org.keycloak.federation.kerberos.KerberosFederationProvider の継承関係図

org.keycloak.federation.kerberos.KerberosFederationProvider 連携図

公開メンバ関数
	KerberosFederationProvider (KeycloakSession session, UserStorageProviderModel model, KerberosFederationProviderFactory factory)

UserModel	validate (RealmModel realm, UserModel user)

UserModel	getUserByUsername (String username, RealmModel realm)

UserModel	getUserByEmail (String email, RealmModel realm)

UserModel	getUserById (String id, RealmModel realm)

void	preRemove (RealmModel realm)

void	preRemove (RealmModel realm, RoleModel role)

void	preRemove (RealmModel realm, GroupModel group)

boolean	isValid (RealmModel realm, UserModel local)

boolean	updateCredential (RealmModel realm, UserModel user, CredentialInput input)

void	disableCredentialType (RealmModel realm, UserModel user, String credentialType)

Set< String >	getDisableableCredentialTypes (RealmModel realm, UserModel user)

boolean	supportsCredentialType (String credentialType)

boolean	supportsCredentialAuthenticationFor (String type)

boolean	isConfiguredFor (RealmModel realm, UserModel user, String credentialType)

boolean	isValid (RealmModel realm, UserModel user, CredentialInput input)

CredentialValidationOutput	authenticate (RealmModel realm, CredentialInput input)

void	close ()

静的公開変数類
static final String	KERBEROS_PRINCIPAL = "KERBEROS_PRINCIPAL"

限定公開メンバ関数
boolean	validPassword (String username, String password)

UserModel	findOrCreateAuthenticatedUser (RealmModel realm, String username)

UserModel	importUserToKeycloak (RealmModel realm, String username)

限定公開変数類
KeycloakSession	session

UserStorageProviderModel	model

KerberosConfig	kerberosConfig

KerberosFederationProviderFactory	factory

静的非公開変数類
static final Logger	logger = Logger.getLogger(KerberosFederationProvider.class)

詳解

著者: Marek Posolda

構築子と解体子

◆ KerberosFederationProvider()

org.keycloak.federation.kerberos.KerberosFederationProvider.KerberosFederationProvider	(	KeycloakSession	session,
		UserStorageProviderModel	model,
		KerberosFederationProviderFactory	factory
	)

inline

                                                                                                                                           {
         this.session = session;
         this.model = model;
         this.kerberosConfig = new KerberosConfig(model);
         this.factory = factory;
     }

関数詳解

◆ authenticate()

CredentialValidationOutput org.keycloak.federation.kerberos.KerberosFederationProvider.authenticate	(	RealmModel	realm,
		CredentialInput	input
	)

inline

                                                                                             {
         if (!(input instanceof UserCredentialModel)) return null;
         UserCredentialModel credential = (UserCredentialModel)input;
         if (credential.getType().equals(UserCredentialModel.KERBEROS)) {
             String spnegoToken = credential.getValue();
             SPNEGOAuthenticator spnegoAuthenticator = factory.createSPNEGOAuthenticator(spnegoToken, kerberosConfig);
 
             spnegoAuthenticator.authenticate();
 
             Map<String, String> state = new HashMap<String, String>();
             if (spnegoAuthenticator.isAuthenticated()) {
                 String username = spnegoAuthenticator.getAuthenticatedUsername();
                 UserModel user = findOrCreateAuthenticatedUser(realm, username);
                 if (user == null) {
                     return CredentialValidationOutput.failed();
                 } else {
                     String delegationCredential = spnegoAuthenticator.getSerializedDelegationCredential();
                     if (delegationCredential != null) {
                         state.put(KerberosConstants.GSS_DELEGATION_CREDENTIAL, delegationCredential);
                     }
 
                     return new CredentialValidationOutput(user, CredentialValidationOutput.Status.AUTHENTICATED, state);
                 }
             }  else {
                 state.put(KerberosConstants.RESPONSE_TOKEN, spnegoAuthenticator.getResponseToken());
                 return new CredentialValidationOutput(null, CredentialValidationOutput.Status.CONTINUE, state);
             }
 
         } else {
             return null;
         }
     }

◆ close()

void org.keycloak.federation.kerberos.KerberosFederationProvider.close ( )

inline

                         {
 
     }

◆ disableCredentialType()

void org.keycloak.federation.kerberos.KerberosFederationProvider.disableCredentialType	(	RealmModel	realm,
		UserModel	user,
		String	credentialType
	)

inline

                                                                                                {
 
     }

◆ findOrCreateAuthenticatedUser()

UserModel org.keycloak.federation.kerberos.KerberosFederationProvider.findOrCreateAuthenticatedUser	(	RealmModel	realm,
		String	username
	)

inlineprotected

Called after successful authentication

引数

realm	realm
username	username without realm prefix

戻り値: user if found or successfully created. Null if user with same username already exists, but is not linked to this provider

