Example 11 with AuthOutcome
use of org.keycloak.adapters.spi.AuthOutcome in project keycloak by keycloak.
the class SamlFilter method doFilter.
@Override
public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException, ServletException {
HttpServletRequest request = (HttpServletRequest) req;
HttpServletResponse response = (HttpServletResponse) res;
ServletHttpFacade facade = new ServletHttpFacade(request, response);
SamlDeployment deployment = deploymentContext.resolveDeployment(facade);
if (deployment == null || !deployment.isConfigured()) {
response.sendError(403);
log.fine("deployment not configured");
return;
}
FilterSamlSessionStore tokenStore = new FilterSamlSessionStore(request, facade, 100000, idMapper, deployment);
boolean isEndpoint = request.getRequestURI().substring(request.getContextPath().length()).endsWith("/saml");
SamlAuthenticator authenticator;
if (isEndpoint) {
authenticator = new SamlAuthenticator(facade, deployment, tokenStore) {
@Override
protected void completeAuthentication(SamlSession account) {
}
@Override
protected SamlAuthenticationHandler createBrowserHandler(HttpFacade facade, SamlDeployment deployment, SamlSessionStore sessionStore) {
return new SamlEndpoint(facade, deployment, sessionStore);
}
};
} else {
authenticator = new SamlAuthenticator(facade, deployment, tokenStore) {
@Override
protected void completeAuthentication(SamlSession account) {
}
@Override
protected SamlAuthenticationHandler createBrowserHandler(HttpFacade facade, SamlDeployment deployment, SamlSessionStore sessionStore) {
return new BrowserHandler(facade, deployment, sessionStore);
}
};
}
AuthOutcome outcome = authenticator.authenticate();
if (outcome == AuthOutcome.AUTHENTICATED) {
log.fine("AUTHENTICATED");
if (facade.isEnded()) {
return;
}
HttpServletRequestWrapper wrapper = tokenStore.getWrap();
chain.doFilter(wrapper, res);
return;
}
if (outcome == AuthOutcome.LOGGED_OUT) {
tokenStore.logoutAccount();
String logoutPage = deployment.getLogoutPage();
if (logoutPage != null) {
if (PROTOCOL_PATTERN.matcher(logoutPage).find()) {
response.sendRedirect(logoutPage);
log.log(Level.FINE, "Redirected to logout page {0}", logoutPage);
} else {
RequestDispatcher disp = req.getRequestDispatcher(logoutPage);
disp.forward(req, res);
}
return;
}
chain.doFilter(req, res);
return;
}
AuthChallenge challenge = authenticator.getChallenge();
if (challenge != null) {
log.fine("challenge");
challenge.challenge(facade);
return;
}
if (deployment.isIsPassive() && outcome == AuthOutcome.NOT_AUTHENTICATED) {
log.fine("PASSIVE_NOT_AUTHENTICATED");
if (facade.isEnded()) {
return;
}
chain.doFilter(req, res);
return;
}
if (!facade.isEnded()) {
response.sendError(403);
}
}
Also used :
AuthChallenge(org.keycloak.adapters.spi.AuthChallenge)
SamlAuthenticator(org.keycloak.adapters.saml.SamlAuthenticator)
ServletHttpFacade(org.keycloak.adapters.servlet.ServletHttpFacade)
HttpFacade(org.keycloak.adapters.spi.HttpFacade)
SamlSessionStore(org.keycloak.adapters.saml.SamlSessionStore)
BrowserHandler(org.keycloak.adapters.saml.profile.webbrowsersso.BrowserHandler)
SamlEndpoint(org.keycloak.adapters.saml.profile.webbrowsersso.SamlEndpoint)
HttpServletResponse(javax.servlet.http.HttpServletResponse)
AuthOutcome(org.keycloak.adapters.spi.AuthOutcome)
DefaultSamlDeployment(org.keycloak.adapters.saml.DefaultSamlDeployment)
SamlDeployment(org.keycloak.adapters.saml.SamlDeployment)
SamlSession(org.keycloak.adapters.saml.SamlSession)
RequestDispatcher(javax.servlet.RequestDispatcher)
HttpServletRequest(javax.servlet.http.HttpServletRequest)
SamlAuthenticationHandler(org.keycloak.adapters.saml.profile.SamlAuthenticationHandler)
ServletHttpFacade(org.keycloak.adapters.servlet.ServletHttpFacade)
HttpServletRequestWrapper(javax.servlet.http.HttpServletRequestWrapper)
Example 12 with AuthOutcome
use of org.keycloak.adapters.spi.AuthOutcome in project keycloak by keycloak.
the class AbstractSamlAuthMech method authenticate.
