inteligr8/alfresco-keycloak
1
0
Fork 0
mirror of https://github.com/bmlong137/alfresco-keycloak.git synced 2025-09-10 14:11:09 +00:00
Code Issues Packages Projects Releases Wiki Activity

Use default fields for timeout + proxy

Browse Source
This commit is contained in:
AFaust
2021-10-19 15:39:39 +02:00
parent a9bb9c32a8
commit b4ca07d0c2
15 changed files with 104 additions and 361 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
repository/src/main/globalConfig/subsystems/Authentication/keycloak/keycloak-authentication-context.xml
View File

@@ -30,9 +30,6 @@
<bean id="keycloakDeployment" class="${project.artifactId}.spring.KeycloakDeploymentBeanFactory">
<property name="adapterConfig" ref="keycloakAdapterConfig" />
<property name="connectionTimeout" value="${keycloak.adapter.connectionTimeout}" />
<property name="socketTimeout" value="${keycloak.adapter.socketTimeout}" />
<property name="directAuthHost" value="${keycloak.adapter.directAuthHost}" />
</bean>
<bean id="sessionIdMapper" class="${project.artifactId}.authentication.SimpleCacheBackedSessionIdMapper">

50
repository/src/main/globalConfig/subsystems/Authentication/keycloak/keycloak-authentication.properties
View File

@@ -15,14 +15,8 @@ keycloak.authentication.silentRemoteUserValidationFailure=true
keycloak.authentication.bodyBufferLimit=10485760
# override for a direct route to the auth server host
# useful primarily for Docker-ized deployments where container running Alfresco cannot resolve the auth server via the public DNS name
keycloak.adapter.directAuthHost=
# other custom adapter properties not part of default Keycloak adapter library
keycloak.adapter.connectionTimeout=5000
keycloak.adapter.socketTimeout=5000
keycloak.adapter.auth-server-url=http://localhost:8180/auth
keycloak.adapter.proxy-url=
keycloak.adapter.realm=alfresco
keycloak.adapter.resource=alfresco
keycloak.adapter.ssl-required=none
@@ -33,7 +27,47 @@ keycloak.adapter.credentials.secret=
# for some reason, this is not a sane default in Keycloak Adapter config
keycloak.adapter.verify-token-audience=true
# TODO default settings (identical to AdapterConfig defaults) to better align with default Alfresco subsystem property handling
keycloak.adapter.allow-any-hostname=false
keycloak.adapter.disable-trust-manager=false
# TODO Try and integrate ACS keystore handling
keycloak.adapter.truststore=
keycloak.adapter.truststore-password=
keycloak.adapter.client-keystore=
keycloak.adapter.client-keystore-password=
keycloak.adapter.client-key-password=
keycloak.adapter.connection-pool-size=20
keycloak.adapter.always-refresh-token=false
keycloak.adapter.register-node-at-startup=false
keycloak.adapter.register-node-period=-1
keycloak.adapter.token-store=
keycloak.adapter.adapter-state-cookie-path=
keycloak.adapter.principal-attribute=
keycloak.adapter.turn-off-change-session-id-on-login=
keycloak.adapter.token-minimum-time-to-live=0
keycloak.adapter.min-time-between-jwks-requests=10
keycloak.adapter.public-key-cache-ttl=86400
keycloak.adapter.enable-pkce=false
keycloak.adapter.ignore-oauth-query-parameter=false
keycloak.adapter.min-time-between-jwks-requests=10
keycloak.adapter.socket-timeout-millis=5000
keycloak.adapter.connection-timeout-millis=5000
keycloak.adapter.connection-ttl-millis=-1
keycloak.adapter.use-resource-role-mappings=false
# note: support for handling CORS is a tertiary side-effect of Keycloak integration
keycloak.adapter.enable-cors=false
keycloak.adapter.cors-max-age=-1
keycloak.adapter.cors-allowed-headers=
keycloak.adapter.cors-allowed-methods=
keycloak.adapter.cors-exposed-headers=
keycloak.adapter.expose-token=false
keycloak.adapter.bearer-only=false
keycloak.adapter.autodetect-bearer-only=false
# recommended to never be set to true as that would disable basic auth for any local Alfresco users
keycloak.adapter.enable-basic-auth=false
# keycloak.adapter.redirect-rewrite-rules.x=y
keycloak.adapter.realm-public-key=
keycloak.authentication.userAuthority.default.property.realmRoleNameFilter.ref=realmFilter.aggregate
keycloak.authentication.userAuthority.default.property.realmRoleNameMapper.ref=realmMapper.aggregate

87
repository/src/main/java/de/acosix/alfresco/keycloak/repo/spring/KeycloakDeploymentBeanFactory.java
View File

