Adapter documentation / fix confidential port

share/src/main/config/default-config.xml

@@ -31,8 +31,6 @@
             <enhance-login-form>true</enhance-login-form>
             <enable-sso-filter>true</enable-sso-filter>
             <force-keycloak-sso>false</force-keycloak-sso>
-            <!-- use 8443 as default SSL redirect based on Tomcat default server.xml configuration -->
-            <ssl-redirect-port>8443</ssl-redirect-port>
             <body-buffer-limit>10485760</body-buffer-limit>
             <session-mapper-limit>1000</session-mapper-limit>
             <ignore-default-filter>true</ignore-default-filter>
@@ -43,8 +41,9 @@
             <!-- by default use the same client as alfresco (not really "clean") -->
             <auth-server-url>http://localhost:8180/auth</auth-server-url>
             <realm>alfresco</realm>
-            <resource>alfresco</resource>
+            <resource>alfresco-share</resource>
             <ssl-required>none</ssl-required>
+            <confidential-port>-1</confidential-port>
             <!-- other than content-app / Identity Service, Share must/should be a confidential client to exchange code for access token + refresh -->
             <public-client>false</public-client>
             <credentials>

share/src/main/java/de/acosix/alfresco/keycloak/share/config/KeycloakAuthenticationConfigElement.java

@@ -39,8 +39,6 @@ public class KeycloakAuthenticationConfigElement extends BaseCustomConfigElement
 
     protected final ConfigValueHolder<Integer> bodyBufferLimit = new ConfigValueHolder<>();
 
-    protected final ConfigValueHolder<Integer> sslRedirectPort = new ConfigValueHolder<>();
-
     protected final ConfigValueHolder<Integer> sessionMapperLimit = new ConfigValueHolder<>();
 
     protected final ConfigValueHolder<Boolean> ignoreDefaultFilter = new ConfigValueHolder<>();
@@ -125,23 +123,6 @@ public class KeycloakAuthenticationConfigElement extends BaseCustomConfigElement
         return this.bodyBufferLimit.getValue();
     }
 
-    /**
-     * @param sslRedirectPort
-     *            the sslRedirectPort to set
-     */
-    public void setSslRedirectPort(final Integer sslRedirectPort)
-    {
-        this.sslRedirectPort.setValue(sslRedirectPort);
-    }
-
-    /**
-     * @return the sslRedirectPort
-     */
-    public Integer getSslRedirectPort()
-    {
-        return this.sslRedirectPort.getValue();
-    }
-
     /**
      * @param sessionMapperLimit
      *            the sessionMapperLimit to set
@@ -265,16 +246,6 @@ public class KeycloakAuthenticationConfigElement extends BaseCustomConfigElement
                     otherConfigElement.getBodyBufferLimit() != null ? otherConfigElement.getBodyBufferLimit() : this.getBodyBufferLimit());
         }
 
-        if (otherConfigElement.sslRedirectPort.isUnset())
-        {
-            combined.sslRedirectPort.unset();
-        }
-        else
-        {
-            combined.setSslRedirectPort(
-                    otherConfigElement.getSslRedirectPort() != null ? otherConfigElement.getSslRedirectPort() : this.getSslRedirectPort());
-        }
-
         if (otherConfigElement.sessionMapperLimit.isUnset())
         {
             combined.sessionMapperLimit.unset();
@@ -341,9 +312,6 @@ public class KeycloakAuthenticationConfigElement extends BaseCustomConfigElement
         builder.append("bodyBufferLimit=");
         builder.append(this.bodyBufferLimit);
         builder.append(", ");
-        builder.append("sslRedirectPort=");
-        builder.append(this.sslRedirectPort);
-        builder.append(", ");
         builder.append("sessionMapperLimit=");
         builder.append(this.sessionMapperLimit);
         builder.append(", ");

share/src/main/java/de/acosix/alfresco/keycloak/share/config/KeycloakAuthenticationConfigElementReader.java

@@ -65,13 +65,6 @@ public class KeycloakAuthenticationConfigElementReader implements ConfigElementR
             configElement.setBodyBufferLimit(value.isEmpty() ? null : Integer.valueOf(value));
         }
 
