
Example 11 with ForbiddenException

Use of org.keycloak.services.ForbiddenException in the keycloak project (keycloak/keycloak).

From class WelcomeResource, method csrfCheck:

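/**
 * Double-submit CSRF check for the welcome page form: the {@code stateChecker} value posted
 * in the form must equal the value carried by the {@code KEYCLOAK_STATE_CHECKER} cookie.
 *
 * Any missing piece (no cookie, cookie without a value, no form field) or a mismatch is
 * rejected with a {@link ForbiddenException}; nothing distinguishes the cases to the caller.
 *
 * @param formData the posted form fields; only {@code stateChecker} is read
 * @throws ForbiddenException when the cookie is absent or the two tokens do not match
 */
private void csrfCheck(final MultivaluedMap<String, String> formData) {
    String formStateChecker = formData.getFirst("stateChecker");
    Cookie cookie = headers.getCookies().get(KEYCLOAK_STATE_CHECKER);
    if (cookie == null) {
        throw new ForbiddenException();
    }
    String cookieStateChecker = cookie.getValue();
    // A null form value can never match; rejecting it here keeps the byte comparison below
    // null-safe and preserves the original "equals(null) -> 403" outcome.
    if (cookieStateChecker == null || formStateChecker == null) {
        throw new ForbiddenException();
    }
    // Compare in constant time so response timing does not reveal how many leading characters
    // of the expected token a forged request got right (String.equals returns on the first
    // differing character). The JDK helper is referenced by its fully qualified name because
    // the surrounding file's import block is not part of this listing. Tokens are assumed to be
    // plain ASCII cookie values, for which a UTF-8 byte comparison is equivalent to equals().
    byte[] expected = cookieStateChecker.getBytes(java.nio.charset.StandardCharsets.UTF_8);
    byte[] submitted = formStateChecker.getBytes(java.nio.charset.StandardCharsets.UTF_8);
    if (!java.security.MessageDigest.isEqual(expected, submitted)) {
        throw new ForbiddenException();
    }
}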

Example 12 with ForbiddenException

Use of org.keycloak.services.ForbiddenException in the keycloak project (keycloak/keycloak).

From class AdminRoot, method getServerInfo:

/**
 * General information about the server.
 *
 * OPTIONS requests are handed to the CORS preflight service without authentication. Every other
 * method must authenticate as a realm admin, and the caller must be an admin of at least one
 * realm, otherwise a {@link ForbiddenException} (403) is raised before any server data is exposed.
 *
 * @param headers request headers, used to authenticate the admin request
 * @return the preflight service for OPTIONS, otherwise a {@link ServerInfoAdminResource} sub-resource
 * @throws ForbiddenException when the authenticated caller is not a realm admin
 */
@Path("serverinfo")
public Object getServerInfo(@Context final HttpHeaders headers) {
    final boolean preflight = request.getHttpMethod().equals(HttpMethod.OPTIONS);
    if (preflight) {
        return new AdminCorsPreflightService(request);
    }
    final AdminAuth auth = authenticateRealmAdminRequest(headers);
    final boolean realmAdmin = AdminPermissions.realms(session, auth).isAdmin();
    if (!realmAdmin) {
        throw new ForbiddenException();
    }
    // NOTE(review): auth has already been handed to the permission check above, so this null
    // guard is effective only if authenticateRealmAdminRequest can return null without the
    // permission check failing first — presumably it throws on failure; confirm.
    if (auth != null) {
        logger.debug("authenticated admin access for: " + auth.getUser().getUsername());
    }
    // CORS for the admin console; allowed origins are taken from the admin token.
    Cors.add(request)
            .allowedOrigins(auth.getToken())
            .allowedMethods("GET", "PUT", "POST", "DELETE")
            .auth()
            .build(response);
    final ServerInfoAdminResource serverInfo = new ServerInfoAdminResource();
    ResteasyProviderFactory.getInstance().injectProperties(serverInfo);
    return serverInfo;
}

Example 13 with ForbiddenException

Use of org.keycloak.services.ForbiddenException in the keycloak project (keycloak/keycloak).

From class ClientsManagementService, method registerNode:

/**
 * URL invoked by an adapter to register a new client cluster node. Each application cluster
 * node invokes this URL once when it joins the cluster.
 *
 * Checks run in this order: transport (checkSsl, 403 on failure, before any event is recorded),
 * realm enabled (401, recorded as REALM_DISABLED), then client authentication via
 * authorizeClient(). Only an authenticated client can register a host name, and the host name
 * it supplies is attached to the REGISTER_NODE event as NODE_HOST.
 *
 * @param authorizationHeader the Authorization header; not read directly here — authorizeClient()
 *                            presumably consumes it from the request context
 * @param formData the posted form, from which getClientClusterHost() extracts the node host
 * @return 204 No Content on success
 * @throws ForbiddenException when checkSsl() reports that HTTPS is required but not in use
 * @throws NotAuthorizedException when the realm is disabled
 */
@Path("register-node")
@POST
@Produces(MediaType.APPLICATION_JSON)
public Response registerNode(@HeaderParam(HttpHeaders.AUTHORIZATION) String authorizationHeader, final MultivaluedMap<String, String> formData) {
    final boolean transportAllowed = checkSsl();
    if (!transportAllowed) {
        throw new ForbiddenException("HTTPS required");
    }
    event.event(EventType.REGISTER_NODE);
    final boolean realmEnabled = realm.isEnabled();
    if (!realmEnabled) {
        event.error(Errors.REALM_DISABLED);
        throw new NotAuthorizedException("Realm not enabled");
    }
    final ClientModel client = authorizeClient();
    final String clusterHost = getClientClusterHost(formData);
    event.client(client).detail(Details.NODE_HOST, clusterHost);
    logger.debugf("Registering cluster host '%s' for client '%s'", clusterHost, client.getClientId());
    try {
        client.registerNode(clusterHost, Time.currentTime());
    } catch (RuntimeException e) {
        // Record the failure on the event, then let the original exception propagate unchanged.
        event.error(e.getMessage());
        throw e;
    }
    event.success();
    return Response.noContent().build();
}

Example 14 with ForbiddenException

Use of org.keycloak.services.ForbiddenException in the keycloak project (keycloak/keycloak).

From class DeleteAccount, method processAction:

/**
 * Executes the "delete account" required action for the currently authenticated user.
 *
 * Authorization: the account client must hold the delete-account role (clientHasDeleteAccountRole).
 * If it does not, a ForbiddenException is thrown inside the try and handled by the first catch,
 * which records a DELETE_ACCOUNT_ERROR event and re-renders the confirmation form with a
 * "lacks privileges" error. Any other exception lands in the generic catch, is logged with its
 * stack trace, and also re-renders the confirmation form with a generic error.
 *
 * @param context the required-action context supplying the session, event builder and form factory
 */
@Override
public void processAction(RequiredActionContext context) {
    KeycloakSession session = context.getSession();
    EventBuilder eventBuilder = context.getEvent();
    KeycloakContext keycloakContext = session.getContext();
    RealmModel realm = keycloakContext.getRealm();
    // The user to delete is the one authenticated in this auth session, never a caller-supplied id.
    UserModel user = keycloakContext.getAuthenticationSession().getAuthenticatedUser();
    try {
        // The role check is inside the try so that the ForbiddenException (and any RuntimeException
        // thrown by the check itself) is routed through the catch blocks below.
        if (!clientHasDeleteAccountRole(context)) {
            throw new ForbiddenException();
        }
        boolean removed = new UserManager(session).removeUser(realm, user);
        if (removed) {
            eventBuilder.event(EventType.DELETE_ACCOUNT).client(keycloakContext.getClient()).user(user).detail(Details.USERNAME, user.getUsername()).success();
            // cleanSession (presumably tearing down the auth session) runs before the info page is shown.
            cleanSession(context, RequiredActionContext.KcActionStatus.SUCCESS);
            context.challenge(context.form().setAttribute("messageHeader", "").setInfo("userDeletedSuccessfully").createForm("info.ftl"));
        } else {
            eventBuilder.event(EventType.DELETE_ACCOUNT).client(keycloakContext.getClient()).user(user).detail(Details.USERNAME, user.getUsername()).error("User could not be deleted");
            cleanSession(context, RequiredActionContext.KcActionStatus.ERROR);
            context.failure();
        }
    } catch (ForbiddenException forbidden) {
        // Policy-driven failure: logged without a stack trace, recorded as USER_DELETE_ERROR with a fixed reason.
        logger.error("account client does not have the required roles for user deletion");
        eventBuilder.event(EventType.DELETE_ACCOUNT_ERROR).client(keycloakContext.getClient()).user(keycloakContext.getAuthenticationSession().getAuthenticatedUser()).detail(Details.REASON, "does not have the required roles for user deletion").error(Errors.USER_DELETE_ERROR);
        // deletingAccountForbidden
        context.challenge(context.form().setAttribute(TRIGGERED_FROM_AIA, isCurrentActionTriggeredFromAIA(context)).setError(Messages.DELETE_ACCOUNT_LACK_PRIVILEDGES).createForm("delete-account-confirm.ftl"));
    } catch (Exception exception) {
        // NOTE(review): exception.getMessage() is stored as the event's REASON detail. If such
        // messages can carry internal details, a fixed reason string would be safer here — confirm
        // with whoever consumes the events.
        logger.error("unexpected error happened during account deletion", exception);
        eventBuilder.event(EventType.DELETE_ACCOUNT_ERROR).client(keycloakContext.getClient()).user(keycloakContext.getAuthenticationSession().getAuthenticatedUser()).detail(Details.REASON, exception.getMessage()).error(Errors.USER_DELETE_ERROR);
        context.challenge(context.form().setError(Messages.DELETE_ACCOUNT_ERROR).createForm("delete-account-confirm.ftl"));
    }
}

Example 15 with ForbiddenException

Use of org.keycloak.services.ForbiddenException in the keycloak project (keycloak/keycloak).

From class UserResource, method moveCredentialAfter:

/**
 * Move a credential to a position behind another credential.
 *
 * Access control: the caller must be allowed to manage the target user (auth.users().requireManage)
 * before anything else happens. When the credential id does not resolve, the error depends on
 * whether the caller may query users at all — 404 for callers that can, 403 for everybody else —
 * so that the status code cannot be used to probe for valid credential ids.
 *
 * @param credentialId The credential to move
 * @param newPreviousCredentialId The credential that will be the previous element in the list. If set to null, the moved credential will be the first element in the list.
 * @throws NotFoundException when the credential does not exist and the caller can query users
 * @throws ForbiddenException when the credential does not exist and the caller cannot query users
 *                            (requireManage presumably raises its own error for callers without manage rights)
 */
@Path("credentials/{credentialId}/moveAfter/{newPreviousCredentialId}")
@POST
public void moveCredentialAfter(@PathParam("credentialId") final String credentialId, @PathParam("newPreviousCredentialId") final String newPreviousCredentialId) {
    auth.users().requireManage(user);
    final CredentialModel existing =
            session.userCredentialManager().getStoredCredentialById(realm, user, credentialId);
    if (existing != null) {
        // NOTE(review): newPreviousCredentialId is passed through unchecked here; verify that
        // moveCredentialTo rejects ids that belong to a different user.
        session.userCredentialManager().moveCredentialTo(realm, user, credentialId, newPreviousCredentialId);
        return;
    }
    // Unknown id: hide whether it exists from callers without query rights.
    if (!auth.users().canQuery()) {
        throw new ForbiddenException();
    }
    throw new NotFoundException("Credential not found");
}
