Adapter documentation / fix confidential port

2025-09-10 14:11:09 +00:00 · 2020-10-20 21:27:24 +02:00
parent f34b6eed2d
commit a31309296a
13 changed files with 191 additions and 84 deletions
--- a/repository/src/main/globalConfig/subsystems/Authentication/keycloak/keycloak-authentication-context.xml
+++ b/repository/src/main/globalConfig/subsystems/Authentication/keycloak/keycloak-authentication-context.xml
@@ -30,9 +30,9 @@

    <bean id="keycloakDeployment" class="${project.artifactId}.spring.KeycloakDeploymentBeanFactory">
        <property name="adapterConfig" ref="keycloakAdapterConfig" />
-        <property name="connectionTimeout" value="${keycloak.authentication.connectionTimeout}" />
-        <property name="socketTimeout" value="${keycloak.authentication.socketTimeout}" />
-        <property name="directAuthHost" value="${keycloak.authentication.directAuthHost}" />
+        <property name="connectionTimeout" value="${keycloak.adapter.connectionTimeout}" />
+        <property name="socketTimeout" value="${keycloak.adapter.socketTimeout}" />
+        <property name="directAuthHost" value="${keycloak.adapter.directAuthHost}" />
    </bean>

    <bean id="sessionIdMapper" class="${project.artifactId}.authentication.SimpleCacheBackedSessionIdMapper">
@@ -135,7 +135,6 @@
        <property name="originalRequestUrlHeaderName" value="${keycloak.authentication.sso.originalRequestUrlHeaderName}" />
        <property name="noKeycloakHandlingHeaderName" value="x-${moduleId}-no-keycloak-handling" />
        <property name="bodyBufferLimit" value="${keycloak.authentication.bodyBufferLimit}" />
-        <property name="sslRedirectPort" value="${keycloak.authentication.sslRedirectPort}" />
        <property name="keycloakDeployment" ref="keycloakDeployment" />
        <property name="sessionIdMapper" ref="sessionIdMapper" />

--- a/repository/src/main/globalConfig/subsystems/Authentication/keycloak/keycloak-authentication.properties
+++ b/repository/src/main/globalConfig/subsystems/Authentication/keycloak/keycloak-authentication.properties
@@ -13,19 +13,20 @@ keycloak.authentication.mapPersonPropertiesOnLogin=true
 keycloak.authentication.authenticateFTP=true
 keycloak.authentication.silentRemoteUserValidationFailure=true

-keycloak.authentication.connectionTimeout=-1
-keycloak.authentication.socketTimeout=-1
-keycloak.authentication.sslRedirectPort=8443
 keycloak.authentication.bodyBufferLimit=10485760

 # override for a direct route to the auth server host
 # useful primarily for Docker-ized deployments where container running Alfresco cannot resolve the auth server via the public DNS name
-keycloak.authentication.directAuthHost=
+keycloak.adapter.directAuthHost=
+# other custom adapter properties not part of default Keycloak adapter library
+keycloak.adapter.connectionTimeout=-1
+keycloak.adapter.socketTimeout=-1

 keycloak.adapter.auth-server-url=http://localhost:8180/auth
 keycloak.adapter.realm=alfresco
 keycloak.adapter.resource=alfresco
 keycloak.adapter.ssl-required=none
+keycloak.adapter.confidential-port=-1
 keycloak.adapter.public-client=false
 keycloak.adapter.credentials.provider=secret
 keycloak.adapter.credentials.secret=
--- a/repository/src/main/java/de/acosix/alfresco/keycloak/repo/authentication/KeycloakAuthenticationFilter.java
+++ b/repository/src/main/java/de/acosix/alfresco/keycloak/repo/authentication/KeycloakAuthenticationFilter.java
@@ -126,10 +126,6 @@ public class KeycloakAuthenticationFilter extends BaseAuthenticationFilter

    protected int bodyBufferLimit = DEFAULT_BODY_BUFFER_LIMIT;

-    // use 8443 as default SSL redirect based on Tomcat default server.xml configuration
-    // can't rely on SysAdminParams#getAlfrescoPort either because that may be proxied / non-SSL
-    protected int sslRedirectPort = 8443;
-
    protected KeycloakDeployment keycloakDeployment;

    protected SessionIdMapper sessionIdMapper;
@@ -250,15 +246,6 @@ public class KeycloakAuthenticationFilter extends BaseAuthenticationFilter
        this.bodyBufferLimit = bodyBufferLimit;
    }

-    /**
-     * @param sslRedirectPort
-     *            the sslRedirectPort to set
-     */
-    public void setSslRedirectPort(final int sslRedirectPort)
-    {
-        this.sslRedirectPort = sslRedirectPort;
-    }
-
    /**
     * @param keycloakDeployment
     *            the keycloakDeployment to set
@@ -540,8 +527,11 @@ public class KeycloakAuthenticationFilter extends BaseAuthenticationFilter

        final OIDCFilterSessionStore tokenStore = new OIDCFilterSessionStore(req, facade,
                this.bodyBufferLimit > 0 ? this.bodyBufferLimit : DEFAULT_BODY_BUFFER_LIMIT, this.keycloakDeployment, this.sessionIdMapper);
+
+        final int sslPort = this.determineLikelySslPort(req);
+
        final FilterRequestAuthenticator authenticator = new FilterRequestAuthenticator(this.keycloakDeployment, tokenStore, facade, req,
-                this.sslRedirectPort);
+                sslPort);
        final AuthOutcome authOutcome = authenticator.authenticate();

        if (authOutcome == AuthOutcome.AUTHENTICATED)
@@ -1252,6 +1242,38 @@ public class KeycloakAuthenticationFilter extends BaseAuthenticationFilter
        }
    }

+    /**
+     * Determines the likely SSL port to be used in redirects from the incoming request. This operation should only be used to determine a
+     * technical default value in lieu of an explicitly configured value.
+     *
+     * @param req
+     *            the incoming request
+     * @return the assumed SSL port to be used in redirects
+     */
+    protected int determineLikelySslPort(final HttpServletRequest req)
+    {
+        int rqPort = req.getServerPort();
+        final String forwardedPort = req.getHeader("X-Forwarded-Port");
+        if (forwardedPort != null && forwardedPort.matches("^\\d+$"))
+        {
+            rqPort = Integer.parseInt(forwardedPort);
+        }
+        final int sslPort;
+        if (rqPort == 80 || rqPort == 443)
+        {
+            sslPort = 443;
+        }
+        else if (req.isSecure() && "https".equals(req.getScheme()))
+        {
+            sslPort = rqPort;
+        }
+        else
+        {
+            sslPort = 8443;
+        }
+        return sslPort;
+    }
+
    /**
     * {@inheritDoc}
     */
--- a/repository/src/test/docker/alfresco/extension/alfresco-global.addition.properties
+++ b/repository/src/test/docker/alfresco/extension/alfresco-global.addition.properties
@@ -25,7 +25,7 @@ keycloak.adapter.credentials.provider=secret
 keycloak.adapter.credentials.secret=6f70a28f-98cd-41ca-8f2f-368a8797d708

 # localhost in auth-server-url won't work for direct access in a Docker deployment
-keycloak.authentication.directAuthHost=http://keycloak:8080
+keycloak.adapter.directAuthHost=http://keycloak:8080

 keycloak.synchronization.userFilter.containedInGroup.property.groupPaths=/Test A
 keycloak.synchronization.groupFilter.containedInGroup.property.groupPaths=/Test A