Search in sources :

Example 11 with AuthOutcome

use of org.keycloak.adapters.spi.AuthOutcome in project keycloak by keycloak.

the class SamlFilter method doFilter.

@Override
public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException, ServletException {
    HttpServletRequest request = (HttpServletRequest) req;
    HttpServletResponse response = (HttpServletResponse) res;
    ServletHttpFacade facade = new ServletHttpFacade(request, response);
    SamlDeployment deployment = deploymentContext.resolveDeployment(facade);
    if (deployment == null || !deployment.isConfigured()) {
        response.sendError(403);
        log.fine("deployment not configured");
        return;
    }
    FilterSamlSessionStore tokenStore = new FilterSamlSessionStore(request, facade, 100000, idMapper, deployment);
    boolean isEndpoint = request.getRequestURI().substring(request.getContextPath().length()).endsWith("/saml");
    SamlAuthenticator authenticator;
    if (isEndpoint) {
        authenticator = new SamlAuthenticator(facade, deployment, tokenStore) {

            @Override
            protected void completeAuthentication(SamlSession account) {
            }

            @Override
            protected SamlAuthenticationHandler createBrowserHandler(HttpFacade facade, SamlDeployment deployment, SamlSessionStore sessionStore) {
                return new SamlEndpoint(facade, deployment, sessionStore);
            }
        };
    } else {
        authenticator = new SamlAuthenticator(facade, deployment, tokenStore) {

            @Override
            protected void completeAuthentication(SamlSession account) {
            }

            @Override
            protected SamlAuthenticationHandler createBrowserHandler(HttpFacade facade, SamlDeployment deployment, SamlSessionStore sessionStore) {
                return new BrowserHandler(facade, deployment, sessionStore);
            }
        };
    }
    AuthOutcome outcome = authenticator.authenticate();
    if (outcome == AuthOutcome.AUTHENTICATED) {
        log.fine("AUTHENTICATED");
        if (facade.isEnded()) {
            return;
        }
        HttpServletRequestWrapper wrapper = tokenStore.getWrap();
        chain.doFilter(wrapper, res);
        return;
    }
    if (outcome == AuthOutcome.LOGGED_OUT) {
        tokenStore.logoutAccount();
        String logoutPage = deployment.getLogoutPage();
        if (logoutPage != null) {
            if (PROTOCOL_PATTERN.matcher(logoutPage).find()) {
                response.sendRedirect(logoutPage);
                log.log(Level.FINE, "Redirected to logout page {0}", logoutPage);
            } else {
                RequestDispatcher disp = req.getRequestDispatcher(logoutPage);
                disp.forward(req, res);
            }
            return;
        }
        chain.doFilter(req, res);
        return;
    }
    AuthChallenge challenge = authenticator.getChallenge();
    if (challenge != null) {
        log.fine("challenge");
        challenge.challenge(facade);
        return;
    }
    if (deployment.isIsPassive() && outcome == AuthOutcome.NOT_AUTHENTICATED) {
        log.fine("PASSIVE_NOT_AUTHENTICATED");
        if (facade.isEnded()) {
            return;
        }
        chain.doFilter(req, res);
        return;
    }
    if (!facade.isEnded()) {
        response.sendError(403);
    }
}
Also used : AuthChallenge(org.keycloak.adapters.spi.AuthChallenge) SamlAuthenticator(org.keycloak.adapters.saml.SamlAuthenticator) ServletHttpFacade(org.keycloak.adapters.servlet.ServletHttpFacade) HttpFacade(org.keycloak.adapters.spi.HttpFacade) SamlSessionStore(org.keycloak.adapters.saml.SamlSessionStore) BrowserHandler(org.keycloak.adapters.saml.profile.webbrowsersso.BrowserHandler) SamlEndpoint(org.keycloak.adapters.saml.profile.webbrowsersso.SamlEndpoint) HttpServletResponse(javax.servlet.http.HttpServletResponse) AuthOutcome(org.keycloak.adapters.spi.AuthOutcome) DefaultSamlDeployment(org.keycloak.adapters.saml.DefaultSamlDeployment) SamlDeployment(org.keycloak.adapters.saml.SamlDeployment) SamlSession(org.keycloak.adapters.saml.SamlSession) RequestDispatcher(javax.servlet.RequestDispatcher) HttpServletRequest(javax.servlet.http.HttpServletRequest) SamlAuthenticationHandler(org.keycloak.adapters.saml.profile.SamlAuthenticationHandler) ServletHttpFacade(org.keycloak.adapters.servlet.ServletHttpFacade) HttpServletRequestWrapper(javax.servlet.http.HttpServletRequestWrapper)

Example 12 with AuthOutcome

use of org.keycloak.adapters.spi.AuthOutcome in project keycloak by keycloak.

the class AbstractSamlAuthMech method authenticate.

