserHandler(HttpFacade facade, SamlDeployment deployment, SamlSessionStore sessionStore) {
return new SamlEndpoint(facade, deployment, sessionStore);
}
};
} else {
authenticator = new SamlAuthenticator(facade, deployment, tokenStore) {
@Override
protected void completeAuthentication(SamlSession account) {
}
@Override
protected SamlAuthenticationHandler createBrowserHandler(HttpFacade facade, SamlDeployment deployment, SamlSessionStore sessionStore) {
return new BrowserHandler(facade, deployment, sessionStore);
}
};
}
AuthOutcome outcome = authenticator.authenticate();
if (outcome == AuthOutcome.AUTHENTICATED) {
log.fine("AUTHENTICATED");
if (facade.isEnded()) {
return;
}
HttpServletRequestWrapper wrapper = tokenStore.getWrap();
chain.doFilter(wrapper, res);
return;
}
if (outcome == AuthOutcome.LOGGED_OUT) {
tokenStore.logoutAccount();
String logoutPage = deployment.getLogoutPage();
if (logoutPage != null) {
if (PROTOCOL_PATTERN.matcher(logoutPage).find()) {
response.sendRedirect(logoutPage);
log.log(Level.FINE, "Redirected to logout page {0}", logoutPage);
} else {
RequestDispatcher disp = req.getRequestDispatcher(logoutPage);
disp.forward(req, res);
}
return;
}
chain.doFilter(req, res);
return;
}
AuthChallenge challenge = authenticator.getChallenge();
if (challenge != null) {
log.fine("challenge");
challenge.challenge(facade);
return;
}
if (deployment.isIsPassive() && outcome == AuthOutcome.NOT_AUTHENTICATED) {
log.fine("PASSIVE_NOT_AUTHENTICATED");
if (facade.isEnded()) {
return;
}
chain.doFilter(req, res);
return;
}
if (!facade.isEnded()) {
response.sendError(403);
}
}
Also used :
AuthChallenge(org.keycloak.adapters.spi.AuthChallenge)
SamlAuthenticator(org.keycloak.adapters.saml.SamlAuthenticator)
ServletHttpFacade(org.keycloak.adapters.servlet.ServletHttpFacade)
HttpFacade(org.keycloak.adapters.spi.HttpFacade)
SamlSessionStore(org.keycloak.adapters.saml.SamlSessionStore)
BrowserHandler(org.keycloak.adapters.saml.profile.webbrowsersso.BrowserHandler)
SamlEndpoint(org.keycloak.adapters.saml.profile.webbrowsersso.SamlEndpoint)
HttpServletResponse(javax.servlet.http.HttpServletResponse)
AuthOutcome(org.keycloak.adapters.spi.AuthOutcome)
DefaultSamlDeployment(org.keycloak.adapters.saml.DefaultSamlDeployment)
SamlDeployment(org.keycloak.adapters.saml.SamlDeployment)
SamlSession(org.keycloak.adapters.saml.SamlSession)
RequestDispatcher(javax.servlet.RequestDispatcher)
HttpServletRequest(javax.servlet.http.HttpServletRequest)
SamlAuthenticationHandler(org.keycloak.adapters.saml.profile.SamlAuthenticationHandler)
ServletHttpFacade(org.keycloak.adapters.servlet.ServletHttpFacade)
HttpServletRequestWrapper(javax.servlet.http.HttpServletRequestWrapper)
Example 4 with SamlSessionStore
use of org.keycloak.adapters.saml.SamlSessionStore in project keycloak by keycloak.
the class SamlAuthenticatorValve method createSessionStore.
@Override
protected SamlSessionStore createSessionStore(Request request, HttpFacade facade, SamlDeployment resolvedDeployment) {
SamlSessionStore store;
store = new TomcatSamlSessionStore(userSessionManagement, createPrincipalFactory(), mapper, request, this, facade, resolvedDeployment);
return store;
}
Also used :
SamlSessionStore(org.keycloak.adapters.saml.SamlSessionStore)
Example 5 with SamlSessionStore
use of org.keycloak.adapters.saml.SamlSessionStore in project keycloak by keycloak.
the class AbstractSamlAuthMech method authenticate.
/**
* Call this inside your authenticate method.
