Java Code Examples for org.keycloak.adapters.RefreshableKeycloakSecurityContext#isActive()

The following examples show how to use org.keycloak.adapters.RefreshableKeycloakSecurityContext#isActive().
Example 1
Source File: CatalinaCookieTokenStore.java    From keycloak with Apache License 2.0
/**
 * Resolves the principal carried in the Keycloak cookie and confirms that its security context
 * is usable, refreshing the token when the context is inactive or when the deployment is
 * configured to always refresh.
 *
 * @return the principal when its context is active (after a refresh if one was needed);
 *         {@code null} when the cookie yielded no principal or the refresh did not leave an
 *         active context
 */
protected KeycloakPrincipal<RefreshableKeycloakSecurityContext> checkPrincipalFromCookie() {
    KeycloakPrincipal<RefreshableKeycloakSecurityContext> cookiePrincipal = CookieTokenStore.getPrincipalFromCookie(deployment, facade, this);
    if (cookiePrincipal == null) {
        log.fine("Account was not in cookie or was invalid");
        return null;
    }

    RefreshableKeycloakSecurityContext securityContext = cookiePrincipal.getKeycloakSecurityContext();

    // Fast path: the context is active and the deployment does not force a refresh.
    boolean usableAsIs = securityContext.isActive() && !securityContext.getDeployment().isAlwaysRefreshToken();
    if (usableAsIs) {
        return cookiePrincipal;
    }

    // A successful refresh alone is not enough: the context is re-checked with isActive()
    // before the principal is handed back.
    if (securityContext.refreshExpiredToken(false) && securityContext.isActive()) {
        return cookiePrincipal;
    }

    // Refresh failed: drop the principal and auth type from the request and remove the cookie
    // so the stale token is not presented again.
    log.fine("Cleanup and expire cookie for user " + cookiePrincipal.getName() + " after failed refresh");
    request.setUserPrincipal(null);
    request.setAuthType(null);
    CookieTokenStore.removeCookie(deployment, facade);
    return null;
}
 
Example 2
Source File: SpringSecurityCookieTokenStore.java    From keycloak with Apache License 2.0
/**
 * Looks up the principal stored in the Keycloak cookie and makes sure its security context can
 * still be used, refreshing the token when the context is inactive or when the deployment
 * always refreshes tokens.
 *
 * @return the principal when its context is active (after a refresh if one was needed);
 *     {@code null} when the cookie yielded no principal or the refresh did not leave an active
 *     context
 */
private KeycloakPrincipal<RefreshableKeycloakSecurityContext> checkPrincipalFromCookie() {
    KeycloakPrincipal<RefreshableKeycloakSecurityContext> cookiePrincipal =
            CookieTokenStore.getPrincipalFromCookie(deployment, facade, this);
    if (cookiePrincipal == null) {
        logger.debug("Account was not in cookie or was invalid");
        return null;
    }

    RefreshableKeycloakSecurityContext context = cookiePrincipal.getKeycloakSecurityContext();

    if (!context.isActive() || context.getDeployment().isAlwaysRefreshToken()) {
        boolean refreshed = context.refreshExpiredToken(false);
        if (!refreshed || !context.isActive()) {
            // Refresh failed: remove the cookie so the stale token is not presented again.
            logger.debug(
                    "Cleanup and expire cookie for user {} after failed refresh",
                    cookiePrincipal.getName());
            CookieTokenStore.removeCookie(deployment, facade);
            return null;
        }
        // Only reached after a refresh that left the context active.
        refreshCallback(context);
    }

    return cookiePrincipal;
}
 
Example 3
Source File: KeycloakUndertowAccount.java    From keycloak with Apache License 2.0
/**
 * Reports whether this account's security context can still be used, attempting a token
 * refresh when the context is inactive or the deployment always refreshes tokens.
 *
 * @return {@code true} when the context is active, either as-is or after a successful refresh
 *         (in which case the roles are re-derived via {@code setRoles}); {@code false} otherwise
 */
public boolean checkActive() {
    // NOTE(review): the original comment here said the object may have been serialized and that
    // realm config/metadata must be reset, but nothing in this method performs such a reset.
    // Confirm whether the caller restores the deployment before this runs.
    RefreshableKeycloakSecurityContext context = getKeycloakSecurityContext();

    boolean refreshNeeded = !context.isActive() || context.getDeployment().isAlwaysRefreshToken();
    if (!refreshNeeded) {
        log.debug("session is active");
        return true;
    }

    log.debug("session is not active or refresh is enforced. Try refresh");
    if (context.refreshExpiredToken(false) && context.isActive()) {
        log.debug("refresh succeeded");

        // Roles are recomputed from the refreshed context.
        setRoles(context);
        return true;
    }

    log.debug("session is not active return with failure");
    return false;
}
 
Example 4
Source File: JettySessionTokenStore.java    From keycloak with Apache License 2.0
/**
 * Validates the security context stored in the current HTTP session, refreshing its token when
 * needed, and invalidates the session when the refresh does not leave an active context.
 * Does nothing when there is no session or no stored context.
 */
@Override
public void checkCurrentToken() {
    if (request.getSession(false) == null) {
        return;
    }

    final String contextKey = KeycloakSecurityContext.class.getName();
    RefreshableKeycloakSecurityContext securityContext =
            (RefreshableKeycloakSecurityContext) request.getSession().getAttribute(contextKey);
    if (securityContext == null) {
        return;
    }

    // just in case session got serialized: re-attach the deployment and this token store
    if (securityContext.getDeployment() == null) {
        securityContext.setCurrentRequestInfo(deployment, this);
    }

    // FYI: A refresh requires same scope, so same roles will be set.  Otherwise, refresh will fail and token will
    // not be updated
    boolean usable = (securityContext.isActive() && !securityContext.getDeployment().isAlwaysRefreshToken())
            || (securityContext.refreshExpiredToken(false) && securityContext.isActive());
    if (usable) {
        return;
    }

    // Refresh failed, so user is already logged out from keycloak. Cleanup and expire our session
    request.getSession().removeAttribute(contextKey);
    request.getSession().invalidate();
}
 
Example 5
Source File: JettyCookieTokenStore.java    From keycloak with Apache License 2.0
/**
 * Reads the principal from the Keycloak cookie and verifies that its security context is
 * usable, refreshing the token when the context is inactive or the deployment always refreshes.
 *
 * @return the principal when its context is active (after a refresh if one was needed);
 *         {@code null} when the cookie yielded no principal or the refresh did not leave an
 *         active context
 */
protected KeycloakPrincipal<RefreshableKeycloakSecurityContext> checkPrincipalFromCookie() {
    KeycloakPrincipal<RefreshableKeycloakSecurityContext> fromCookie = CookieTokenStore.getPrincipalFromCookie(deployment, facade, this);
    if (fromCookie == null) {
        log.debug("Account was not in cookie or was invalid");
        return null;
    }

    RefreshableKeycloakSecurityContext context = fromCookie.getKeycloakSecurityContext();

    // Short-circuit order matters: the refresh is attempted only when the context is inactive
    // or a refresh is forced, and the context is re-checked after a successful refresh.
    boolean usable = (context.isActive() && !context.getDeployment().isAlwaysRefreshToken())
            || (context.refreshExpiredToken(false) && context.isActive());
    if (usable) {
        return fromCookie;
    }

    // Refresh failed: remove the cookie so the stale token is not presented again.
    log.debugf("Cleanup and expire cookie for user %s after failed refresh", fromCookie.getName());
    CookieTokenStore.removeCookie(deployment, facade);
    return null;
}
 
Example 6
Source File: ElytronSessionTokenStore.java    From keycloak with Apache License 2.0
/**
 * Validates the security context attached to the session scope, refreshing its token when
 * needed, and invalidates the session when the refresh does not leave an active context.
 * Does nothing when the session scope is missing, does not exist, or holds no context.
 */
@Override
public void checkCurrentToken() {
    HttpScope sessionScope = httpFacade.getScope(Scope.SESSION);
    if (sessionScope == null || !sessionScope.exists()) {
        return;
    }

    final String contextKey = KeycloakSecurityContext.class.getName();
    RefreshableKeycloakSecurityContext context =
            (RefreshableKeycloakSecurityContext) sessionScope.getAttachment(contextKey);
    if (context == null) {
        return;
    }

    // just in case session got serialized: re-attach the deployment and this token store
    if (context.getDeployment() == null) {
        context.setCurrentRequestInfo(httpFacade.getDeployment(), this);
    }

    if (context.isActive() && !context.getDeployment().isAlwaysRefreshToken()) {
        return;
    }

    // FYI: A refresh requires same scope, so same roles will be set.  Otherwise, refresh will fail and token will
    // not be updated
    if (context.refreshExpiredToken(false) && context.isActive()) {
        return;
    }

    // Refresh failed, so user is already logged out from keycloak. Cleanup and expire our session
    sessionScope.setAttachment(contextKey, null);
    sessionScope.invalidate();
}
 
Example 7
Source File: ElytronCookieTokenStore.java    From keycloak with Apache License 2.0
/**
 * Checks the principal carried in the Keycloak cookie and refreshes its token when the security
 * context is inactive or the deployment always refreshes tokens. Does nothing when the cookie
 * yields no principal.
 */
@Override
public void checkCurrentToken() {
    KeycloakDeployment currentDeployment = httpFacade.getDeployment();
    KeycloakPrincipal<RefreshableKeycloakSecurityContext> cookiePrincipal = CookieTokenStore.getPrincipalFromCookie(currentDeployment, httpFacade, this);
    if (cookiePrincipal == null) {
        return;
    }

    RefreshableKeycloakSecurityContext context = cookiePrincipal.getKeycloakSecurityContext();

    if (!context.isActive() || context.getDeployment().isAlwaysRefreshToken()) {
        // FYI: A refresh requires same scope, so same roles will be set.  Otherwise, refresh will fail and token will
        // not be updated
        boolean refreshed = context.refreshExpiredToken(false);
        if (!refreshed || !context.isActive()) {
            // NOTE(review): this runs only when the refresh FAILED or left the context inactive.
            // The Jetty and Catalina cookie stores call CookieTokenStore.removeCookie on the
            // same path; here the account built from the unrefreshed principal is saved
            // instead. saveAccountInfo is not visible here, so confirm this does not persist a
            // stale token and that the failure path is intended.
            saveAccountInfo(new ElytronAccount(cookiePrincipal));
        }
    }
}
 
Example 8
Source File: OIDCFilterSessionStore.java    From keycloak with Apache License 2.0
/**
 * Validates the security context of the account stored in the current HTTP session, refreshing
 * its token when needed, and invalidates the session when the refresh does not leave an active
 * context. Does nothing when there is no session, no stored account, or no context.
 */
@Override
public void checkCurrentToken() {
    HttpSession currentSession = request.getSession(false);
    if (currentSession == null) {
        return;
    }

    SerializableKeycloakAccount storedAccount = (SerializableKeycloakAccount) currentSession.getAttribute(KeycloakAccount.class.getName());
    if (storedAccount == null) {
        return;
    }

    RefreshableKeycloakSecurityContext context = storedAccount.getKeycloakSecurityContext();
    if (context == null) {
        return;
    }

    // just in case session got serialized: re-attach the deployment and this token store
    if (context.getDeployment() == null) {
        context.setCurrentRequestInfo(deployment, this);
    }

    boolean refreshNeeded = !context.isActive() || context.getDeployment().isAlwaysRefreshToken();
    if (!refreshNeeded) {
        return;
    }

    // FYI: A refresh requires same scope, so same roles will be set.  Otherwise, refresh will fail and token will
    // not be updated
    boolean refreshed = context.refreshExpiredToken(false);
    if (refreshed && context.isActive()) {
        return;
    }

    // Refresh failed, so user is already logged out from keycloak. Cleanup and expire our session
    cleanSession(currentSession);
    currentSession.invalidate();
}
 
Example 9
Source File: CatalinaSessionTokenStore.java    From keycloak with Apache License 2.0
/**
 * Validates the security context of the account stored in the Catalina session. When the
 * context is usable (as-is or after a refresh) it is published on the request together with the
 * account principal and the "KEYCLOAK" auth type; otherwise the request's principal and auth
 * type are cleared and the session is expired. Does nothing when there is no session, no
 * stored account, or no context.
 */
@Override
public void checkCurrentToken() {
    Session catalinaSession = request.getSessionInternal(false);
    if (catalinaSession == null) {
        return;
    }

    SerializableKeycloakAccount storedAccount = (SerializableKeycloakAccount) catalinaSession.getSession().getAttribute(SerializableKeycloakAccount.class.getName());
    if (storedAccount == null) {
        return;
    }

    RefreshableKeycloakSecurityContext securityContext = storedAccount.getKeycloakSecurityContext();
    if (securityContext == null) {
        return;
    }

    // just in case session got serialized: re-attach the deployment and this token store
    if (securityContext.getDeployment() == null) {
        securityContext.setCurrentRequestInfo(deployment, this);
    }

    // FYI: A refresh requires same scope, so same roles will be set.  Otherwise, refresh will fail and token will
    // not be updated
    // Short-circuit order matters: the refresh is attempted only when the context is inactive
    // or a refresh is forced, and the context is re-checked after a successful refresh.
    boolean usable = (securityContext.isActive() && !securityContext.getDeployment().isAlwaysRefreshToken())
            || (securityContext.refreshExpiredToken(false) && securityContext.isActive());
    if (usable) {
        request.setAttribute(KeycloakSecurityContext.class.getName(), securityContext);
        request.setUserPrincipal(storedAccount.getPrincipal());
        request.setAuthType("KEYCLOAK");
        return;
    }

    // Refresh failed, so user is already logged out from keycloak. Cleanup and expire our session
    // The session id written to the log below belongs to the session expired a few lines down.
    log.fine("Cleanup and expire session " + catalinaSession.getId() + " after failed refresh");
    request.setUserPrincipal(null);
    request.setAuthType(null);
    cleanSession(catalinaSession);
    catalinaSession.expire();
}
 
Example 10
Source File: KeycloakSecurityContextRequestFilter.java    From keycloak with Apache License 2.0
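/**
 * Publishes the current Keycloak security context as a request attribute, refreshing its token
 * first when the context is inactive or the deployment always refreshes tokens. The work is
 * done once per request, guarded by the {@code FILTER_APPLIED} attribute.
 *
 * <p>When a refresh is needed and does not leave an active context, the authentication context
 * is cleared and the security context is NOT published on the request. Previously the context
 * was set on the request unconditionally after the refresh branch, so an unrefreshable context
 * was still handed to downstream code right after {@code clearAuthenticationContext()} ran.
 *
 * @param request the incoming request; cast to {@code HttpServletRequest} when a token store
 *                has to be recreated
 * @param response the outgoing response; cast to {@code HttpServletResponse} in the same case
 * @param filterChain the remaining chain, always invoked exactly once
 * @throws IOException propagated from the rest of the chain
 * @throws ServletException propagated from the rest of the chain
 */
@Override
public void doFilter(ServletRequest request, ServletResponse response, FilterChain filterChain) throws IOException, ServletException {
    if (request.getAttribute(FILTER_APPLIED) != null) {
        filterChain.doFilter(request, response);
        return;
    }

    request.setAttribute(FILTER_APPLIED, Boolean.TRUE);

    KeycloakSecurityContext keycloakSecurityContext = getKeycloakSecurityContext();

    if (keycloakSecurityContext instanceof RefreshableKeycloakSecurityContext) {
        RefreshableKeycloakSecurityContext refreshableSecurityContext = (RefreshableKeycloakSecurityContext) keycloakSecurityContext;
        KeycloakDeployment deployment = resolveDeployment(request, response);

        // just in case session got serialized
        if (refreshableSecurityContext.getDeployment() == null) {
            log.trace("Recreating missing deployment and related fields in deserialized context");
            AdapterTokenStore adapterTokenStore = adapterTokenStoreFactory.createAdapterTokenStore(deployment, (HttpServletRequest) request,
                    (HttpServletResponse) response);
            refreshableSecurityContext.setCurrentRequestInfo(deployment, adapterTokenStore);
        }

        boolean contextUsable = true;
        if (!refreshableSecurityContext.isActive() || deployment.isAlwaysRefreshToken()) {
            // Same acceptance rule as the token stores: the refresh must succeed AND the
            // context must be active afterwards.
            contextUsable = refreshableSecurityContext.refreshExpiredToken(false)
                    && refreshableSecurityContext.isActive();
            if (!contextUsable) {
                clearAuthenticationContext();
            }
        }

        // Publish only a usable context; after a failed refresh downstream code must not be
        // handed the stale one.
        if (contextUsable) {
            request.setAttribute(KeycloakSecurityContext.class.getName(), keycloakSecurityContext);
        }
    }

    filterChain.doFilter(request, response);
}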
 
Example 11
Source File: ElytronAccount.java    From keycloak with Apache License 2.0
/**
 * Reports whether this account's security context is active and the deployment does not force
 * a token refresh. No refresh is attempted here: an inactive context, or a deployment that
 * always refreshes tokens, yields {@code false}.
 *
 * @return {@code true} only when the context is active and refresh is not forced
 */
public boolean checkActive() {
    RefreshableKeycloakSecurityContext context = getKeycloakSecurityContext();

    boolean active = context.isActive() && !context.getDeployment().isAlwaysRefreshToken();
    log.debug(active ? "session is active" : "session not active");

    return active;
}