use of org.keycloak.adapters.spi.AuthOutcome in project keycloak by keycloak.
the class SamlFilter method doFilter.
/**
 * Servlet-filter entry point of the SAML adapter.
 *
 * <p>Resolves the {@link SamlDeployment} for the request, runs a {@link SamlAuthenticator}
 * and dispatches on the resulting {@link AuthOutcome}:
 * <ul>
 *   <li>no deployment, or deployment not configured: HTTP 403;</li>
 *   <li>{@code AUTHENTICATED}: the chain continues with the request wrapper supplied by the
 *       session store;</li>
 *   <li>{@code LOGGED_OUT}: the local account is logged out, then the configured logout page
 *       is redirected or forwarded to, or the chain continues when none is configured;</li>
 *   <li>a pending {@link AuthChallenge}: the challenge writes the response;</li>
 *   <li>passive deployment and {@code NOT_AUTHENTICATED}: the chain continues with the
 *       original, unauthenticated request;</li>
 *   <li>anything else: HTTP 403, unless the response has already been ended.</li>
 * </ul>
 *
 * @param req   incoming request; cast to {@link HttpServletRequest}
 * @param res   outgoing response; cast to {@link HttpServletResponse}
 * @param chain remainder of the filter chain
 * @throws IOException      propagated from the servlet API calls
 * @throws ServletException propagated from the servlet API calls
 */
@Override
public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException, ServletException {
    HttpServletRequest httpRequest = (HttpServletRequest) req;
    HttpServletResponse httpResponse = (HttpServletResponse) res;
    ServletHttpFacade facade = new ServletHttpFacade(httpRequest, httpResponse);
    SamlDeployment deployment = deploymentContext.resolveDeployment(facade);

    // Fail closed: without a usable deployment nothing is let through.
    if (deployment == null || !deployment.isConfigured()) {
        httpResponse.sendError(403);
        log.fine("deployment not configured");
        return;
    }

    // The literal 100000 is handed to FilterSamlSessionStore as-is; its meaning is defined there.
    FilterSamlSessionStore tokenStore = new FilterSamlSessionStore(httpRequest, facade, 100000, idMapper, deployment);

    // Routing is a pure suffix test: every path below the context path that ends in "/saml"
    // is treated as the SAML protocol endpoint.
    String pathInContext = httpRequest.getRequestURI().substring(httpRequest.getContextPath().length());
    final boolean samlEndpointRequest = pathInContext.endsWith("/saml");

    SamlAuthenticator authenticator = new SamlAuthenticator(facade, deployment, tokenStore) {
        @Override
        protected void completeAuthentication(SamlSession account) {
            // Intentionally empty in the filter.
        }

        @Override
        protected SamlAuthenticationHandler createBrowserHandler(HttpFacade facade, SamlDeployment deployment, SamlSessionStore sessionStore) {
            // Endpoint requests get the protocol endpoint handler, all others the browser handler.
            if (samlEndpointRequest) {
                return new SamlEndpoint(facade, deployment, sessionStore);
            }
            return new BrowserHandler(facade, deployment, sessionStore);
        }
    };

    AuthOutcome outcome = authenticator.authenticate();

    if (outcome == AuthOutcome.AUTHENTICATED) {
        log.fine("AUTHENTICATED");
        // The authenticator may already have finished the response; only continue if it has not.
        if (!facade.isEnded()) {
            chain.doFilter(tokenStore.getWrap(), res);
        }
        return;
    }

    if (outcome == AuthOutcome.LOGGED_OUT) {
        tokenStore.logoutAccount();
        String logoutPage = deployment.getLogoutPage();
        if (logoutPage == null) {
            chain.doFilter(req, res);
            return;
        }
        // The target comes from the deployment, not from the request. PROTOCOL_PATTERN is
        // declared elsewhere in the class; presumably it detects an absolute URL - confirm.
        if (PROTOCOL_PATTERN.matcher(logoutPage).find()) {
            httpResponse.sendRedirect(logoutPage);
            log.log(Level.FINE, "Redirected to logout page {0}", logoutPage);
        } else {
            // NOTE(review): getRequestDispatcher may return null per the servlet API; that case is not handled here.
            req.getRequestDispatcher(logoutPage).forward(req, res);
        }
        return;
    }

    AuthChallenge challenge = authenticator.getChallenge();
    if (challenge != null) {
        log.fine("challenge");
        challenge.challenge(facade);
        return;
    }

    // Passive mode: an unauthenticated request is passed on with the ORIGINAL request object,
    // so code further down the chain must not assume an authenticated principal.
    if (deployment.isIsPassive() && outcome == AuthOutcome.NOT_AUTHENTICATED) {
        log.fine("PASSIVE_NOT_AUTHENTICATED");
        if (!facade.isEnded()) {
            chain.doFilter(req, res);
        }
        return;
    }

