private UserConsentModel toConsentModel(UserConsentEntity entity) { if (entity == null) { return null; } ClientModel client = realm.getClientById(entity.getClientId()); if (client == null) { throw new ModelException("Client with id " + entity.getClientId() + " is not available"); } UserConsentModel model = new UserConsentModel(client); Collection<UserConsentRoleEntity> grantedRoleEntities = entity.getGrantedRoles(); if (grantedRoleEntities != null) { for (UserConsentRoleEntity grantedRole : grantedRoleEntities) { RoleModel grantedRoleModel = realm.getRoleById(grantedRole.getRoleId()); if (grantedRoleModel != null) { model.addGrantedRole(grantedRoleModel); } } } Collection<UserConsentProtocolMapperEntity> grantedProtocolMapperEntities = entity.getGrantedProtocolMappers(); if (grantedProtocolMapperEntities != null) { for (UserConsentProtocolMapperEntity grantedProtMapper : grantedProtocolMapperEntities) { ProtocolMapperModel protocolMapper = client.getProtocolMapperById(grantedProtMapper.getProtocolMapperId()); model.addGrantedProtocolMapper(protocolMapper); } } return model; }
protected boolean isLogoutPostBindingForClient(ClientSessionModel clientSession) { ClientModel client = clientSession.getClient(); SamlClient samlClient = new SamlClient(client); String logoutPostUrl = client.getAttribute(SAML_SINGLE_LOGOUT_SERVICE_URL_POST_ATTRIBUTE); String logoutRedirectUrl = client.getAttribute(SAML_SINGLE_LOGOUT_SERVICE_URL_REDIRECT_ATTRIBUTE); if (logoutPostUrl == null) { // if we don't have a redirect uri either, return true and default to the admin url + POST // binding if (logoutRedirectUrl == null) return true; return false; } if (samlClient.forcePostBinding()) { return true; // configured to force a post binding and post binding logout url is not null } String bindingType = clientSession.getNote(SAML_BINDING); // if the login binding was POST, return true if (SAML_POST_BINDING.equals(bindingType)) return true; if (logoutRedirectUrl == null) return true; // we don't have a redirect binding url, so use post binding return false; // redirect binding }
/** * Get offline sessions for client * * <p>Returns a list of offline user sessions associated with this client * * @param firstResult Paging offset * @param maxResults Maximum results size (defaults to 100) * @return */ @Path("offline-sessions") @GET @NoCache @Produces(MediaType.APPLICATION_JSON) public List<UserSessionRepresentation> getOfflineUserSessions( @QueryParam("first") Integer firstResult, @QueryParam("max") Integer maxResults) { auth.requireView(); if (client == null) { throw new NotFoundException("Could not find client"); } firstResult = firstResult != null ? firstResult : -1; maxResults = maxResults != null ? maxResults : Constants.DEFAULT_MAX_RESULTS; List<UserSessionRepresentation> sessions = new ArrayList<UserSessionRepresentation>(); List<UserSessionModel> userSessions = session .sessions() .getOfflineUserSessions(client.getRealm(), client, firstResult, maxResults); for (UserSessionModel userSession : userSessions) { UserSessionRepresentation rep = ModelToRepresentation.toRepresentation(userSession); // Update lastSessionRefresh with the timestamp from clientSession for (ClientSessionModel clientSession : userSession.getClientSessions()) { if (client.getId().equals(clientSession.getClient().getId())) { rep.setLastAccess(Time.toMillis(clientSession.getTimestamp())); break; } } sessions.add(rep); } return sessions; }
protected AccessToken initToken( RealmModel realm, ClientModel client, UserModel user, UserSessionModel session, ClientSessionModel clientSession) { AccessToken token = new AccessToken(); if (clientSession != null) token.clientSession(clientSession.getId()); token.id(KeycloakModelUtils.generateId()); token.subject(user.getId()); token.audience(client.getClientId()); token.issuedNow(); token.issuedFor(client.getClientId()); token.issuer(clientSession.getNote(OIDCLoginProtocol.ISSUER)); if (session != null) { token.setSessionState(session.getId()); } if (realm.getAccessTokenLifespan() > 0) { token.expiration(Time.currentTime() + realm.getAccessTokenLifespan()); } Set<String> allowedOrigins = client.getWebOrigins(); if (allowedOrigins != null) { token.setAllowedOrigins(allowedOrigins); } return token; }
