- add exact path match condition to allow selection of specific groups
- add negative match conditions to exclude specific groups/users
- support group names derived from attibutes
- use Docker Compose instead of fabric8io
- don't use local paths to support running with remote Docker contexts
- use latest Keycloak Docker image and make sure test realm works out-of-the-box
- add flag to avoid failing on missing properties during JSON deserialisation
(newer Keycloak versions offer more properties in IDM API response payloads)
- RequestAttributes init conflicted with some Surf / Alfresco code which
partially re-initialises request context, skipping user details if
request attributes contains request (ServletUtil.getRequest())
- consolidate request context handling in doFilter to remove lower-level
handling in various contexts
- retry if refresh of exchanged token yields invalid token (wrong
audience - known case of apparently incorrect Keycloak behaviour)
- use custom header instead of redirect patch to have Repository tier not
redirect to Keycloak login page on unauthenticated access from Share
- activate audience verification which is inactive with Keycloak class
defaults
- RemoteUserAuthenticator may re-run KeycloakRemoteUserMapper for Bearer
authentication
- RemoteUserAuthenticator simply re-sets current user without running
through regular ticket validation hoops (which we already covered)
- need authentication listener to hook into triggered event for
re-processing access token
- this adds hard-dependency to full acosix-utility module, which is
extremely unfortunate - TODO: Move authenticator listener patch
(enabling multiple listeners) into utility core, since it can be
reasonably considered a non-invasive, baseline patch (does not alter
core behaviours) relevant for potentially multiple extensions, which
should not necessitate dependency on full utility module with its
accompanying set of (more or less) invasive patches
