inteligr8/alfresco-keycloak
1
0
Fork 0
mirror of https://github.com/bmlong137/alfresco-keycloak.git synced 2025-09-10 14:11:09 +00:00
Code Issues Packages Projects Releases Wiki Activity

Use default fields for timeout + proxy

Browse Source
This commit is contained in:
AFaust
2021-10-19 15:39:39 +02:00
parent a9bb9c32a8
commit b4ca07d0c2
15 changed files with 104 additions and 361 deletions
Download Patch File Download Diff File Expand all files Collapse all files

18
docs/Reference-Adapter.md
View File

@@ -11,7 +11,7 @@ Configuration of adapter properties in the Share-tier `share-config-custom.xml`
```xml ```xml
<config evaluator="string-compare" condition="Keycloak"> <config evaluator="string-compare" condition="Keycloak">
<keycloak-adapter-config> <keycloak-adapter-config>
<directAuthHost></directAuthHost> <proxy-url></proxy-url>
<auth-server-url>http://localhost:8180/auth</auth-server-url> <auth-server-url>http://localhost:8180/auth</auth-server-url>
<realm>alfresco</realm> <realm>alfresco</realm>
<resource>alfresco-share</resource> <resource>alfresco-share</resource>
@@ -30,7 +30,7 @@ Note: This listing does not include the common property key prefix `keycloak.ada
| Property | Default Value | Description | | Property | Default Value | Description |
| --- | ---: | --- | | --- | ---: | --- |
| `auth-server-url` | `http://localhost:8180/auth` | Publically resolvable base URL to the Keycloak server to be used in redirect URLs and remote calls | | `auth-server-url` | `http://localhost:8180/auth` | Publically resolvable base URL to the Keycloak server to be used in redirect URLs and remote calls |
| `directAuthHost` | | Alternative base URL for the Keycloak server (excluding path) to be used for calls from Alfresco to Keycloak - useful e.g. in scenarios where the regular `auth-server-url` can not be resolved or round-trips via a public gateway / proxy should be avoided | | `proxy-url` | | Alternative base URL for the Keycloak server (excluding path) to be used for calls from Alfresco to Keycloak - useful e.g. in scenarios where the regular `auth-server-url` can not be resolved or round-trips via a public gateway / proxy should be avoided |
| `realm` | `alfresco` | Technical name of the Keycloak realm | | `realm` | `alfresco` | Technical name of the Keycloak realm |
| `realm-public-key` | | Fixed public key of the realm (PEM string) - if not set, the public key(s) will be dynamically loaded and automatically refreshed after a configurable amount of times between JSON Web Key Store requests | | `realm-public-key` | | Fixed public key of the realm (PEM string) - if not set, the public key(s) will be dynamically loaded and automatically refreshed after a configurable amount of times between JSON Web Key Store requests |
| `resource` | `alfresco` / `alfresco-share` | Technical name of the client set up in the realm | | `resource` | `alfresco` / `alfresco-share` | Technical name of the client set up in the realm |
@@ -66,15 +66,9 @@ Note: This listing does not include the common property key prefix `keycloak.ada
| `public-key-cache-ttl` | `86400` | Time-to-live in seconds for public key cache entries | | `public-key-cache-ttl` | `86400` | Time-to-live in seconds for public key cache entries |
| `ignore-oauth-query-parameter` | `false` | Flag determining whether OAuth `access_token` in an URL query is to be ignored | | `ignore-oauth-query-parameter` | `false` | Flag determining whether OAuth `access_token` in an URL query is to be ignored |
| `verify-token-audience` | `true` / `false` | Flag enabling validation of the audience specified in an access token, enabled by default on the Repository-tier - must be disabled if Share or any other application which authenticates users via Keycloak is not delegating user authentication using RFC 8693 OAuth 2.0 Token Exchange | | `verify-token-audience` | `true` / `false` | Flag enabling validation of the audience specified in an access token, enabled by default on the Repository-tier - must be disabled if Share or any other application which authenticates users via Keycloak is not delegating user authentication using RFC 8693 OAuth 2.0 Token Exchange |
| `socket-timeout-millis` | `5000` | General socket timeout for the Apache HTTP client used in calls to Keycloak |
## Non-Standard Adapter Properties | `connection-timeout-millis` | `5000` | Connect timeout for the Apache HTTP client used in calls to Keycloak |
| `connection-ttl-millis` | `-1` | The time-to-live of connections for the Apache HTTP client used in calls to Keycloak |
The following properties are not supported by the Keycloak adapter library, but have been added by the addon for customisation of the adapter's behaviour.
