use of org.keycloak.services.ForbiddenException in project keycloak by keycloak.
the class WelcomeResource method csrfCheck.
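/**
 * Rejects the request unless the submitted {@code stateChecker} form field matches the
 * value of the {@code KEYCLOAK_STATE_CHECKER} cookie (double-submit CSRF check).
 *
 * @param formData the submitted form fields; only {@code stateChecker} is read
 * @throws ForbiddenException if the cookie is absent, has no value, the form field is
 *         absent, or the two values differ
 */
private void csrfCheck(final MultivaluedMap<String, String> formData) {
    final String formStateChecker = formData.getFirst("stateChecker");
    final Cookie cookie = headers.getCookies().get(KEYCLOAK_STATE_CHECKER);
    if (cookie == null) {
        throw new ForbiddenException();
    }
    final String cookieStateChecker = cookie.getValue();
    // Compare in constant time so response timing does not reveal how many leading
    // characters of the submitted value matched the cookie. A missing form field is
    // rejected exactly as before (String.equals(null) was false).
    if (cookieStateChecker == null
            || formStateChecker == null
            || !java.security.MessageDigest.isEqual(
                    cookieStateChecker.getBytes(java.nio.charset.StandardCharsets.UTF_8),
                    formStateChecker.getBytes(java.nio.charset.StandardCharsets.UTF_8))) {
        throw new ForbiddenException();
    }
}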
use of org.keycloak.services.ForbiddenException in project keycloak by keycloak.
the class AdminRoot method getServerInfo.
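/**
 * Returns general information about the server to an authenticated realm admin.
 * <p>
 * An {@code OPTIONS} request is answered by the CORS preflight service without any
 * authentication; every other method is authenticated via
 * {@code authenticateRealmAdminRequest} and then checked for admin rights on realms.
 *
 * @param headers the request headers carrying the admin bearer token
 * @return an {@link AdminCorsPreflightService} for preflight requests, otherwise the
 *         injected {@link ServerInfoAdminResource}
 * @throws ForbiddenException if the authenticated caller is not a realm admin
 */
@Path("serverinfo")
public Object getServerInfo(@Context final HttpHeaders headers) {
    if (request.getHttpMethod().equals(HttpMethod.OPTIONS)) {
        return new AdminCorsPreflightService(request);
    }
    final AdminAuth auth = authenticateRealmAdminRequest(headers);
    if (!AdminPermissions.realms(session, auth).isAdmin()) {
        throw new ForbiddenException();
    }
    // The former "if (auth != null)" guard around this log line was misleading:
    // auth.getToken() is dereferenced unconditionally a few lines below, so a null
    // auth could never complete this method anyway.
    logger.debug("authenticated admin access for: " + auth.getUser().getUsername());
    Cors.add(request).allowedOrigins(auth.getToken()).allowedMethods("GET", "PUT", "POST", "DELETE").auth().build(response);
    final ServerInfoAdminResource adminResource = new ServerInfoAdminResource();
    ResteasyProviderFactory.getInstance().injectProperties(adminResource);
    return adminResource;
}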
use of org.keycloak.services.ForbiddenException in project keycloak by keycloak.
the class ClientsManagementService method registerNode.
/**
 * Endpoint invoked by an adapter to register a new cluster node for a client. Every
 * application cluster node calls it once after joining the cluster.
 *
 * @param authorizationHeader the {@code Authorization} header of the request
 * @param formData the submitted form fields, from which the node host is derived
 * @return an empty {@code 204 No Content} response once the node is registered
 * @throws ForbiddenException if {@code checkSsl()} rejects the request
 * @throws NotAuthorizedException if the realm is disabled
 */
@Path("register-node")
@POST
@Produces(MediaType.APPLICATION_JSON)
public Response registerNode(@HeaderParam(HttpHeaders.AUTHORIZATION) String authorizationHeader, final MultivaluedMap<String, String> formData) {
    if (!checkSsl()) {
        throw new ForbiddenException("HTTPS required");
    }
    event.event(EventType.REGISTER_NODE);
    if (!realm.isEnabled()) {
        event.error(Errors.REALM_DISABLED);
        throw new NotAuthorizedException("Realm not enabled");
    }
    final ClientModel authenticatedClient = authorizeClient();
    final String clusterHost = getClientClusterHost(formData);
    event.client(authenticatedClient).detail(Details.NODE_HOST, clusterHost);
    logger.debugf("Registering cluster host '%s' for client '%s'", clusterHost, authenticatedClient.getClientId());
    try {
        authenticatedClient.registerNode(clusterHost, Time.currentTime());
    } catch (RuntimeException e) {
        // Record the failure on the audit event, then let the exception propagate unchanged.
        event.error(e.getMessage());
        throw e;
    }
    event.success();
    return Response.noContent().build();
}
use of org.keycloak.services.ForbiddenException in project keycloak by keycloak.
the class DeleteAccount method processAction.
/**
 * Handles the submitted delete-account confirmation: checks that the calling client
 * holds the delete-account role, removes the user, and reports the outcome both on the
 * audit event and to the user through a form challenge.
 *
 * @param context the required-action context of the current authentication session
 */
@Override
public void processAction(RequiredActionContext context) {
    final KeycloakSession session = context.getSession();
    final EventBuilder eventBuilder = context.getEvent();
    final KeycloakContext keycloakContext = session.getContext();
    final RealmModel realm = keycloakContext.getRealm();
    final UserModel user = keycloakContext.getAuthenticationSession().getAuthenticatedUser();
    try {
        if (!clientHasDeleteAccountRole(context)) {
            throw new ForbiddenException();
        }
        final boolean removed = new UserManager(session).removeUser(realm, user);
        if (removed) {
            eventBuilder.event(EventType.DELETE_ACCOUNT)
                    .client(keycloakContext.getClient())
                    .user(user)
                    .detail(Details.USERNAME, user.getUsername())
                    .success();
            cleanSession(context, RequiredActionContext.KcActionStatus.SUCCESS);
            context.challenge(context.form().setAttribute("messageHeader", "").setInfo("userDeletedSuccessfully").createForm("info.ftl"));
        } else {
            eventBuilder.event(EventType.DELETE_ACCOUNT)
                    .client(keycloakContext.getClient())
                    .user(user)
                    .detail(Details.USERNAME, user.getUsername())
                    .error("User could not be deleted");
            cleanSession(context, RequiredActionContext.KcActionStatus.ERROR);
            context.failure();
        }
    } catch (ForbiddenException forbidden) {
        // Reached when the role check above fails: the user is told the privilege is
        // missing and stays on the confirmation form.
        logger.error("account client does not have the required roles for user deletion");
        recordDeletionError(eventBuilder, keycloakContext, "does not have the required roles for user deletion");
        // deletingAccountForbidden
        context.challenge(context.form().setAttribute(TRIGGERED_FROM_AIA, isCurrentActionTriggeredFromAIA(context)).setError(Messages.DELETE_ACCOUNT_LACK_PRIVILEDGES).createForm("delete-account-confirm.ftl"));
    } catch (Exception exception) {
        logger.error("unexpected error happened during account deletion", exception);
        recordDeletionError(eventBuilder, keycloakContext, exception.getMessage());
        context.challenge(context.form().setError(Messages.DELETE_ACCOUNT_ERROR).createForm("delete-account-confirm.ftl"));
    }
}

/**
 * Records a failed deletion attempt as a {@code DELETE_ACCOUNT_ERROR} event, attributed
 * to the current client and the session's authenticated user.
 *
 * @param eventBuilder the event builder of the current request
 * @param keycloakContext the context supplying the client and the authentication session
 * @param reason free-text reason stored under {@code Details.REASON}
 */
private void recordDeletionError(EventBuilder eventBuilder, KeycloakContext keycloakContext, String reason) {
    eventBuilder.event(EventType.DELETE_ACCOUNT_ERROR)
            .client(keycloakContext.getClient())
            .user(keycloakContext.getAuthenticationSession().getAuthenticatedUser())
            .detail(Details.REASON, reason)
            .error(Errors.USER_DELETE_ERROR);
}
use of org.keycloak.services.ForbiddenException in project keycloak by keycloak.
the class UserResource method moveCredentialAfter.
/**
 * Moves a credential so that it directly follows another credential in the user's list.
 *
 * @param credentialId the credential to move
 * @param newPreviousCredentialId the credential that will precede the moved one; if set
 *        to null, the moved credential becomes the first element of the list
 */
@Path("credentials/{credentialId}/moveAfter/{newPreviousCredentialId}")
@POST
public void moveCredentialAfter(@PathParam("credentialId") final String credentialId, @PathParam("newPreviousCredentialId") final String newPreviousCredentialId) {
    auth.users().requireManage(user);
    final CredentialModel storedCredential = session.userCredentialManager().getStoredCredentialById(realm, user, credentialId);
    if (storedCredential == null) {
        // A caller without query permission gets "forbidden" rather than "not found",
        // so the response does not confirm which credential ids exist.
        if (auth.users().canQuery()) {
            throw new NotFoundException("Credential not found");
        }
        throw new ForbiddenException();
    }
    session.userCredentialManager().moveCredentialTo(realm, user, credentialId, newPreviousCredentialId);
}