*/
public AuthenticationMechanismOutcome authenticate(HttpServerExchange exchange, SecurityContext securityContext) {
UndertowHttpFacade facade = createFacade(exchange);
SamlDeployment deployment = deploymentContext.resolveDeployment(facade);
if (!deployment.isConfigured()) {
return AuthenticationMechanismOutcome.NOT_ATTEMPTED;
}
SamlSessionStore sessionStore = getTokenStore(exchange, facade, deployment, securityContext);
SamlAuthenticator authenticator = null;
if (exchange.getRequestPath().endsWith("/saml")) {
authenticator = new UndertowSamlEndpoint(facade, deploymentContext.resolveDeployment(facade), sessionStore);
} else {
authenticator = new UndertowSamlAuthenticator(securityContext, facade, deploymentContext.resolveDeployment(facade), sessionStore);
}
AuthOutcome outcome = authenticator.authenticate();
if (outcome == AuthOutcome.AUTHENTICATED) {
registerNotifications(securityContext);
return AuthenticationMechanismOutcome.AUTHENTICATED;
}
if (outcome == AuthOutcome.NOT_AUTHENTICATED) {
// See KEYCLOAK-2107, AbstractSamlAuthenticationHandler
return AuthenticationMechanismOutcome.NOT_ATTEMPTED;
}
if (outcome == AuthOutcome.LOGGED_OUT) {
securityContext.logout();
if (deployment.getLogoutPage() != null) {
redirectLogout(deployment, exchange);
}
return AuthenticationMechanismOutcome.NOT_ATTEMPTED;
}
AuthChallenge challenge = authenticator.getChallenge();
if (challenge != null) {
exchange.putAttachment(KEYCLOAK_CHALLENGE_ATTACHMENT_KEY, challenge);
if (authenticator instanceof UndertowSamlEndpoint) {
exchange.getSecurityContext().setAuthenticationRequired();
}
}
if (outcome == AuthOutcome.FAILED) {
return AuthenticationMechanismOutcome.NOT_AUTHENTICATED;
}
return AuthenticationMechanismOutcome.NOT_ATTEMPTED;
}
Also used :
UndertowHttpFacade(org.keycloak.adapters.undertow.UndertowHttpFacade)
AuthChallenge(org.keycloak.adapters.spi.AuthChallenge)
SamlAuthenticator(org.keycloak.adapters.saml.SamlAuthenticator)
SamlSessionStore(org.keycloak.adapters.saml.SamlSessionStore)
AuthOutcome(org.keycloak.adapters.spi.AuthOutcome)
SamlDeployment(org.keycloak.adapters.saml.SamlDeployment)
Aggregations
SamlSessionStore (org.keycloak.adapters.saml.SamlSessionStore)5
SamlDeployment (org.keycloak.adapters.saml.SamlDeployment)4
SamlAuthenticator (org.keycloak.adapters.saml.SamlAuthenticator)3
AuthChallenge (org.keycloak.adapters.spi.AuthChallenge)3
AuthOutcome (org.keycloak.adapters.spi.AuthOutcome)3
SamlSession (org.keycloak.adapters.saml.SamlSession)2
SamlAuthenticationHandler (org.keycloak.adapters.saml.profile.SamlAuthenticationHandler)2
BrowserHandler (org.keycloak.adapters.saml.profile.webbrowsersso.BrowserHandler)2
SamlEndpoint (org.keycloak.adapters.saml.profile.webbrowsersso.SamlEndpoint)2
HttpFacade (org.keycloak.adapters.spi.HttpFacade)2
UndertowHttpFacade (org.keycloak.adapters.undertow.UndertowHttpFacade)2
NotificationReceiver (io.undertow.security.api.NotificationReceiver)1
SecurityNotification (io.undertow.security.api.SecurityNotification)1
HttpServerExchange (io.undertow.server.HttpServerExchange)1
RequestDispatcher (javax.servlet.RequestDispatcher)1
ServletRequest (javax.servlet.ServletRequest)1
HttpServletRequest (javax.servlet.http.HttpServletRequest)1
HttpServletRequestWrapper (javax.servlet.http.HttpServletRequestWrapper)1
HttpServletResponse (javax.servlet.http.HttpServletResponse)1
UserAuthentication (org.eclipse.jetty.security.UserAuthentication)1