    // Default deny for every outcome not handled above.
    if (!facade.isEnded()) {
        httpResponse.sendError(403);
    }
}
use of org.keycloak.adapters.spi.AuthOutcome in project keycloak by keycloak.
the class AbstractSamlAuthMech method authenticate.
/**
 * Call this inside your authenticate method.
 *
 * <p>Runs the SAML authenticator for the exchange and translates its {@link AuthOutcome}
 * into an Undertow {@link AuthenticationMechanismOutcome}:
 * {@code AUTHENTICATED} maps to {@code AUTHENTICATED}, {@code FAILED} maps to
 * {@code NOT_AUTHENTICATED}, and every other case (including an unconfigured deployment,
 * {@code NOT_AUTHENTICATED} and {@code LOGGED_OUT}) maps to {@code NOT_ATTEMPTED}.
 *
 * @param exchange        the current HTTP exchange
 * @param securityContext the Undertow security context of the exchange
 * @return the mechanism outcome derived from the SAML authentication result
 */
public AuthenticationMechanismOutcome authenticate(HttpServerExchange exchange, SecurityContext securityContext) {
    UndertowHttpFacade facade = createFacade(exchange);
    SamlDeployment deployment = deploymentContext.resolveDeployment(facade);
    // NOTE(review): deployment is dereferenced without a null check; this relies on
    // resolveDeployment never returning null - confirm.
    if (!deployment.isConfigured()) {
        return AuthenticationMechanismOutcome.NOT_ATTEMPTED;
    }

    SamlSessionStore sessionStore = getTokenStore(exchange, facade, deployment, securityContext);

    // Any request path ending in "/saml" is handled by the SAML endpoint authenticator.
    // The deployment is resolved again for the authenticator, exactly as before.
    SamlAuthenticator authenticator = exchange.getRequestPath().endsWith("/saml")
            ? new UndertowSamlEndpoint(facade, deploymentContext.resolveDeployment(facade), sessionStore)
            : new UndertowSamlAuthenticator(securityContext, facade, deploymentContext.resolveDeployment(facade), sessionStore);

    AuthOutcome outcome = authenticator.authenticate();

    if (outcome == AuthOutcome.AUTHENTICATED) {
        registerNotifications(securityContext);
        return AuthenticationMechanismOutcome.AUTHENTICATED;
    }

    if (outcome == AuthOutcome.NOT_AUTHENTICATED) {
        // See KEYCLOAK-2107, AbstractSamlAuthenticationHandler
        // Returns before the challenge lookup below, so no challenge is attached on this path.
        return AuthenticationMechanismOutcome.NOT_ATTEMPTED;
    }

    if (outcome == AuthOutcome.LOGGED_OUT) {
        securityContext.logout();
        if (deployment.getLogoutPage() != null) {
            redirectLogout(deployment, exchange);
        }
        return AuthenticationMechanismOutcome.NOT_ATTEMPTED;
    }

    // Remaining outcomes: park a pending challenge on the exchange under the attachment key.
    AuthChallenge challenge = authenticator.getChallenge();
    if (challenge != null) {
        exchange.putAttachment(KEYCLOAK_CHALLENGE_ATTACHMENT_KEY, challenge);
        // For the SAML endpoint, authentication is additionally marked as required on the
        // exchange's security context.
        if (authenticator instanceof UndertowSamlEndpoint) {
            exchange.getSecurityContext().setAuthenticationRequired();
        }
    }

    // Only an explicit FAILED is reported as a failed attempt; everything else is "not attempted".
    return outcome == AuthOutcome.FAILED
            ? AuthenticationMechanismOutcome.NOT_AUTHENTICATED
            : AuthenticationMechanismOutcome.NOT_ATTEMPTED;
}
use of org.keycloak.adapters.spi.AuthOutcome in project keycloak by keycloak.
the class KeycloakHttpServerAuthenticationMechanism method evaluateRequest.
/**
 * Evaluates a request for the Elytron SAML mechanism and reports the result through
 * {@link ElytronHttpFacade} (or directly on the request when no facade exists yet).
 *
 * <p>Requests without a deployment context or with an unconfigured deployment are reported
 * as "no authentication in progress". Requests for the configured logout page are completed
 * anonymously. Otherwise a {@link SamlAuthenticator} is run and its {@link AuthOutcome}
 * decides which facade callback is invoked.
 *
 * @param request the request under evaluation
 * @throws HttpAuthenticationException declared by the mechanism contract
 */
@Override
public void evaluateRequest(HttpServerRequest request) throws HttpAuthenticationException {
    LOGGER.debugf("Evaluating request for path [%s]", request.getRequestURI());

