protected boolean verifySSL() {
   if (!facade.getRequest().isSecure()
       && deployment.getSslRequired().isRequired(facade.getRequest().getRemoteAddr())) {
     log.warn("SSL is required to authenticate");
     return true;
   }
   return false;
 }
Esempio n. 2
0
  public AuthOutcome authenticate() {
    if (log.isTraceEnabled()) {
      log.trace("--> authenticate()");
    }
    BearerTokenRequestAuthenticator bearer = createBearerTokenAuthenticator();
    if (log.isTraceEnabled()) {
      log.trace("try bearer");
    }
    AuthOutcome outcome = bearer.authenticate(facade);
    if (outcome == AuthOutcome.FAILED) {
      challenge = bearer.getChallenge();
      log.debug("Bearer FAILED");
      return AuthOutcome.FAILED;
    } else if (outcome == AuthOutcome.AUTHENTICATED) {
      if (verifySSL()) return AuthOutcome.FAILED;
      completeAuthentication(bearer);
      log.debug("Bearer AUTHENTICATED");
      return AuthOutcome.AUTHENTICATED;
    } else if (deployment.isBearerOnly()) {
      challenge = bearer.getChallenge();
      log.debug("NOT_ATTEMPTED: bearer only");
      return AuthOutcome.NOT_ATTEMPTED;
    }

    if (log.isTraceEnabled()) {
      log.trace("try oauth");
    }

    if (isCached()) {
      if (verifySSL()) return AuthOutcome.FAILED;
      log.debug("AUTHENTICATED: was cached");
      return AuthOutcome.AUTHENTICATED;
    }

    OAuthRequestAuthenticator oauth = createOAuthAuthenticator();
    outcome = oauth.authenticate();
    if (outcome == AuthOutcome.FAILED) {
      challenge = oauth.getChallenge();
      return AuthOutcome.FAILED;
    } else if (outcome == AuthOutcome.NOT_ATTEMPTED) {
      challenge = oauth.getChallenge();
      return AuthOutcome.NOT_ATTEMPTED;
    }

    if (verifySSL()) return AuthOutcome.FAILED;

    completeAuthentication(oauth);

    // redirect to strip out access code and state query parameters
    facade.getResponse().setHeader("Location", oauth.getStrippedOauthParametersRequestUri());
    facade.getResponse().setStatus(302);
    facade.getResponse().end();

    log.debug("AUTHENTICATED");
    return AuthOutcome.AUTHENTICATED;
  }
 public boolean handledRequest() {
   log.debugv("AuthenticatedActionsValve.invoke {0}", facade.getRequest().getURI());
   if (corsRequest()) return true;
   String requestUri = facade.getRequest().getURI();
   if (requestUri.endsWith(AdapterConstants.K_QUERY_BEARER_TOKEN)) {
     queryBearerToken();
     return true;
   }
   return false;
 }
 protected boolean corsRequest() {
   if (!deployment.isCors()) return false;
   KeycloakSecurityContext securityContext = facade.getSecurityContext();
   String origin = facade.getRequest().getHeader(CorsHeaders.ORIGIN);
   String requestOrigin = UriUtils.getOrigin(facade.getRequest().getURI());
   log.debugv("Origin: {0} uri: {1}", origin, facade.getRequest().getURI());
   if (securityContext != null && origin != null && !origin.equals(requestOrigin)) {
     AccessToken token = securityContext.getToken();
     Set<String> allowedOrigins = token.getAllowedOrigins();
     if (log.isDebugEnabled()) {
       for (String a : allowedOrigins) log.debug("   " + a);
     }
     if (allowedOrigins == null
         || (!allowedOrigins.contains("*") && !allowedOrigins.contains(origin))) {
       if (allowedOrigins == null) {
         log.debugv("allowedOrigins was null in token");
       } else {
         log.debugv("allowedOrigins did not contain origin");
       }
       facade.getResponse().setStatus(403);
       facade.getResponse().end();
       return true;
     }
     log.debugv("returning origin: {0}", origin);
     facade.getResponse().setStatus(200);
     facade.getResponse().setHeader(CorsHeaders.ACCESS_CONTROL_ALLOW_ORIGIN, origin);
     facade.getResponse().setHeader(CorsHeaders.ACCESS_CONTROL_ALLOW_CREDENTIALS, "true");
   } else {
     log.debugv(
         "cors validation not needed as we're not a secure session or origin header was null: {0}",
         facade.getRequest().getURI());
   }
   return false;
 }
 protected void queryBearerToken() {
   log.debugv("queryBearerToken {0}", facade.getRequest().getURI());
   if (abortTokenResponse()) return;
   facade.getResponse().setStatus(200);
   facade.getResponse().setHeader("Content-Type", "text/plain");
   try {
     facade
         .getResponse()
         .getOutputStream()
         .write(facade.getSecurityContext().getTokenString().getBytes());
   } catch (IOException e) {
     throw new RuntimeException(e);
   }
   facade.getResponse().end();
 }
 protected boolean abortTokenResponse() {
   if (facade.getSecurityContext() == null) {
     log.debugv("Not logged in, sending back 401: {0}", facade.getRequest().getURI());
     facade.getResponse().setStatus(401);
     facade.getResponse().end();
     return true;
   }
   if (!deployment.isExposeToken()) {
     facade.getResponse().setStatus(200);
     facade.getResponse().end();
     return true;
   }
   // Don't allow a CORS request if we're not validating CORS requests.
   if (!deployment.isCors() && facade.getRequest().getHeader(CorsHeaders.ORIGIN) != null) {
     facade.getResponse().setStatus(200);
     facade.getResponse().end();
     return true;
   }
   return false;
 }