/**
 * Reports whether this SSL policy demands a secure channel for the given client connection.
 *
 * <p>Only the connection's remote address is consulted. The decision itself is made by the
 * address-based {@code isRequired} overload, which is not shown here.
 *
 * <p>NOTE(review): behind a reverse proxy or load balancer the remote address may be the
 * proxy's rather than the end client's. Confirm how the connection's address is populated
 * before relying on an address-dependent policy.
 *
 * @param connection the client connection whose remote address is evaluated
 * @return whatever the address-based check returns for that remote address
 */
public boolean isRequired(ClientConnection connection) {
    final String remoteAddr = connection.getRemoteAddr();
    return isRequired(remoteAddr);
}
/**
 * Creates a URI builder for {@code base}, then overrides its scheme, host and (when present)
 * port with the values of the current request.
 *
 * <p>When the deployment's SSL policy applies to the caller's remote address, the scheme is
 * forced to {@code https}. If the request arrived with a different scheme and an explicit
 * port, no HTTPS port can be derived, so the method logs an error and fails rather than
 * emitting a URL on the wrong port.
 *
 * <p>NOTE(review): host and port are copied from the request URI. If the container derives
 * that URI from the client-supplied Host header, the resulting URL is client-influenced.
 * Confirm that the front end validates or pins the host.
 *
 * @param facade the HTTP facade giving access to the current request
 * @param base the configured URL used to seed the builder
 * @return the builder, rebased onto the request's scheme, host and port
 * @throws RuntimeException if SSL is required but the request uses another scheme on an
 *     explicit port
 */
protected KeycloakUriBuilder getBaseBuilder(HttpFacade facade, String base) {
    KeycloakUriBuilder result = KeycloakUriBuilder.fromUri(base);
    URI requestUri = URI.create(facade.getRequest().getURI());
    String requestScheme = requestUri.getScheme();
    String effectiveScheme = requestScheme;

    boolean sslRequired = deployment.getSslRequired().isRequired(facade.getRequest().getRemoteAddr());
    if (sslRequired) {
        effectiveScheme = "https";
        boolean schemeMismatch = !requestUri.getScheme().equals(effectiveScheme);
        // An explicit port on a non-HTTPS request cannot be reused for the HTTPS URL.
        if (schemeMismatch && requestUri.getPort() != -1) {
            log.error("request scheme: " + requestUri.getScheme() + " ssl required");
            throw new RuntimeException("Can't resolve relative url from adapter config.");
        }
    }

    result.scheme(effectiveScheme);
    result.host(requestUri.getHost());
    int requestPort = requestUri.getPort();
    if (requestPort != -1) {
        result.port(requestPort);
    }
    return result;
}
/**
 * Rejects the current request when it did not arrive over HTTPS although the realm's SSL
 * policy requires a secure channel for this client connection.
 *
 * <p>The scheme is read from the session context's base URI. NOTE(review): if TLS is
 * terminated upstream, that base URI must reflect the original scheme for this check to be
 * meaningful. Confirm the proxy-forwarding configuration.
 *
 * @throws CASValidationException with {@code INVALID_REQUEST} and HTTP 403 when HTTPS is
 *     required but the base URI scheme is not {@code https}
 */
protected void checkSsl() {
    String baseScheme = session.getContext().getUri().getBaseUri().getScheme();
    if (baseScheme.equals("https")) {
        return;
    }
    if (!realm.getSslRequired().isRequired(clientConnection)) {
        return;
    }
    throw new CASValidationException(CASErrorCode.INVALID_REQUEST, "HTTPS required", Response.Status.FORBIDDEN);
}
/**
 * Stores the session's tokens in the adapter state cookie.
 *
 * <p>The cookie value is the access token, ID token and refresh token joined with
 * {@code DELIM}, in that order. The cookie path comes from {@code getCookiePath}.
 *
 * <p>The last two {@code setCookie} arguments are taken to be the Secure and HttpOnly flags.
 * Confirm this against the facade's {@code setCookie} signature. HttpOnly is always set.
 * Secure follows the deployment's SSL policy for the caller's remote address, not the
 * scheme of the current request.
 *
 * <p>NOTE(review): when the policy does not require SSL for that address, this cookie
 * (which carries the refresh token) is issued without Secure even if the request itself
 * used HTTPS. Confirm that this is intended for the deployment.
 *
 * @param deployment the adapter deployment supplying the SSL policy and cookie path settings
 * @param facade the HTTP facade used to read the request and write the cookie
 * @param session the security context whose token strings are stored
 */
public static void setTokenCookie(KeycloakDeployment deployment, HttpFacade facade, RefreshableKeycloakSecurityContext session) {
    log.debugf("Set new %s cookie now", AdapterConstants.KEYCLOAK_ADAPTER_STATE_COOKIE);