| Property | Default Value | Description |
| --- | ---: | --- |
| `connectionTimeout` | `-1` | Connect timeout for the Apache HTTP client used in calls to Keycloak |
| `socketTimeout` | `-1` | General socket timeout for the Apache HTTP client used in calls to Keycloak |
## Unsupported Adapter Properties ## Unsupported Adapter Properties
@@ -94,4 +88,4 @@ This listing details configuration properties from the Keycloak adapter library
| `token-store` | `session` | Mode for how the Keycloak adapter stores user account information - related to clustering like previous two settings and not relevant for the integration as provided by the addon | | `token-store` | `session` | Mode for how the Keycloak adapter stores user account information - related to clustering like previous two settings and not relevant for the integration as provided by the addon |
| `turn-off-change-session-id-on-login` | | Completely unused flag in the Keycloak adapter library | | `turn-off-change-session-id-on-login` | | Completely unused flag in the Keycloak adapter library |
| `policy-enforcer` | | Complex configuration object determining fine-grained access policies to the Repository / Share application. - This is currently not supported for configuration by the addon due to use of complex object structures | | `policy-enforcer` | | Complex configuration object determining fine-grained access policies to the Repository / Share application. - This is currently not supported for configuration by the addon due to use of complex object structures |
| `enable-pkce` | `false` | RFC 7636 - Flag enabling the use of the Proof Key for Code Exchange for OAuth public clients. - This has not yet implemented by the Keycloak adapter library. | | `enable-pkce` | `false` | RFC 7636 - Flag enabling the use of the Proof Key for Code Exchange for OAuth public clients. - This has not yet been implemented by the Keycloak adapter library. |

4
docs/Simple-Configuration.md
View File

@@ -98,7 +98,7 @@ The following core configuration properties can be set (more extensive list in t
| `...groupFilter.containedInGroup.property.groupPaths` | | Comma-separated list of group paths (e.g. `/Group A/Group B,/Group A/Group C`) to use in filtering which groups are synchronised to Alfresco (by default - configured separately - any match qualifies, and transitive containment is considered) | | `...groupFilter.containedInGroup.property.groupPaths` | | Comma-separated list of group paths (e.g. `/Group A/Group B,/Group A/Group C`) to use in filtering which groups are synchronised to Alfresco (by default - configured separately - any match qualifies, and transitive containment is considered) |
| `...groupFilter.containedInGroup.property.groupIds` | | Comma-separated list of group IDs to use in filtering which groups are synchronised to Alfresco (by default - configured separately - any match qualifies, and transitive containment is considered) | | `...groupFilter.containedInGroup.property.groupIds` | | Comma-separated list of group IDs to use in filtering which groups are synchronised to Alfresco (by default - configured separately - any match qualifies, and transitive containment is considered) |
| `keycloak.adapter.auth-server-url` | `http://localhost:8180/auth` | Publically resolvable base URL to the Keycloak server to be used in redirect URLs and remote calls | | `keycloak.adapter.auth-server-url` | `http://localhost:8180/auth` | Publically resolvable base URL to the Keycloak server to be used in redirect URLs and remote calls |
| `...directAuthHost` | | Alternative base URL for the Keycloak server (excluding path) to be used for calls from Alfresco to Keycloak - useful e.g. in scenarios where the regular `auth-server-url` can not be resolved by the Alfresco Repository host or round-trips via a public gateway / proxy should be avoided | | `...proxy-url` | | Alternative base URL for the Keycloak server (excluding path) to be used for calls from Alfresco to Keycloak - useful e.g. in scenarios where the regular `auth-server-url` can not be resolved by the Alfresco Repository host or round-trips via a public gateway / proxy should be avoided |
| `...realm` | `alfresco` | Technical name of the Keycloak realm | | `...realm` | `alfresco` | Technical name of the Keycloak realm |
| `...resource` | `alfresco` | Technical name of the client set up for the Alfresco Repository in the realm | | `...resource` | `alfresco` | Technical name of the client set up for the Alfresco Repository in the realm |
| `...credentials.secret` | | Shared secret for validation of authorisation codes / access tokens | | `...credentials.secret` | | Shared secret for validation of authorisation codes / access tokens |
@@ -118,7 +118,7 @@ The following showcases an example configuration block:
<perform-token-exchange>true</perform-token-exchange> <perform-token-exchange>true</perform-token-exchange>
</keycloak-auth-config> </keycloak-auth-config>
<keycloak-adapter-config> <keycloak-adapter-config>