private ClientSessionCode parseClientSessionCode(String code) { ClientSessionCode clientCode = ClientSessionCode.parse(code, this.session, this.realm); if (clientCode != null && clientCode.isValid(AUTHENTICATE.name(), ClientSessionCode.ActionType.LOGIN)) { ClientSessionModel clientSession = clientCode.getClientSession(); if (clientSession != null) { ClientModel client = clientSession.getClient(); if (client == null) { throw new IdentityBrokerException("Invalid client"); } logger.debugf("Got authorization code from client [%s].", client.getClientId()); } logger.debugf("Authorization code is valid."); return clientCode; } throw new IdentityBrokerException( "Invalid code, please login again through your application."); }
protected void addComposites(AccessToken token, RoleModel role) { AccessToken.Access access = null; if (role.getContainer() instanceof RealmModel) { access = token.getRealmAccess(); if (token.getRealmAccess() == null) { access = new AccessToken.Access(); token.setRealmAccess(access); } else if (token.getRealmAccess().getRoles() != null && token.getRealmAccess().isUserInRole(role.getName())) return; } else { ClientModel app = (ClientModel) role.getContainer(); access = token.getResourceAccess(app.getClientId()); if (access == null) { access = token.addAccess(app.getClientId()); if (app.isSurrogateAuthRequired()) access.verifyCaller(true); } else if (access.isUserInRole(role.getName())) return; } access.addRole(role.getName()); if (!role.isComposite()) return; for (RoleModel composite : role.getComposites()) { addComposites(token, composite); } }
private String[] getReferrer() { String referrer = uriInfo.getQueryParameters().getFirst("referrer"); if (referrer == null) { return null; } String referrerUri = uriInfo.getQueryParameters().getFirst("referrer_uri"); ClientModel referrerClient = realm.getClientByClientId(referrer); if (referrerClient != null) { if (referrerUri != null) { referrerUri = RedirectUtils.verifyRedirectUri(uriInfo, referrerUri, realm, referrerClient); } else { referrerUri = ResolveRelative.resolveRelativeUri( uriInfo.getRequestUri(), client.getRootUrl(), referrerClient.getBaseUrl()); } if (referrerUri != null) { return new String[] {referrer, referrerUri}; } } else if (referrerUri != null) { referrerClient = realm.getClientByClientId(referrer); if (client != null) { referrerUri = RedirectUtils.verifyRedirectUri(uriInfo, referrerUri, realm, referrerClient); if (referrerUri != null) { return new String[] {referrer, referrerUri}; } } } return null; }
/** * Revoke consent and offline tokens for particular client from user * * @param id User id * @param clientId Client id */ @Path("{id}/consents/{client}") @DELETE @NoCache public void revokeConsent( final @PathParam("id") String id, final @PathParam("client") String clientId) { auth.requireManage(); UserModel user = session.users().getUserById(id, realm); if (user == null) { throw new NotFoundException("User not found"); } ClientModel client = realm.getClientByClientId(clientId); boolean revokedConsent = user.revokeConsentForClient(client.getId()); boolean revokedOfflineToken = new UserSessionManager(session).revokeOfflineToken(user, client); if (revokedConsent) { // Logout clientSessions for this user and client AuthenticationManager.backchannelUserFromClient( session, realm, user, client, uriInfo, headers); } if (!revokedConsent && !revokedOfflineToken) { throw new NotFoundException("Consent nor offline token not found"); } adminEvent.operation(OperationType.ACTION).resourcePath(uriInfo).success(); }