-        final Element sslRedirectPort = element.element("ssl-redirect-port");
-        if (sslRedirectPort != null)
-        {
-            final String value = sslRedirectPort.getTextTrim();
-            configElement.setSslRedirectPort(value.isEmpty() ? null : Integer.valueOf(value));
-        }
-
         final Element sessionMapperLimit = element.element("session-mapper-limit");
         if (sessionMapperLimit != null)
         {

share/src/main/java/de/acosix/alfresco/keycloak/share/web/KeycloakAuthenticationFilter.java

@@ -556,7 +556,6 @@ public class KeycloakAuthenticationFilter implements DependencyInjectedFilter, I
                 .getConfig(KeycloakConfigConstants.KEYCLOAK_CONFIG_SECTION_NAME).getConfigElement(KeycloakAuthenticationConfigElement.NAME);
 
         final Integer bodyBufferLimit = keycloakAuthConfig.getBodyBufferLimit();
-        final Integer sslRedirectPort = keycloakAuthConfig.getSslRedirectPort();
 
         final OIDCServletHttpFacade facade = new OIDCServletHttpFacade(req, res);
 
@@ -604,7 +603,7 @@ public class KeycloakAuthenticationFilter implements DependencyInjectedFilter, I
         }
         else
         {
-            this.processFilterAuthentication(context, req, res, chain, bodyBufferLimit, sslRedirectPort, facade);
+            this.processFilterAuthentication(context, req, res, chain, bodyBufferLimit, facade);
         }
     }
 
@@ -689,8 +688,6 @@ public class KeycloakAuthenticationFilter implements DependencyInjectedFilter, I
      * @param bodyBufferLimit
      *            the configured size limit to apply to any HTTP POST/PUT body buffering that may need to be applied to process the
      *            authentication via an intermediary redirect
-     * @param sslRedirectPort
-     *            the configured port to use for any forced redirection to HTTPS/SSL communication
      * @param facade
      *            the Keycloak HTTP facade
      * @throws IOException
@@ -699,8 +696,7 @@ public class KeycloakAuthenticationFilter implements DependencyInjectedFilter, I
      *             if any error occurs during Keycloak authentication or processing of the filter chain
      */
     protected void processFilterAuthentication(final ServletContext context, final HttpServletRequest req, final HttpServletResponse res,
-            final FilterChain chain, final Integer bodyBufferLimit, final Integer sslRedirectPort, final OIDCServletHttpFacade facade)
-            throws IOException, ServletException
+            final FilterChain chain, final Integer bodyBufferLimit, final OIDCServletHttpFacade facade) throws IOException, ServletException
     {
         final OIDCFilterSessionStore tokenStore = new OIDCFilterSessionStore(req, facade,
                 bodyBufferLimit != null ? bodyBufferLimit.intValue() : DEFAULT_BODY_BUFFER_LIMIT, this.keycloakDeployment,
@@ -708,7 +704,7 @@ public class KeycloakAuthenticationFilter implements DependencyInjectedFilter, I
 
         // use 8443 as default SSL redirect based on Tomcat default server.xml configuration
         final FilterRequestAuthenticator authenticator = new FilterRequestAuthenticator(this.keycloakDeployment, tokenStore, facade, req,
-                sslRedirectPort != null ? sslRedirectPort.intValue() : 8443);
+                this.keycloakDeployment.getConfidentialPort());
         final AuthOutcome authOutcome = authenticator.authenticate();
 
         if (authOutcome == AuthOutcome.AUTHENTICATED)
@@ -814,7 +810,6 @@ public class KeycloakAuthenticationFilter implements DependencyInjectedFilter, I
                 .getConfig(KeycloakConfigConstants.KEYCLOAK_CONFIG_SECTION_NAME).getConfigElement(KeycloakAuthenticationConfigElement.NAME);
 
         final Integer bodyBufferLimit = keycloakAuthConfig.getBodyBufferLimit();
-        final Integer sslRedirectPort = keycloakAuthConfig.getSslRedirectPort();
 
         // fake a request that will yield a redirect
         final HttpServletRequest wrappedReq = new HttpServletRequestWrapper(req)
@@ -838,9 +833,9 @@ public class KeycloakAuthenticationFilter implements DependencyInjectedFilter, I
         final OIDCFilterSessionStore tokenStore = new OIDCFilterSessionStore(req, captureFacade,
                 bodyBufferLimit != null ? bodyBufferLimit.intValue() : DEFAULT_BODY_BUFFER_LIMIT, this.keycloakDeployment, null);
 