<directAuthHost></directAuthHost> <proxy-url></proxy-url>
<auth-server-url>http://localhost:8180/auth</auth-server-url> <auth-server-url>http://localhost:8180/auth</auth-server-url>
<realm>alfresco</realm> <realm>alfresco</realm>
<resource>alfresco-share</resource> <resource>alfresco-share</resource>

3
repository/src/main/globalConfig/subsystems/Authentication/keycloak/keycloak-authentication-context.xml
View File

@@ -30,9 +30,6 @@
<bean id="keycloakDeployment" class="${project.artifactId}.spring.KeycloakDeploymentBeanFactory"> <bean id="keycloakDeployment" class="${project.artifactId}.spring.KeycloakDeploymentBeanFactory">
<property name="adapterConfig" ref="keycloakAdapterConfig" /> <property name="adapterConfig" ref="keycloakAdapterConfig" />
<property name="connectionTimeout" value="${keycloak.adapter.connectionTimeout}" />
<property name="socketTimeout" value="${keycloak.adapter.socketTimeout}" />
<property name="directAuthHost" value="${keycloak.adapter.directAuthHost}" />
</bean> </bean>
<bean id="sessionIdMapper" class="${project.artifactId}.authentication.SimpleCacheBackedSessionIdMapper"> <bean id="sessionIdMapper" class="${project.artifactId}.authentication.SimpleCacheBackedSessionIdMapper">

50
repository/src/main/globalConfig/subsystems/Authentication/keycloak/keycloak-authentication.properties
View File

@@ -15,14 +15,8 @@ keycloak.authentication.silentRemoteUserValidationFailure=true
keycloak.authentication.bodyBufferLimit=10485760 keycloak.authentication.bodyBufferLimit=10485760
# override for a direct route to the auth server host
# useful primarily for Docker-ized deployments where container running Alfresco cannot resolve the auth server via the public DNS name
keycloak.adapter.directAuthHost=
# other custom adapter properties not part of default Keycloak adapter library
keycloak.adapter.connectionTimeout=5000
keycloak.adapter.socketTimeout=5000
keycloak.adapter.auth-server-url=http://localhost:8180/auth keycloak.adapter.auth-server-url=http://localhost:8180/auth
keycloak.adapter.proxy-url=
keycloak.adapter.realm=alfresco keycloak.adapter.realm=alfresco
keycloak.adapter.resource=alfresco keycloak.adapter.resource=alfresco
keycloak.adapter.ssl-required=none keycloak.adapter.ssl-required=none
@@ -33,7 +27,47 @@ keycloak.adapter.credentials.secret=
# for some reason, this is not a sane default in Keycloak Adapter config # for some reason, this is not a sane default in Keycloak Adapter config
keycloak.adapter.verify-token-audience=true keycloak.adapter.verify-token-audience=true
# TODO default settings (identical to AdapterConfig defaults) to better align with default Alfresco subsystem property handling keycloak.adapter.allow-any-hostname=false
keycloak.adapter.disable-trust-manager=false
# TODO Try and integrate ACS keystore handling
keycloak.adapter.truststore=
keycloak.adapter.truststore-password=
keycloak.adapter.client-keystore=
keycloak.adapter.client-keystore-password=
keycloak.adapter.client-key-password=
keycloak.adapter.connection-pool-size=20
keycloak.adapter.always-refresh-token=false
keycloak.adapter.register-node-at-startup=false
keycloak.adapter.register-node-period=-1
keycloak.adapter.token-store=
keycloak.adapter.adapter-state-cookie-path=
keycloak.adapter.principal-attribute=
keycloak.adapter.turn-off-change-session-id-on-login=
keycloak.adapter.token-minimum-time-to-live=0
keycloak.adapter.min-time-between-jwks-requests=10
keycloak.adapter.public-key-cache-ttl=86400
keycloak.adapter.enable-pkce=false
keycloak.adapter.ignore-oauth-query-parameter=false
keycloak.adapter.min-time-between-jwks-requests=10
keycloak.adapter.socket-timeout-millis=5000
keycloak.adapter.connection-timeout-millis=5000
keycloak.adapter.connection-ttl-millis=-1
keycloak.adapter.use-resource-role-mappings=false
# note: support for handling CORS is a tertiary side-effect of Keycloak integration
keycloak.adapter.enable-cors=false
keycloak.adapter.cors-max-age=-1
keycloak.adapter.cors-allowed-headers=
keycloak.adapter.cors-allowed-methods=
keycloak.adapter.cors-exposed-headers=
keycloak.adapter.expose-token=false
keycloak.adapter.bearer-only=false
keycloak.adapter.autodetect-bearer-only=false
# recommended to never be set to true as that would disable basic auth for any local Alfresco users
keycloak.adapter.enable-basic-auth=false
# keycloak.adapter.redirect-rewrite-rules.x=y
keycloak.adapter.realm-public-key=
keycloak.authentication.userAuthority.default.property.realmRoleNameFilter.ref=realmFilter.aggregate keycloak.authentication.userAuthority.default.property.realmRoleNameFilter.ref=realmFilter.aggregate
keycloak.authentication.userAuthority.default.property.realmRoleNameMapper.ref=realmMapper.aggregate keycloak.authentication.userAuthority.default.property.realmRoleNameMapper.ref=realmMapper.aggregate

87
repository/src/main/java/de/acosix/alfresco/keycloak/repo/spring/KeycloakDeploymentBeanFactory.java
View File

@@ -15,19 +15,9 @@
*/ */
