protected boolean corsRequest() { if (!deployment.isCors()) return false; KeycloakSecurityContext securityContext = facade.getSecurityContext(); String origin = facade.getRequest().getHeader(CorsHeaders.ORIGIN); String requestOrigin = UriUtils.getOrigin(facade.getRequest().getURI()); log.debugv("Origin: {0} uri: {1}", origin, facade.getRequest().getURI()); if (securityContext != null && origin != null && !origin.equals(requestOrigin)) { AccessToken token = securityContext.getToken(); Set<String> allowedOrigins = token.getAllowedOrigins(); if (log.isDebugEnabled()) { for (String a : allowedOrigins) log.debug(" " + a); } if (allowedOrigins == null || (!allowedOrigins.contains("*") && !allowedOrigins.contains(origin))) { if (allowedOrigins == null) { log.debugv("allowedOrigins was null in token"); } else { log.debugv("allowedOrigins did not contain origin"); } facade.getResponse().setStatus(403); facade.getResponse().end(); return true; } log.debugv("returning origin: {0}", origin); facade.getResponse().setStatus(200); facade.getResponse().setHeader(CorsHeaders.ACCESS_CONTROL_ALLOW_ORIGIN, origin); facade.getResponse().setHeader(CorsHeaders.ACCESS_CONTROL_ALLOW_CREDENTIALS, "true"); } else { log.debugv( "cors validation not needed as we're not a secure session or origin header was null: {0}", facade.getRequest().getURI()); } return false; }
protected void queryBearerToken() { log.debugv("queryBearerToken {0}", facade.getRequest().getURI()); if (abortTokenResponse()) return; facade.getResponse().setStatus(200); facade.getResponse().setHeader("Content-Type", "text/plain"); try { facade .getResponse() .getOutputStream() .write(facade.getSecurityContext().getTokenString().getBytes()); } catch (IOException e) { throw new RuntimeException(e); } facade.getResponse().end(); }
protected boolean abortTokenResponse() { if (facade.getSecurityContext() == null) { log.debugv("Not logged in, sending back 401: {0}", facade.getRequest().getURI()); facade.getResponse().setStatus(401); facade.getResponse().end(); return true; } if (!deployment.isExposeToken()) { facade.getResponse().setStatus(200); facade.getResponse().end(); return true; } // Don't allow a CORS request if we're not validating CORS requests. if (!deployment.isCors() && facade.getRequest().getHeader(CorsHeaders.ORIGIN) != null) { facade.getResponse().setStatus(200); facade.getResponse().end(); return true; } return false; }