/**
 * Call this inside your authenticate method.
 */
public AuthenticationMechanismOutcome authenticate(HttpServerExchange exchange, SecurityContext securityContext) {
    UndertowHttpFacade facade = createFacade(exchange);
    SamlDeployment deployment = deploymentContext.resolveDeployment(facade);
    if (!deployment.isConfigured()) {
        return AuthenticationMechanismOutcome.NOT_ATTEMPTED;
    }
    SamlSessionStore sessionStore = getTokenStore(exchange, facade, deployment, securityContext);
    SamlAuthenticator authenticator = null;
    if (exchange.getRequestPath().endsWith("/saml")) {
        authenticator = new UndertowSamlEndpoint(facade, deploymentContext.resolveDeployment(facade), sessionStore);
    } else {
        authenticator = new UndertowSamlAuthenticator(securityContext, facade, deploymentContext.resolveDeployment(facade), sessionStore);
    }
    AuthOutcome outcome = authenticator.authenticate();
    if (outcome == AuthOutcome.AUTHENTICATED) {
        registerNotifications(securityContext);
        return AuthenticationMechanismOutcome.AUTHENTICATED;
    }
    if (outcome == AuthOutcome.NOT_AUTHENTICATED) {
        // See KEYCLOAK-2107, AbstractSamlAuthenticationHandler
        return AuthenticationMechanismOutcome.NOT_ATTEMPTED;
    }
    if (outcome == AuthOutcome.LOGGED_OUT) {
        securityContext.logout();
        if (deployment.getLogoutPage() != null) {
            redirectLogout(deployment, exchange);
        }
        return AuthenticationMechanismOutcome.NOT_ATTEMPTED;
    }
    AuthChallenge challenge = authenticator.getChallenge();
    if (challenge != null) {
        exchange.putAttachment(KEYCLOAK_CHALLENGE_ATTACHMENT_KEY, challenge);
        if (authenticator instanceof UndertowSamlEndpoint) {
            exchange.getSecurityContext().setAuthenticationRequired();
        }
    }
    if (outcome == AuthOutcome.FAILED) {
        return AuthenticationMechanismOutcome.NOT_AUTHENTICATED;
    }
    return AuthenticationMechanismOutcome.NOT_ATTEMPTED;
}
Also used : UndertowHttpFacade(org.keycloak.adapters.undertow.UndertowHttpFacade) AuthChallenge(org.keycloak.adapters.spi.AuthChallenge) SamlAuthenticator(org.keycloak.adapters.saml.SamlAuthenticator) SamlSessionStore(org.keycloak.adapters.saml.SamlSessionStore) AuthOutcome(org.keycloak.adapters.spi.AuthOutcome) SamlDeployment(org.keycloak.adapters.saml.SamlDeployment)

Example 13 with AuthOutcome

use of org.keycloak.adapters.spi.AuthOutcome in project keycloak by keycloak.

the class KeycloakHttpServerAuthenticationMechanism method evaluateRequest.

@Override
public void evaluateRequest(HttpServerRequest request) throws HttpAuthenticationException {
    LOGGER.debugf("Evaluating request for path [%s]", request.getRequestURI());
    SamlDeploymentContext deploymentContext = getDeploymentContext(request);
    if (deploymentContext == null) {
        LOGGER.debugf("Ignoring request for path [%s] from mechanism [%s]. No deployment context found.", request.getRequestURI(), getMechanismName());
        request.noAuthenticationInProgress();
        return;
    }
    ElytronHttpFacade httpFacade = new ElytronHttpFacade(request, getSessionIdMapper(request), getSessionIdMapperUpdater(request), deploymentContext, callbackHandler);
    SamlDeployment deployment = httpFacade.getDeployment();
    if (!deployment.isConfigured()) {
        request.noAuthenticationInProgress();
        return;
    }
    if (deployment.getLogoutPage() != null && httpFacade.getRequest().getRelativePath().contains(deployment.getLogoutPage())) {
        LOGGER.debugf("Ignoring request for [%s] and logout page [%s].", request.getRequestURI(), deployment.getLogoutPage());
        httpFacade.authenticationCompleteAnonymous();
        return;
    }
    SamlAuthenticator authenticator;
    if (httpFacade.getRequest().getRelativePath().endsWith("/saml")) {
        authenticator = new ElytronSamlEndpoint(httpFacade, deployment);
    } else {
        authenticator = new ElytronSamlAuthenticator(httpFacade, deployment, callbackHandler);
    }
    AuthOutcome outcome = authenticator.authenticate();
    if (outcome == AuthOutcome.AUTHENTICATED) {
        httpFacade.authenticationComplete();
        return;
    }
    if (outcome == AuthOutcome.NOT_AUTHENTICATED) {
        httpFacade.noAuthenticationInProgress(null);
        return;
    }
    if (outcome == AuthOutcome.LOGGED_OUT) {
        if (deployment.getLogoutPage() != null) {
            redirectLogout(deployment, httpFacade);
        }
        httpFacade.authenticationInProgress();
        return;
    }
    AuthChallenge challenge = authenticator.getChallenge();
    if (challenge != null) {
        httpFacade.noAuthenticationInProgress(challenge);
        return;
    }
    if (outcome == AuthOutcome.FAILED) {
        httpFacade.authenticationFailed();
        return;
    }
    httpFacade.authenticationInProgress();
}
Also used : SamlDeploymentContext(org.keycloak.adapters.saml.SamlDeploymentContext) AuthChallenge(org.keycloak.adapters.spi.AuthChallenge) SamlAuthenticator(org.keycloak.adapters.saml.SamlAuthenticator) AuthOutcome(org.keycloak.adapters.spi.AuthOutcome) SamlDeployment(org.keycloak.adapters.saml.SamlDeployment)

