use accessToken preferredUsername instead of AuthenticationUtil fullyAuthenticatedUser

2025-05-26 21:44:41 +00:00 · 2025-01-09 14:08:14 -05:00 · 2025-01-09 14:08:14 -05:00 · dd6717607a
commit dd6717607a
parent 776434296e
2 changed files with 13 additions and 12 deletions
--- a/repository/src/main/java/de/acosix/alfresco/keycloak/repo/authentication/KeycloakTokenGroupSyncProcessor.java
+++ b/repository/src/main/java/de/acosix/alfresco/keycloak/repo/authentication/KeycloakTokenGroupSyncProcessor.java
@ -171,11 +171,11 @@ public class KeycloakTokenGroupSyncProcessor implements TokenProcessor, Initiali
            if (this.syncGroupMembershipOnLogin)
            {
                AuthenticationUtil.runAsSystem(() -> this.transactionService.getRetryingTransactionHelper().doInTransaction(() -> {
-                    boolean changed = this.syncGroupMemberships(groups);
+                    boolean changed = this.syncGroupMemberships(accessToken.getPreferredUsername(), groups);
                    if (changed) {
                    	String ticket = this.authenticationService.getCurrentTicket();
                    	if (ticket != null) {
-                    		LOGGER.debug("Invalidating Alflresco ticket as group membership changed: {}", ticket);
+                    		LOGGER.debug("Invalidating Alfresco ticket as group membership changed: {}", ticket);
                    		this.authenticationService.invalidateTicket(ticket);
                    	}
                    }
@ -243,15 +243,14 @@ public class KeycloakTokenGroupSyncProcessor implements TokenProcessor, Initiali
     *     the Alfresco group authorities as determined from the Keycloak access token for the current user
     * @return true if group membership changed
     */
-    protected boolean syncGroupMemberships(final Collection<String> groups)
+    protected boolean syncGroupMemberships(String username, final Collection<String> groups)
    {
-        final String userName = AuthenticationUtil.getFullyAuthenticatedUser();
-        final String maskedUsername = AlfrescoCompatibilityUtil.maskUsername(userName);
+        final String maskedUsername = AlfrescoCompatibilityUtil.maskUsername(username);
        boolean changed = false;

        LOGGER.debug("Synchronising group membership for user {} and token extracted groups {}", maskedUsername, groups);

-        final Set<String> existingUnprocessedGroups = this.authorityService.getContainingAuthorities(AuthorityType.GROUP, userName, true);
+        final Set<String> existingUnprocessedGroups = this.authorityService.getContainingAuthorities(AuthorityType.GROUP, username, true);

        LOGGER.debug("User {} is currently in the groups {}", maskedUsername, existingUnprocessedGroups);

@ -261,7 +260,7 @@ public class KeycloakTokenGroupSyncProcessor implements TokenProcessor, Initiali
            if (!existingUnprocessedGroups.remove(group) && this.authorityService.authorityExists(group))
            {
                LOGGER.debug("Adding user {} to group {}", maskedUsername, group);
-                this.authorityService.addAuthority(group, userName);
+                this.authorityService.addAuthority(group, username);
                changed = true;
            }
        }
@ -269,7 +268,7 @@ public class KeycloakTokenGroupSyncProcessor implements TokenProcessor, Initiali
        for (final String group : existingUnprocessedGroups)
        {
            LOGGER.debug("Removing user {} from group {}", maskedUsername, group);
-            this.authorityService.removeAuthority(group, userName);
+            this.authorityService.removeAuthority(group, username);
            changed = true;
        }
        
--- a/repository/src/main/java/de/acosix/alfresco/keycloak/repo/authentication/KeycloakTokenPersonProcessor.java
+++ b/repository/src/main/java/de/acosix/alfresco/keycloak/repo/authentication/KeycloakTokenPersonProcessor.java
@ -151,6 +151,8 @@ public class KeycloakTokenPersonProcessor implements TokenProcessor, Initializin
                this.updatePerson(accessToken, idToken);
                return null;
            }, false, requiresNew);
+            
+            AuthenticationUtil.setFullyAuthenticatedUser(accessToken.getPreferredUsername());
        }
    }

@ -164,16 +166,16 @@ public class KeycloakTokenPersonProcessor implements TokenProcessor, Initializin
     */
    protected void updatePerson(final AccessToken accessToken, final IDToken idToken)
    {
-        final String userName = AuthenticationUtil.getFullyAuthenticatedUser();
+        final String username = accessToken.getPreferredUsername();

-        LOGGER.debug("Mapping person property updates for user {}", AlfrescoCompatibilityUtil.maskUsername(userName));
+        LOGGER.debug("Mapping person property updates for user {}", AlfrescoCompatibilityUtil.maskUsername(username));

-        final NodeRef person = this.personService.getPerson(userName);
+        final NodeRef person = this.personService.getPerson(username);

        final Map<QName, Serializable> updates = new HashMap<>();
        this.userProcessors.forEach(processor -> processor.mapUser(accessToken, idToken != null ? idToken : accessToken, updates));

-        LOGGER.debug("Determined property updates for person node of user {}", AlfrescoCompatibilityUtil.maskUsername(userName));
+        LOGGER.debug("Determined property updates for person node of user {}", AlfrescoCompatibilityUtil.maskUsername(username));

        final Set<QName> propertiesToRemove = updates.keySet().stream().filter(k -> updates.get(k) == null).collect(Collectors.toSet());
        updates.keySet().removeAll(propertiesToRemove);