Search in sources :

Example 1 with SamlSessionStore

use of org.keycloak.adapters.saml.SamlSessionStore in project keycloak by keycloak.

the class AbstractSamlAuthMech method registerNotifications.

protected void registerNotifications(final SecurityContext securityContext) {
    final NotificationReceiver logoutReceiver = new NotificationReceiver() {

        @Override
        public void handleNotification(SecurityNotification notification) {
            if (notification.getEventType() != SecurityNotification.EventType.LOGGED_OUT)
                return;
            HttpServerExchange exchange = notification.getExchange();
            UndertowHttpFacade facade = createFacade(exchange);
            SamlDeployment deployment = deploymentContext.resolveDeployment(facade);
            SamlSessionStore sessionStore = getTokenStore(exchange, facade, deployment, securityContext);
            sessionStore.logoutAccount();
        }
    };
    securityContext.registerNotificationReceiver(logoutReceiver);
}
Also used : HttpServerExchange(io.undertow.server.HttpServerExchange) UndertowHttpFacade(org.keycloak.adapters.undertow.UndertowHttpFacade) NotificationReceiver(io.undertow.security.api.NotificationReceiver) SamlSessionStore(org.keycloak.adapters.saml.SamlSessionStore) SamlDeployment(org.keycloak.adapters.saml.SamlDeployment) SecurityNotification(io.undertow.security.api.SecurityNotification)

Example 2 with SamlSessionStore

use of org.keycloak.adapters.saml.SamlSessionStore in project keycloak by keycloak.

the class AbstractSamlAuthenticator method validateRequest.

@Override
public Authentication validateRequest(ServletRequest req, ServletResponse res, boolean mandatory) throws ServerAuthException {
    if (log.isTraceEnabled()) {
        log.trace("*** authenticate");
    }
    Request request = resolveRequest(req);
    JettyHttpFacade facade = new JettyHttpFacade(request, (HttpServletResponse) res);
    SamlDeployment deployment = deploymentContext.resolveDeployment(facade);
    if (deployment == null || !deployment.isConfigured()) {
        log.debug("*** deployment isn't configured return false");
        return Authentication.UNAUTHENTICATED;
    }
    boolean isEndpoint = request.getRequestURI().substring(request.getContextPath().length()).endsWith("/saml");
    if (!mandatory && !isEndpoint)
        return new DeferredAuthentication(this);
    JettySamlSessionStore tokenStore = getTokenStore(request, facade, deployment);
    SamlAuthenticator authenticator = null;
    if (isEndpoint) {
        authenticator = new SamlAuthenticator(facade, deployment, tokenStore) {

            @Override
            protected void completeAuthentication(SamlSession account) {
            }

            @Override
            protected SamlAuthenticationHandler createBrowserHandler(HttpFacade facade, SamlDeployment deployment, SamlSessionStore sessionStore) {
                return new SamlEndpoint(facade, deployment, sessionStore);
            }
        };
    } else {
        authenticator = new SamlAuthenticator(facade, deployment, tokenStore) {

            @Override
            protected void completeAuthentication(SamlSession account) {
            }

            @Override
            protected SamlAuthenticationHandler createBrowserHandler(HttpFacade facade, SamlDeployment deployment, SamlSessionStore sessionStore) {
                return new BrowserHandler(facade, deployment, sessionStore);
            }
        };
    }
    AuthOutcome outcome = authenticator.authenticate();
    if (outcome == AuthOutcome.AUTHENTICATED) {
        if (facade.isEnded()) {
            return Authentication.SEND_SUCCESS;
        }
        SamlSession samlSession = tokenStore.getAccount();
        Authentication authentication = register(request, samlSession);
        return authentication;
    }
    if (outcome == AuthOutcome.LOGGED_OUT) {
        logoutCurrent(request);
        if (deployment.getLogoutPage() != null) {
            forwardToLogoutPage(request, (HttpServletResponse) res, deployment);
        }
        return Authentication.SEND_CONTINUE;
    }
    AuthChallenge challenge = authenticator.getChallenge();
    if (challenge != null) {
        challenge.challenge(facade);
    }
    return Authentication.SEND_CONTINUE;
}
Also used : AuthChallenge(org.keycloak.adapters.spi.AuthChallenge) SamlAuthenticator(org.keycloak.adapters.saml.SamlAuthenticator) HttpFacade(org.keycloak.adapters.spi.HttpFacade) JettyHttpFacade(org.keycloak.adapters.jetty.spi.JettyHttpFacade) SamlSessionStore(org.keycloak.adapters.saml.SamlSessionStore) BrowserHandler(org.keycloak.adapters.saml.profile.webbrowsersso.BrowserHandler) SamlEndpoint(org.keycloak.adapters.saml.profile.webbrowsersso.SamlEndpoint) Request(org.eclipse.jetty.server.Request) ServletRequest(javax.servlet.ServletRequest) JettyHttpFacade(org.keycloak.adapters.jetty.spi.JettyHttpFacade) DeferredAuthentication(org.eclipse.jetty.security.authentication.DeferredAuthentication) AuthOutcome(org.keycloak.adapters.spi.AuthOutcome) SamlDeployment(org.keycloak.adapters.saml.SamlDeployment) SamlSession(org.keycloak.adapters.saml.SamlSession) SamlAuthenticationHandler(org.keycloak.adapters.saml.profile.SamlAuthenticationHandler) DeferredAuthentication(org.eclipse.jetty.security.authentication.DeferredAuthentication) UserAuthentication(org.eclipse.jetty.security.UserAuthentication) Authentication(org.eclipse.jetty.server.Authentication)

Example 3 with SamlSessionStore

use of org.keycloak.adapters.saml.SamlSessionStore in project keycloak by keycloak.

the class SamlFilter method doFilter.

