inteligr8/alfresco-keycloak
1
0
Fork 0
mirror of https://github.com/bmlong137/alfresco-keycloak.git synced 2025-09-10 14:11:09 +00:00
Code Issues Packages Projects Releases Wiki Activity

Re-introduce force route option

Browse Source
This commit is contained in:
AFaust
2021-12-14 18:46:25 +01:00
parent a521dd87de
commit b02eaaa896
17 changed files with 294 additions and 55 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
share/src/main/config/default-config.xml
View File

@@ -31,6 +31,7 @@
<enable-sso-filter>true</enable-sso-filter>
<enhance-login-form>true</enhance-login-form>
<force-keycloak-sso>false</force-keycloak-sso>
<remember-keycloak-sso>false</remember-keycloak-sso>
<body-buffer-limit>10485760</body-buffer-limit>
<session-mapper-limit>10000</session-mapper-limit>
<ignore-default-filter>true</ignore-default-filter>

59
share/src/main/java/de/acosix/alfresco/keycloak/share/config/ExtendedAdapterConfig.java Normal file
View File

@@ -0,0 +1,59 @@
/*
* Copyright 2019 - 2021 Acosix GmbH
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package de.acosix.alfresco.keycloak.share.config;
import com.fasterxml.jackson.annotation.JsonProperty;
import com.fasterxml.jackson.annotation.JsonPropertyOrder;
import org.keycloak.representations.adapters.config.AdapterConfig;
/**
* Minorly extended configuration for Java based adapters
*
* @author Axel Faust
*/
@JsonPropertyOrder({ "realm", "realm-public-key", "auth-server-url", "ssl-required", "resource", "public-client", "credentials",
"use-resource-role-mappings", "enable-cors", "cors-max-age", "cors-allowed-methods", "cors-exposed-headers", "expose-token",
"bearer-only", "autodetect-bearer-only", "connection-pool-size", "socket-timeout-millis", "connection-ttl-millis",
"connection-timeout-millis", "allow-any-hostname", "disable-trust-manager", "truststore", "truststore-password", "client-keystore",
"client-keystore-password", "client-key-password", "always-refresh-token", "register-node-at-startup", "register-node-period",
"token-store", "adapter-state-cookie-path", "principal-attribute", "proxy-url", "forced-route-url",
"turn-off-change-session-id-on-login", "token-minimum-time-to-live", "min-time-between-jwks-requests", "public-key-cache-ttl",
"policy-enforcer", "ignore-oauth-query-parameter", "verify-token-audience" })
public class ExtendedAdapterConfig extends AdapterConfig
{
@JsonProperty("forced-route-url")
protected String forcedRouteUrl;
/**
* @return the forcedRouteUrl
*/
public String getForcedRouteUrl()
{
return this.forcedRouteUrl;
}
/**
* @param forcedRouteUrl
* the forcedRouteUrl to set
*/
public void setForcedRouteUrl(final String forcedRouteUrl)
{
this.forcedRouteUrl = forcedRouteUrl;
}
}

25
share/src/main/java/de/acosix/alfresco/keycloak/share/config/KeycloakAdapterConfigElement.java
View File

