/**
 * Resolves the CAS client for the requested {@code service} URL and binds it to the session context.
 * <p>
 * The client is the first realm client that uses the CAS login protocol and whose registered redirect
 * URIs accept {@code service}; that redirect-URI match is what authorizes the service, so an
 * unmatched service is reported as an invalid service rather than being trusted.
 *
 * @param service the CAS {@code service} request parameter; may be {@code null}
 * @throws CASValidationException with {@code INVALID_REQUEST} when {@code service} is missing, or
 *         {@code INVALID_SERVICE} when no client matches or the matched client is disabled; the
 *         matching {@code Errors} code is recorded on the event before throwing
 */
protected void checkClient(String service) {
    if (service == null) {
        event.error(Errors.INVALID_REQUEST);
        throw new CASValidationException(CASErrorCode.INVALID_REQUEST,
                "Missing parameter: " + CASLoginProtocol.SERVICE_PARAM, Response.Status.BAD_REQUEST);
    }
    // Protocol check first, then the (more expensive) redirect-URI verification.
    client = realm.getClients().stream()
            .filter(candidate -> CASLoginProtocol.LOGIN_PROTOCOL.equals(candidate.getProtocol())
                    && RedirectUtils.verifyRedirectUri(session.getContext().getUri(), service, realm, candidate) != null)
            .findFirst()
            .orElse(null);
    if (client == null || !client.isEnabled()) {
        boolean notFound = client == null;
        event.error(notFound ? Errors.CLIENT_NOT_FOUND : Errors.CLIENT_DISABLED);
        throw new CASValidationException(CASErrorCode.INVALID_SERVICE,
                notFound ? "Client not found" : "Client disabled", Response.Status.BAD_REQUEST);
    }
    event.client(client.getClientId());
    session.getContext().setClient(client);
}
/**
 * Completes a browser logout once the identity provider redirects back.
 * <p>
 * The {@code state} query parameter is looked up as a user session id; the logout is only finished
 * when that session exists and is already in the {@code LOGGING_OUT} state, so a stray or replayed
 * {@code state} value cannot terminate an active session.
 *
 * @param uriInfo the request URI context
 * @param state   the {@code state} query parameter carrying the user session id
 * @return the logout completion response, or an error page when the session is missing or not
 *         logging out (a {@code USER_SESSION_NOT_FOUND} logout event is recorded in both cases)
 */
@GET
@Path("logout_response")
public Response logoutResponse(@Context UriInfo uriInfo, @QueryParam("state") String state) {
    UserSessionModel userSession = session.sessions().getUserSession(realm, state);
    if (userSession == null) {
        return rejectLogoutResponse("no valid user session", Messages.IDENTITY_PROVIDER_UNEXPECTED_ERROR);
    }
    if (userSession.getState() != UserSessionModel.State.LOGGING_OUT) {
        return rejectLogoutResponse("usersession in different state", Messages.SESSION_NOT_ACTIVE);
    }
    return AuthenticationManager.finishBrowserLogout(session, realm, userSession, uriInfo, clientConnection, headers);
}

/**
 * Logs the failure, records a {@code LOGOUT} event with {@code USER_SESSION_NOT_FOUND} and renders
 * the error page for {@code messageKey}.
 */
private Response rejectLogoutResponse(String logMessage, String messageKey) {
    logger.error(logMessage);
    EventBuilder logoutEvent = new EventBuilder(realm, session, clientConnection);
    logoutEvent.event(EventType.LOGOUT);
    logoutEvent.error(Errors.USER_SESSION_NOT_FOUND);
    return ErrorPage.error(session, messageKey);
}
/**
 * Resolves the CAS client for the requested {@code service} URL, records the verified redirect URI
 * on the event and binds the client to the session context.
 * <p>
 * Only a client using the CAS login protocol whose registered redirect URIs accept {@code service}
 * is selected; the redirect-URI verification is the authorization check for the service.
 *
 * @param service the CAS {@code service} request parameter; may be {@code null}
 * @throws ErrorPageException (HTTP 400) when {@code service} is missing, no client matches, or the
 *         matched client is disabled; the matching {@code Errors} code is recorded on the event first
 */
private void checkClient(String service) {
    if (service == null) {
        event.error(Errors.INVALID_REQUEST);
        throw new ErrorPageException(session, Response.Status.BAD_REQUEST,
                Messages.MISSING_PARAMETER, CASLoginProtocol.SERVICE_PARAM);
    }
    // Protocol check first, then the redirect-URI verification against each candidate.
    client = realm.getClients().stream()
            .filter(candidate -> CASLoginProtocol.LOGIN_PROTOCOL.equals(candidate.getProtocol())
                    && RedirectUtils.verifyRedirectUri(session.getContext().getUri(), service, realm, candidate) != null)
            .findFirst()
            .orElse(null);
    if (client == null) {
        event.error(Errors.CLIENT_NOT_FOUND);
        throw new ErrorPageException(session, Response.Status.BAD_REQUEST, Messages.CLIENT_NOT_FOUND);
    }
    if (!client.isEnabled()) {
        event.error(Errors.CLIENT_DISABLED);
        throw new ErrorPageException(session, Response.Status.BAD_REQUEST, Messages.CLIENT_DISABLED);
    }
    // Re-run the verification for the selected client to obtain the normalized redirect URI.
