From be62769403b9b0673b4e7a08a5a3e9d6568a557c Mon Sep 17 00:00:00 2001 From: Alessio Fabiani Date: Tue, 9 Jul 2024 09:53:41 +0200 Subject: [PATCH] [FIXES #2971] MapStore - SSO keycloak kerberos (#356) --- .../GeoStoreKeycloakAuthProvider.java | 3 +-- .../security/keycloak/KeyCloakFilter.java | 20 +++++++++++++++---- .../keycloak/KeyCloakLoginService.java | 19 +++++++++++++----- .../keycloak/KeycloakCookieUtils.java | 2 +- 4 files changed, 32 insertions(+), 12 deletions(-) diff --git a/src/modules/rest/impl/src/main/java/it/geosolutions/geostore/services/rest/security/keycloak/GeoStoreKeycloakAuthProvider.java b/src/modules/rest/impl/src/main/java/it/geosolutions/geostore/services/rest/security/keycloak/GeoStoreKeycloakAuthProvider.java index 14be9c20..90aae1d9 100644 --- a/src/modules/rest/impl/src/main/java/it/geosolutions/geostore/services/rest/security/keycloak/GeoStoreKeycloakAuthProvider.java +++ b/src/modules/rest/impl/src/main/java/it/geosolutions/geostore/services/rest/security/keycloak/GeoStoreKeycloakAuthProvider.java @@ -76,7 +76,6 @@ public GeoStoreKeycloakAuthProvider(KeyCloakConfiguration configuration) { @Override public Authentication authenticate(Authentication authentication) throws AuthenticationException { - KeycloakAuthenticationToken token = (KeycloakAuthenticationToken) authentication; OidcKeycloakAccount account = token.getAccount(); KeycloakSecurityContext context = account.getKeycloakSecurityContext(); @@ -127,7 +126,7 @@ public Authentication authenticate(Authentication authentication) User user = retrieveUser(username, "", grantedAuthoritiesMapper, keycloakGroups); addEveryOne(user.getGroups()); if (user.getRole() == null) { - // no role get the one configured to be default for authenticated users. + // no role gets the one configured to be default for authenticated users. Role defRole = configuration.getAuthenticatedDefaultRole(); user.setRole(defRole); } diff --git a/src/modules/rest/impl/src/main/java/it/geosolutions/geostore/services/rest/security/keycloak/KeyCloakFilter.java b/src/modules/rest/impl/src/main/java/it/geosolutions/geostore/services/rest/security/keycloak/KeyCloakFilter.java index c7289993..d89fd354 100644 --- a/src/modules/rest/impl/src/main/java/it/geosolutions/geostore/services/rest/security/keycloak/KeyCloakFilter.java +++ b/src/modules/rest/impl/src/main/java/it/geosolutions/geostore/services/rest/security/keycloak/KeyCloakFilter.java @@ -29,14 +29,16 @@ import static it.geosolutions.geostore.services.rest.SessionServiceDelegate.PROVIDER_KEY; import static it.geosolutions.geostore.services.rest.security.keycloak.KeyCloakLoginService.KEYCLOAK_REDIRECT; -import static it.geosolutions.geostore.services.rest.security.oauth2.OAuth2Utils.ACCESS_TOKEN_PARAM; -import static it.geosolutions.geostore.services.rest.security.oauth2.OAuth2Utils.REFRESH_TOKEN_PARAM; +import static it.geosolutions.geostore.services.rest.security.oauth2.OAuth2Utils.*; +import static it.geosolutions.geostore.services.rest.security.oauth2.OAuth2Utils.getResponse; import it.geosolutions.geostore.services.UserService; import it.geosolutions.geostore.services.rest.security.TokenAuthenticationCache; import it.geosolutions.geostore.services.rest.security.oauth2.OAuth2Utils; +import it.geosolutions.geostore.services.rest.utils.GeoStoreContext; import java.io.IOException; import java.util.Date; +import java.util.Objects; import javax.servlet.FilterChain; import javax.servlet.ServletException; import javax.servlet.ServletRequest; @@ -48,10 +50,13 @@ import org.keycloak.adapters.KeycloakDeployment; import org.keycloak.adapters.RequestAuthenticator; import org.keycloak.adapters.spi.AuthOutcome; +import org.keycloak.adapters.spi.HttpFacade; +import org.keycloak.adapters.springsecurity.facade.SimpleHttpFacade; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.security.core.Authentication; import org.springframework.security.core.context.SecurityContextHolder; import org.springframework.security.web.AuthenticationEntryPoint; +import org.springframework.web.context.request.RequestAttributes; import org.springframework.web.context.request.RequestContextHolder; import org.springframework.web.filter.GenericFilterBean; @@ -59,6 +64,7 @@ * Keycloak Authentication Filter. Manage the logic to authenticate a user against a keycloak * server. */ +@SuppressWarnings("PMD.UnusedLocalVariable") public class KeyCloakFilter extends GenericFilterBean { private static final Logger LOGGER = LogManager.getLogger(KeyCloakFilter.class); @@ -144,8 +150,8 @@ protected Authentication authenticateAndUpdateCache( } else { entryPoint = new