@@ -34,13 +34,11 @@ import org.alfresco.error.AlfrescoRuntimeException;
import org.alfresco.util.EqualsHelper;
import org.alfresco.util.ParameterCheck;
import org.alfresco.util.PropertyCheck;
import org.keycloak.representations.adapters.config.AdapterConfig;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.extensions.config.ConfigElement;
import de.acosix.alfresco.utility.share.config.BaseCustomConfigElement;
import de.acosix.alfresco.utility.share.config.ConfigValueHolder;
/**
* @author Axel Faust
@@ -79,7 +77,7 @@ public class KeycloakAdapterConfigElement extends BaseCustomConfigElement
primitiveWrapperTypeMap.put(primitiveTypes[i], wrapperTypes[i]);
}
Class<?> cls = AdapterConfig.class;
Class<?> cls = ExtendedAdapterConfig.class;
while (cls != null && !Object.class.equals(cls))
{
final Field[] fields = cls.getDeclaredFields();
@@ -152,8 +150,7 @@ public class KeycloakAdapterConfigElement extends BaseCustomConfigElement
public boolean isFieldSupported(final String fieldName)
{
ParameterCheck.mandatoryString("fieldName", fieldName);
final boolean supported = CONFIG_NAMES.contains(fieldName);
return supported;
return CONFIG_NAMES.contains(fieldName);
}
/**
@@ -170,22 +167,21 @@ public class KeycloakAdapterConfigElement extends BaseCustomConfigElement
{
throw new IllegalArgumentException(fieldName + " is not a supported field");
}
final Class<?> valueType = VALUE_TYPE_BY_CONFIG_NAME.get(fieldName);
return valueType;
return VALUE_TYPE_BY_CONFIG_NAME.get(fieldName);
}
/**
* Retrieves the configured value for a specific field. Default values inherent in the {@link AdapterConfig Keycloak classes} are not
* Retrieves the configured value for a specific field. Default values inherent in the {@link ExtendedAdapterConfig Keycloak classes}
* are not
* considered by this operation.
*
* @param fieldName
* the name of the field for which to retrieve the value
* the name of the field for which to retrieve the value
* @return the currently configured value for the field, or {@code null} if no value has been configured
*/
public Object getFieldValue(final String fieldName)
{
final Object value = this.configValueByField.get(fieldName);
return value;
return this.configValueByField.get(fieldName);
}
/**
@@ -252,8 +248,7 @@ public class KeycloakAdapterConfigElement extends BaseCustomConfigElement
{
throw new IllegalArgumentException(fieldName + " is not a supported field");
}
final boolean unset = this.markedAsUnset.contains(fieldName);
return unset;
return this.markedAsUnset.contains(fieldName);
}
/**
@@ -261,9 +256,9 @@ public class KeycloakAdapterConfigElement extends BaseCustomConfigElement
*
* @return the adapter configuration instance
*/
public AdapterConfig buildAdapterConfiguration()
public ExtendedAdapterConfig buildAdapterConfiguration()
{
final AdapterConfig adapterConfig = new AdapterConfig();
final ExtendedAdapterConfig adapterConfig = new ExtendedAdapterConfig();
try
{

49
share/src/main/java/de/acosix/alfresco/keycloak/share/config/KeycloakAuthenticationConfigElement.java
View File