                                                                                          {
         UserModel user = session.userLocalStorage().getUserByUsername(username, realm);
         if (user != null) {
             user = session.users().getUserById(user.getId(), realm);  // make sure we get a cached instance
             logger.debug("Kerberos authenticated user " + username + " found in Keycloak storage");
 
             if (!model.getId().equals(user.getFederationLink())) {
                 logger.warn("User with username " + username + " already exists, but is not linked to provider [" + model.getName() + "]");
                 return null;
             } else {
                 UserModel proxied = validate(realm, user);
                 if (proxied != null) {
                     return proxied;
                 } else {
                     logger.warn("User with username " + username + " already exists and is linked to provider [" + model.getName() +
                             "] but kerberos principal is not correct. Kerberos principal on user is: " + user.getFirstAttribute(KERBEROS_PRINCIPAL));
                     logger.warn("Will re-create user");
                     new UserManager(session).removeUser(realm, user, session.userLocalStorage());
                 }
             }
         }
 
         logger.debug("Kerberos authenticated user " + username + " not in Keycloak storage. Creating him");
         return importUserToKeycloak(realm, username);
     }

◆ getDisableableCredentialTypes()

Set<String> org.keycloak.federation.kerberos.KerberosFederationProvider.getDisableableCredentialTypes	(	RealmModel	realm,
		UserModel	user
	)

inline

                                                                                        {
         return Collections.EMPTY_SET;
     }

◆ getUserByEmail()

UserModel org.keycloak.federation.kerberos.KerberosFederationProvider.getUserByEmail	(	String	email,
		RealmModel	realm
	)

inline

                                                                     {
         return null;
     }

◆ getUserById()

UserModel org.keycloak.federation.kerberos.KerberosFederationProvider.getUserById	(	String	id,
		RealmModel	realm
	)

inline

                                                               {
         return null;
     }

◆ getUserByUsername()

UserModel org.keycloak.federation.kerberos.KerberosFederationProvider.getUserByUsername	(	String	username,
		RealmModel	realm
	)

inline

                                                                           {
         KerberosUsernamePasswordAuthenticator authenticator = factory.createKerberosUsernamePasswordAuthenticator(kerberosConfig);
         if (authenticator.isUserAvailable(username)) {
             // Case when method was called with username including kerberos realm like john@REALM.ORG . Authenticator already checked that kerberos realm was correct
             if (username.contains("@")) {
                 username = username.split("@")[0];
             }
 
             return findOrCreateAuthenticatedUser(realm, username);
         } else {
             return null;
         }
     }

◆ importUserToKeycloak()

UserModel org.keycloak.federation.kerberos.KerberosFederationProvider.importUserToKeycloak	(	RealmModel	realm,
		String	username
	)

inlineprotected

                                                                                 {
         // Just guessing email from kerberos realm
         String email = username + "@" + kerberosConfig.getKerberosRealm().toLowerCase();
 
         logger.debugf("Creating kerberos user: %s, email: %s to local Keycloak storage", username, email);
         UserModel user = session.userLocalStorage().addUser(realm, username);
         user.setEnabled(true);
         user.setEmail(email);
         user.setFederationLink(model.getId());
         user.setSingleAttribute(KERBEROS_PRINCIPAL, username + "@" + kerberosConfig.getKerberosRealm());
 
         if (kerberosConfig.isUpdateProfileFirstLogin()) {
             user.addRequiredAction(UserModel.RequiredAction.UPDATE_PROFILE);
         }
 
         return validate(realm, user);
     }

◆ isConfiguredFor()

boolean org.keycloak.federation.kerberos.KerberosFederationProvider.isConfiguredFor	(	RealmModel	realm,
		UserModel	user,
		String	credentialType
	)

inline

                                                                                             {
         return supportsCredentialType(credentialType);
     }

◆ isValid() [1/2]

boolean org.keycloak.federation.kerberos.KerberosFederationProvider.isValid	(	RealmModel	realm,
		UserModel	local
	)

inline

                                                               {
         // KerberosUsernamePasswordAuthenticator.isUserAvailable is an overhead, so avoid it for now
 
         String kerberosPrincipal = local.getUsername() + "@" + kerberosConfig.getKerberosRealm();
         return kerberosPrincipal.equalsIgnoreCase(local.getFirstAttribute(KERBEROS_PRINCIPAL));
     }

◆ isValid() [2/2]

boolean org.keycloak.federation.kerberos.KerberosFederationProvider.isValid	(	RealmModel	realm,
		UserModel	user,
		CredentialInput	input
	)

inline

                                                                                     {
         if (!(input instanceof UserCredentialModel)) return false;
         if (input.getType().equals(UserCredentialModel.PASSWORD) && !session.userCredentialManager().isConfiguredLocally(realm, user, UserCredentialModel.PASSWORD)) {
             return validPassword(user.getUsername(), ((UserCredentialModel)input).getValue());
         } else {
             return false; // invalid cred type
         }
     }