@Override
public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException, ServletException {
    HttpServletRequest request = (HttpServletRequest) req;
    HttpServletResponse response = (HttpServletResponse) res;
    ServletHttpFacade facade = new ServletHttpFacade(request, response);
    SamlDeployment deployment = deploymentContext.resolveDeployment(facade);
    if (deployment == null || !deployment.isConfigured()) {
        response.sendError(403);
        log.fine("deployment not configured");
        return;
    }
    FilterSamlSessionStore tokenStore = new FilterSamlSessionStore(request, facade, 100000, idMapper, deployment);
    boolean isEndpoint = request.getRequestURI().substring(request.getContextPath().length()).endsWith("/saml");
    SamlAuthenticator authenticator;
    if (isEndpoint) {
        authenticator = new SamlAuthenticator(facade, deployment, tokenStore) {

            @Override
            protected void completeAuthentication(SamlSession account) {
            }

            @Override
            protected SamlAuthenticationHandler createBrowserHandler(HttpFacade facade, SamlDeployment deployment, SamlSessionStore sessionStore) {
                return new SamlEndpoint(facade, deployment, sessionStore);
            }
        };
    } else {
        authenticator = new SamlAuthenticator(facade, deployment, tokenStore) {

            @Override
            protected void completeAuthentication(SamlSession account) {
            }

            @Override
            protected SamlAuthenticationHandler createBrowserHandler(HttpFacade facade, SamlDeployment deployment, SamlSessionStore sessionStore) {
                return new BrowserHandler(facade, deployment, sessionStore);
            }
        };
    }
    AuthOutcome outcome = authenticator.authenticate();
    if (outcome == AuthOutcome.AUTHENTICATED) {
        log.fine("AUTHENTICATED");
        if (facade.isEnded()) {
            return;
        }
        HttpServletRequestWrapper wrapper = tokenStore.getWrap();
        chain.doFilter(wrapper, res);
        return;
    }
    if (outcome == AuthOutcome.LOGGED_OUT) {
        tokenStore.logoutAccount();
        String logoutPage = deployment.getLogoutPage();
        if (logoutPage != null) {
            if (PROTOCOL_PATTERN.matcher(logoutPage).find()) {
                response.sendRedirect(logoutPage);
                log.log(Level.FINE, "Redirected to logout page {0}", logoutPage);
            } else {
                RequestDispatcher disp = req.getRequestDispatcher(logoutPage);
                disp.forward(req, res);
            }
            return;
        }
        chain.doFilter(req, res);
        return;
    }
    AuthChallenge challenge = authenticator.getChallenge();
    if (challenge != null) {
        log.fine("challenge");
        challenge.challenge(facade);
        return;
    }
    if (deployment.isIsPassive() && outcome == AuthOutcome.NOT_AUTHENTICATED) {
        log.fine("PASSIVE_NOT_AUTHENTICATED");
        if (facade.isEnded()) {
            return;
        }
        chain.doFilter(req, res);
        return;
    }
    if (!facade.isEnded()) {
        response.sendError(403);
    }
}
Also used : AuthChallenge(org.keycloak.adapters.spi.AuthChallenge) SamlAuthenticator(org.keycloak.adapters.saml.SamlAuthenticator) ServletHttpFacade(org.keycloak.adapters.servlet.ServletHttpFacade) HttpFacade(org.keycloak.adapters.spi.HttpFacade) SamlSessionStore(org.keycloak.adapters.saml.SamlSessionStore) BrowserHandler(org.keycloak.adapters.saml.profile.webbrowsersso.BrowserHandler) SamlEndpoint(org.keycloak.adapters.saml.profile.webbrowsersso.SamlEndpoint) HttpServletResponse(javax.servlet.http.HttpServletResponse) AuthOutcome(org.keycloak.adapters.spi.AuthOutcome) DefaultSamlDeployment(org.keycloak.adapters.saml.DefaultSamlDeployment) SamlDeployment(org.keycloak.adapters.saml.SamlDeployment) SamlSession(org.keycloak.adapters.saml.SamlSession) RequestDispatcher(javax.servlet.RequestDispatcher) HttpServletRequest(javax.servlet.http.HttpServletRequest) SamlAuthenticationHandler(org.keycloak.adapters.saml.profile.SamlAuthenticationHandler) ServletHttpFacade(org.keycloak.adapters.servlet.ServletHttpFacade) HttpServletRequestWrapper(javax.servlet.http.HttpServletRequestWrapper)

Example 4 with SamlSessionStore

use of org.keycloak.adapters.saml.SamlSessionStore in project keycloak by keycloak.

the class SamlAuthenticatorValve method createSessionStore.