Example 14 with AuthOutcome

use of org.keycloak.adapters.spi.AuthOutcome in project alfresco-repository by Alfresco.

the class IdentityServiceRemoteUserMapper method extractUserFromHeader.

/**
 * Extracts the user name from the JWT in the given request.
 *
 * @param request The request containing the JWT
 * @return The user name or null if it can not be determined
 */
private String extractUserFromHeader(HttpServletRequest request) {
    String userName = null;
    IdentityServiceHttpFacade facade = new IdentityServiceHttpFacade(request);
    // try authenticating with bearer token first
    if (logger.isDebugEnabled()) {
        logger.debug("Trying bearer token...");
    }
    AlfrescoBearerTokenRequestAuthenticator tokenAuthenticator = new AlfrescoBearerTokenRequestAuthenticator(this.keycloakDeployment);
    AuthOutcome tokenOutcome = tokenAuthenticator.authenticate(facade);
    if (logger.isDebugEnabled()) {
        logger.debug("Bearer token outcome: " + tokenOutcome);
    }
    if (tokenOutcome == AuthOutcome.FAILED && !isValidationFailureSilent) {
        throw new AuthenticationException("Token validation failed: " + tokenAuthenticator.getValidationFailureDescription());
    }
    if (tokenOutcome == AuthOutcome.AUTHENTICATED) {
        userName = extractUserFromToken(tokenAuthenticator.getToken());
    } else {
        if (logger.isDebugEnabled()) {
            logger.debug("User could not be authenticated by IdentityServiceRemoteUserMapper.");
        }
    }
    return userName;
}
Also used : AuthenticationException(org.alfresco.repo.security.authentication.AuthenticationException) AuthOutcome(org.keycloak.adapters.spi.AuthOutcome)

Aggregations

AuthOutcome (org.keycloak.adapters.spi.AuthOutcome)14 AuthChallenge (org.keycloak.adapters.spi.AuthChallenge)12 KeycloakDeployment (org.keycloak.adapters.KeycloakDeployment)6 AdapterTokenStore (org.keycloak.adapters.AdapterTokenStore)4 AuthenticatedActionsHandler (org.keycloak.adapters.AuthenticatedActionsHandler)4 SamlAuthenticator (org.keycloak.adapters.saml.SamlAuthenticator)4 SamlDeployment (org.keycloak.adapters.saml.SamlDeployment)4 PreAuthActionsHandler (org.keycloak.adapters.PreAuthActionsHandler)3 RequestAuthenticator (org.keycloak.adapters.RequestAuthenticator)3 SamlSessionStore (org.keycloak.adapters.saml.SamlSessionStore)3 HttpFacade (org.keycloak.adapters.spi.HttpFacade)3 ServletRequest (javax.servlet.ServletRequest)2 HttpServletRequest (javax.servlet.http.HttpServletRequest)2 HttpServletRequestWrapper (javax.servlet.http.HttpServletRequestWrapper)2 HttpServletResponse (javax.servlet.http.HttpServletResponse)2 UserAuthentication (org.eclipse.jetty.security.UserAuthentication)2 DeferredAuthentication (org.eclipse.jetty.security.authentication.DeferredAuthentication)2 Authentication (org.eclipse.jetty.server.Authentication)2 Request (org.eclipse.jetty.server.Request)2 SamlSession (org.keycloak.adapters.saml.SamlSession)2