◆ preRemove() [1/3]

void org.keycloak.federation.kerberos.KerberosFederationProvider.preRemove ( RealmModel realm )

inline

                                             {
 
     }

◆ preRemove() [2/3]

void org.keycloak.federation.kerberos.KerberosFederationProvider.preRemove	(	RealmModel	realm,
		RoleModel	role
	)

inline

                                                             {
 
     }

◆ preRemove() [3/3]

void org.keycloak.federation.kerberos.KerberosFederationProvider.preRemove	(	RealmModel	realm,
		GroupModel	group
	)

inline

                                                               {
 
     }

◆ supportsCredentialAuthenticationFor()

boolean org.keycloak.federation.kerberos.KerberosFederationProvider.supportsCredentialAuthenticationFor ( String type )

inline

                                                                     {
         return CredentialModel.KERBEROS.equals(type);
     }

◆ supportsCredentialType()

boolean org.keycloak.federation.kerberos.KerberosFederationProvider.supportsCredentialType ( String credentialType )

inline

                                                                  {
         return credentialType.equals(CredentialModel.KERBEROS) || (kerberosConfig.isAllowPasswordAuthentication() && credentialType.equals(CredentialModel.PASSWORD));
     }

◆ updateCredential()

boolean org.keycloak.federation.kerberos.KerberosFederationProvider.updateCredential	(	RealmModel	realm,
		UserModel	user,
		CredentialInput	input
	)

inline

                                                                                              {
         if (!(input instanceof UserCredentialModel) || !CredentialModel.PASSWORD.equals(input.getType())) return false;
         if (kerberosConfig.getEditMode() == EditMode.READ_ONLY) {
             throw new ReadOnlyException("Can't change password in Keycloak database. Change password with your Kerberos server");
         }
         return false;
     }

◆ validate()

UserModel org.keycloak.federation.kerberos.KerberosFederationProvider.validate	(	RealmModel	realm,
		UserModel	user
	)

inline

                                                                 {
         if (!isValid(realm, user)) {
             return null;
         }
 
         if (kerberosConfig.getEditMode() == EditMode.READ_ONLY) {
             return new ReadOnlyKerberosUserModelDelegate(user, this);
         } else {
             return user;
         }
     }

◆ validPassword()

boolean org.keycloak.federation.kerberos.KerberosFederationProvider.validPassword	(	String	username,
		String	password
	)

inlineprotected

                                                                       {
         if (kerberosConfig.isAllowPasswordAuthentication()) {
             KerberosUsernamePasswordAuthenticator authenticator = factory.createKerberosUsernamePasswordAuthenticator(kerberosConfig);
             return authenticator.validUser(username, password);
         } else {
             return false;
         }
     }

メンバ詳解

◆ factory

KerberosFederationProviderFactory org.keycloak.federation.kerberos.KerberosFederationProvider.factory

protected

◆ KERBEROS_PRINCIPAL

final String org.keycloak.federation.kerberos.KerberosFederationProvider.KERBEROS_PRINCIPAL = "KERBEROS_PRINCIPAL"

static

◆ kerberosConfig

KerberosConfig org.keycloak.federation.kerberos.KerberosFederationProvider.kerberosConfig

protected

◆ logger

final Logger org.keycloak.federation.kerberos.KerberosFederationProvider.logger = Logger.getLogger(KerberosFederationProvider.class)

staticprivate

◆ model

UserStorageProviderModel org.keycloak.federation.kerberos.KerberosFederationProvider.model

protected

◆ session

KeycloakSession org.keycloak.federation.kerberos.KerberosFederationProvider.session

protected

このクラス詳解は次のファイルから抽出されました:

D:/AppData/doxygen/keycloak/federation/src/federation/kerberos/src/main/java/org/keycloak/federation/kerberos/KerberosFederationProvider.java

公開メンバ関数

静的公開変数類

限定公開メンバ関数

限定公開変数類

静的非公開変数類

詳解

構築子と解体子

◆ KerberosFederationProvider()

関数詳解

◆ authenticate()

◆ close()

◆ disableCredentialType()

◆ findOrCreateAuthenticatedUser()

◆ getDisableableCredentialTypes()

◆ getUserByEmail()

◆ getUserById()

◆ getUserByUsername()

◆ importUserToKeycloak()

◆ isConfiguredFor()

◆ isValid() [1/2]

◆ isValid() [2/2]

◆ preRemove() [1/3]

◆ preRemove() [2/3]

◆ preRemove() [3/3]

◆ supportsCredentialAuthenticationFor()

◆ supportsCredentialType()

◆ updateCredential()

◆ validate()

◆ validPassword()

メンバ詳解

◆ factory

◆ KERBEROS_PRINCIPAL

◆ kerberosConfig

◆ logger

◆ model

◆ session