inteligr8/alfresco-keycloak
1
0
Fork 0
mirror of https://github.com/bmlong137/alfresco-keycloak.git synced 2025-05-12 21:24:43 +00:00
Code Issues Packages Projects Releases Wiki Activity

Improved handling of no-auth web script call in pre-authed session

Browse Source
This commit is contained in:
AFaust 2020-02-24 23:34:46 +01:00
parent 2423d365f9
commit 0deb5ee8a8
1 changed files with 57 additions and 16 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

73
repository/src/main/java/de/acosix/alfresco/keycloak/repo/authentication/KeycloakAuthenticationFilter.java
View File

@ -806,20 +806,7 @@ public class KeycloakAuthenticationFilter extends BaseAuthenticationFilter
LOGGER.trace("Skipping processKeycloakAuthenticationAndActions as user was authenticated by ticket URL parameter"); LOGGER.trace("Skipping processKeycloakAuthenticationAndActions as user was authenticated by ticket URL parameter");
skip = true; skip = true;
} }
else if (noAuthPublicRestApiWebScript) // if user was already authenticated, validate
{
LOGGER.trace(
"Skipping processKeycloakAuthenticationAndActions as request is aimed at a Public v1 ReST API which does not require authentication");
skip = true;
}
// check no-auth flag (derived e.g. from checking if target web script requires authentication) only after all pre-emptive auth
// request details have been checked
else if (Boolean.TRUE.equals(req.getAttribute(NO_AUTH_REQUIRED)))
{
LOGGER.trace(
"Skipping processKeycloakAuthenticationAndActions as filter higher up in chain determined authentication as not required");
skip = true;
}
else if (sessionUser != null) else if (sessionUser != null)
{ {
final KeycloakAccount keycloakAccount = (KeycloakAccount) session.getAttribute(KeycloakAccount.class.getName()); final KeycloakAccount keycloakAccount = (KeycloakAccount) session.getAttribute(KeycloakAccount.class.getName());
@ -827,6 +814,25 @@ public class KeycloakAuthenticationFilter extends BaseAuthenticationFilter
if (keycloakAccount != null) if (keycloakAccount != null)
{ {
skip = this.validateAndRefreshKeycloakAuthentication(req, res, sessionUser.getUserName()); skip = this.validateAndRefreshKeycloakAuthentication(req, res, sessionUser.getUserName());
if (!skip)
{
if (noAuthPublicRestApiWebScript)
{
LOGGER.trace(
"Skipping processKeycloakAuthenticationAndActions as request is aimed at a Public v1 ReST API which does not require authentication");
skip = true;
}
// check no-auth flag (derived e.g. from checking if target web script requires authentication) only after all
// pre-emptive auth
// request details have been checked
else if (Boolean.TRUE.equals(req.getAttribute(NO_AUTH_REQUIRED)))
{
LOGGER.trace(
"Skipping processKeycloakAuthenticationAndActions as filter higher up in chain determined authentication as not required");
skip = true;
}
}
} }
else if (accessToken != null) else if (accessToken != null)
{ {
@ -841,10 +847,31 @@ public class KeycloakAuthenticationFilter extends BaseAuthenticationFilter
} }
else else
{ {
LOGGER.trace( LOGGER.debug("Access token in session from previous Bearer authorization for {} has expired - invalidating session",
"Explicitly not skipping processKeycloakAuthenticationAndActions as access token in session from previous Bearer authorization for {} has expired",
AlfrescoCompatibilityUtil.maskUsername(sessionUser.getUserName())); AlfrescoCompatibilityUtil.maskUsername(sessionUser.getUserName()));
this.invalidateSession(req); this.invalidateSession(req);
if (noAuthPublicRestApiWebScript)
{
LOGGER.trace(
"Skipping processKeycloakAuthenticationAndActions as request is aimed at a Public v1 ReST API which does not require authentication");
skip = true;
}
// check no-auth flag (derived e.g. from checking if target web script requires authentication) only after all
// pre-emptive auth
// request details have been checked
else if (Boolean.TRUE.equals(req.getAttribute(NO_AUTH_REQUIRED)))
{
LOGGER.trace(
"Skipping processKeycloakAuthenticationAndActions as filter higher up in chain determined authentication as not required");
skip = true;
}
else
{
LOGGER.trace(
"Explicitly not skipping processKeycloakAuthenticationAndActions due to expired Bearer authorization for {}",
AlfrescoCompatibilityUtil.maskUsername(sessionUser.getUserName()));
}
} }
} }
else else
@ -854,6 +881,20 @@ public class KeycloakAuthenticationFilter extends BaseAuthenticationFilter
skip = true; skip = true;
} }
} }
else if (noAuthPublicRestApiWebScript)
{
LOGGER.trace(
"Skipping processKeycloakAuthenticationAndActions as request is aimed at a Public v1 ReST API which does not require authentication");
skip = true;
}
// check no-auth flag (derived e.g. from checking if target web script requires authentication) only after all pre-emptive auth
// request details have been checked
else if (Boolean.TRUE.equals(req.getAttribute(NO_AUTH_REQUIRED)))
{
LOGGER.trace(
"Skipping processKeycloakAuthenticationAndActions as filter higher up in chain determined authentication as not required");
skip = true;
}
// TODO Check for login page URL (rarely configured since Repository by default has no login page since 5.0) // TODO Check for login page URL (rarely configured since Repository by default has no login page since 5.0)
return skip; return skip;