    SamlDeploymentContext deploymentContext = getDeploymentContext(request);
    if (deploymentContext == null) {
        LOGGER.debugf("Ignoring request for path [%s] from mechanism [%s]. No deployment context found.", request.getRequestURI(), getMechanismName());
        request.noAuthenticationInProgress();
        return;
    }

    ElytronHttpFacade facade = new ElytronHttpFacade(request, getSessionIdMapper(request), getSessionIdMapperUpdater(request), deploymentContext, callbackHandler);
    SamlDeployment deployment = facade.getDeployment();
    if (!deployment.isConfigured()) {
        request.noAuthenticationInProgress();
        return;
    }

    // NOTE(review): this is a substring match on the relative path, so every path that merely
    // contains the configured logout page string is completed as anonymous and the
    // authenticator below is never run for it. Whether that is acceptable depends on how the
    // container treats anonymous identities for protected resources - confirm; an exact or
    // suffix comparison would be narrower.
    if (deployment.getLogoutPage() != null && facade.getRequest().getRelativePath().contains(deployment.getLogoutPage())) {
        LOGGER.debugf("Ignoring request for [%s] and logout page [%s].", request.getRequestURI(), deployment.getLogoutPage());
        facade.authenticationCompleteAnonymous();
        return;
    }

    // Any relative path ending in "/saml" is handled by the SAML endpoint authenticator.
    SamlAuthenticator authenticator = facade.getRequest().getRelativePath().endsWith("/saml")
            ? new ElytronSamlEndpoint(facade, deployment)
            : new ElytronSamlAuthenticator(facade, deployment, callbackHandler);

    AuthOutcome outcome = authenticator.authenticate();

    if (outcome == AuthOutcome.AUTHENTICATED) {
        facade.authenticationComplete();
        return;
    }

    if (outcome == AuthOutcome.NOT_AUTHENTICATED) {
        // Reported without a challenge; the challenge lookup further down is not reached.
        facade.noAuthenticationInProgress(null);
        return;
    }

    if (outcome == AuthOutcome.LOGGED_OUT) {
        if (deployment.getLogoutPage() != null) {
            redirectLogout(deployment, facade);
        }
        facade.authenticationInProgress();
        return;
    }

    // A pending challenge takes precedence over the FAILED check that follows.
    AuthChallenge challenge = authenticator.getChallenge();
    if (challenge != null) {
        facade.noAuthenticationInProgress(challenge);
        return;
    }

    if (outcome == AuthOutcome.FAILED) {
        facade.authenticationFailed();
        return;
    }

    // No outcome matched and no challenge is pending.
    facade.authenticationInProgress();
}
use of org.keycloak.adapters.spi.AuthOutcome in project alfresco-repository by Alfresco.
the class IdentityServiceRemoteUserMapper method extractUserFromHeader.
/**
 * Extracts the user name from the JWT in the given request.
 *
 * <p>The request is authenticated as a bearer-token request against the configured
 * Keycloak deployment. A user name is returned only for {@code AuthOutcome.AUTHENTICATED}.
 * When validation fails and {@code isValidationFailureSilent} is set, the failure is not
 * raised and {@code null} is returned, so the caller cannot tell a rejected token from a
 * missing one.
 *
 * @param request The request containing the JWT
 * @return The user name or null if it can not be determined
 * @throws AuthenticationException if token validation failed and failures are not silent
 */
private String extractUserFromHeader(HttpServletRequest request) {
    IdentityServiceHttpFacade facade = new IdentityServiceHttpFacade(request);

    // Bearer token authentication is attempted first.
    if (logger.isDebugEnabled()) {
        logger.debug("Trying bearer token...");
    }

    AlfrescoBearerTokenRequestAuthenticator tokenAuthenticator = new AlfrescoBearerTokenRequestAuthenticator(this.keycloakDeployment);
    AuthOutcome tokenOutcome = tokenAuthenticator.authenticate(facade);

    // Only the outcome is logged here, not the token.
    if (logger.isDebugEnabled()) {
        logger.debug("Bearer token outcome: " + tokenOutcome);
    }

    boolean validationFailed = tokenOutcome == AuthOutcome.FAILED;
    if (validationFailed && !isValidationFailureSilent) {
        // NOTE(review): the validator's failure description is placed in the exception message;
        // check that it is not echoed verbatim to the client.
        throw new AuthenticationException("Token validation failed: " + tokenAuthenticator.getValidationFailureDescription());
    }

    if (tokenOutcome == AuthOutcome.AUTHENTICATED) {
        return extractUserFromToken(tokenAuthenticator.getToken());
    }

    // Any other outcome, including a silently ignored FAILED, yields no user.
    if (logger.isDebugEnabled()) {
        logger.debug("User could not be authenticated by IdentityServiceRemoteUserMapper.");
    }
    return null;
}