mirror of https://github.com/jacekkow/keycloak-protocol-cas
blame | history | patch | commit | commitdiff | ignore whitespace
Matthias Piepkorn
2018-11-16 89e3d757b9f6893d16e5c3e49fc407aa1a003931 
 src/main/java/org/keycloak/protocol/cas/endpoints/ValidateEndpoint.java


@@ -37,9 +37,6 @@


    @Context


    protected HttpHeaders headers;




    @Context


    protected UriInfo uriInfo;




    protected RealmModel realm;


    protected EventBuilder event;


    protected ClientModel client;


@@ -53,7 +50,7 @@


    @GET


    @NoCache


    public Response build() {


        MultivaluedMap<String, String> params = uriInfo.getQueryParameters();


        MultivaluedMap<String, String> params = session.getContext().getUri().getQueryParameters();


        String service = params.getFirst(CASLoginProtocol.SERVICE_PARAM);


        String ticket = params.getFirst(CASLoginProtocol.TICKET_PARAM);


        boolean renew = params.containsKey(CASLoginProtocol.RENEW_PARAM);


@@ -83,7 +80,7 @@


    }




    private void checkSsl() {


        if (!uriInfo.getBaseUri().getScheme().equals("https") && realm.getSslRequired().isRequired(clientConnection)) {


        if (!session.getContext().getUri().getBaseUri().getScheme().equals("https") && realm.getSslRequired().isRequired(clientConnection)) {


            throw new CASValidationException(CASErrorCode.INVALID_REQUEST, "HTTPS required", Response.Status.FORBIDDEN);


        }


    }


@@ -102,7 +99,7 @@




        client = realm.getClients().stream()


                .filter(c -> CASLoginProtocol.LOGIN_PROTOCOL.equals(c.getProtocol()))


                .filter(c -> RedirectUtils.verifyRedirectUri(uriInfo, service, realm, c) != null)


                .filter(c -> RedirectUtils.verifyRedirectUri(session.getContext().getUri(), service, realm, c) != null)


                .findFirst().orElse(null);


        if (client == null) {


            event.error(Errors.CLIENT_NOT_FOUND);


@@ -136,14 +133,14 @@


            event.detail(Details.CODE_ID, parts[2]);


        }




        ClientSessionCode.ParseResult<AuthenticatedClientSessionModel> parseResult = ClientSessionCode.parseResult(code, session, realm, AuthenticatedClientSessionModel.class);


        ClientSessionCode.ParseResult<AuthenticatedClientSessionModel> parseResult = ClientSessionCode.parseResult(code, null, session, realm, client, event, AuthenticatedClientSessionModel.class);


        if (parseResult.isAuthSessionNotFound() || parseResult.isIllegalHash()) {


            event.error(Errors.INVALID_CODE);




            // Attempt to use same code twice should invalidate existing clientSession


            AuthenticatedClientSessionModel clientSession = parseResult.getClientSession();


            if (clientSession != null) {


                clientSession.setUserSession(null);


                clientSession.detachFromUserSession();


            }




            throw new CASValidationException(CASErrorCode.INVALID_TICKET, "Code not valid", Response.Status.BAD_REQUEST);


@@ -151,13 +148,12 @@




        clientSession = parseResult.getClientSession();




        if (!parseResult.getCode().isValid(AuthenticatedClientSessionModel.Action.CODE_TO_TOKEN.name(), ClientSessionCode.ActionType.CLIENT)) {


            event.error(Errors.INVALID_CODE);


        if (parseResult.isExpiredToken()) {


            event.error(Errors.EXPIRED_CODE);


            throw new CASValidationException(CASErrorCode.INVALID_TICKET, "Code is expired", Response.Status.BAD_REQUEST);


        }




        clientSession.setNote(CASLoginProtocol.SESSION_SERVICE_TICKET, ticket);


        parseResult.getCode().setAction(null);




        if (requireReauth && AuthenticationManager.isSSOAuthentication(clientSession)) {


            event.error(Errors.SESSION_EXPIRED);