@@ -37,6 +37,8 @@ public class KeycloakAuthenticationConfigElement extends BaseCustomConfigElement
protected final ConfigValueHolder<Boolean> forceKeycloakSso = new ConfigValueHolder<>();
protected final ConfigValueHolder<Boolean> rememberKeycloakSso = new ConfigValueHolder<>();
protected final ConfigValueHolder<Integer> bodyBufferLimit = new ConfigValueHolder<>();
protected final ConfigValueHolder<Integer> sessionMapperLimit = new ConfigValueHolder<>();
@@ -57,7 +59,7 @@ public class KeycloakAuthenticationConfigElement extends BaseCustomConfigElement
/**
* @param enhanceLoginForm
* the enhanceLoginForm to set
* the enhanceLoginForm to set
*/
public void setEnhanceLoginForm(final Boolean enhanceLoginForm)
{
@@ -74,7 +76,7 @@ public class KeycloakAuthenticationConfigElement extends BaseCustomConfigElement
/**
* @param enableSsoFilter
* the enableSsoFilter to set
* the enableSsoFilter to set
*/
public void setEnableSsoFilter(final Boolean enableSsoFilter)
{
@@ -91,7 +93,7 @@ public class KeycloakAuthenticationConfigElement extends BaseCustomConfigElement
/**
* @param forceKeycloakSso
* the forceKeycloakSso to set
* the forceKeycloakSso to set
*/
public void setForceKeycloakSso(final Boolean forceKeycloakSso)
{
@@ -106,9 +108,26 @@ public class KeycloakAuthenticationConfigElement extends BaseCustomConfigElement
return this.forceKeycloakSso.getValue();
}
/**
* @param rememberKeycloakSso
* the rememberKeycloakSso to set
*/
public void setRememberKeycloakSso(final Boolean rememberKeycloakSso)
{
this.rememberKeycloakSso.setValue(rememberKeycloakSso);
}
/**
* @return the rememberKeycloakSso
*/
public Boolean getRememberKeycloakSso()
{
return this.rememberKeycloakSso.getValue();
}
/**
* @param bodyBufferLimit
* the bodyBufferLimit to set
* the bodyBufferLimit to set
*/
public void setBodyBufferLimit(final Integer bodyBufferLimit)
{
@@ -125,7 +144,7 @@ public class KeycloakAuthenticationConfigElement extends BaseCustomConfigElement
/**
* @param sessionMapperLimit
* the sessionMapperLimit to set
* the sessionMapperLimit to set
*/
public void setSessionMapperLimit(final Integer sessionMapperLimit)
{
@@ -142,7 +161,7 @@ public class KeycloakAuthenticationConfigElement extends BaseCustomConfigElement
/**
* @param ignoreDefaultFilter
* the ignoreDefaultFilter to set
* the ignoreDefaultFilter to set
*/
public void setIgnoreDefaultFilter(final Boolean ignoreDefaultFilter)
{
@@ -159,7 +178,7 @@ public class KeycloakAuthenticationConfigElement extends BaseCustomConfigElement
/**
* @param performTokenExchange
* the performTokenExchange to set
* the performTokenExchange to set
*/
public void setPerformTokenExchange(final Boolean performTokenExchange)
{
@@ -176,7 +195,7 @@ public class KeycloakAuthenticationConfigElement extends BaseCustomConfigElement
/**
* @param alfrescoResourceName
* the alfrescoResourceName to set
* the alfrescoResourceName to set
*/
public void setAlfrescoResourceName(final String alfrescoResourceName)
{
@@ -236,6 +255,17 @@ public class KeycloakAuthenticationConfigElement extends BaseCustomConfigElement
: this.getForceKeycloakSso());
}
if (otherConfigElement.rememberKeycloakSso.isUnset())
{
combined.rememberKeycloakSso.unset();
}
else
{
combined.setRememberKeycloakSso(
otherConfigElement.getRememberKeycloakSso() != null ? otherConfigElement.getRememberKeycloakSso()
: this.getRememberKeycloakSso());
}
if (otherConfigElement.bodyBufferLimit.isUnset())
{
combined.bodyBufferLimit.unset();
@@ -309,6 +339,9 @@ public class KeycloakAuthenticationConfigElement extends BaseCustomConfigElement
builder.append("forceKeycloakSso=");
builder.append(this.forceKeycloakSso);
builder.append(", ");
builder.append("rememberKeycloakSso=");
builder.append(this.rememberKeycloakSso);
builder.append(", ");
builder.append("bodyBufferLimit=");
builder.append(this.bodyBufferLimit);
builder.append(", ");

7
share/src/main/java/de/acosix/alfresco/keycloak/share/config/KeycloakAuthenticationConfigElementReader.java
View File

@@ -58,6 +58,13 @@ public class KeycloakAuthenticationConfigElementReader implements ConfigElementR
configElement.setForceKeycloakSso(value.isEmpty() ? null : Boolean.valueOf(value));
}
final Element rememberKeycloakSso = element.element("remember-keycloak-sso");
if (rememberKeycloakSso != null)
{
final String value = rememberKeycloakSso.getTextTrim();
configElement.setRememberKeycloakSso(value.isEmpty() ? null : Boolean.valueOf(value));
}
final Element bodyBufferLimit = element.element("body-buffer-limit");
if (bodyBufferLimit != null)
{

60
share/src/main/java/de/acosix/alfresco/keycloak/share/web/KeycloakAuthenticationFilter.java
View File