    String accessToken = session.getTokenString();
    String idToken = session.getIdTokenString();
    String refreshToken = session.getRefreshToken();

    StringBuilder value = new StringBuilder(accessToken);
    value.append(DELIM);
    value.append(idToken);
    value.append(DELIM);
    value.append(refreshToken);
    String cookie = value.toString();

    String cookiePath = getCookiePath(deployment, facade);
    boolean secureFlag = deployment.getSslRequired().isRequired(facade.getRequest().getRemoteAddr());

    facade.getResponse().setCookie(
            AdapterConstants.KEYCLOAK_ADAPTER_STATE_COOKIE,
            cookie,
            cookiePath,
            null,
            -1,
            secureFlag,
            true);
}
/**
 * Checks whether the current request violates the deployment's SSL requirement.
 *
 * <p>Despite the name, a {@code true} result means the check FAILED: the request is not
 * secure although the SSL policy requires a secure channel for its remote address. A warning
 * is logged in that case. No response is written here.
 *
 * @return {@code true} if SSL is required but the request is not secure, else {@code false}
 */
protected boolean verifySSL() {
    if (facade.getRequest().isSecure()) {
        return false;
    }
    boolean sslRequired = deployment.getSslRequired().isRequired(facade.getRequest().getRemoteAddr());
    if (!sslRequired) {
        return false;
    }
    log.warn("SSL is required to authenticate");
    return true;
}
/**
 * Enforces the deployment's SSL requirement for a JAX-RS request.
 *
 * <p>If the request is not secure and the SSL policy requires a secure channel for its
 * remote address, a warning is logged and a 403 response is sent.
 *
 * @param facade the JAX-RS HTTP facade for the current request and response
 * @param deployment the adapter deployment supplying the SSL policy
 * @return {@code true} if the request was rejected with 403, {@code false} if it may proceed
 */
private boolean verifySslFailed(JaxrsHttpFacade facade, KeycloakDeployment deployment) {
    if (facade.getRequest().isSecure()) {
        return false;
    }
    boolean sslRequired = deployment.getSslRequired().isRequired(facade.getRequest().getRemoteAddr());
    if (!sslRequired) {
        return false;
    }
    log.warn("SSL is required to authenticate, but request is not secured");
    facade.getResponse().sendError(403, "SSL required!");
    return true;
}
/**
 * Enforces the deployment's SSL requirement for a JAX-RS request.
 *
 * <p>If the request is not secure and the SSL policy requires a secure channel for its
 * remote address, a warning is logged and a 403 response is sent.
 *
 * @param facade the JAX-RS HTTP facade for the current request and response
 * @param deployment the adapter deployment supplying the SSL policy
 * @return {@code true} if the request was rejected with 403, {@code false} if it may proceed
 */
protected boolean verifySslFailed(JaxrsHttpFacade facade, KeycloakDeployment deployment) {
    if (facade.getRequest().isSecure()) {
        return false;
    }
    boolean sslRequired = deployment.getSslRequired().isRequired(facade.getRequest().getRemoteAddr());
    if (!sslRequired) {
        return false;
    }
    log.warning("SSL is required to authenticate, but request is not secured");
    facade.getResponse().sendError(403, "SSL required!");
    return true;
}
/**
 * Saves the pending request, then answers with a 302 redirect to the login page and sets
 * the state cookie.
 *
 * <p>The last two {@code setCookie} arguments are taken to be the Secure and HttpOnly flags.
 * Confirm this against the facade's {@code setCookie} signature. HttpOnly is always set.
 * Secure follows the deployment's SSL policy for the caller's remote address.
 *
 * <p>NOTE(review): the remote address is read from the enclosing {@code facade}, while the
 * response is written through the {@code exchange} parameter. Presumably both refer to the
 * same request. Verify this, since the Secure flag depends on it.
 *
 * @param exchange the HTTP facade on which the redirect and cookie are written
 * @return always {@code true}
 */
@Override
public boolean challenge(HttpFacade exchange) {
    tokenStore.saveRequest();
    log.debug("Sending redirect to login page: " + redirect);
    exchange.getResponse().setStatus(302);