package de.acosix.alfresco.keycloak.repo.spring; package de.acosix.alfresco.keycloak.repo.spring;
import java.net.InetAddress;
import java.util.concurrent.TimeUnit;
import org.alfresco.httpclient.HttpClientFactory.NonBlockingHttpParamsFactory; import org.alfresco.httpclient.HttpClientFactory.NonBlockingHttpParamsFactory;
import org.alfresco.util.PropertyCheck; import org.alfresco.util.PropertyCheck;
import org.apache.commons.httpclient.params.DefaultHttpParams; import org.apache.commons.httpclient.params.DefaultHttpParams;
import org.apache.http.HttpHost;
import org.apache.http.client.HttpClient;
import org.apache.http.conn.params.ConnRoutePNames;
import org.apache.http.conn.params.ConnRouteParams;
import org.apache.http.conn.routing.HttpRoute;
import org.apache.http.params.HttpParams;
import org.keycloak.adapters.HttpClientBuilder;
import org.keycloak.adapters.KeycloakDeployment; import org.keycloak.adapters.KeycloakDeployment;
import org.keycloak.adapters.KeycloakDeploymentBuilder; import org.keycloak.adapters.KeycloakDeploymentBuilder;
import org.keycloak.representations.adapters.config.AdapterConfig; import org.keycloak.representations.adapters.config.AdapterConfig;
@@ -48,12 +38,6 @@ public class KeycloakDeploymentBeanFactory implements FactoryBean<KeycloakDeploy
protected AdapterConfig adapterConfig; protected AdapterConfig adapterConfig;
protected String directAuthHost;
protected int connectionTimeout;
protected int socketTimeout;
/** /**
* *
* {@inheritDoc} * {@inheritDoc}
@@ -66,63 +50,20 @@ public class KeycloakDeploymentBeanFactory implements FactoryBean<KeycloakDeploy
/** /**
* @param adapterConfig * @param adapterConfig
* the adapterConfig to set * the adapterConfig to set
*/ */
public void setAdapterConfig(final AdapterConfig adapterConfig) public void setAdapterConfig(final AdapterConfig adapterConfig)
{ {
this.adapterConfig = adapterConfig; this.adapterConfig = adapterConfig;
} }
/**
* @param directAuthHost
* the directAuthHost to set
*/
public void setDirectAuthHost(final String directAuthHost)
{
this.directAuthHost = directAuthHost;
}
/**
* @param connectionTimeout
* the connectionTimeout to set
*/
public void setConnectionTimeout(final int connectionTimeout)
{
this.connectionTimeout = connectionTimeout;
}
/**
* @param socketTimeout
* the socketTimeout to set
*/
public void setSocketTimeout(final int socketTimeout)
{
this.socketTimeout = socketTimeout;
}
/** /**
* {@inheritDoc} * {@inheritDoc}
*/ */
@Override @Override
public KeycloakDeployment getObject() throws Exception public KeycloakDeployment getObject() throws Exception
{ {
final KeycloakDeployment keycloakDeployment = KeycloakDeploymentBuilder.build(this.adapterConfig); return KeycloakDeploymentBuilder.build(this.adapterConfig);
HttpClientBuilder httpClientBuilder = new HttpClientBuilder();
if (this.connectionTimeout > 0)
{
httpClientBuilder = httpClientBuilder.establishConnectionTimeout(this.connectionTimeout, TimeUnit.MILLISECONDS);
}
if (this.socketTimeout > 0)
{
httpClientBuilder = httpClientBuilder.socketTimeout(this.socketTimeout, TimeUnit.MILLISECONDS);
}
final HttpClient client = httpClientBuilder.build(this.adapterConfig);
this.configureForcedRouteIfNecessary(client);
keycloakDeployment.setClient(client);
return keycloakDeployment;
} }
/** /**
@@ -145,28 +86,4 @@ public class KeycloakDeploymentBeanFactory implements FactoryBean<KeycloakDeploy
{ {
return KeycloakDeployment.class; return KeycloakDeployment.class;
} }
@SuppressWarnings("deprecation")
protected void configureForcedRouteIfNecessary(final HttpClient client)
{
if (this.directAuthHost != null && !this.directAuthHost.isEmpty())
{
final HttpHost directAuthHost = HttpHost.create(this.directAuthHost);
final HttpParams params = client.getParams();
final InetAddress local = ConnRouteParams.getLocalAddress(params);
final HttpHost proxy = ConnRouteParams.getDefaultProxy(params);
final boolean secure = directAuthHost.getSchemeName().equalsIgnoreCase("https");
HttpRoute route;
if (proxy == null)
{
route = new HttpRoute(directAuthHost, local, secure);
}
else
{
route = new HttpRoute(directAuthHost, local, proxy, secure);
}
params.setParameter(ConnRoutePNames.FORCED_ROUTE, route);
}
}
} }

4
repository/src/test/docker/alfresco/extension/alfresco-global.addition.properties
View File

@@ -25,11 +25,11 @@ keycloak.adapter.credentials.provider=secret
keycloak.adapter.credentials.secret=6f70a28f-98cd-41ca-8f2f-368a8797d708 keycloak.adapter.credentials.secret=6f70a28f-98cd-41ca-8f2f-368a8797d708
# localhost in auth-server-url won't work for direct access in a Docker deployment # localhost in auth-server-url won't work for direct access in a Docker deployment
keycloak.adapter.directAuthHost=http://keycloak:8080 keycloak.adapter.proxy-url=http://keycloak:8080
keycloak.roles.requiredClientScopes=alfresco-role-service keycloak.roles.requiredClientScopes=alfresco-role-service
keycloak.synchronization.userFilter.containedInGroup.property.groupPaths=/Test A keycloak.synchronization.userFilter.containedInGroup.property.groupPaths=/Test A