@@ -22,6 +22,7 @@ import java.io.IOException;
import java.io.InputStream;
import java.lang.reflect.Constructor;
import java.lang.reflect.InvocationTargetException;
import java.net.InetAddress;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
@@ -48,12 +49,17 @@ import org.alfresco.util.EqualsHelper;
import org.alfresco.util.PropertyCheck;
import org.alfresco.web.site.servlet.SSOAuthenticationFilter;
import org.apache.http.HttpEntity;
import org.apache.http.HttpHost;
import org.apache.http.HttpResponse;
import org.apache.http.NameValuePair;
import org.apache.http.client.HttpClient;
import org.apache.http.client.entity.UrlEncodedFormEntity;
import org.apache.http.client.methods.HttpPost;
import org.apache.http.conn.params.ConnRoutePNames;
import org.apache.http.conn.params.ConnRouteParams;
import org.apache.http.conn.routing.HttpRoute;
import org.apache.http.message.BasicNameValuePair;
import org.apache.http.params.HttpParams;
import org.apache.http.util.EntityUtils;
import org.keycloak.KeycloakSecurityContext;
import org.keycloak.OAuth2Constants;
@@ -84,7 +90,6 @@ import org.keycloak.common.util.Time;
import org.keycloak.constants.ServiceUrlConstants;
import org.keycloak.representations.AccessToken;
import org.keycloak.representations.AccessTokenResponse;
import org.keycloak.representations.adapters.config.AdapterConfig;
import org.keycloak.util.JsonSerialization;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
@@ -115,6 +120,7 @@ import org.springframework.extensions.webscripts.servlet.DependencyInjectedFilte
import org.springframework.web.context.request.RequestContextHolder;
import org.springframework.web.context.request.ServletRequestAttributes;
import de.acosix.alfresco.keycloak.share.config.ExtendedAdapterConfig;
import de.acosix.alfresco.keycloak.share.config.KeycloakAdapterConfigElement;
import de.acosix.alfresco.keycloak.share.config.KeycloakAuthenticationConfigElement;
import de.acosix.alfresco.keycloak.share.config.KeycloakConfigConstants;
@@ -127,6 +133,7 @@ import de.acosix.alfresco.keycloak.share.util.RefreshableAccessTokenHolder;
*
* @author Axel Faust
*/
@SuppressWarnings("deprecation")
public class KeycloakAuthenticationFilter implements DependencyInjectedFilter, InitializingBean, ApplicationContextAware
{
@@ -227,6 +234,8 @@ public class KeycloakAuthenticationFilter implements DependencyInjectedFilter, I
protected boolean forceSso = false;
protected boolean rememberSso = false;
protected boolean ignoreDefaultFilter = false;
protected KeycloakDeployment keycloakDeployment;
@@ -316,6 +325,7 @@ public class KeycloakAuthenticationFilter implements DependencyInjectedFilter, I
this.filterEnabled = Boolean.TRUE.equals(keycloakAuthConfig.getEnableSsoFilter());
this.loginFormEnhancementEnabled = Boolean.TRUE.equals(keycloakAuthConfig.getEnhanceLoginForm());
this.forceSso = Boolean.TRUE.equals(keycloakAuthConfig.getForceKeycloakSso());
this.rememberSso = Boolean.TRUE.equals(keycloakAuthConfig.getRememberKeycloakSso());
this.ignoreDefaultFilter = Boolean.TRUE.equals(keycloakAuthConfig.getIgnoreDefaultFilter());
}
else
@@ -503,8 +513,15 @@ public class KeycloakAuthenticationFilter implements DependencyInjectedFilter, I
protected void initFromAdapterConfig(final KeycloakAdapterConfigElement keycloakAdapterConfig)
{
final AdapterConfig adapterConfiguration = keycloakAdapterConfig.buildAdapterConfiguration();
final ExtendedAdapterConfig adapterConfiguration = keycloakAdapterConfig.buildAdapterConfiguration();
this.keycloakDeployment = KeycloakDeploymentBuilder.build(adapterConfiguration);
final String forcedRouteUrl = adapterConfiguration.getForcedRouteUrl();
if (forcedRouteUrl != null && !forcedRouteUrl.isEmpty())
{
final HttpClient client = this.keycloakDeployment.getClient();
this.configureForcedRouteIfNecessary(client, forcedRouteUrl);
this.keycloakDeployment.setClient(client);
}
this.deploymentContext = new AdapterDeploymentContext(this.keycloakDeployment);
}
@@ -531,12 +548,15 @@ public class KeycloakAuthenticationFilter implements DependencyInjectedFilter, I
tokenStore.logout();
final Cookie keycloakCookie = new Cookie(KEYCLOAK_AUTHENTICATED_COOKIE, "false");
keycloakCookie.setPath(context.getContextPath());
keycloakCookie.setMaxAge(0);
keycloakCookie.setHttpOnly(true);
keycloakCookie.setSecure(req.isSecure());
res.addCookie(keycloakCookie);
if (this.rememberSso)
{
final Cookie keycloakCookie = new Cookie(KEYCLOAK_AUTHENTICATED_COOKIE, "false");
keycloakCookie.setPath(context.getContextPath());
keycloakCookie.setMaxAge(0);
keycloakCookie.setHttpOnly(true);
keycloakCookie.setSecure(req.isSecure());
res.addCookie(keycloakCookie);
}
chain.doFilter(req, res);
}
@@ -1010,7 +1030,7 @@ public class KeycloakAuthenticationFilter implements DependencyInjectedFilter, I
{
final boolean hasKeycloakCookie = this.hasKeycloakCookie(req);
if (!hasKeycloakCookie)
if (!hasKeycloakCookie && this.rememberSso)
{
final Cookie keycloakCookie = new Cookie(KEYCLOAK_AUTHENTICATED_COOKIE, "true");
keycloakCookie.setPath(req.getServletContext().getContextPath());
@@ -1025,7 +1045,7 @@ public class KeycloakAuthenticationFilter implements DependencyInjectedFilter, I
{
final Cookie[] cookies = req.getCookies();
boolean hasKeycloakCookie = false;
if (cookies != null)
if (cookies != null && this.rememberSso)
{
for (final Cookie cookie : cookies)
{
@@ -1827,4 +1847,24 @@ public class KeycloakAuthenticationFilter implements DependencyInjectedFilter, I
}
return sslPort;
}
protected void configureForcedRouteIfNecessary(final HttpClient client, final String forcedRoute)
{
final HttpHost forcedRouteHost = HttpHost.create(forcedRoute);
final HttpParams params = client.getParams();
final InetAddress local = ConnRouteParams.getLocalAddress(params);
final HttpHost defaultProxy = ConnRouteParams.getDefaultProxy(params);
final boolean secure = forcedRouteHost.getSchemeName().equalsIgnoreCase("https");
HttpRoute route;
if (defaultProxy == null)
{
route = new HttpRoute(forcedRouteHost, local, secure);
}
else
{
route = new HttpRoute(forcedRouteHost, local, defaultProxy, secure);
}
params.setParameter(ConnRoutePNames.FORCED_ROUTE, route);
}
}

