.travis.yml | ●●●●● patch | view | raw | blame | history | |
integrationTest/suite.sh | ●●●●● patch | view | raw | blame | history | |
pom.xml | ●●●●● patch | view | raw | blame | history | |
src/main/java/org/keycloak/protocol/cas/CASLoginProtocol.java | ●●●●● patch | view | raw | blame | history | |
src/main/java/org/keycloak/protocol/cas/endpoints/AuthorizationEndpoint.java | ●●●●● patch | view | raw | blame | history | |
src/main/java/org/keycloak/protocol/cas/endpoints/LogoutEndpoint.java | ●●●●● patch | view | raw | blame | history | |
src/main/java/org/keycloak/protocol/cas/endpoints/ValidateEndpoint.java | ●●●●● patch | view | raw | blame | history |
.travis.yml
@@ -13,12 +13,6 @@ - docker env: # - KEYCLOAK_VERSION=2.5.5.Final # - KEYCLOAK_VERSION=3.0.0.Final # - KEYCLOAK_VERSION=3.1.0.Final - KEYCLOAK_VERSION=3.2.1.Final - KEYCLOAK_VERSION=3.3.0.Final - KEYCLOAK_VERSION=3.4.0.Final - KEYCLOAK_VERSION=3.4.3.Final before_install: integrationTest/suite.sh
@@ -12,7 +12,7 @@ exit 1 fi login_url=${BASH_REMATCH[1]} login_url=${BASH_REMATCH[1]//&/&} redirect_response=$(curl --fail --silent -D - -b /tmp/cookies --data 'username=admin&password=admin' "$login_url") if [[ !($redirect_response =~ $ticket_pattern) ]] ; then echo "No service ticket found in response" pom.xml
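Review bot: As rendered, the new line `login_url=${BASH_REMATCH[1]//&/&}` replaces `&` with `&`, which is a no-op; this is presumably the page decoding `&amp;` back to `&`, with the intended substitution unescaping the HTML-entity form of the login form action before it is reused (`${BASH_REMATCH[1]//&amp;/&}`). Worth confirming against the raw patch, since a no-op here would hand curl a URL that still contains `&amp;` and the following ticket-pattern match would fail with "No service ticket found in response". A short comment above the line, `# unescape &amp; in the captured form action before reusing it as a URL`, would make the intent visible to the next reader.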
@@ -22,12 +22,12 @@ <groupId>org.keycloak</groupId> <artifactId>keycloak-protocol-cas</artifactId> <version>2.1.1-SNAPSHOT</version> <version>3.4.3</version> <name>Keycloak CAS Protocol</name> <description /> <properties> <keycloak.version>3.2.0.Final</keycloak.version> <keycloak.version>${project.version}.Final</keycloak.version> <jboss.logging.version>3.3.0.Final</jboss.logging.version> <jboss.logging.tools.version>2.0.1.Final</jboss.logging.tools.version> <junit.version>4.12</junit.version> src/main/java/org/keycloak/protocol/cas/CASLoginProtocol.java
@@ -12,13 +12,11 @@ import org.keycloak.services.managers.ClientSessionCode; import org.keycloak.services.managers.ResourceAdminManager; import org.keycloak.sessions.AuthenticationSessionModel; import org.keycloak.sessions.CommonClientSessionModel; import javax.ws.rs.core.HttpHeaders; import javax.ws.rs.core.Response; import javax.ws.rs.core.UriInfo; import java.io.IOException; import java.lang.reflect.Method; import java.net.URI; public class CASLoginProtocol implements LoginProtocol { @@ -93,16 +91,7 @@ String service = clientSession.getRedirectUri(); //TODO validate service String code; try { // Keycloak >3.4 branch: Method getCode was renamed to getOrGenerateCode, CODE_TO_TOKEN was removed Method getOrGenerateCode = ClientSessionCode.class.getMethod("getOrGenerateCode"); code = (String) getOrGenerateCode.invoke(accessCode); } catch (ReflectiveOperationException e) { // Keycloak <=3.3 branch accessCode.setAction(CommonClientSessionModel.Action.CODE_TO_TOKEN.name()); code = accessCode.getCode(); } String code = accessCode.getOrGenerateCode(); KeycloakUriBuilder uriBuilder = KeycloakUriBuilder.fromUri(service); uriBuilder.queryParam(TICKET_RESPONSE_PARAM, SERVICE_TICKET_PREFIX + code); src/main/java/org/keycloak/protocol/cas/endpoints/AuthorizationEndpoint.java
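Review bot: The `//TODO validate service` comment survives the rewrite directly above the new `String code = accessCode.getOrGenerateCode();`, and the redirect target is still built straight from `clientSession.getRedirectUri()`. If, as the AuthorizationEndpoint hunk suggests, that value is the URI stored by `authenticationSession.setRedirectUri(redirectUri)` after `RedirectUtils.verifyRedirectUri`, the TODO is stale and should say so, e.g. `// service is the redirect URI verified by RedirectUtils.verifyRedirectUri at authorization time`; if any caller can set the redirect URI without that check, the TODO marks a live open-redirect concern and should be tracked as an issue rather than left as a comment. The enclosing method starts and ends outside the hunk, so I cannot see whether `service` is used elsewhere before the redirect is issued.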
@@ -42,12 +42,7 @@ checkRealm(); checkClient(service); AuthorizationEndpointChecks checks = getOrCreateAuthenticationSession(client, null); if (checks.response != null) { return checks.response; } authenticationSession = checks.authSession; authenticationSession = createAuthenticationSession(client, null); updateAuthenticationSession(); // So back button doesn't work @@ -64,7 +59,7 @@ private void checkClient(String service) { if (service == null) { event.error(Errors.INVALID_REQUEST); throw new ErrorPageException(session, Messages.MISSING_PARAMETER, CASLoginProtocol.SERVICE_PARAM); throw new ErrorPageException(session, Response.Status.BAD_REQUEST, Messages.MISSING_PARAMETER, CASLoginProtocol.SERVICE_PARAM); } client = realm.getClients().stream() @@ -73,12 +68,12 @@ .findFirst().orElse(null); if (client == null) { event.error(Errors.CLIENT_NOT_FOUND); throw new ErrorPageException(session, Messages.CLIENT_NOT_FOUND); throw new ErrorPageException(session, Response.Status.BAD_REQUEST, Messages.CLIENT_NOT_FOUND); } if (!client.isEnabled()) { event.error(Errors.CLIENT_DISABLED); throw new ErrorPageException(session, Messages.CLIENT_DISABLED); throw new ErrorPageException(session, Response.Status.BAD_REQUEST, Messages.CLIENT_DISABLED); } redirectUri = RedirectUtils.verifyRedirectUri(uriInfo, service, realm, client); @@ -93,10 +88,5 @@ authenticationSession.setProtocol(CASLoginProtocol.LOGIN_PROTOCOL); authenticationSession.setRedirectUri(redirectUri); authenticationSession.setAction(AuthenticationSessionModel.Action.AUTHENTICATE.name()); } @Override protected boolean isNewRequest(AuthenticationSessionModel authSession, ClientModel clientFromRequest, String requestState) { return true; } } src/main/java/org/keycloak/protocol/cas/endpoints/LogoutEndpoint.java
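Review bot: `checkClient` now raises three `ErrorPageException`s with `Response.Status.BAD_REQUEST` and assigns both `client` and `redirectUri` as side effects, but carries no Javadoc saying so; suggest `/** Resolves the client for the {@code service} parameter, storing it in {@code client} and the verified redirect URI in {@code redirectUri}; throws an ErrorPageException (400) when the parameter is missing or the client is unknown or disabled. */`. In the first hunk, the bare `null` in `authenticationSession = createAuthenticationSession(client, null);` replaces a visibly named argument from the removed `getOrCreateAuthenticationSession(client, null)` call and would read better with an inline name for what is omitted, if you know it (presumably the request state, given the removed `isNewRequest(..., String requestState)` override). The method around the first hunk begins outside the hunk.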
@@ -66,7 +66,7 @@ logger.debug("finishing CAS browser logout"); return response; } return ErrorPage.error(session, Messages.FAILED_LOGOUT); return ErrorPage.error(session, null, Response.Status.BAD_REQUEST, Messages.FAILED_LOGOUT); } private void checkClient(String service) { src/main/java/org/keycloak/protocol/cas/endpoints/ValidateEndpoint.java
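Review bot: The bare `null` second argument in `return ErrorPage.error(session, null, Response.Status.BAD_REQUEST, Messages.FAILED_LOGOUT);` gives no hint what is being omitted (presumably the authentication session, which a logout request does not have); an inline name such as `ErrorPage.error(session, /* authSession */ null, Response.Status.BAD_REQUEST, Messages.FAILED_LOGOUT)` makes the call readable without opening ErrorPage. The enclosing method starts outside the hunk.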
@@ -18,7 +18,6 @@ import javax.ws.rs.GET; import javax.ws.rs.core.*; import java.lang.reflect.Method; public class ValidateEndpoint { protected static final Logger logger = Logger.getLogger(ValidateEndpoint.class); @@ -137,24 +136,14 @@ event.detail(Details.CODE_ID, parts[2]); } ClientSessionCode.ParseResult<AuthenticatedClientSessionModel> parseResult; try { // Keycloak >3.4 branch: Parameter event was added to ClientSessionCode.parseResult Method parseResultMethod = ClientSessionCode.class.getMethod("parseResult", String.class, KeycloakSession.class, RealmModel.class, EventBuilder.class, Class.class); parseResult = (ClientSessionCode.ParseResult<AuthenticatedClientSessionModel>) parseResultMethod.invoke( null, code, session, realm, event, AuthenticatedClientSessionModel.class); } catch (ReflectiveOperationException e) { // Keycloak <=3.3 branch parseResult = ClientSessionCode.parseResult(code, session, realm, AuthenticatedClientSessionModel.class); } ClientSessionCode.ParseResult<AuthenticatedClientSessionModel> parseResult = ClientSessionCode.parseResult(code, null, session, realm, client, event, AuthenticatedClientSessionModel.class); if (parseResult.isAuthSessionNotFound() || parseResult.isIllegalHash()) { event.error(Errors.INVALID_CODE); // Attempt to use same code twice should invalidate existing clientSession AuthenticatedClientSessionModel clientSession = parseResult.getClientSession(); if (clientSession != null) { clientSession.setUserSession(null); clientSession.detachFromUserSession(); } throw new CASValidationException(CASErrorCode.INVALID_TICKET, "Code not valid", Response.Status.BAD_REQUEST); 
@@ -162,21 +151,9 @@ clientSession = parseResult.getClientSession(); try { // Keycloak >3.4 branch: Method isExpiredToken was added Method isExpiredToken = ClientSessionCode.ParseResult.class.getMethod("isExpiredToken"); if ((Boolean) isExpiredToken.invoke(parseResult)) { event.error(Errors.EXPIRED_CODE); throw new CASValidationException(CASErrorCode.INVALID_TICKET, "Code is expired", Response.Status.BAD_REQUEST); } } catch (ReflectiveOperationException e) { // Keycloak <=3.3 branch if (!parseResult.getCode().isValid(AuthenticatedClientSessionModel.Action.CODE_TO_TOKEN.name(), ClientSessionCode.ActionType.CLIENT)) { event.error(Errors.INVALID_CODE); throw new CASValidationException(CASErrorCode.INVALID_TICKET, "Code is expired", Response.Status.BAD_REQUEST); } parseResult.getCode().setAction(null); if (parseResult.isExpiredToken()) { event.error(Errors.EXPIRED_CODE); throw new CASValidationException(CASErrorCode.INVALID_TICKET, "Code is expired", Response.Status.BAD_REQUEST); } clientSession.setNote(CASLoginProtocol.SESSION_SERVICE_TICKET, ticket);
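Review bot: The new expiry check `if (parseResult.isExpiredToken()) { ... }` replaces both legacy branches, but the removed <=3.3 branch also consumed the code after a successful validation (`parseResult.getCode().setAction(null);`) and nothing on the new side does the equivalent. CAS service tickets are single-use, so please confirm that `ClientSessionCode.parseResult` / `isExpiredToken()` in the targeted Keycloak version invalidates the code on first use; if it does not, a ticket that was already validated could be validated again within its lifetime, and the "Attempt to use same code twice should invalidate existing clientSession" comment in the previous hunk would no longer describe what happens. Separately, the unexplained positional `null` in `ClientSessionCode.parseResult(code, null, session, realm, client, event, AuthenticatedClientSessionModel.class)` deserves an inline name (e.g. `/* tabId */ null`, if that is the parameter it stands for). The enclosing method begins and ends outside these hunks.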