public Set<String> validateRegisteredNodes(ClientModel client) { Map<String, Integer> registeredNodes = client.getRegisteredNodes(); if (registeredNodes == null || registeredNodes.isEmpty()) { return Collections.emptySet(); } int currentTime = Time.currentTime(); Set<String> validatedNodes = new TreeSet<String>(); if (client.getNodeReRegistrationTimeout() > 0) { List<String> toRemove = new LinkedList<String>(); for (Map.Entry<String, Integer> entry : registeredNodes.entrySet()) { Integer lastReRegistration = entry.getValue(); if (lastReRegistration + client.getNodeReRegistrationTimeout() < currentTime) { toRemove.add(entry.getKey()); } else { validatedNodes.add(entry.getKey()); } } // Remove time-outed nodes for (String node : toRemove) { client.unregisterNode(node); } } else { // Periodic node reRegistration is disabled, so allow all nodes validatedNodes.addAll(registeredNodes.keySet()); } return validatedNodes; }
public static String verifyRedirectUri( UriInfo uriInfo, String redirectUri, RealmModel realm, ClientModel client) { if (client != null) return verifyRedirectUri( uriInfo, client.getRootUrl(), redirectUri, realm, client.getRedirectUris()); return null; }
@Override public void backchannelLogout(UserSessionModel userSession, ClientSessionModel clientSession) { ClientModel client = clientSession.getClient(); SamlClient samlClient = new SamlClient(client); String logoutUrl = getLogoutServiceUrl(uriInfo, client, SAML_POST_BINDING); if (logoutUrl == null) { logger.warnv( "Can't do backchannel logout. No SingleLogoutService POST Binding registered for client: {1}", client.getClientId()); return; } SAML2LogoutRequestBuilder logoutBuilder = createLogoutRequest(logoutUrl, clientSession, client); String logoutRequestString = null; try { JaxrsSAML2BindingBuilder binding = createBindingBuilder(samlClient); logoutRequestString = binding.postBinding(logoutBuilder.buildDocument()).encoded(); } catch (Exception e) { logger.warn("failed to send saml logout", e); return; } HttpClient httpClient = session.getProvider(HttpClientProvider.class).getHttpClient(); for (int i = 0; i < 2; i++) { // follow redirects once try { List<NameValuePair> formparams = new ArrayList<NameValuePair>(); formparams.add( new BasicNameValuePair(GeneralConstants.SAML_REQUEST_KEY, logoutRequestString)); formparams.add( new BasicNameValuePair("BACK_CHANNEL_LOGOUT", "BACK_CHANNEL_LOGOUT")); // for Picketlink // todo remove // this UrlEncodedFormEntity form = new UrlEncodedFormEntity(formparams, "UTF-8"); HttpPost post = new HttpPost(logoutUrl); post.setEntity(form); HttpResponse response = httpClient.execute(post); try { int status = response.getStatusLine().getStatusCode(); if (status == 302 && !logoutUrl.endsWith("/")) { String redirect = response.getFirstHeader(HttpHeaders.LOCATION).getValue(); String withSlash = logoutUrl + "/"; if (withSlash.equals(redirect)) { logoutUrl = withSlash; continue; } } } finally { HttpEntity entity = response.getEntity(); if (entity != null) { InputStream is = entity.getContent(); if (is != null) is.close(); } } } catch (IOException e) { logger.warn("failed to send saml logout", e); } break; } }
private static Set<String> getValidateRedirectUris(UriInfo uriInfo, RealmModel realm) { Set<String> redirects = new HashSet<>(); for (ClientModel client : realm.getClients()) { redirects.addAll( resolveValidRedirects(uriInfo, client.getRootUrl(), client.getRedirectUris())); } return redirects; }
@Override public boolean equals(Object o) { if (this == o) return true; if (o == null || !(o instanceof ClientModel)) return false; ClientModel that = (ClientModel) o; return that.getId().equals(getId()); }
public ApplicationsBean(KeycloakSession session, RealmModel realm, UserModel user) { Set<ClientModel> offlineClients = new UserSessionManager(session).findClientsWithOfflineToken(realm, user); List<ClientModel> realmClients = realm.getClients(); for (ClientModel client : realmClients) { // Don't show bearerOnly clients if (client.isBearerOnly()) { continue; } Set<RoleModel> availableRoles = TokenManager.getAccess(null, false, client, user); // Don't show applications, which user doesn't have access into (any available roles) if (availableRoles.isEmpty()) { continue; } List<RoleModel> realmRolesAvailable = new LinkedList<RoleModel>(); MultivaluedHashMap<String, ClientRoleEntry> resourceRolesAvailable = new MultivaluedHashMap<String, ClientRoleEntry>(); processRoles(availableRoles, realmRolesAvailable, resourceRolesAvailable); List<RoleModel> realmRolesGranted = new