@Override
protected SamlSessionStore createSessionStore(Request request, HttpFacade facade, SamlDeployment resolvedDeployment) {
    SamlSessionStore store;
    store = new TomcatSamlSessionStore(userSessionManagement, createPrincipalFactory(), mapper, request, this, facade, resolvedDeployment);
    return store;
}
Also used : SamlSessionStore(org.keycloak.adapters.saml.SamlSessionStore)

Example 5 with SamlSessionStore

use of org.keycloak.adapters.saml.SamlSessionStore in project keycloak by keycloak.

the class AbstractSamlAuthMech method authenticate.

/**
 * Call this inside your authenticate method.
 */
public AuthenticationMechanismOutcome authenticate(HttpServerExchange exchange, SecurityContext securityContext) {
    UndertowHttpFacade facade = createFacade(exchange);
    SamlDeployment deployment = deploymentContext.resolveDeployment(facade);
    if (!deployment.isConfigured()) {
        return AuthenticationMechanismOutcome.NOT_ATTEMPTED;
    }
    SamlSessionStore sessionStore = getTokenStore(exchange, facade, deployment, securityContext);
    SamlAuthenticator authenticator = null;
    if (exchange.getRequestPath().endsWith("/saml")) {
        authenticator = new UndertowSamlEndpoint(facade, deploymentContext.resolveDeployment(facade), sessionStore);
    } else {
        authenticator = new UndertowSamlAuthenticator(securityContext, facade, deploymentContext.resolveDeployment(facade), sessionStore);
    }
    AuthOutcome outcome = authenticator.authenticate();
    if (outcome == AuthOutcome.AUTHENTICATED) {
        registerNotifications(securityContext);
        return AuthenticationMechanismOutcome.AUTHENTICATED;
    }
    if (outcome == AuthOutcome.NOT_AUTHENTICATED) {
        // See KEYCLOAK-2107, AbstractSamlAuthenticationHandler
        return AuthenticationMechanismOutcome.NOT_ATTEMPTED;
    }
    if (outcome == AuthOutcome.LOGGED_OUT) {
        securityContext.logout();
        if (deployment.getLogoutPage() != null) {
            redirectLogout(deployment, exchange);
        }
        return AuthenticationMechanismOutcome.NOT_ATTEMPTED;
    }
    AuthChallenge challenge = authenticator.getChallenge();
    if (challenge != null) {
        exchange.putAttachment(KEYCLOAK_CHALLENGE_ATTACHMENT_KEY, challenge);
        if (authenticator instanceof UndertowSamlEndpoint) {
            exchange.getSecurityContext().setAuthenticationRequired();
        }
    }
    if (outcome == AuthOutcome.FAILED) {
        return AuthenticationMechanismOutcome.NOT_AUTHENTICATED;
    }
    return AuthenticationMechanismOutcome.NOT_ATTEMPTED;
}
Also used : UndertowHttpFacade(org.keycloak.adapters.undertow.UndertowHttpFacade) AuthChallenge(org.keycloak.adapters.spi.AuthChallenge) SamlAuthenticator(org.keycloak.adapters.saml.SamlAuthenticator) SamlSessionStore(org.keycloak.adapters.saml.SamlSessionStore) AuthOutcome(org.keycloak.adapters.spi.AuthOutcome) SamlDeployment(org.keycloak.adapters.saml.SamlDeployment)

Aggregations

SamlSessionStore (org.keycloak.adapters.saml.SamlSessionStore)5 SamlDeployment (org.keycloak.adapters.saml.SamlDeployment)4 SamlAuthenticator (org.keycloak.adapters.saml.SamlAuthenticator)3 AuthChallenge (org.keycloak.adapters.spi.AuthChallenge)3 AuthOutcome (org.keycloak.adapters.spi.AuthOutcome)3 SamlSession (org.keycloak.adapters.saml.SamlSession)2 SamlAuthenticationHandler (org.keycloak.adapters.saml.profile.SamlAuthenticationHandler)2 BrowserHandler (org.keycloak.adapters.saml.profile.webbrowsersso.BrowserHandler)2 SamlEndpoint (org.keycloak.adapters.saml.profile.webbrowsersso.SamlEndpoint)2 HttpFacade (org.keycloak.adapters.spi.HttpFacade)2 UndertowHttpFacade (org.keycloak.adapters.undertow.UndertowHttpFacade)2 NotificationReceiver (io.undertow.security.api.NotificationReceiver)1 SecurityNotification (io.undertow.security.api.SecurityNotification)1 HttpServerExchange (io.undertow.server.HttpServerExchange)1 RequestDispatcher (javax.servlet.RequestDispatcher)1 ServletRequest (javax.servlet.ServletRequest)1 HttpServletRequest (javax.servlet.http.HttpServletRequest)1 HttpServletRequestWrapper (javax.servlet.http.HttpServletRequestWrapper)1 HttpServletResponse (javax.servlet.http.HttpServletResponse)1 UserAuthentication (org.eclipse.jetty.security.UserAuthentication)1