keycloak.synchronization.groupFilter.containedInGroup.property.groupPaths=/Test A keycloak.synchronization.groupFilter.containedInGroup.property.groupPaths=/Test A
keycloak.synchronization.requiredClientScopes=realm-management keycloak.synchronization.requiredClientScopes=alfresco-authority-sync

51
repository/src/test/docker/test-realm.json
View File

@@ -676,15 +676,6 @@
} }
], ],
"policies": [ "policies": [
{
"name": "alfresco-token-exchange",
"type": "client",
"logic": "POSITIVE",
"decisionStrategy": "UNANIMOUS",
"config": {
"clients": "[\"alfresco-share\"]"
}
},
{ {
"name": "token-exchange.permission.client.alfresco", "name": "token-exchange.permission.client.alfresco",
"type": "scope", "type": "scope",
@@ -692,8 +683,7 @@
"decisionStrategy": "UNANIMOUS", "decisionStrategy": "UNANIMOUS",
"config": { "config": {
"resources": "[\"client.resource.alfresco\"]", "resources": "[\"client.resource.alfresco\"]",
"scopes": "[\"token-exchange\"]", "scopes": "[\"token-exchange\"]"
"applyPolicies": "[\"alfresco-token-exchange\"]"
} }
}, },
{ {
@@ -871,33 +861,36 @@
] ]
} }
], ],
"defaultRole": {
"name": "default-roles-test",
"description": "${role_default-roles}",
"composite": true,
"composites": {
"realm": [
"offline_access",
"uma_authorization",
"user"
],
"client": {
"account": [
"view-profile",
"manage-account"
]
}
}
},
"roles": { "roles": {
"realm": [ "realm": [
{ {
"name": "uma_authorization", "name": "uma_authorization",
"description": "${role_uma_authorization}" "description": "${role_uma_authorization}"
}, },
{
"name": "default-roles-test",
"description": "${role_default-roles}",
"composite": true,
"composites": {
"realm": [
"offline_access",
"uma_authorization",
"user"
],
"client": {
"account": [
"view-profile",
"manage-account"
]
}
}
},
{ {
"name": "offline_access", "name": "offline_access",
"description": "${role_offline-access}" "description": "${role_offline-access}"
},
{
"name": "user"
} }
], ],
"client": { "client": {

5
share/src/main/config/default-config.xml
View File

@@ -38,7 +38,6 @@
<alfresco-resource-name>alfresco</alfresco-resource-name> <alfresco-resource-name>alfresco</alfresco-resource-name>
</keycloak-auth-config> </keycloak-auth-config>
<keycloak-adapter-config> <keycloak-adapter-config>
<!-- by default use the same client as alfresco (not really "clean") -->
<auth-server-url>http://localhost:8180/auth</auth-server-url> <auth-server-url>http://localhost:8180/auth</auth-server-url>
<realm>alfresco</realm> <realm>alfresco</realm>
<resource>alfresco-share</resource> <resource>alfresco-share</resource>
@@ -51,8 +50,8 @@
</credentials> </credentials>
<!-- for some reason, this is not a sane default in Keycloak Adapter config --> <!-- for some reason, this is not a sane default in Keycloak Adapter config -->
<verify-token-audience>true</verify-token-audience> <verify-token-audience>true</verify-token-audience>
<connectionTimeout>5000</connectionTimeout> <socket-timeout-millis>5000</socket-timeout-millis>
<socketTimeout>5000</socketTimeout> <connection-timeout-millis>5000</connection-timeout-millis>
</keycloak-adapter-config> </keycloak-adapter-config>
</config> </config>

105
share/src/main/java/de/acosix/alfresco/keycloak/share/config/KeycloakAdapterConfigElement.java
View File

@@ -134,12 +134,6 @@ public class KeycloakAdapterConfigElement extends BaseCustomConfigElement
protected final Set<String> markedAsUnset = new HashSet<>(); protected final Set<String> markedAsUnset = new HashSet<>();
protected final ConfigValueHolder<Long> connectionTimeout = new ConfigValueHolder<>();
protected final ConfigValueHolder<Long> socketTimeout = new ConfigValueHolder<>();
protected final ConfigValueHolder<String> directAuthHost = new ConfigValueHolder<>();
/** /**
* Creates a new instance of this class. * Creates a new instance of this class.
*/ */
@@ -148,57 +142,6 @@ public class KeycloakAdapterConfigElement extends BaseCustomConfigElement
super(NAME); super(NAME);
} }
/**
* @return the connectionTimeout
*/
public Long getConnectionTimeout()
{
return this.connectionTimeout.getValue();
}
/**
* @param connectionTimeout
* the connectionTimeout to set
*/
public void setConnectionTimeout(final Long connectionTimeout)
{
this.connectionTimeout.setValue(connectionTimeout);
}
/**
* @return the socketTimeout
*/
public Long getSocketTimeout()
{
return this.socketTimeout.getValue();
}
/**
* @param socketTimeout
* the socketTimeout to set
*/
public void setSocketTimeout(final Long socketTimeout)
{
this.socketTimeout.setValue(socketTimeout);
}
/**
* @return the directAuthHost
*/
public String getDirectAuthHost()
{
return this.directAuthHost.getValue();
}
/**
* @param directAuthHost
* the directAuthHost to set
*/
public void setDirectAuthHost(final String directAuthHost)
{
this.directAuthHost.setValue(directAuthHost);
}
/** /**
* Checks if a specific field is supported by this config element. * Checks if a specific field is supported by this config element.