2
share/src/test/docker/alfresco/extension/alfresco-global.addition.properties
View File

@@ -25,7 +25,7 @@ keycloak.adapter.credentials.provider=secret
keycloak.adapter.credentials.secret=6f70a28f-98cd-41ca-8f2f-368a8797d708
# localhost in auth-server-url won't work for direct access in a Docker deployment
keycloak.adapter.proxy-url=http://keycloak:8080
keycloak.adapter.forced-route-url=http://keycloak:8080
keycloak.roles.requiredClientScopes=alfresco-role-service

2
share/src/test/docker/alfresco/web-extension/share-config-custom.xml
View File

@@ -75,7 +75,7 @@
<perform-token-exchange>true</perform-token-exchange>
</keycloak-auth-config>
<keycloak-adapter-config>
<proxy-url>http://keycloak:8080</proxy-url>
<forced-route-url>http://keycloak:8080</forced-route-url>
<auth-server-url>http://localhost:${docker.tests.keycloakPort}/auth</auth-server-url>
<realm>test</realm>
<resource>alfresco-share</resource>

2
share/src/test/resources/default-config.xml
View File

@@ -40,7 +40,7 @@
<alfresco-resource-name>alfresco</alfresco-resource-name>
</keycloak-auth-config>
<keycloak-adapter-config>
<proxy-url>http://keycloak:8080</proxy-url>
<forced-route-url>http://keycloak:8080</forced-route-url>
<!-- by default use the same client as alfresco (not really "clean") -->
<auth-server-url>http://localhost:8180/auth</auth-server-url>
<realm>alfresco</realm>