    boolean secureFlag = deployment.getSslRequired().isRequired(facade.getRequest().getRemoteAddr());
    exchange.getResponse().setCookie(
            deployment.getStateCookieName(),
            state,
            /* need to set path? */ null,
            null,
            -1,
            secureFlag,
            true);

    exchange.getResponse().setHeader("Location", redirect);
    return true;
}
}; // closes the enclosing declaration, whose opening lies outside this excerpt
/**
 * Validates an incoming adapter admin request and returns its token as a {@link JWSInput}.
 *
 * <p>The request is refused with a 403 response, and {@code null} is returned, when:
 * <ul>
 *   <li>SSL is required for the caller's remote address but the request is not secure;</li>
 *   <li>no token could be read from the request body;</li>
 *   <li>the token fails verification.</li>
 * </ul>
 *
 * <p>Per the original inline comment, only the signature is checked here and the remaining
 * checks happen in {@code validateAction}. Callers must therefore not treat a non-null
 * result as fully validated.
 *
 * @return the parsed token, or {@code null} if the request was rejected
 * @throws Exception if reading the request or parsing the token fails for another reason
 */
protected JWSInput verifyAdminRequest() throws Exception {
    boolean insecureRequest = !facade.getRequest().isSecure();
    if (insecureRequest && deployment.getSslRequired().isRequired(facade.getRequest().getRemoteAddr())) {
        log.warn("SSL is required for adapter admin action");
        facade.getResponse().sendError(403, "ssl required");
        return null;
    }

    String token = StreamUtil.readString(facade.getRequest().getInputStream());
    if (token == null) {
        log.warn("admin request failed, no token");
        facade.getResponse().sendError(403, "no token");
        return null;
    }

    try {
        // Check just signature. Other things checked in validateAction.
        // NOTE(review): the `false` argument presumably turns off the additional checks.
        // Confirm against AdapterTokenVerifier.createVerifier.
        TokenVerifier tokenVerifier = AdapterTokenVerifier.createVerifier(token, deployment, false, JsonWebToken.class);
        tokenVerifier.verify();
        return new JWSInput(token);
    } catch (VerificationException verificationFailure) {
        log.warn("admin request failed, unable to verify token: " + verificationFailure.getMessage());
        // The stack trace is only worth its volume at debug level.
        if (log.isDebugEnabled()) {
            log.debug(verificationFailure.getMessage(), verificationFailure);
        }
        facade.getResponse().sendError(403, "token failed verification");
        return null;
    }
}
if (!isRequestSecure() && deployment.getSslRequired().isRequired(facade.getRequest().getRemoteAddr())) { log.error("Adapter requires SSL. Request: " + facade.getRequest().getURI()); return challenge(403, OIDCAuthenticationError.Reason.SSL_REQUIRED, null);
/**
 * Checks whether the current request violates the deployment's SSL requirement.
 *
 * <p>Despite the name, a {@code true} result means the check FAILED: the request is not
 * secure although the SSL policy requires a secure channel for its remote address. In that
 * case a warning is logged with the remote address, the request's secure flag and the name
 * of the configured policy. No response is written here.
 *
 * @return {@code true} if SSL is required but the request is not secure, else {@code false}
 */
protected boolean verifySSL() {
    if (facade.getRequest().isSecure()) {
        return false;
    }
    boolean sslRequired = deployment.getSslRequired().isRequired(facade.getRequest().getRemoteAddr());
    if (!sslRequired) {
        return false;
    }
    log.warnf(
            "SSL is required to authenticate. Remote address %s is secure: %s, SSL required for: %s .",
            facade.getRequest().getRemoteAddr(),
            facade.getRequest().isSecure(),
            deployment.getSslRequired().name());
    return true;
}
log.debugf("callback uri: %s", url); if (!facade.getRequest().isSecure() && deployment.getSslRequired().isRequired(facade.getRequest().getRemoteAddr())) { int port = sslRedirectPort(); if (port < 0) {