* *
@@ -390,36 +333,6 @@ public class KeycloakAdapterConfigElement extends BaseCustomConfigElement
} }
} }
if (otherConfigElement.connectionTimeout.isUnset())
{
combined.connectionTimeout.unset();
}
else
{
combined.setConnectionTimeout(otherConfigElement.getConnectionTimeout() != null ? otherConfigElement.getConnectionTimeout()
: this.getConnectionTimeout());
}
if (otherConfigElement.socketTimeout.isUnset())
{
combined.socketTimeout.unset();
}
else
{
combined.setSocketTimeout(
otherConfigElement.getSocketTimeout() != null ? otherConfigElement.getSocketTimeout() : this.getSocketTimeout());
}
if (otherConfigElement.directAuthHost.isUnset())
{
combined.directAuthHost.unset();
}
else
{
combined.setDirectAuthHost(
otherConfigElement.getDirectAuthHost() != null ? otherConfigElement.getDirectAuthHost() : this.getDirectAuthHost());
}
return combined; return combined;
} }
@@ -435,12 +348,6 @@ public class KeycloakAdapterConfigElement extends BaseCustomConfigElement
builder.append(this.configValueByField); builder.append(this.configValueByField);
builder.append(",markedAsUnset="); builder.append(",markedAsUnset=");
builder.append(this.markedAsUnset); builder.append(this.markedAsUnset);
builder.append(",connectionTimeout=");
builder.append(this.connectionTimeout);
builder.append(",socketTimeout=");
builder.append(this.socketTimeout);
builder.append(",directAuthHost=");
builder.append(this.directAuthHost);
builder.append("]"); builder.append("]");
return builder.toString(); return builder.toString();
} }
@@ -462,10 +369,6 @@ public class KeycloakAdapterConfigElement extends BaseCustomConfigElement
result = prime * result + valueHash; result = prime * result + valueHash;
} }
result = prime * result + this.connectionTimeout.hashCode();
result = prime * result + this.socketTimeout.hashCode();
result = prime * result + this.directAuthHost.hashCode();
return result; return result;
} }
@@ -496,14 +399,6 @@ public class KeycloakAdapterConfigElement extends BaseCustomConfigElement
{ {
return false; return false;
} }
if (!EqualsHelper.nullSafeEquals(this.connectionTimeout, other.connectionTimeout))
{
return false;
}
if (!EqualsHelper.nullSafeEquals(this.socketTimeout, other.socketTimeout))
{
return false;
}
return true; return true;
} }

21
share/src/main/java/de/acosix/alfresco/keycloak/share/config/KeycloakAdapterConfigElementReader.java
View File

@@ -116,26 +116,7 @@ public class KeycloakAdapterConfigElementReader implements ConfigElementReader
} }
else else
{ {
switch (subElementName) LOGGER.warn("Encountered unsupported Keycloak Adapter config element {}", subElementName);
{
// use -1 as dummy value for empty value to signify that empty value has explicitly been set (relevant for merge/combine
// of config)
case "connectionTimeout":
final String prospectiveConnectionTimeout = subElement.getTextTrim();
configElement.setConnectionTimeout(
prospectiveConnectionTimeout.isEmpty() ? null : Long.valueOf(prospectiveConnectionTimeout));
break;
case "socketTimeout":
final String prospectiveSocketTimeout = subElement.getTextTrim();
configElement.setSocketTimeout(prospectiveSocketTimeout.isEmpty() ? null : Long.valueOf(prospectiveSocketTimeout));
break;
case "directAuthHost":
final String prospectiveDirectAuthHost = subElement.getTextTrim();
configElement.setDirectAuthHost(prospectiveDirectAuthHost.isEmpty() ? null : prospectiveDirectAuthHost);
break;
default:
LOGGER.warn("Encountered unsupported Keycloak Adapter config element {}", subElementName);
}
} }
} }
LOGGER.debug("Read configuration element {} from XML section", configElement); LOGGER.debug("Read configuration element {} from XML section", configElement);

71
share/src/main/java/de/acosix/alfresco/keycloak/share/web/KeycloakAuthenticationFilter.java
View File

@@ -22,13 +22,11 @@ import java.io.IOException;
import java.io.InputStream; import java.io.InputStream;
import java.lang.reflect.Constructor; import java.lang.reflect.Constructor;
import java.lang.reflect.InvocationTargetException; import java.lang.reflect.InvocationTargetException;
import java.net.InetAddress;
import java.util.ArrayList; import java.util.ArrayList;
import java.util.Arrays; import java.util.Arrays;
import java.util.Collections; import java.util.Collections;
import java.util.List; import java.util.List;
import java.util.Locale; import java.util.Locale;
import java.util.concurrent.TimeUnit;
import java.util.function.BiFunction; import java.util.function.BiFunction;
import java.util.regex.Matcher; import java.util.regex.Matcher;
import java.util.regex.Pattern; import java.util.regex.Pattern;