LinkedList<RoleModel>(); MultivaluedHashMap<String, ClientRoleEntry> resourceRolesGranted = new MultivaluedHashMap<String, ClientRoleEntry>(); List<String> claimsGranted = new LinkedList<String>(); if (client.isConsentRequired()) { UserConsentModel consent = user.getConsentByClient(client.getId()); if (consent != null) { processRoles(consent.getGrantedRoles(), realmRolesGranted, resourceRolesGranted); for (ProtocolMapperModel protocolMapper : consent.getGrantedProtocolMappers()) { claimsGranted.add(protocolMapper.getConsentText()); } } } List<String> additionalGrants = new ArrayList<>(); if (offlineClients.contains(client)) { additionalGrants.add("${offlineToken}"); } ApplicationEntry appEntry = new ApplicationEntry( realmRolesAvailable, resourceRolesAvailable, realmRolesGranted, resourceRolesGranted, client, claimsGranted, additionalGrants); applications.add(appEntry); } }
private ClientSessionModel createClientSession( UserModel user, String redirectUri, String clientId) { if (!user.isEnabled()) { throw new WebApplicationException( ErrorResponse.error("User is disabled", Response.Status.BAD_REQUEST)); } if (redirectUri != null && clientId == null) { throw new WebApplicationException( ErrorResponse.error("Client id missing", Response.Status.BAD_REQUEST)); } if (clientId == null) { clientId = Constants.ACCOUNT_MANAGEMENT_CLIENT_ID; } ClientModel client = realm.getClientByClientId(clientId); if (client == null || !client.isEnabled()) { throw new WebApplicationException( ErrorResponse.error(clientId + " not enabled", Response.Status.BAD_REQUEST)); } String redirect; if (redirectUri != null) { redirect = RedirectUtils.verifyRedirectUri(uriInfo, redirectUri, realm, client); if (redirect == null) { throw new WebApplicationException( ErrorResponse.error("Invalid redirect uri.", Response.Status.BAD_REQUEST)); } } else { redirect = Urls.accountBase(uriInfo.getBaseUri()).path("/").build(realm.getName()).toString(); } UserSessionModel userSession = session .sessions() .createUserSession( realm, user, user.getUsername(), clientConnection.getRemoteAddr(), "form", false, null, null); // audit.session(userSession); ClientSessionModel clientSession = session.sessions().createClientSession(realm, client); clientSession.setAuthMethod(OIDCLoginProtocol.LOGIN_PROTOCOL); clientSession.setRedirectUri(redirect); clientSession.setUserSession(userSession); return clientSession; }
/** * Get consents granted by the user * * @param id User id * @return */ @Path("{id}/consents") @GET @NoCache @Produces(MediaType.APPLICATION_JSON) public List<Map<String, Object>> getConsents(final @PathParam("id") String id) { auth.requireView(); UserModel user = session.users().getUserById(id, realm); if (user == null) { throw new NotFoundException("User not found"); } List<Map<String, Object>> result = new LinkedList<>(); Set<ClientModel> offlineClients = new UserSessionManager(session).findClientsWithOfflineToken(realm, user); for (ClientModel client : realm.getClients()) { UserConsentModel consent = user.getConsentByClient(client.getId()); boolean hasOfflineToken = offlineClients.contains(client); if (consent == null && !hasOfflineToken) { continue; } UserConsentRepresentation rep = (consent == null) ? null : ModelToRepresentation.toRepresentation(consent); Map<String, Object> currentRep = new HashMap<>(); currentRep.put("clientId", client.getClientId()); currentRep.put( "grantedProtocolMappers", (rep == null ? Collections.emptyMap() : rep.getGrantedProtocolMappers())); currentRep.put( "grantedRealmRoles", (rep == null ? Collections.emptyList() : rep.getGrantedRealmRoles())); currentRep.put( "grantedClientRoles", (rep == null ? Collections.emptyMap() : rep.getGrantedClientRoles())); List<Map<String, String>> additionalGrants = new LinkedList<>(); if (hasOfflineToken) { Map<String, String> offlineTokens = new HashMap<>(); offlineTokens.put("client", client.getId()); // TODO: translate offlineTokens.put("key", "Offline Token"); additionalGrants.add(offlineTokens); } currentRep.put("additionalGrants", additionalGrants); result.add(currentRep); } return result; }