    redirectUri = RedirectUtils.verifyRedirectUri(session.getContext().getUri(), service, realm, client);
    event.client(client.getClientId());
    event.detail(Details.REDIRECT_URI, redirectUri);
    session.getContext().setClient(client);
}
protected void checkTicket(String ticket, boolean requireReauth) { if (ticket == null) { event.error(Errors.INVALID_CODE); throw new CASValidationException(CASErrorCode.INVALID_REQUEST, "Missing parameter: " + CASLoginProtocol.TICKET_PARAM, Response.Status.BAD_REQUEST); event.error(Errors.INVALID_CODE); throw new CASValidationException(CASErrorCode.INVALID_TICKET_SPEC, "Malformed service ticket", Response.Status.BAD_REQUEST); event.error(Errors.INVALID_CODE); event.error(Errors.EXPIRED_CODE); throw new CASValidationException(CASErrorCode.INVALID_TICKET, "Code is expired", Response.Status.BAD_REQUEST); event.error(Errors.SESSION_EXPIRED); throw new CASValidationException(CASErrorCode.INVALID_TICKET, "Interactive authentication was requested but not performed", Response.Status.BAD_REQUEST); event.error(Errors.USER_SESSION_NOT_FOUND); throw new CASValidationException(CASErrorCode.INVALID_TICKET, "User session not found", Response.Status.BAD_REQUEST); event.error(Errors.USER_NOT_FOUND); throw new CASValidationException(CASErrorCode.INVALID_TICKET, "User not found", Response.Status.BAD_REQUEST); event.error(Errors.USER_DISABLED); throw new CASValidationException(CASErrorCode.INVALID_TICKET, "User disabled", Response.Status.BAD_REQUEST); event.error(Errors.INVALID_CODE); throw new CASValidationException(CASErrorCode.INVALID_SERVICE, "Auth error", Response.Status.BAD_REQUEST); event.error(Errors.USER_SESSION_NOT_FOUND); throw new CASValidationException(CASErrorCode.INVALID_TICKET, "Session not active", Response.Status.BAD_REQUEST);
/**
 * Validates the submitted password and carries the result into the authentication flow context.
 * <p>
 * Overrides the stock password validation so that, on success, the main secret is attached to the
 * user session, and on failure the event is tagged with the user and
 * {@code INVALID_USER_CREDENTIALS}, an invalid-credentials challenge is raised and the user is
 * cleared from the context.
 * <p>
 * TODO: Discuss issue with keycloak development team and send a patch.
 *
 * @param context   the current authentication flow context
 * @param user      the user whose password is being checked
 * @param inputData the submitted form data; the password is read from
 *                  {@code CredentialRepresentation.PASSWORD}
 * @return {@code true} when a non-empty password was accepted by the credential manager
 */
@Override
public boolean validatePassword(AuthenticationFlowContext context, UserModel user,
                                MultivaluedMap<String, String> inputData) {
    String submittedPassword = inputData.getFirst(CredentialRepresentation.PASSWORD);
    // Patched: the requested scope is carried along on the credential as a note.
    PasswordUserCredentialModel passwordCredential = UserCredentialModel.password(submittedPassword);
    AuthenticatorUtil.readScope(context)
            .ifPresent(scope -> passwordCredential.setNote(Constants.CUSTOM_SCOPE_NOTE_KEY, scope));
    List<CredentialInput> inputs = new LinkedList<>();
    inputs.add(passwordCredential);
    // An absent or empty password is rejected before the credential manager is consulted.
    boolean rejected = submittedPassword == null
            || submittedPassword.isEmpty()
            || !context.getSession().userCredentialManager().isValid(context.getRealm(), user, inputs);
    if (rejected) {
        context.getEvent().user(user);
        context.getEvent().error(Errors.INVALID_USER_CREDENTIALS);
        Response challenge = invalidCredentials(context);
        context.failureChallenge(AuthenticationFlowError.INVALID_CREDENTIALS, challenge);
        context.clearUser();
        return false;
    }
    AuthenticatorUtil.addMainSecretToUserSession(userSecretAdapter, context, user, passwordCredential);
    return true;
}
}
/**
 * Authenticates the context's user with the password (and scope) taken from the request.
 * <p>
 * On success the main secret is attached to the user session and the flow succeeds; otherwise the
 * event is tagged with the user and {@code invalid_user_credentials} and the flow fails with a
 * 401 {@code invalid_grant} error response.
 *
 * @param context the current authentication flow context
 */
@Override
public void authenticate(AuthenticationFlowContext context) {
    UserCredentialModel credential = passwordAndScope(context);
    CredentialInput[] inputs = { credential };
    boolean accepted = context.getSession().userCredentialManager()
            .isValid(context.getRealm(), context.getUser(), inputs);
    if (accepted) {
        AuthenticatorUtil.addMainSecretToUserSession(userSecretAdapter, context, context.getUser(), credential);
        context.success();
        return;
    }
    context.getEvent().user(context.getUser());
    context.getEvent().error("invalid_user_credentials");
    Response challenge = this.errorResponse(Status.UNAUTHORIZED.getStatusCode(),
            "invalid_grant", "Invalid user credentials");
    context.failure(AuthenticationFlowError.INVALID_USER, challenge);
}