@@ -15,19 +15,9 @@
*/
package de.acosix.alfresco.keycloak.repo.spring;
import java.net.InetAddress;
import java.util.concurrent.TimeUnit;
import org.alfresco.httpclient.HttpClientFactory.NonBlockingHttpParamsFactory;
import org.alfresco.util.PropertyCheck;
import org.apache.commons.httpclient.params.DefaultHttpParams;
import org.apache.http.HttpHost;
import org.apache.http.client.HttpClient;
import org.apache.http.conn.params.ConnRoutePNames;
import org.apache.http.conn.params.ConnRouteParams;
import org.apache.http.conn.routing.HttpRoute;
import org.apache.http.params.HttpParams;
import org.keycloak.adapters.HttpClientBuilder;
import org.keycloak.adapters.KeycloakDeployment;
import org.keycloak.adapters.KeycloakDeploymentBuilder;
import org.keycloak.representations.adapters.config.AdapterConfig;
@@ -48,12 +38,6 @@ public class KeycloakDeploymentBeanFactory implements FactoryBean<KeycloakDeploy
protected AdapterConfig adapterConfig;
protected String directAuthHost;
protected int connectionTimeout;
protected int socketTimeout;
/**
*
* {@inheritDoc}
@@ -66,63 +50,20 @@ public class KeycloakDeploymentBeanFactory implements FactoryBean<KeycloakDeploy
/**
* @param adapterConfig
* the adapterConfig to set
* the adapterConfig to set
*/
public void setAdapterConfig(final AdapterConfig adapterConfig)
{
this.adapterConfig = adapterConfig;
}
/**
* @param directAuthHost
* the directAuthHost to set
*/
public void setDirectAuthHost(final String directAuthHost)
{
this.directAuthHost = directAuthHost;
}
/**
* @param connectionTimeout
* the connectionTimeout to set
*/
public void setConnectionTimeout(final int connectionTimeout)
{
this.connectionTimeout = connectionTimeout;
}
/**
* @param socketTimeout
* the socketTimeout to set
*/
public void setSocketTimeout(final int socketTimeout)
{
this.socketTimeout = socketTimeout;
}
/**
* {@inheritDoc}
*/
@Override
public KeycloakDeployment getObject() throws Exception
{
final KeycloakDeployment keycloakDeployment = KeycloakDeploymentBuilder.build(this.adapterConfig);
HttpClientBuilder httpClientBuilder = new HttpClientBuilder();
if (this.connectionTimeout > 0)
{
httpClientBuilder = httpClientBuilder.establishConnectionTimeout(this.connectionTimeout, TimeUnit.MILLISECONDS);
}
if (this.socketTimeout > 0)
{
httpClientBuilder = httpClientBuilder.socketTimeout(this.socketTimeout, TimeUnit.MILLISECONDS);
}
final HttpClient client = httpClientBuilder.build(this.adapterConfig);
this.configureForcedRouteIfNecessary(client);
keycloakDeployment.setClient(client);
return keycloakDeployment;
return KeycloakDeploymentBuilder.build(this.adapterConfig);
}
/**
@@ -145,28 +86,4 @@ public class KeycloakDeploymentBeanFactory implements FactoryBean<KeycloakDeploy
{
return KeycloakDeployment.class;
}
@SuppressWarnings("deprecation")
protected void configureForcedRouteIfNecessary(final HttpClient client)
{
if (this.directAuthHost != null && !this.directAuthHost.isEmpty())
{
final HttpHost directAuthHost = HttpHost.create(this.directAuthHost);
final HttpParams params = client.getParams();
final InetAddress local = ConnRouteParams.getLocalAddress(params);
final HttpHost proxy = ConnRouteParams.getDefaultProxy(params);
final boolean secure = directAuthHost.getSchemeName().equalsIgnoreCase("https");
HttpRoute route;
if (proxy == null)
{
route = new HttpRoute(directAuthHost, local, secure);
}
else
{
route = new HttpRoute(directAuthHost, local, proxy, secure);
}
params.setParameter(ConnRoutePNames.FORCED_ROUTE, route);
}
}
}

4
repository/src/test/docker/alfresco/extension/alfresco-global.addition.properties
View File

@@ -25,11 +25,11 @@ keycloak.adapter.credentials.provider=secret
keycloak.adapter.credentials.secret=6f70a28f-98cd-41ca-8f2f-368a8797d708
# localhost in auth-server-url won't work for direct access in a Docker deployment
keycloak.adapter.directAuthHost=http://keycloak:8080
keycloak.adapter.proxy-url=http://keycloak:8080
keycloak.roles.requiredClientScopes=alfresco-role-service
keycloak.synchronization.userFilter.containedInGroup.property.groupPaths=/Test A
keycloak.synchronization.groupFilter.containedInGroup.property.groupPaths=/Test A
keycloak.synchronization.requiredClientScopes=realm-management
keycloak.synchronization.requiredClientScopes=alfresco-authority-sync

51
repository/src/test/docker/test-realm.json
View File

@@ -676,15 +676,6 @@
}
],
"policies": [
{
"name": "alfresco-token-exchange",
"type": "client",
"logic": "POSITIVE",
"decisionStrategy": "UNANIMOUS",
"config": {
"clients": "[\"alfresco-share\"]"
}
},
{
"name": "token-exchange.permission.client.alfresco",
"type": "scope",
@@ -692,8 +683,7 @@
"decisionStrategy": "UNANIMOUS",
"config": {
"resources": "[\"client.resource.alfresco\"]",
"scopes": "[\"token-exchange\"]",
"applyPolicies": "[\"alfresco-token-exchange\"]"
"scopes": "[\"token-exchange\"]"
}
},
{
@@ -871,33 +861,36 @@
]
}
],
"defaultRole": {
"name": "default-roles-test",
"description": "${role_default-roles}",
"composite": true,
"composites": {
"realm": [
"offline_access",
"uma_authorization",
"user"
],
"client": {
"account": [
"view-profile",
"manage-account"
]
}
}
},
"roles": {
"realm": [
{
"name": "uma_authorization",
"description": "${role_uma_authorization}"
},
{
"name": "default-roles-test",
"description": "${role_default-roles}",
"composite": true,
"composites": {
"realm": [
"offline_access",
"uma_authorization",
"user"
],
"client": {
"account": [
"view-profile",
"manage-account"
]
}
}
},
{
"name": "offline_access",
"description": "${role_offline-access}"
},
{
"name": "user"
}
],
"client": {