private boolean showClientCredentialsAdapterConfig(ClientModel client) { if (client.isPublicClient()) { return false; } if (client.isBearerOnly() && client.getNodeReRegistrationTimeout() <= 0) { return false; } return true; }
private void grantPermissionsToRealmCreator(RealmModel realm) { if (auth.hasRealmRole(AdminRoles.ADMIN)) { return; } RealmModel adminRealm = new RealmManager(session).getKeycloakAdminstrationRealm(); ClientModel realmAdminApp = realm.getMasterAdminClient(); for (String r : AdminRoles.ALL_REALM_ROLES) { RoleModel role = realmAdminApp.getRole(r); auth.getUser().grantRole(role); } }
public String toJBossSubsystemConfig( RealmModel realmModel, ClientModel clientModel, URI baseUri) { StringBuffer buffer = new StringBuffer(); buffer.append("<secure-deployment name=\"WAR MODULE NAME.war\">\n"); buffer.append(" <realm>").append(realmModel.getName()).append("</realm>\n"); buffer .append(" <auth-server-url>") .append(baseUri.toString()) .append("</auth-server-url>\n"); if (clientModel.isBearerOnly()) { buffer.append(" <bearer-only>true</bearer-only>\n"); } else if (clientModel.isPublicClient()) { buffer.append(" <public-client>true</public-client>\n"); } buffer .append(" <ssl-required>") .append(realmModel.getSslRequired().name()) .append("</ssl-required>\n"); buffer.append(" <resource>").append(clientModel.getClientId()).append("</resource>\n"); String cred = clientModel.getSecret(); if (showClientCredentialsAdapterConfig(clientModel)) { Map<String, Object> adapterConfig = getClientCredentialsAdapterConfig(clientModel); for (Map.Entry<String, Object> entry : adapterConfig.entrySet()) { buffer.append(" <credential name=\"" + entry.getKey() + "\">"); Object value = entry.getValue(); if (value instanceof Map) { buffer.append("\n"); Map<String, Object> asMap = (Map<String, Object>) value; for (Map.Entry<String, Object> credEntry : asMap.entrySet()) { buffer.append( " <" + credEntry.getKey() + ">" + credEntry.getValue().toString() + "</" + credEntry.getKey() + ">\n"); } buffer.append(" </credential>\n"); } else { buffer.append(value.toString()).append("</credential>\n"); } } } if (clientModel.getRoles().size() > 0) { buffer.append(" <use-resource-role-mappings>true</use-resource-role-mappings>\n"); } buffer.append("</secure-deployment>\n"); return buffer.toString(); }
@Test public void testGetById() { Assert.assertEquals(realm1, model.getRealm("id1")); Assert.assertEquals(realm1, model.getRealmByName("realm1")); Assert.assertEquals(realm2, model.getRealm("id2")); Assert.assertEquals(realm2, model.getRealmByName("realm2")); ClientModel r1app1 = realm1.getClientByClientId("app1"); ClientModel r1app2 = realm1.getClientByClientId("app2"); ClientModel r2app1 = realm2.getClientByClientId("app1"); ClientModel r2app2 = realm2.getClientByClientId("app2"); Assert.assertEquals(r1app1, realm1.getClientById(r1app1.getId())); Assert.assertNull(realm2.getClientById(r1app1.getId())); ClientModel r2cl1 = realm2.getClientByClientId("cl1"); Assert.assertEquals(r2cl1.getId(), realm2.getClientById(r2cl1.getId()).getId()); Assert.assertNull(realm1.getClientByClientId(r2cl1.getId())); RoleModel r1App1Role = r1app1.getRole("app1Role1"); Assert.assertEquals(r1App1Role, realm1.getRoleById(r1App1Role.getId())); Assert.assertNull(realm2.getRoleById(r1App1Role.getId())); RoleModel r2Role1 = realm2.getRole("role2"); Assert.assertNull(realm1.getRoleById(r2Role1.getId())); Assert.assertEquals(r2Role1, realm2.getRoleById(r2Role1.getId())); }
public static String getLogoutServiceUrl( UriInfo uriInfo, ClientModel client, String bindingType) { String logoutServiceUrl = null; if (SAML_POST_BINDING.equals(bindingType)) { logoutServiceUrl = client.getAttribute(SAML_SINGLE_LOGOUT_SERVICE_URL_POST_ATTRIBUTE); } else { logoutServiceUrl = client.getAttribute(SAML_SINGLE_LOGOUT_SERVICE_URL_REDIRECT_ATTRIBUTE); } if (logoutServiceUrl == null && client instanceof ClientModel) logoutServiceUrl = ((ClientModel) client).getManagementUrl(); if (logoutServiceUrl == null || logoutServiceUrl.trim().equals("")) return null; return ResourceAdminManager.resolveUri( uriInfo.getRequestUri(), client.getRootUrl(), logoutServiceUrl); }