@@ -50,17 +48,12 @@ import org.alfresco.util.EqualsHelper;
import org.alfresco.util.PropertyCheck; import org.alfresco.util.PropertyCheck;
import org.alfresco.web.site.servlet.SSOAuthenticationFilter; import org.alfresco.web.site.servlet.SSOAuthenticationFilter;
import org.apache.http.HttpEntity; import org.apache.http.HttpEntity;
import org.apache.http.HttpHost;
import org.apache.http.HttpResponse; import org.apache.http.HttpResponse;
import org.apache.http.NameValuePair; import org.apache.http.NameValuePair;
import org.apache.http.client.HttpClient; import org.apache.http.client.HttpClient;
import org.apache.http.client.entity.UrlEncodedFormEntity; import org.apache.http.client.entity.UrlEncodedFormEntity;
import org.apache.http.client.methods.HttpPost; import org.apache.http.client.methods.HttpPost;
import org.apache.http.conn.params.ConnRoutePNames;
import org.apache.http.conn.params.ConnRouteParams;
import org.apache.http.conn.routing.HttpRoute;
import org.apache.http.message.BasicNameValuePair; import org.apache.http.message.BasicNameValuePair;
import org.apache.http.params.HttpParams;
import org.apache.http.util.EntityUtils; import org.apache.http.util.EntityUtils;
import org.keycloak.KeycloakSecurityContext; import org.keycloak.KeycloakSecurityContext;
import org.keycloak.OAuth2Constants; import org.keycloak.OAuth2Constants;
@@ -68,7 +61,6 @@ import org.keycloak.TokenVerifier;
import org.keycloak.adapters.AdapterDeploymentContext; import org.keycloak.adapters.AdapterDeploymentContext;
import org.keycloak.adapters.AuthenticatedActionsHandler; import org.keycloak.adapters.AuthenticatedActionsHandler;
import org.keycloak.adapters.BearerTokenRequestAuthenticator; import org.keycloak.adapters.BearerTokenRequestAuthenticator;
import org.keycloak.adapters.HttpClientBuilder;
import org.keycloak.adapters.KeycloakDeployment; import org.keycloak.adapters.KeycloakDeployment;
import org.keycloak.adapters.KeycloakDeploymentBuilder; import org.keycloak.adapters.KeycloakDeploymentBuilder;
import org.keycloak.adapters.OAuthRequestAuthenticator; import org.keycloak.adapters.OAuthRequestAuthenticator;
@@ -512,35 +504,7 @@ public class KeycloakAuthenticationFilter implements DependencyInjectedFilter, I
protected void initFromAdapterConfig(final KeycloakAdapterConfigElement keycloakAdapterConfig) protected void initFromAdapterConfig(final KeycloakAdapterConfigElement keycloakAdapterConfig)
{ {
final AdapterConfig adapterConfiguration = keycloakAdapterConfig.buildAdapterConfiguration(); final AdapterConfig adapterConfiguration = keycloakAdapterConfig.buildAdapterConfiguration();
// disable any CORS handling (if CORS is relevant, it should be handled by Share / Surf)
adapterConfiguration.setCors(false);
// BASIC authentication should never be used
adapterConfiguration.setEnableBasicAuth(false);
this.keycloakDeployment = KeycloakDeploymentBuilder.build(adapterConfiguration); this.keycloakDeployment = KeycloakDeploymentBuilder.build(adapterConfiguration);
// even in newer version than used by ACS 6.x does Keycloak lib not allow timeout configuration
if (this.keycloakDeployment.getClient() != null)
{
final Long connectionTimeout = keycloakAdapterConfig.getConnectionTimeout();
final Long socketTimeout = keycloakAdapterConfig.getSocketTimeout();
HttpClientBuilder httpClientBuilder = new HttpClientBuilder();
if (connectionTimeout != null && connectionTimeout.longValue() >= 0)
{
httpClientBuilder = httpClientBuilder.establishConnectionTimeout(connectionTimeout.longValue(), TimeUnit.MILLISECONDS);
}
if (socketTimeout != null && socketTimeout.longValue() >= 0)
{
httpClientBuilder = httpClientBuilder.socketTimeout(socketTimeout.longValue(), TimeUnit.MILLISECONDS);
}
final HttpClient client = httpClientBuilder.build(adapterConfiguration);
this.configureForcedRouteIfNecessary(keycloakAdapterConfig, client);
this.keycloakDeployment.setClient(client);
}
this.deploymentContext = new AdapterDeploymentContext(this.keycloakDeployment); this.deploymentContext = new AdapterDeploymentContext(this.keycloakDeployment);
} }
@@ -1863,39 +1827,4 @@ public class KeycloakAuthenticationFilter implements DependencyInjectedFilter, I
} }
return sslPort; return sslPort;
} }
/**
* Sets up a forced route for the Keycloak-library backing HTTP client if configured. This may be necessary to deal with situations
* where Share cannot use the public address of the authentication server (used in authentication redirects) to talk with the server
* directly, due to network isolation / addressing restrictions (e.g. in Docker-ized deployments).
