@Override public boolean isCached(RequestAuthenticator authenticator) { HttpSession httpSession = request.getSession(false); if (httpSession == null) return false; SerializableKeycloakAccount account = (SerializableKeycloakAccount) httpSession.getAttribute(KeycloakAccount.class.getName()); if (account == null) { return false; } log.fine("remote logged in already. Establish state from session"); RefreshableKeycloakSecurityContext securityContext = account.getKeycloakSecurityContext(); if (!deployment.getRealm().equals(securityContext.getRealm())) { log.fine("Account from cookie is from a different realm than for the request."); cleanSession(httpSession); return false; } if (idMapper != null && !idMapper.hasSession(httpSession.getId())) { log.fine("idMapper does not have session: " + httpSession.getId()); //System.err.println("idMapper does not have session: " + httpSession.getId()); cleanSession(httpSession); return false; } securityContext.setCurrentRequestInfo(deployment, this); request.setAttribute(KeycloakSecurityContext.class.getName(), securityContext); needRequestRestore = restoreRequest(); return true; }
@Override public void saveAccountInfo(OidcKeycloakAccount account) { RefreshableKeycloakSecurityContext securityContext = (RefreshableKeycloakSecurityContext) account.getKeycloakSecurityContext(); Set<String> roles = account.getRoles(); SerializableKeycloakAccount sAccount = new SerializableKeycloakAccount(roles, account.getPrincipal(), securityContext); HttpSession httpSession = request.getSession(); httpSession.setAttribute(KeycloakAccount.class.getName(), sAccount); httpSession.setAttribute(KeycloakSecurityContext.class.getName(), sAccount.getKeycloakSecurityContext()); if (idMapper != null) idMapper.map(account.getKeycloakSecurityContext().getToken().getSessionState(), account.getPrincipal().getName(), httpSession.getId()); //String username = securityContext.getToken().getSubject(); //log.fine("userSessionManagement.login: " + username); }
@Override public void checkCurrentToken() { HttpSession httpSession = request.getSession(false); if (httpSession == null) return; SerializableKeycloakAccount account = (SerializableKeycloakAccount)httpSession.getAttribute(KeycloakAccount.class.getName()); if (account == null) { return; } RefreshableKeycloakSecurityContext session = account.getKeycloakSecurityContext(); if (session == null) return; // just in case session got serialized if (session.getDeployment() == null) session.setCurrentRequestInfo(deployment, this); if (session.isActive() && !session.getDeployment().isAlwaysRefreshToken()) return; // FYI: A refresh requires same scope, so same roles will be set. Otherwise, refresh will fail and token will // not be updated boolean success = session.refreshExpiredToken(false); if (success && session.isActive()) return; // Refresh failed, so user is already logged out from keycloak. Cleanup and expire our session //log.fine("Cleanup and expire session " + httpSession.getId() + " after failed refresh"); cleanSession(httpSession); httpSession.invalidate(); }
@Override public void handle(Context context) { OIDCFilterSessionStore.SerializableKeycloakAccount account = context.removeSession(KeycloakAccount.class.getName()); if (account != null) { // Logout of the Keycloak server KeycloakDeployment deployment = account.getKeycloakSecurityContext().getDeployment(); account.getKeycloakSecurityContext().logout(deployment); } // Cleanup the session of Keycloak metadata context.removeSession(KeycloakSecurityContext.class.getName()); context.removeSession(REDIRECT_URI); context.removeSession(SAVED_METHOD); context.removeSession(SAVED_HEADERS); context.removeSession(SAVED_BODY); super.handle(context); } }
@Override public void logout() { HttpSession httpSession = request.getSession(false); if (httpSession != null) { SerializableKeycloakAccount account = (SerializableKeycloakAccount) httpSession.getAttribute(KeycloakAccount.class.getName()); if (account != null) { account.getKeycloakSecurityContext().logout(deployment); } cleanSession(httpSession); } }