/**
* Call this inside your authenticate method.
*/
public AuthenticationMechanismOutcome authenticate(HttpServerExchange exchange, SecurityContext securityContext) {
UndertowHttpFacade facade = createFacade(exchange);
SamlDeployment deployment = deploymentContext.resolveDeployment(facade);
if (!deployment.isConfigured()) {
return AuthenticationMechanismOutcome.NOT_ATTEMPTED;
}
SamlSessionStore sessionStore = getTokenStore(exchange, facade, deployment, securityContext);
SamlAuthenticator authenticator = null;
if (exchange.getRequestPath().endsWith("/saml")) {
authenticator = new UndertowSamlEndpoint(facade, deploymentContext.resolveDeployment(facade), sessionStore);
} else {
authenticator = new UndertowSamlAuthenticator(securityContext, facade, deploymentContext.resolveDeployment(facade), sessionStore);
}
AuthOutcome outcome = authenticator.authenticate();
if (outcome == AuthOutcome.AUTHENTICATED) {
registerNotifications(securityContext);
return AuthenticationMechanismOutcome.AUTHENTICATED;
}
if (outcome == AuthOutcome.NOT_AUTHENTICATED) {
// See KEYCLOAK-2107, AbstractSamlAuthenticationHandler
return AuthenticationMechanismOutcome.NOT_ATTEMPTED;
}
if (outcome == AuthOutcome.LOGGED_OUT) {
securityContext.logout();
if (deployment.getLogoutPage() != null) {
redirectLogout(deployment, exchange);
}
return AuthenticationMechanismOutcome.NOT_ATTEMPTED;
}
AuthChallenge challenge = authenticator.getChallenge();
if (challenge != null) {
exchange.putAttachment(KEYCLOAK_CHALLENGE_ATTACHMENT_KEY, challenge);
if (authenticator instanceof UndertowSamlEndpoint) {
exchange.getSecurityContext().setAuthenticationRequired();
}
}
if (outcome == AuthOutcome.FAILED) {
return AuthenticationMechanismOutcome.NOT_AUTHENTICATED;
}
return AuthenticationMechanismOutcome.NOT_ATTEMPTED;
}
Also used :
UndertowHttpFacade(org.keycloak.adapters.undertow.UndertowHttpFacade)
AuthChallenge(org.keycloak.adapters.spi.AuthChallenge)
SamlAuthenticator(org.keycloak.adapters.saml.SamlAuthenticator)
SamlSessionStore(org.keycloak.adapters.saml.SamlSessionStore)
AuthOutcome(org.keycloak.adapters.spi.AuthOutcome)
SamlDeployment(org.keycloak.adapters.saml.SamlDeployment)
Example 13 with AuthOutcome
use of org.keycloak.adapters.spi.AuthOutcome in project keycloak by keycloak.
the class KeycloakHttpServerAuthenticationMechanism method evaluateRequest.
@Override
public void evaluateRequest(HttpServerRequest request) throws HttpAuthenticationException {
LOGGER.debugf("Evaluating request for path [%s]", request.getRequestURI());
SamlDeploymentContext deploymentContext = getDeploymentContext(request);
if (deploymentContext == null) {
LOGGER.debugf("Ignoring request for path [%s] from mechanism [%s]. No deployment context found.", request.getRequestURI(), getMechanismName());
request.noAuthenticationInProgress();
return;
}
ElytronHttpFacade httpFacade = new ElytronHttpFacade(request, getSessionIdMapper(request), getSessionIdMapperUpdater(request), deploymentContext, callbackHandler);
SamlDeployment deployment = httpFacade.getDeployment();
if (!deployment.isConfigured()) {
request.noAuthenticationInProgress();
return;
}
if (deployment.getLogoutPage() != null && httpFacade.getRequest().getRelativePath().contains(deployment.getLogoutPage())) {
LOGGER.debugf("Ignoring request for [%s] and logout page [%s].", request.getRequestURI(), deployment.getLogoutPage());
httpFacade.authenticationCompleteAnonymous();
return;
}
SamlAuthenticator authenticator;
if (httpFacade.getRequest().getRelativePath().endsWith("/saml")) {
authenticator = new ElytronSamlEndpoint(httpFacade, deployment);
} else {
authenticator = new ElytronSamlAuthenticator(httpFacade, deployment, callbackHandler);
}
AuthOutcome outcome = authenticator.authenticate();
if (outcome == AuthOutcome.AUTHENTICATED) {
httpFacade.authenticationComplete();
return;
}
if (outcome == AuthOutcome.NOT_AUTHENTICATED) {
httpFacade.noAuthenticationInProgress(null);
return;
}
if (outcome == AuthOutcome.LOGGED_OUT) {
if (deployment.getLogoutPage() != null) {
redirectLogout(deployment, httpFacade);
}
httpFacade.authenticationInProgress();
return;
}
AuthChallenge challenge = authenticator.getChallenge();
if (challenge != null) {
httpFacade.noAuthenticationInProgress(challenge);
return;
}
if (outcome == AuthOutcome.FAILED) {
httpFacade.authenticationFailed();
return;
}
httpFacade.authenticationInProgress();
}
Also used :
SamlDeploymentContext(org.keycloak.adapters.saml.SamlDeploymentContext)
AuthChallenge(org.keycloak.adapters.spi.AuthChallenge)
SamlAuthenticator(org.keycloak.adapters.saml.SamlAuthenticator)
AuthOutcome(org.keycloak.adapters.spi.AuthOutcome)
SamlDeployment(org.keycloak.adapters.saml.SamlDeployment)
Example 14 with AuthOutcome
use of org.keycloak.adapters.spi.AuthOutcome in project alfresco-repository by Alfresco.