*
* @param configElement
* the adapter configuration
* @param client
* the client to configure
*/
@SuppressWarnings("deprecation")
protected void configureForcedRouteIfNecessary(final KeycloakAdapterConfigElement configElement, final HttpClient client)
{
final String directAuthHost = configElement.getDirectAuthHost();
if (directAuthHost != null && !directAuthHost.isEmpty())
{
final HttpHost host = HttpHost.create(directAuthHost);
final HttpParams params = client.getParams();
final InetAddress local = ConnRouteParams.getLocalAddress(params);
final HttpHost proxy = ConnRouteParams.getDefaultProxy(params);
final boolean secure = host.getSchemeName().equalsIgnoreCase("https");
HttpRoute route;
if (proxy == null)
{
route = new HttpRoute(host, local, secure);
}
else
{
route = new HttpRoute(host, local, proxy, secure);
}
params.setParameter(ConnRoutePNames.FORCED_ROUTE, route);
}
}
} }

2
share/src/test/docker/alfresco/extension/alfresco-global.addition.properties
View File

@@ -25,7 +25,7 @@ keycloak.adapter.credentials.provider=secret
keycloak.adapter.credentials.secret=6f70a28f-98cd-41ca-8f2f-368a8797d708 keycloak.adapter.credentials.secret=6f70a28f-98cd-41ca-8f2f-368a8797d708
# localhost in auth-server-url won't work for direct access in a Docker deployment # localhost in auth-server-url won't work for direct access in a Docker deployment
keycloak.adapter.directAuthHost=http://keycloak:8080 keycloak.adapter.proxy-url=http://keycloak:8080
keycloak.roles.requiredClientScopes=alfresco-role-service keycloak.roles.requiredClientScopes=alfresco-role-service

2
share/src/test/docker/alfresco/web-extension/share-config-custom.xml
View File

@@ -75,7 +75,7 @@
<perform-token-exchange>true</perform-token-exchange> <perform-token-exchange>true</perform-token-exchange>
</keycloak-auth-config> </keycloak-auth-config>
<keycloak-adapter-config> <keycloak-adapter-config>
<directAuthHost>http://keycloak:8080</directAuthHost> <proxy-url>http://keycloak:8080</proxy-url>
<auth-server-url>http://localhost:${docker.tests.keycloakPort}/auth</auth-server-url> <auth-server-url>http://localhost:${docker.tests.keycloakPort}/auth</auth-server-url>
<realm>test</realm> <realm>test</realm>
<resource>alfresco-share</resource> <resource>alfresco-share</resource>

40
share/src/test/docker/test-realm.json
View File

@@ -683,6 +683,7 @@
"secret": "a5b3e8bc-39cc-4ddd-8c8f-1c34e7a35975", "secret": "a5b3e8bc-39cc-4ddd-8c8f-1c34e7a35975",
"publicClient": false, "publicClient": false,
"protocol": "openid-connect", "protocol": "openid-connect",
"alwaysDisplayInConsole": true,
"fullScopeAllowed": false, "fullScopeAllowed": false,
"defaultClientScopes": [ "defaultClientScopes": [
"roles", "roles",
@@ -930,33 +931,36 @@
] ]
} }
], ],
"defaultRole": {
"name": "default-roles-test",
"description": "${role_default-roles}",
"composite": true,
"composites": {
"realm": [
"offline_access",
"uma_authorization",
"user"
],
"client": {
"account": [
"view-profile",
"manage-account"
]
}
}
},
"roles": { "roles": {
"realm": [ "realm": [
{ {
"name": "uma_authorization", "name": "uma_authorization",
"description": "${role_uma_authorization}" "description": "${role_uma_authorization}"
}, },
{
"name": "default-roles-test",
"description": "${role_default-roles}",
"composite": true,
"composites": {
"realm": [
"offline_access",
"uma_authorization",
"user"
],
"client": {
"account": [
"view-profile",
"manage-account"
]
}
}
},
{ {
"name": "offline_access", "name": "offline_access",
"description": "${role_offline-access}" "description": "${role_offline-access}"
},
{
"name": "user"
} }
], ],
"client": { "client": {

2
share/src/test/resources/default-config.xml
View File

@@ -40,7 +40,7 @@
<alfresco-resource-name>alfresco</alfresco-resource-name> <alfresco-resource-name>alfresco</alfresco-resource-name>
</keycloak-auth-config> </keycloak-auth-config>
<keycloak-adapter-config> <keycloak-adapter-config>
<directAuthHost>http://keycloak:8080</directAuthHost> <proxy-url>http://keycloak:8080</proxy-url>
<!-- by default use the same client as alfresco (not really "clean") --> <!-- by default use the same client as alfresco (not really "clean") -->
<auth-server-url>http://localhost:8180/auth</auth-server-url> <auth-server-url>http://localhost:8180/auth</auth-server-url>
<realm>alfresco</realm> <realm>alfresco</realm>