KeycloakAuthenticationEntryPoint(authenticator.getChallenge()); } - RequestContextHolder.getRequestAttributes() - .setAttribute(KEYCLOAK_REDIRECT, entryPoint, 0); + Objects.requireNonNull(RequestContextHolder.getRequestAttributes()) + .setAttribute(KEYCLOAK_REDIRECT, entryPoint, RequestAttributes.SCOPE_REQUEST); } else { LOGGER.warn("Failed to authentication and to redirect the user."); } @@ -160,10 +166,16 @@ protected Authentication authenticateAndUpdateCache( protected void updateCache(Authentication authentication) { Object details = authentication.getDetails(); if (details instanceof KeycloakTokenDetails) { + KeyCloakHelper helper = GeoStoreContext.bean(KeyCloakHelper.class); KeycloakTokenDetails keycloakDetails = (KeycloakTokenDetails) details; String accessToken = keycloakDetails.getAccessToken(); if (accessToken != null) { cache.putCacheEntry(accessToken, authentication); + if (helper != null) { + HttpFacade facade = new SimpleHttpFacade(getRequest(), getResponse()); + KeycloakDeployment deployment = helper.getDeployment(facade); + KeycloakCookieUtils.setTokenCookie(deployment, facade, keycloakDetails); + } } } } diff --git a/src/modules/rest/impl/src/main/java/it/geosolutions/geostore/services/rest/security/keycloak/KeyCloakLoginService.java b/src/modules/rest/impl/src/main/java/it/geosolutions/geostore/services/rest/security/keycloak/KeyCloakLoginService.java index 3d925ea6..77f9d976 100644 --- a/src/modules/rest/impl/src/main/java/it/geosolutions/geostore/services/rest/security/keycloak/KeyCloakLoginService.java +++ b/src/modules/rest/impl/src/main/java/it/geosolutions/geostore/services/rest/security/keycloak/KeyCloakLoginService.java @@ -33,6 +33,7 @@ import it.geosolutions.geostore.services.rest.IdPLoginRest; import it.geosolutions.geostore.services.rest.security.oauth2.Oauth2LoginService; import java.io.IOException; +import java.util.Objects; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import javax.ws.rs.core.Response; @@ -41,11 +42,12 @@ import org.springframework.security.core.Authentication; import org.springframework.security.core.context.SecurityContextHolder; import org.springframework.security.web.AuthenticationEntryPoint; +import org.springframework.web.context.request.RequestAttributes; import org.springframework.web.context.request.RequestContextHolder; /** * Keycloak implementation for a LoginService. Since keycloak redirects to the url from which the - * call to the authorization page was issued no internal redirect is really performed here. + * call to the authorization page was issued, no internal redirect is really performed here. */ public class KeyCloakLoginService extends Oauth2LoginService { @@ -59,18 +61,25 @@ public KeyCloakLoginService(IdPLoginRest loginRest) { @Override public void doLogin(HttpServletRequest request, HttpServletResponse response, String provider) { + KeycloakTokenDetails details = getDetails(); + boolean attempInternalRedirect = (details != null && details.getAccessToken() != null); + AuthenticationEntryPoint challenge = (AuthenticationEntryPoint) - RequestContextHolder.getRequestAttributes() - .getAttribute(KEYCLOAK_REDIRECT, 0); - if (challenge != null) { + Objects.requireNonNull(RequestContextHolder.getRequestAttributes()) + .getAttribute(KEYCLOAK_REDIRECT, RequestAttributes.SCOPE_REQUEST); + if (challenge == null) attempInternalRedirect = true; + else if (!attempInternalRedirect) { try { challenge.commence(request, response, null); + attempInternalRedirect = false; } catch (Exception e) { LOGGER.error("Error while redirecting to Keycloak authorization.", e); throw new RuntimeException(e); } - } else { + } + + if (attempInternalRedirect) { try { response.sendRedirect(configuration(provider).getInternalRedirectUri()); } catch (IOException e) { diff --git a/src/modules/rest/impl/src/main/java/it/geosolutions/geostore/services/rest/security/keycloak/KeycloakCookieUtils.java b/src/modules/rest/impl/src/main/java/it/geosolutions/geostore/services/rest/security/keycloak/KeycloakCookieUtils.java index 6fe3b1fa..9eae50f2 100644 --- a/src/modules/rest/impl/src/main/java/it/geosolutions/geostore/services/rest/security/keycloak/KeycloakCookieUtils.java +++ b/src/modules/rest/impl/src/main/java/it/geosolutions/geostore/services/rest/security/keycloak/KeycloakCookieUtils.java @@ -45,7 +45,7 @@ static void setTokenCookie( String cookie = accessToken + SEPARATOR + idToken + SEPARATOR + refreshToken; String cookiePath = getCookiePath(deployment, facade); - // forces the expiration of the old keycloak cookie after refresh token. Keycloak doesn't do + // Forces the expiration of the old keycloak cookie after refresh token. Keycloak doesn't do // it for us. facade.getResponse() .setCookie(