package org.keycloak.protocol.cas.endpoints; |
import org.jboss.logging.Logger;
import org.keycloak.events.Details;
import org.keycloak.events.Errors;
import org.keycloak.events.EventBuilder;
import org.keycloak.events.EventType;
import org.keycloak.models.ClientModel;
import org.keycloak.models.RealmModel;
import org.keycloak.protocol.AuthorizationEndpointBase;
import org.keycloak.protocol.cas.CASLoginProtocol;
import org.keycloak.protocol.oidc.utils.RedirectUtils;
import org.keycloak.services.ErrorPageException;
import org.keycloak.services.messages.Messages;
import org.keycloak.services.util.CacheControlUtil;
import org.keycloak.sessions.AuthenticationSessionModel;

import javax.ws.rs.GET;
import javax.ws.rs.core.MultivaluedMap;
import javax.ws.rs.core.Response;

import java.util.Iterator;
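/**
 * Browser-facing CAS login endpoint.
 *
 * <p>The only thing that identifies the relying party in a CAS login request is the
 * {@code service} URL (or {@code TARGET} for SAML 1.1 style requests). This endpoint
 * resolves the Keycloak client from that untrusted value by checking it against the
 * registered redirect URIs of the realm's CAS clients, creates an authentication session
 * bound to that client, records the CAS request flags ({@code renew}, {@code gateway},
 * SAML 1.1) as client notes, and then hands the request to the inherited browser
 * authentication flow.
 *
 * <p>Every rejection (missing service, unknown or disabled client) is reported through the
 * {@link EventBuilder} before an {@link ErrorPageException} is thrown, so failed requests
 * remain auditable.
 */
public class AuthorizationEndpoint extends AuthorizationEndpointBase {
    // Not used by this class itself; kept for parity with the other endpoints.
    private static final Logger logger = Logger.getLogger(AuthorizationEndpoint.class);

    // Client resolved from the service parameter; populated by checkClient(String).
    private ClientModel client;
    private AuthenticationSessionModel authenticationSession;
    // Verified (normalized) redirect URI for 'client'; populated by checkClient(String).
    private String redirectUri;

    /**
     * Creates the endpoint for {@code realm}; the audit event is typed as {@link EventType#LOGIN}
     * from the start so that errors raised before {@link #build()} completes are attributed to a
     * login attempt.
     *
     * @param realm realm the request is addressed to
     * @param event audit event builder for this request
     */
    public AuthorizationEndpoint(RealmModel realm, EventBuilder event) {
        super(realm, event);
        event.event(EventType.LOGIN);
    }

    /**
     * Handles a CAS login request.
     *
     * <p>Reads the query parameters {@code service} (or {@code TARGET} when {@code service} is
     * absent, which marks the request as SAML 1.1), {@code renew} and {@code gateway}; runs the
     * SSL, realm and client checks; creates the authentication session; and delegates to
     * {@link #handleBrowserAuthenticationRequest}.
     *
     * @return the response produced by the browser authentication flow
     * @throws ErrorPageException when the service parameter is missing or does not resolve to an
     *                            enabled CAS client (see {@link #checkClient(String)})
     */
    @GET
    public Response build() {
        MultivaluedMap<String, String> params = session.getContext().getUri().getQueryParameters();
        String service = params.getFirst(CASLoginProtocol.SERVICE_PARAM);

        boolean isSaml11Request = false;
        if (service == null && params.containsKey(CASLoginProtocol.TARGET_PARAM)) {
            // SAML 1.1 authorization uses the TARGET parameter instead of service
            service = params.getFirst(CASLoginProtocol.TARGET_PARAM);
            isSaml11Request = true;
        }
        // Presence alone switches these flags on; their values are never inspected.
        boolean renew = params.containsKey(CASLoginProtocol.RENEW_PARAM);
        boolean gateway = params.containsKey(CASLoginProtocol.GATEWAY_PARAM);

        // checkSsl/checkRealm are inherited; checkClient throws ErrorPageException on failure,
        // so nothing below runs for a request whose service URL was rejected.
        checkSsl();
        checkRealm();
        checkClient(service);

        authenticationSession = createAuthenticationSession(client, null);
        updateAuthenticationSession();

        // So back button doesn't work
        CacheControlUtil.noBackButtonCacheControlHeader();

        // The CAS flags travel to the response side as client notes; "true" is the only value written.
        if (renew) {
            authenticationSession.setClientNote(CASLoginProtocol.RENEW_PARAM, "true");
        }
        if (gateway) {
            authenticationSession.setClientNote(CASLoginProtocol.GATEWAY_PARAM, "true");
        }
        if (isSaml11Request) {
            // Flag the session so we can return the ticket as "SAMLart" in the response
            authenticationSession.setClientNote(CASLoginProtocol.TARGET_PARAM, "true");
        }

        // Re-assert the event type right before hand-off (the constructor set it as well).
        this.event.event(EventType.LOGIN);
        return handleBrowserAuthenticationRequest(authenticationSession,
                new CASLoginProtocol(session, realm, session.getContext().getUri(), headers, event), gateway, false);
    }

    /**
     * Resolves {@link #client} and {@link #redirectUri} from the untrusted {@code service} value.
     *
     * <p>The first client of the realm whose protocol is CAS and whose registered redirect URIs
     * accept {@code service} wins. When the redirect-URI patterns of several CAS clients overlap,
     * the realm's client ordering decides which one is selected, and a disabled client that
     * matches first is rejected rather than skipped. The URI is verified exactly once; the
     * verified value from the lookup is the one stored and reported, so the audit detail and the
     * session always carry the URI that actually selected the client.
     *
     * @param service raw value of the {@code service}/{@code TARGET} parameter, may be {@code null}
     * @throws ErrorPageException with {@code BAD_REQUEST} when {@code service} is {@code null}, no
     *                            CAS client accepts it, or the matching client is disabled
     */
    private void checkClient(String service) {
        if (service == null) {
            event.error(Errors.INVALID_REQUEST);
            throw new ErrorPageException(session, Response.Status.BAD_REQUEST, Messages.MISSING_PARAMETER, CASLoginProtocol.SERVICE_PARAM);
        }

        // Record the raw, not-yet-verified value first so that a rejected request is still auditable;
        // it is replaced by the verified URI once a client has been accepted.
        event.detail(Details.REDIRECT_URI, service);

        ClientModel matched = null;
        String verifiedUri = null;
        Iterator<ClientModel> casClients = realm.getClientsStream()
                .filter(c -> CASLoginProtocol.LOGIN_PROTOCOL.equals(c.getProtocol()))
                .iterator();
        while (casClients.hasNext()) {
            ClientModel candidate = casClients.next();
            verifiedUri = RedirectUtils.verifyRedirectUri(session, service, candidate);
            if (verifiedUri != null) {
                matched = candidate;
                break;
            }
        }

        client = matched;
        if (client == null) {
            event.error(Errors.CLIENT_NOT_FOUND);
            throw new ErrorPageException(session, Response.Status.BAD_REQUEST, Messages.CLIENT_NOT_FOUND);
        }

        if (!client.isEnabled()) {
            event.error(Errors.CLIENT_DISABLED);
            throw new ErrorPageException(session, Response.Status.BAD_REQUEST, Messages.CLIENT_DISABLED);
        }

        // Only an enabled, matched client gets its verified URI published to the rest of the request.
        redirectUri = verifiedUri;

        event.client(client.getClientId());
        event.detail(Details.REDIRECT_URI, redirectUri);

        session.getContext().setClient(client);
    }

    /**
     * Marks the freshly created authentication session as a CAS login: protocol, the verified
     * redirect URI from {@link #checkClient(String)}, and the AUTHENTICATE action.
     */
    private void updateAuthenticationSession() {
        authenticationSession.setProtocol(CASLoginProtocol.LOGIN_PROTOCOL);
        authenticationSession.setRedirectUri(redirectUri);
        authenticationSession.setAction(AuthenticationSessionModel.Action.AUTHENTICATE.name());
    }
}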