/**
 * Checks whether the security context behind this account is still usable, refreshing the
 * token when the context is inactive or when the deployment forces a refresh on every request.
 *
 * @return {@code true} when the context is active (possibly after a successful refresh),
 *         {@code false} when it is inactive and the refresh did not succeed
 */
public boolean checkActive() {
    // this object may have been serialized, so realm config/metadata may need to be reset
    // NOTE(review): the reset itself is not visible in this method — confirm it happens in
    // getKeycloakSecurityContext() or the caller
    RefreshableKeycloakSecurityContext context = getKeycloakSecurityContext();

    // Short-circuit order matters: getDeployment() is only consulted for an active context.
    boolean refreshNeeded = !context.isActive() || context.getDeployment().isAlwaysRefreshToken();
    if (!refreshNeeded) {
        log.debug("session is active");
        return true;
    }

    log.debug("session is not active or refresh is enforced. Try refresh");
    boolean refreshed = context.refreshExpiredToken(false);
    if (!refreshed || !context.isActive()) {
        log.debug("session is not active return with failure");
        return false;
    }

    log.debug("refresh succeeded");
    // A refreshed token may carry updated role claims; propagate them to this account.
    setRoles(context);
    return true;
}
/**
 * Checks whether the security context behind this account is still usable, refreshing the
 * token when the context is inactive or when the deployment forces a refresh on every request.
 *
 * @return {@code true} when the context is active (possibly after a successful refresh),
 *         {@code false} when it is inactive and the refresh did not succeed
 */
public boolean checkActive() {
    // this object may have been serialized, so realm config/metadata may need to be reset
    // NOTE(review): the reset itself is not visible in this method — confirm it happens in
    // getKeycloakSecurityContext() or the caller
    RefreshableKeycloakSecurityContext context = getKeycloakSecurityContext();

    // Short-circuit order matters: getDeployment() is only consulted for an active context.
    boolean refreshNeeded = !context.isActive() || context.getDeployment().isAlwaysRefreshToken();
    if (!refreshNeeded) {
        log.debug("session is active");
        return true;
    }

    log.debug("session is not active or refresh is enforced. Try refresh");
    boolean refreshed = context.refreshExpiredToken(false);
    if (!refreshed || !context.isActive()) {
        log.debug("session is not active return with failure");
        return false;
    }

    log.debug("refresh succeeded");
    // A refreshed token may carry updated role claims; propagate them to this account.
    setRoles(context);
    return true;
}
/**
 * Validates the Keycloak security context stored in the HTTP session. An inactive context
 * (or any context when the deployment always refreshes) is refreshed in place; when the
 * refresh fails the context is dropped from the session and the session is invalidated.
 */
@Override
public void checkCurrentToken() {
    if (request.getSession(false) == null) {
        return;
    }

    String contextKey = KeycloakSecurityContext.class.getName();
    RefreshableKeycloakSecurityContext context =
            (RefreshableKeycloakSecurityContext) request.getSession().getAttribute(contextKey);
    if (context == null) {
        return;
    }

    // just in case session got serialized: a deserialized context has no deployment attached
    if (context.getDeployment() == null) {
        context.setCurrentRequestInfo(deployment, this);
    }

    // Short-circuit order matters: getDeployment() is only consulted for an active context.
    boolean refreshNeeded = !context.isActive() || context.getDeployment().isAlwaysRefreshToken();
    if (!refreshNeeded) {
        return;
    }

    // FYI: A refresh requires same scope, so same roles will be set. Otherwise, refresh will
    // fail and token will not be updated
    boolean refreshed = context.refreshExpiredToken(false);
    if (refreshed && context.isActive()) {
        return;
    }

    // Refresh failed, so user is already logged out from keycloak. Cleanup and expire our session
    request.getSession().removeAttribute(contextKey);
    request.getSession().invalidate();
}
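/**
 * Keeps the Keycloak security context of the current request valid for the rest of the filter
 * chain. A refreshable context that is inactive (or any context when the deployment always
 * refreshes) is refreshed; on a failed refresh the authentication is cleared and the expired
 * context is NOT exposed on the request. The filter runs at most once per request
 * ({@code FILTER_APPLIED} marker).
 *
 * @param request     the current request; receives the security context as an attribute
 * @param response    the current response, passed through to deployment resolution
 * @param filterChain the remaining chain, always invoked exactly once
 * @throws IOException      propagated from the filter chain
 * @throws ServletException propagated from the filter chain
 */
@Override
public void doFilter(ServletRequest request, ServletResponse response, FilterChain filterChain)
        throws IOException, ServletException {
    if (request.getAttribute(FILTER_APPLIED) != null) {
        filterChain.doFilter(request, response);
        return;
    }
    request.setAttribute(FILTER_APPLIED, Boolean.TRUE);

    KeycloakSecurityContext keycloakSecurityContext = getKeycloakPrincipal();
    if (keycloakSecurityContext instanceof RefreshableKeycloakSecurityContext) {
        RefreshableKeycloakSecurityContext refreshableSecurityContext =
                (RefreshableKeycloakSecurityContext) keycloakSecurityContext;
        KeycloakDeployment deployment = resolveDeployment(request, response);

        boolean contextUsable = true;
        // Short-circuit order matters: the deployment flag is only consulted for an active context.
        if (!refreshableSecurityContext.isActive() || deployment.isAlwaysRefreshToken()) {
            if (!refreshableSecurityContext.refreshExpiredToken(false)) {
                // Refresh failed: the user is no longer authenticated at Keycloak. Clear the
                // authentication and make sure the expired context does not reach downstream
                // code via the request attribute (previously it was re-attached unconditionally
                // right after clearing).
                clearAuthenticationContext();
                contextUsable = false;
            }
        }

        if (contextUsable) {
            // refreshableSecurityContext is the same object as keycloakSecurityContext, so a
            // single attribute assignment covers both the refreshed and the still-active case.
            request.setAttribute(KeycloakSecurityContext.class.getName(), keycloakSecurityContext);
        }
    }

    filterChain.doFilter(request, response);
}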
/**
 * Validates the Keycloak security context stored in the HTTP session. An inactive context
 * (or any context when the deployment always refreshes) is refreshed in place; when the
 * refresh fails the context is dropped from the session and the session is invalidated.
 */
@Override
public void checkCurrentToken() {
    if (request.getSession(false) == null) {
        return;
    }

    String contextKey = KeycloakSecurityContext.class.getName();
    RefreshableKeycloakSecurityContext context =
            (RefreshableKeycloakSecurityContext) request.getSession().getAttribute(contextKey);
    if (context == null) {
        return;
    }

    // just in case session got serialized: a deserialized context has no deployment attached
    if (context.getDeployment() == null) {
        context.setCurrentRequestInfo(deployment, this);
    }

    // Short-circuit order matters: getDeployment() is only consulted for an active context.
    boolean refreshNeeded = !context.isActive() || context.getDeployment().isAlwaysRefreshToken();
    if (!refreshNeeded) {
        return;
    }

    // FYI: A refresh requires same scope, so same roles will be set. Otherwise, refresh will
    // fail and token will not be updated
    boolean refreshed = context.refreshExpiredToken(false);
    if (refreshed && context.isActive()) {
        return;
    }

    // Refresh failed, so user is already logged out from keycloak. Cleanup and expire our session
    request.getSession().removeAttribute(contextKey);
    request.getSession().invalidate();
}
/**
 * Validates the security context of the Keycloak account stored in the HTTP session. An
 * inactive context (or any context when the deployment always refreshes) is refreshed in
 * place; when the refresh fails the session is cleaned up and invalidated.
 */
@Override
public void checkCurrentToken() {
    HttpSession httpSession = request.getSession(false);
    if (httpSession == null) {
        return;
    }

    SerializableKeycloakAccount account =
            (SerializableKeycloakAccount) httpSession.getAttribute(KeycloakAccount.class.getName());
    if (account == null) {
        return;
    }

    RefreshableKeycloakSecurityContext context = account.getKeycloakSecurityContext();
    if (context == null) {
        return;
    }

    // just in case session got serialized: a deserialized context has no deployment attached
    if (context.getDeployment() == null) {
        context.setCurrentRequestInfo(deployment, this);
    }

    // Short-circuit order matters: getDeployment() is only consulted for an active context.
    boolean refreshNeeded = !context.isActive() || context.getDeployment().isAlwaysRefreshToken();
    if (!refreshNeeded) {
        return;
    }

    // FYI: A refresh requires same scope, so same roles will be set. Otherwise, refresh will
    // fail and token will not be updated
    boolean refreshed = context.refreshExpiredToken(false);
    if (refreshed && context.isActive()) {
        return;
    }

    // Refresh failed, so user is already logged out from keycloak. Cleanup and expire our session
    cleanSession(httpSession);
    httpSession.invalidate();
}
/**
 * Verifies whether the cookie already carries an authenticated and active principal, refreshing
 * the token when the context is inactive or the deployment always refreshes. A principal whose
 * refresh fails has its cookie removed.
 *
 * @return the valid principal, or {@code null} when the cookie is absent, invalid or could not
 *         be refreshed
 */
protected KeycloakPrincipal<RefreshableKeycloakSecurityContext> checkPrincipalFromCookie() {
    KeycloakPrincipal<RefreshableKeycloakSecurityContext> principal =
            CookieTokenStore.getPrincipalFromCookie(deployment, facade, this);
    if (principal == null) {
        log.debug("Account was not in cookie or was invalid");
        return null;
    }

    RefreshableKeycloakSecurityContext context = principal.getKeycloakSecurityContext();
    // Short-circuit order matters: getDeployment() is only consulted for an active context.
    boolean refreshNeeded = !context.isActive() || context.getDeployment().isAlwaysRefreshToken();
    if (!refreshNeeded) {
        return principal;
    }

    boolean refreshed = context.refreshExpiredToken(false);
    if (refreshed && context.isActive()) {
        return principal;
    }

    // The refresh failed, so the cookie no longer represents a valid login; drop it.
    log.debugf("Cleanup and expire cookie for user %s after failed refresh", principal.getName());
    CookieTokenStore.removeCookie(deployment, facade);
    return null;
}
/**
 * Verifies whether the cookie already carries an authenticated and active principal, refreshing
 * the token when the context is inactive or the deployment always refreshes. A principal whose
 * refresh fails has its cookie removed.
 *
 * @return the valid principal, or {@code null} when the cookie is absent, invalid or could not
 *         be refreshed
 */
protected KeycloakPrincipal<RefreshableKeycloakSecurityContext> checkPrincipalFromCookie() {
    KeycloakPrincipal<RefreshableKeycloakSecurityContext> principal =
            CookieTokenStore.getPrincipalFromCookie(deployment, facade, this);
    if (principal == null) {
        log.debug("Account was not in cookie or was invalid");
        return null;
    }

    RefreshableKeycloakSecurityContext context = principal.getKeycloakSecurityContext();
    // Short-circuit order matters: getDeployment() is only consulted for an active context.
    boolean refreshNeeded = !context.isActive() || context.getDeployment().isAlwaysRefreshToken();
    if (!refreshNeeded) {
        return principal;
    }

    boolean refreshed = context.refreshExpiredToken(false);
    if (refreshed && context.isActive()) {
        return principal;
    }

    // The refresh failed, so the cookie no longer represents a valid login; drop it.
    log.debugf("Cleanup and expire cookie for user %s after failed refresh", principal.getName());
    CookieTokenStore.removeCookie(deployment, facade);
    return null;
}
/**
 * Verifies whether the cookie already carries an authenticated and active principal, refreshing
 * the token when the context is inactive or the deployment always refreshes. When the refresh
 * fails, the request's user principal and auth type are cleared and the cookie is removed.
 *
 * @return the valid principal, or {@code null} when the cookie is absent, invalid or could not
 *         be refreshed
 */
protected KeycloakPrincipal<RefreshableKeycloakSecurityContext> checkPrincipalFromCookie() {
    KeycloakPrincipal<RefreshableKeycloakSecurityContext> principal =
            CookieTokenStore.getPrincipalFromCookie(deployment, facade, this);
    if (principal == null) {
        log.fine("Account was not in cookie or was invalid");
        return null;
    }

    RefreshableKeycloakSecurityContext context = principal.getKeycloakSecurityContext();
    // Short-circuit order matters: getDeployment() is only consulted for an active context.
    boolean refreshNeeded = !context.isActive() || context.getDeployment().isAlwaysRefreshToken();
    if (!refreshNeeded) {
        return principal;
    }

    boolean refreshed = context.refreshExpiredToken(false);
    if (refreshed && context.isActive()) {
        return principal;
    }

    // The refresh failed: detach the principal from the request and drop the stale cookie.
    log.fine("Cleanup and expire cookie for user " + principal.getName() + " after failed refresh");
    request.setUserPrincipal(null);
    request.setAuthType(null);
    CookieTokenStore.removeCookie(deployment, facade);
    return null;
}
}
/**
 * Verifies whether the cookie already carries an authenticated and active principal, refreshing
 * the token when the context is inactive or the deployment always refreshes. When the refresh
 * fails, the request's user principal and auth type are cleared and the cookie is removed.
 *
 * @return the valid principal, or {@code null} when the cookie is absent, invalid or could not
 *         be refreshed
 */
protected KeycloakPrincipal<RefreshableKeycloakSecurityContext> checkPrincipalFromCookie() {
    KeycloakPrincipal<RefreshableKeycloakSecurityContext> principal =
            CookieTokenStore.getPrincipalFromCookie(deployment, facade, this);
    if (principal == null) {
        log.fine("Account was not in cookie or was invalid");
        return null;
    }

    RefreshableKeycloakSecurityContext context = principal.getKeycloakSecurityContext();
    // Short-circuit order matters: getDeployment() is only consulted for an active context.
    boolean refreshNeeded = !context.isActive() || context.getDeployment().isAlwaysRefreshToken();
    if (!refreshNeeded) {
        return principal;
    }

    boolean refreshed = context.refreshExpiredToken(false);
    if (refreshed && context.isActive()) {
        return principal;
    }

    // The refresh failed: detach the principal from the request and drop the stale cookie.
    log.fine("Cleanup and expire cookie for user " + principal.getName() + " after failed refresh");
    request.setUserPrincipal(null);
    request.setAuthType(null);
    CookieTokenStore.removeCookie(deployment, facade);
    return null;
}
}
log.trace("checking whether to refresh."); if (isActive() && isTokenTimeToLiveSufficient(this.token)) return true;
if (session.isActive() && !session.getDeployment().isAlwaysRefreshToken()) { request.setAttribute(KeycloakSecurityContext.class.getName(), session); request.setUserPrincipal(account.getPrincipal()); if (success && session.isActive()) { request.setAttribute(KeycloakSecurityContext.class.getName(), session); request.setUserPrincipal(account.getPrincipal());
if (session.isActive() && !session.getDeployment().isAlwaysRefreshToken()) { request.setAttribute(KeycloakSecurityContext.class.getName(), session); request.setUserPrincipal(account.getPrincipal()); if (success && session.isActive()) { request.setAttribute(KeycloakSecurityContext.class.getName(), session); request.setUserPrincipal(account.getPrincipal());