/**
 * Exposes the Keycloak security context carried by the wrapped {@code principal}.
 *
 * @return the refreshable security context of the wrapped principal
 */
@Override
public RefreshableKeycloakSecurityContext getKeycloakSecurityContext() {
    final RefreshableKeycloakSecurityContext delegate = principal.getKeycloakSecurityContext();
    return delegate;
}
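/**
 * Creates a new library item owned by the calling user.
 *
 * <p>The owner is always taken from the authenticated principal and never from the request body,
 * so a client cannot create an item on behalf of another user by sending its own {@code userId}.
 *
 * @param context JAX-RS security context of the current request
 * @param item    the item to persist; its {@code userId} is overwritten with the caller's name
 * @return the persisted item
 * @throws URISyntaxException    declared for interface compatibility; not thrown by this body
 * @throws IllegalArgumentException if {@code item} is {@code null}
 * @throws IllegalStateException if the request carries no authenticated principal
 */
@POST
@Consumes(MediaType.APPLICATION_JSON)
@Produces(MediaType.APPLICATION_JSON)
@Path("/items")
public LibraryItem addItem(@Context SecurityContext context, LibraryItem item) throws URISyntaxException {
    if (item == null) {
        throw new IllegalArgumentException("item must not be null");
    }
    // Only the principal name is needed, so the raw KeycloakPrincipal cast is avoided; it would
    // have failed with ClassCastException under any other authentication mechanism.
    final java.security.Principal caller = context.getUserPrincipal();
    if (caller == null) {
        throw new IllegalStateException("no authenticated principal on request");
    }
    item.setUserId(caller.getName());
    em.persist(item);
    return item;
}
}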
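/**
 * Create a successful result.
 *
 * <p>When the authentication details are a {@link SimpleKeycloakAccount}, the username is taken
 * from the Keycloak principal, preferring the ID token's {@code preferred_username} when an ID
 * token is present; otherwise principal and details are copied from {@code authentication} as-is.
 * The result is stored as a {@code UsernamePasswordAuthenticationToken} with no challenge.
 *
 * @param authentication valid credentials
 * @throws IllegalArgumentException if a {@code SimpleKeycloakAccount} does not carry a
 *     {@link KeycloakPrincipal}
 */
public AuthResults(Authentication authentication) {
    Object username;
    Object details;
    if (authentication.getDetails() instanceof SimpleKeycloakAccount) {
        final SimpleKeycloakAccount account = (SimpleKeycloakAccount) authentication.getDetails();
        // Explicit check instead of 'assert': assertions are disabled by default, so the old
        // check was skipped at runtime and a wrong type only surfaced as ClassCastException.
        if (!(account.getPrincipal() instanceof KeycloakPrincipal)) {
            throw new IllegalArgumentException(
                    "SimpleKeycloakAccount principal is not a KeycloakPrincipal");
        }
        final KeycloakPrincipal principal = (KeycloakPrincipal) account.getPrincipal();
        username = principal.getName();
        if (principal.getKeycloakSecurityContext().getIdToken() != null) {
            username = principal.getKeycloakSecurityContext().getIdToken().getPreferredUsername();
        }
        details = account;
    } else {
        username = authentication.getPrincipal();
        details = authentication.getDetails();
    }
    // Build the token in a typed local so no downcast of the field is needed to set details.
    final UsernamePasswordAuthenticationToken result = new UsernamePasswordAuthenticationToken(
            username, authentication.getCredentials(), authentication.getAuthorities());
    result.setDetails(details);
    this.authentication = result;
    this.challenge = null;
}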
/**
 * Finishes a bearer-token authentication: wraps the verified token in a refreshable security
 * context, builds the principal and hands both to {@code completeBearerAuthentication}.
 *
 * @param bearer authenticator that already validated the bearer token
 * @param method HTTP method of the current request, passed through unchanged
 */
protected void completeAuthentication(BearerTokenRequestAuthenticator bearer, String method) {
    // NOTE(review): the null arguments presumably are the token store, ID token and refresh
    // token slots, which a plain bearer request does not carry — confirm against the constructor.
    final RefreshableKeycloakSecurityContext ctx = new RefreshableKeycloakSecurityContext(
            deployment, null, bearer.getTokenString(), bearer.getToken(), null, null, null);
    final String name = AdapterUtils.getPrincipalName(deployment, bearer.getToken());
    final KeycloakPrincipal<RefreshableKeycloakSecurityContext> user =
            new KeycloakPrincipal<RefreshableKeycloakSecurityContext>(name, ctx);
    completeBearerAuthentication(user, method);
    log.debugv("User ''{0}'' invoking ''{1}'' on client ''{2}''",
            user.getName(), facade.getRequest().getURI(), deployment.getResourceName());
}
/**
 * Builds a {@link KeycloakPrincipal} for the given security context, naming it from
 * {@code getPrincipalName(deployment, securityContext.getToken())}.
 *
 * @param deployment      adapter deployment used to derive the principal name
 * @param securityContext security context holding the access token
 * @return a principal wrapping {@code securityContext}
 */
public static KeycloakPrincipal<RefreshableKeycloakSecurityContext> createPrincipal(
        KeycloakDeployment deployment, RefreshableKeycloakSecurityContext securityContext) {
    final String name = getPrincipalName(deployment, securityContext.getToken());
    return new KeycloakPrincipal<RefreshableKeycloakSecurityContext>(name, securityContext);
}
}
/**
 * Verify if we already have authenticated and active principal in cookie. Perform refresh if it's not active
 *
 * @return valid principal, or {@code null} when the cookie is absent or invalid, or when the
 *     session could not be refreshed (the stale cookie is then removed)
 */
protected KeycloakPrincipal<RefreshableKeycloakSecurityContext> checkPrincipalFromCookie() {
    final KeycloakPrincipal<RefreshableKeycloakSecurityContext> cookiePrincipal =
            CookieTokenStore.getPrincipalFromCookie(deployment, facade, this);
    if (cookiePrincipal == null) {
        log.debug("Account was not in cookie or was invalid");
        return null;
    }
    final RefreshableKeycloakSecurityContext ctx = cookiePrincipal.getKeycloakSecurityContext();
    // Still active and the deployment does not force a refresh on every request: reuse as-is.
    final boolean reusable = ctx.isActive() && !ctx.getDeployment().isAlwaysRefreshToken();
    if (reusable) {
        return cookiePrincipal;
    }
    // Otherwise attempt a refresh; keep the principal only if the context is active afterwards.
    final boolean refreshed = ctx.refreshExpiredToken(false) && ctx.isActive();
    if (refreshed) {
        return cookiePrincipal;
    }
    // Refresh failed: drop the cookie so the stale token is not presented again.
    log.debugf("Cleanup and expire cookie for user %s after failed refresh", cookiePrincipal.getName());
    CookieTokenStore.removeCookie(deployment, facade);
    return null;
}
/**
 * Finishes an OAuth login: wraps the tokens obtained by {@code oauth} in a refreshable security
 * context backed by {@code tokenStore}, builds the principal and hands it to
 * {@code completeOAuthAuthentication}.
 *
 * @param oauth authenticator holding the access, ID and refresh tokens from the OAuth exchange
 */
protected void completeAuthentication(OAuthRequestAuthenticator oauth) {
    final RefreshableKeycloakSecurityContext ctx = new RefreshableKeycloakSecurityContext(
            deployment, tokenStore,
            oauth.getTokenString(), oauth.getToken(),
            oauth.getIdTokenString(), oauth.getIdToken(),
            oauth.getRefreshToken());
    final String name = AdapterUtils.getPrincipalName(deployment, oauth.getToken());
    final KeycloakPrincipal<RefreshableKeycloakSecurityContext> user =
            new KeycloakPrincipal<RefreshableKeycloakSecurityContext>(name, ctx);
    completeOAuthAuthentication(user);
    log.debugv("User ''{0}'' invoking ''{1}'' on client ''{2}''",
            user.getName(), facade.getRequest().getURI(), deployment.getResourceName());
}
/**
 * Called after accessToken was verified (including signature, expiration etc)
 *
 * <p>Builds the refreshable security context, the principal and the role set for the verified
 * token and packages them as an {@link Auth}.
 *
 * @param tokenString the raw token string as received
 * @param token       the verified, parsed access token
 * @return the authentication result for the login module
 * @throws IllegalStateException if the token requests caller verification, which this module
 *     does not support
 */
protected Auth postTokenVerification(String tokenString, AccessToken token) {
    // With resource role mappings the resource-specific verify-caller flag is consulted,
    // otherwise the token-level one.
    final boolean callerMustBeVerified = deployment.isUseResourceRoleMappings()
            ? token.isVerifyCaller(deployment.getResourceName())
            : token.isVerifyCaller();
    if (callerMustBeVerified) {
        throw new IllegalStateException("VerifyCaller not supported yet in login module");
    }
    final RefreshableKeycloakSecurityContext ctx = new RefreshableKeycloakSecurityContext(
            deployment, null, tokenString, token, null, null, null);
    final String principalName = AdapterUtils.getPrincipalName(deployment, token);
    final KeycloakPrincipal<RefreshableKeycloakSecurityContext> user =
            new KeycloakPrincipal<RefreshableKeycloakSecurityContext>(principalName, ctx);
    final Set<String> grantedRoles = AdapterUtils.getRolesFromSecurityContext(ctx);
    return new Auth(user, grantedRoles, tokenString);
}
/**
 * Returns the refreshable Keycloak security context of the wrapped {@code principal};
 * this object adds nothing of its own.
 *
 * @return the wrapped principal's security context
 */
@Override
public RefreshableKeycloakSecurityContext getKeycloakSecurityContext() {
    final RefreshableKeycloakSecurityContext wrapped = principal.getKeycloakSecurityContext();
    return wrapped;
}
/**
 * Verify if we already have authenticated and active principal in cookie. Perform refresh if it's not active
 *
 * @return valid principal, or {@code null} when no cookie principal exists or the session
 *     could not be refreshed (the cookie is removed in that case)
 */
protected KeycloakPrincipal<RefreshableKeycloakSecurityContext> checkPrincipalFromCookie() {
    final KeycloakPrincipal<RefreshableKeycloakSecurityContext> stored =
            CookieTokenStore.getPrincipalFromCookie(deployment, facade, this);
    if (stored == null) {
        log.debug("Account was not in cookie or was invalid");
        return null;
    }
    final RefreshableKeycloakSecurityContext ctx = stored.getKeycloakSecurityContext();
    // A refresh is needed when the session is inactive or the deployment always refreshes.
    if (!ctx.isActive() || ctx.getDeployment().isAlwaysRefreshToken()) {
        final boolean ok = ctx.refreshExpiredToken(false);
        if (!(ok && ctx.isActive())) {
            // Refresh failed: expire the cookie so the stale token is not re-presented.
            log.debugf("Cleanup and expire cookie for user %s after failed refresh", stored.getName());
            CookieTokenStore.removeCookie(deployment, facade);
            return null;
        }
    }
    return stored;
}
public void get(@Suspended final AsyncResponse asyncResponse, @Context SecurityContext context) { KeycloakPrincipal principal = (KeycloakPrincipal) context.getUserPrincipal(); String userId = principal.getName(); TypedQuery<LibraryItem> q = this.em.createQuery("SELECT li FROM LibraryItem li WHERE li.userId = :userId", LibraryItem.class); List<LibraryItem> items = q.setParameter("userId", userId).getResultList();
return new KeycloakPrincipal<RefreshableKeycloakSecurityContext>(AdapterUtils.getPrincipalName(deployment, accessToken), secContext); } catch (VerificationException ve) { log.warn("Failed verify token", ve);
KeycloakPrincipal principal = (KeycloakPrincipal) request.getUserPrincipal(); principal.getKeycloakSecurityContext().getToken().getRealmAccess().getRoles().add("Test-Role");
/**
 * Verify if we already have authenticated and active principal in cookie. Perform refresh if it's not active
 *
 * @return valid principal, or {@code null} when the cookie is absent or invalid, or when a
 *     refresh failed; after a failed refresh the request's principal and auth type are cleared
 *     and the cookie removed
 */
protected KeycloakPrincipal<RefreshableKeycloakSecurityContext> checkPrincipalFromCookie() {
    final KeycloakPrincipal<RefreshableKeycloakSecurityContext> fromCookie =
            CookieTokenStore.getPrincipalFromCookie(deployment, facade, this);
    if (fromCookie == null) {
        log.fine("Account was not in cookie or was invalid");
        return null;
    }
    final RefreshableKeycloakSecurityContext ctx = fromCookie.getKeycloakSecurityContext();
    // Active and no forced refresh configured: the cookie principal can be used directly.
    final boolean reusable = ctx.isActive() && !ctx.getDeployment().isAlwaysRefreshToken();
    if (reusable) {
        return fromCookie;
    }
    final boolean refreshed = ctx.refreshExpiredToken(false) && ctx.isActive();
    if (refreshed) {
        return fromCookie;
    }
    log.fine("Cleanup and expire cookie for user " + fromCookie.getName() + " after failed refresh");
    // Clear whatever principal the container attached, then drop the stale cookie.
    request.setUserPrincipal(null);
    request.setAuthType(null);
    CookieTokenStore.removeCookie(deployment, facade);
    return null;
}
}
/**
 * Installs the verified bearer token as the request's security context: on the Keycloak facade
 * and as a {@link HammockSecurityContext} carrying the principal, its roles and the transport
 * security flag of the incoming request.
 *
 * @param facade             Keycloak HTTP facade for the current request
 * @param request            JAX-RS request whose security context is replaced
 * @param resolvedDeployment deployment the token was verified against
 * @param bearer             authenticator that already validated the bearer token
 */
private void propagateSecurityContext(JaxrsHttpFacade facade, ContainerRequestContext request,
        KeycloakDeployment resolvedDeployment, BearerTokenRequestAuthenticator bearer) {
    final RefreshableKeycloakSecurityContext ctx = new RefreshableKeycloakSecurityContext(
            resolvedDeployment, null, bearer.getTokenString(), bearer.getToken(), null, null, null);
    facade.setSecurityContext(ctx);
    final KeycloakPrincipal<RefreshableKeycloakSecurityContext> user = new KeycloakPrincipal<>(
            AdapterUtils.getPrincipalName(resolvedDeployment, bearer.getToken()), ctx);
    final Set<String> grantedRoles = AdapterUtils.getRolesFromSecurityContext(ctx);
    // Only the transport flag is carried over from the pre-authentication context.
    final boolean overSecureTransport = request.getSecurityContext().isSecure();
    request.setSecurityContext(new HammockSecurityContext(user, grantedRoles, overSecureTransport));
}
KeycloakPrincipal principal = (KeycloakPrincipal) request.getUserPrincipal(); String clientId = "securesite"; principal.getKeycloakSecurityContext().getToken().getResourceAccess(clientId).getRoles();
/**
 * Verify if we already have authenticated and active principal in cookie. Perform refresh if it's not active
 *
 * @return valid principal, or {@code null} when there is no cookie principal or the refresh
 *     failed; on a failed refresh the request's principal and auth type are cleared and the
 *     cookie removed
 */
protected KeycloakPrincipal<RefreshableKeycloakSecurityContext> checkPrincipalFromCookie() {
    final KeycloakPrincipal<RefreshableKeycloakSecurityContext> stored =
            CookieTokenStore.getPrincipalFromCookie(deployment, facade, this);
    if (stored == null) {
        log.fine("Account was not in cookie or was invalid");
        return null;
    }
    final RefreshableKeycloakSecurityContext ctx = stored.getKeycloakSecurityContext();
    // A refresh is needed when the session is inactive or the deployment always refreshes.
    if (!ctx.isActive() || ctx.getDeployment().isAlwaysRefreshToken()) {
        final boolean ok = ctx.refreshExpiredToken(false);
        if (!(ok && ctx.isActive())) {
            log.fine("Cleanup and expire cookie for user " + stored.getName() + " after failed refresh");
            // Detach the container-level principal and drop the stale cookie.
            request.setUserPrincipal(null);
            request.setAuthType(null);
            CookieTokenStore.removeCookie(deployment, facade);
            return null;
        }
    }
    return stored;
}
}
/**
 * Installs the verified bearer token as the request's security context: on the Keycloak facade
 * and as a JAX-RS {@link SecurityContext} whose principal is a {@link KeycloakPrincipal}, whose
 * role checks consult the roles derived from the token, and whose scheme is {@code OAUTH_BEARER}.
 *
 * @param facade             Keycloak HTTP facade for the current request
 * @param request            JAX-RS request whose security context is replaced
 * @param resolvedDeployment deployment the token was verified against
 * @param bearer             authenticator that already validated the bearer token
 */
protected void propagateSecurityContext(JaxrsHttpFacade facade, ContainerRequestContext request,
        KeycloakDeployment resolvedDeployment, BearerTokenRequestAuthenticator bearer) {
    final RefreshableKeycloakSecurityContext ctx = new RefreshableKeycloakSecurityContext(
            resolvedDeployment, null, bearer.getTokenString(), bearer.getToken(), null, null, null);
    // Not needed to do resteasy specifics as KeycloakSecurityContext can be always retrieved from
    // SecurityContext by typecast SecurityContext.getUserPrincipal to KeycloakPrincipal
    // ResteasyProviderFactory.pushContext(KeycloakSecurityContext.class, skSession);
    facade.setSecurityContext(ctx);
    final KeycloakPrincipal<RefreshableKeycloakSecurityContext> user =
            new KeycloakPrincipal<RefreshableKeycloakSecurityContext>(
                    AdapterUtils.getPrincipalName(resolvedDeployment, bearer.getToken()), ctx);
    // Only the transport flag is carried over from the pre-authentication context.
    final SecurityContext before = getRequestSecurityContext(request);
    final boolean overSecureTransport = before.isSecure();
    final Set<String> grantedRoles = AdapterUtils.getRolesFromSecurityContext(ctx);
    request.setSecurityContext(new SecurityContext() {
        @Override
        public Principal getUserPrincipal() {
            return user;
        }

        @Override
        public boolean isUserInRole(String role) {
            return grantedRoles.contains(role);
        }

        @Override
        public boolean isSecure() {
            return overSecureTransport;
        }

        @Override
        public String getAuthenticationScheme() {
            return "OAUTH_BEARER";
        }
    });
}
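/**
 * Demo servlet hook: for an authenticated caller, adds {@code "Test-Role"} to the realm roles of
 * the parsed access token.
 *
 * <p>NOTE(review): this mutates only the in-memory {@code AccessToken} object reachable from the
 * request's security context; the signed token string is not changed, so the added role is
 * presumably visible only to checks made against that object — confirm before relying on it.
 *
 * @param request  current request; the principal is read from {@code request.getUserPrincipal()}
 * @param response unused
 * @throws ServletException declared for interface compatibility; not thrown by this body
 * @throws IOException      declared for interface compatibility; not thrown by this body
 */
@Override
protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
    @SuppressWarnings("rawtypes")
    KeycloakPrincipal principal = (KeycloakPrincipal) request.getUserPrincipal();
    if (principal == null) {
        // No authenticated session: nothing to do.
        return;
    }
    // user has a valid session, we can assign role on the fly like this.
    // A token without a realm_access claim, or without a roles entry inside it, yields null
    // here; guard both instead of failing the request with a NullPointerException.
    org.keycloak.representations.AccessToken.Access realmAccess =
            principal.getKeycloakSecurityContext().getToken().getRealmAccess();
    if (realmAccess == null || realmAccess.getRoles() == null) {
        return;
    }
    realmAccess.getRoles().add("Test-Role");
}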
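/**
 * Resolves the current caller to a {@link HawkularUser}, creating or updating the stored record
 * from the Keycloak access token.
 *
 * <p>The user id is the principal name; display name and e-mail come from the token and are
 * written back to the stored user only when present in the token and different from what is
 * stored. Callers that are not a {@link KeycloakPrincipal} get {@code null}.
 *
 * @return the current user, or {@code null} when the caller is not a {@code KeycloakPrincipal}
 */
@Produces
@CurrentUser
@Override
public HawkularUser getCurrent() {
    final Principal p = sessionContext.getCallerPrincipal();
    if (!(p instanceof KeycloakPrincipal)) {
        logger.nonAuthRequestWantsPersona();
        return null;
    }
    final KeycloakPrincipal principal = (KeycloakPrincipal) p;
    final String id = principal.getName();
    final String name = principal.getKeycloakSecurityContext().getToken().getName();
    final String email = principal.getKeycloakSecurityContext().getToken().getEmail();
    final HawkularUser user = getOrCreateByIdAndName(id, name);
    boolean needsUpdate = false;
    // The token's name may be absent; treat it like email and only sync a present value,
    // instead of dereferencing a null name.
    if (name != null && !name.equals(user.getName())) {
        logger.settingUsersName(id, name, user.getName());
        user.setName(name);
        needsUpdate = true;
    }
    if (email != null && !email.equals(user.getEmail())) {
        logger.settingUsersEmail(id, email, user.getEmail());
        user.setEmail(email);
        needsUpdate = true;
    }
    return needsUpdate ? update(user) : user;
}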