private void createObjects(RealmModel realm) { ClientModel app1 = realm.addClient("app1"); realm.addClient("app2"); realmManager.getSession().users().addUser(realm, "user1"); realmManager.getSession().users().addUser(realm, "user2"); realm.addRole("role1"); realm.addRole("role2"); app1.addRole("app1Role1"); app1.addScopeMapping(realm.getRole("role1")); realm.addClient("cl1"); }
@Override public void postInit(KeycloakSessionFactory factory) { factory.register( event -> { if (event instanceof ClientRemovedEvent) { KeycloakSession keycloakSession = ((ClientRemovedEvent) event).getKeycloakSession(); AuthorizationProvider provider = keycloakSession.getProvider(AuthorizationProvider.class); PolicyStore policyStore = provider.getStoreFactory().getPolicyStore(); ClientModel removedClient = ((ClientRemovedEvent) event).getClient(); policyStore .findByType(getId()) .forEach( policy -> { List<String> clients = new ArrayList<>(); for (String clientId : getClients(policy)) { if (!clientId.equals(removedClient.getId())) { clients.add(clientId); } } try { if (clients.isEmpty()) { policyStore .findDependentPolicies(policy.getId()) .forEach( dependentPolicy -> { dependentPolicy.removeAssociatedPolicy(policy); }); policyStore.delete(policy.getId()); } else { policy .getConfig() .put("clients", JsonSerialization.writeValueAsString(clients)); } } catch (IOException e) { throw new RuntimeException( "Error while synchronizing clients with policy [" + policy.getName() + "].", e); } }); } }); }
@Override public void config( RealmManager manager, RealmModel adminstrationRealm, RealmModel appRealm) { ClientModel app = appRealm.addClient("resource-owner"); app.setSecret("secret"); UserModel user = session.users().addUser(appRealm, "direct-login"); user.setEmail("direct-login@localhost"); user.setEnabled(true); userId = user.getId(); session .users() .updateCredential(appRealm, user, UserCredentialModel.password("password")); }
@Override public Set<RoleModel> getClientRoleMappings(ClientModel app) { Set<RoleModel> roleMappings = getRoleMappings(); Set<RoleModel> roles = new HashSet<RoleModel>(); for (RoleModel role : roleMappings) { RoleContainerModel container = role.getContainer(); if (container instanceof ClientModel) { ClientModel appModel = (ClientModel) container; if (appModel.getId().equals(app.getId())) { roles.add(role); } } } return roles; }
@Override public RoleModel addRole(String id, String name) { getDelegateForUpdate(); RoleModel role = updated.addRole(id, name); cacheSession.registerRoleInvalidation(role.getId()); return role; }
@Override public RoleModel getRole(String name) { if (updated != null) return updated.getRole(name); String id = cached.getRoles().get(name); if (id == null) return null; return cacheSession.getRoleById(id, cachedRealm); }
@Override public Map<String, String> getAttributes() { if (updated != null) return updated.getAttributes(); Map<String, String> copy = new HashMap<String, String>(); copy.putAll(cached.getAttributes()); return copy; }
public Set<RoleModel> getScopeMappings() { if (updated != null) return updated.getScopeMappings(); Set<RoleModel> roles = new HashSet<RoleModel>(); for (String id : cached.getScope()) { roles.add(cacheSession.getRoleById(id, getRealm())); } return roles; }
/** * Get client session stats * * <p>Returns a JSON map. The key is the client id, the value is the number of sessions that * currently are active with that client. Only clients that actually have a session associated * with them will be in this map. * * @return */ @Path("client-session-stats") @GET @NoCache @Produces(MediaType.APPLICATION_JSON) public List<Map<String, String>> getClientSessionStats() { auth.requireView(); List<Map<String, String>> data = new LinkedList<Map<String, String>>(); for (ClientModel client : realm.getClients()) { int size = session.sessions().getActiveUserSessions(client.getRealm(), client); if (size == 0) continue; Map<String, String> map = new HashMap<String, String>(); map.put("id", client.getId()); map.put("clientId", client.getClientId()); map.put("active", size + ""); data.add(map); } return data; }