the class IdentityServiceRemoteUserMapper method extractUserFromHeader.
/**
* Extracts the user name from the JWT in the given request.
*
* @param request The request containing the JWT
* @return The user name or null if it can not be determined
*/
private String extractUserFromHeader(HttpServletRequest request) {
String userName = null;
IdentityServiceHttpFacade facade = new IdentityServiceHttpFacade(request);
// try authenticating with bearer token first
if (logger.isDebugEnabled()) {
logger.debug("Trying bearer token...");
}
AlfrescoBearerTokenRequestAuthenticator tokenAuthenticator = new AlfrescoBearerTokenRequestAuthenticator(this.keycloakDeployment);
AuthOutcome tokenOutcome = tokenAuthenticator.authenticate(facade);
if (logger.isDebugEnabled()) {
logger.debug("Bearer token outcome: " + tokenOutcome);
}
if (tokenOutcome == AuthOutcome.FAILED && !isValidationFailureSilent) {
throw new AuthenticationException("Token validation failed: " + tokenAuthenticator.getValidationFailureDescription());
}
if (tokenOutcome == AuthOutcome.AUTHENTICATED) {
userName = extractUserFromToken(tokenAuthenticator.getToken());
} else {
if (logger.isDebugEnabled()) {
logger.debug("User could not be authenticated by IdentityServiceRemoteUserMapper.");
}
}
return userName;
}
Also used :
AuthenticationException(org.alfresco.repo.security.authentication.AuthenticationException)
AuthOutcome(org.keycloak.adapters.spi.AuthOutcome)
Aggregations
AuthOutcome (org.keycloak.adapters.spi.AuthOutcome)14
AuthChallenge (org.keycloak.adapters.spi.AuthChallenge)12
KeycloakDeployment (org.keycloak.adapters.KeycloakDeployment)6
AdapterTokenStore (org.keycloak.adapters.AdapterTokenStore)4
AuthenticatedActionsHandler (org.keycloak.adapters.AuthenticatedActionsHandler)4
SamlAuthenticator (org.keycloak.adapters.saml.SamlAuthenticator)4
SamlDeployment (org.keycloak.adapters.saml.SamlDeployment)4
PreAuthActionsHandler (org.keycloak.adapters.PreAuthActionsHandler)3
RequestAuthenticator (org.keycloak.adapters.RequestAuthenticator)3
SamlSessionStore (org.keycloak.adapters.saml.SamlSessionStore)3
HttpFacade (org.keycloak.adapters.spi.HttpFacade)3
ServletRequest (javax.servlet.ServletRequest)2
HttpServletRequest (javax.servlet.http.HttpServletRequest)2
HttpServletRequestWrapper (javax.servlet.http.HttpServletRequestWrapper)2
HttpServletResponse (javax.servlet.http.HttpServletResponse)2
UserAuthentication (org.eclipse.jetty.security.UserAuthentication)2
DeferredAuthentication (org.eclipse.jetty.security.authentication.DeferredAuthentication)2
Authentication (org.eclipse.jetty.server.Authentication)2
Request (org.eclipse.jetty.server.Request)2
SamlSession (org.keycloak.adapters.saml.SamlSession)2