-        // use 8443 as default SSL redirect based on Tomcat default server.xml configuration
-        final OAuthRequestAuthenticator authenticator = new OAuthRequestAuthenticator(null, captureFacade, this.keycloakDeployment,
-                sslRedirectPort != null ? sslRedirectPort.intValue() : 8443, tokenStore);
+        final int sslPort = this.determineLikelySslPort(req);
+        final OAuthRequestAuthenticator authenticator = new OAuthRequestAuthenticator(null, captureFacade, this.keycloakDeployment, sslPort,
+                tokenStore);
 
         final AuthOutcome authOutcome = authenticator.authenticate();
         if (authOutcome != AuthOutcome.NOT_ATTEMPTED)
@@ -1781,6 +1776,38 @@ public class KeycloakAuthenticationFilter implements DependencyInjectedFilter, I
         }
     }
 
+    /**
+     * Determines the likely SSL port to be used in redirects from the incoming request. This operation should only be used to determine a
+     * technical default value in lieu of an explicitly configured value.
+     *
+     * @param req
+     *            the incoming request
+     * @return the assumed SSL port to be used in redirects
+     */
+    protected int determineLikelySslPort(final HttpServletRequest req)
+    {
+        int rqPort = req.getServerPort();
+        final String forwardedPort = req.getHeader("X-Forwarded-Port");
+        if (forwardedPort != null && forwardedPort.matches("^\\d+$"))
+        {
+            rqPort = Integer.parseInt(forwardedPort);
+        }
+        final int sslPort;
+        if (rqPort == 80 || rqPort == 443)
+        {
+            sslPort = 443;
+        }
+        else if (req.isSecure() && "https".equals(req.getScheme()))
+        {
+            sslPort = rqPort;
+        }
+        else
+        {
+            sslPort = 8443;
+        }
+        return sslPort;
+    }
+
     /**
      * Sets up a forced route for the Keycloak-library backing HTTP client if configured. This may be necessary to deal with situations
      * where Share cannot use the public address of the authentication server (used in authentication redirects) to talk with the server

share/src/test/java/de/acosix/alfresco/keycloak/share/config/KeycloakAdapterConfigTest.java

@@ -52,7 +52,6 @@ public class KeycloakAdapterConfigTest
         Assert.assertTrue(keycloakAuthConfig.getEnhanceLoginForm());
         Assert.assertTrue(keycloakAuthConfig.getEnableSsoFilter());
         Assert.assertFalse(keycloakAuthConfig.getForceKeycloakSso());
-        Assert.assertEquals(Integer.valueOf(8443), keycloakAuthConfig.getSslRedirectPort());
         Assert.assertEquals(Integer.valueOf(10485760), keycloakAuthConfig.getBodyBufferLimit());
         Assert.assertEquals(Integer.valueOf(1000), keycloakAuthConfig.getSessionMapperLimit());
 
@@ -99,7 +98,6 @@ public class KeycloakAdapterConfigTest
         Assert.assertFalse(keycloakAuthConfig.getEnhanceLoginForm());
         Assert.assertFalse(keycloakAuthConfig.getEnableSsoFilter());
         Assert.assertFalse(keycloakAuthConfig.getForceKeycloakSso());
-        Assert.assertEquals(Integer.valueOf(8443), keycloakAuthConfig.getSslRedirectPort());
         Assert.assertEquals(Integer.valueOf(10485760), keycloakAuthConfig.getBodyBufferLimit());
         Assert.assertEquals(Integer.valueOf(2000), keycloakAuthConfig.getSessionMapperLimit());
 

share/src/test/resources/default-config.xml

@@ -40,6 +40,7 @@
             <alfresco-resource-name>alfresco</alfresco-resource-name>
         </keycloak-auth-config>
         <keycloak-adapter-config>
+            <directAuthHost>http://keycloak:8080</directAuthHost>
             <!-- by default use the same client as alfresco (not really "clean") -->
             <auth-server-url>http://localhost:8180/auth</auth-server-url>
             <realm>alfresco</realm>