org.keycloak.adapters.AuthenticatedActionsHandler 連携図

公開メンバ関数
	AuthenticatedActionsHandler (KeycloakDeployment deployment, OIDCHttpFacade facade)

boolean	handledRequest ()

限定公開メンバ関数
void	queryBearerToken ()

boolean	abortTokenResponse ()

boolean	corsRequest ()

限定公開変数類
KeycloakDeployment	deployment

OIDCHttpFacade	facade

非公開メンバ関数
boolean	isAuthorized ()

静的非公開変数類
static final Logger	log = Logger.getLogger(AuthenticatedActionsHandler.class)

詳解

Pre-installed actions that must be authenticated

Actions include:

CORS Origin Check and Response headers k_query_bearer_token: Get bearer token from server for Javascripts CORS requests

著者: Bill Burke

バージョン

Revision: 1

構築子と解体子

◆ AuthenticatedActionsHandler()

org.keycloak.adapters.AuthenticatedActionsHandler.AuthenticatedActionsHandler	(	KeycloakDeployment	deployment,
		OIDCHttpFacade	facade
	)

inline

                                                                                              {
         this.deployment = deployment;
         this.facade = facade;
     }

関数詳解

◆ abortTokenResponse()

boolean org.keycloak.adapters.AuthenticatedActionsHandler.abortTokenResponse ( )

inlineprotected

                                            {
         if (facade.getSecurityContext() == null) {
             log.debugv("Not logged in, sending back 401: {0}",facade.getRequest().getURI());
             facade.getResponse().sendError(401);
             facade.getResponse().end();
             return true;
         }
         if (!deployment.isExposeToken()) {
             facade.getResponse().setStatus(200);
             facade.getResponse().end();
              return true;
         }
         // Don't allow a CORS request if we're not validating CORS requests.
         if (!deployment.isCors() && facade.getRequest().getHeader(CorsHeaders.ORIGIN) != null) {
             facade.getResponse().setStatus(200);
             facade.getResponse().end();
             return true;
         }
         return false;
     }

◆ corsRequest()

boolean org.keycloak.adapters.AuthenticatedActionsHandler.corsRequest ( )

inlineprotected

                                      {
         if (!deployment.isCors()) return false;
         KeycloakSecurityContext securityContext = facade.getSecurityContext();
         String origin = facade.getRequest().getHeader(CorsHeaders.ORIGIN);
         String exposeHeaders = deployment.getCorsExposedHeaders();
 
         if (deployment.getPolicyEnforcer() != null) {
             if (exposeHeaders != null) {
                 exposeHeaders += ",";
             }
             exposeHeaders += "WWW-Authenticate";
         }
 
         String requestOrigin = UriUtils.getOrigin(facade.getRequest().getURI());
         log.debugv("Origin: {0} uri: {1}", origin, facade.getRequest().getURI());
         if (securityContext != null && origin != null && !origin.equals(requestOrigin)) {
             AccessToken token = securityContext.getToken();
             Set<String> allowedOrigins = token.getAllowedOrigins();
             if (log.isDebugEnabled()) {
                 for (String a : allowedOrigins) log.debug("   " + a);
             }
             if (allowedOrigins == null || (!allowedOrigins.contains("*") && !allowedOrigins.contains(origin))) {
                 if (allowedOrigins == null) {
                     log.debugv("allowedOrigins was null in token");
                 } else {
                     log.debugv("allowedOrigins did not contain origin");
 
                 }
                 facade.getResponse().sendError(403);
                 facade.getResponse().end();
                 return true;
             }
             log.debugv("returning origin: {0}", origin);
             facade.getResponse().setStatus(200);
             facade.getResponse().setHeader(CorsHeaders.ACCESS_CONTROL_ALLOW_ORIGIN, origin);
             facade.getResponse().setHeader(CorsHeaders.ACCESS_CONTROL_ALLOW_CREDENTIALS, "true");
             if (exposeHeaders != null) {
                 facade.getResponse().setHeader(CorsHeaders.ACCESS_CONTROL_EXPOSE_HEADERS, exposeHeaders);
             }
         } else {
             log.debugv("cors validation not needed as we're not a secure session or origin header was null: {0}", facade.getRequest().getURI());
         }
         return false;
     }

◆ handledRequest()

boolean org.keycloak.adapters.AuthenticatedActionsHandler.handledRequest ( )

inline

                                     {
         log.debugv("AuthenticatedActionsValve.invoke {0}", facade.getRequest().getURI());
         if (corsRequest()) return true;
         String requestUri = facade.getRequest().getURI();
         if (requestUri.endsWith(AdapterConstants.K_QUERY_BEARER_TOKEN)) {
             queryBearerToken();
             return true;
         }
         if (!isAuthorized()) {
             return true;
         }
         return false;
     }

◆ isAuthorized()

boolean org.keycloak.adapters.AuthenticatedActionsHandler.isAuthorized ( )

inlineprivate

                                    {
         PolicyEnforcer policyEnforcer = this.deployment.getPolicyEnforcer();
 
         if (policyEnforcer == null) {
             log.debugv("Policy enforcement is disabled.");
             return true;
         }
         try {
             OIDCHttpFacade facade = (OIDCHttpFacade) this.facade;
             AuthorizationContext authorizationContext = policyEnforcer.enforce(facade);
             RefreshableKeycloakSecurityContext session = (RefreshableKeycloakSecurityContext) facade.getSecurityContext();
 
             if (session != null) {
                 session.setAuthorizationContext(authorizationContext);
 
                 return authorizationContext.isGranted();
             }
 
             return true;
         } catch (Exception e) {
             throw new RuntimeException("Failed to enforce policy decisions.", e);
         }
     }

◆ queryBearerToken()

void org.keycloak.adapters.AuthenticatedActionsHandler.queryBearerToken ( )

inlineprotected

                                        {
         log.debugv("queryBearerToken {0}",facade.getRequest().getURI());
         if (abortTokenResponse()) return;
         facade.getResponse().setStatus(200);
         facade.getResponse().setHeader("Content-Type", "text/plain");
         try {
             facade.getResponse().getOutputStream().write(facade.getSecurityContext().getTokenString().getBytes());
         } catch (IOException e) {
             throw new RuntimeException(e);
         }
         facade.getResponse().end();
     }

メンバ詳解

◆ deployment

KeycloakDeployment org.keycloak.adapters.AuthenticatedActionsHandler.deployment

protected

◆ facade

OIDCHttpFacade org.keycloak.adapters.AuthenticatedActionsHandler.facade

protected

◆ log

final Logger org.keycloak.adapters.AuthenticatedActionsHandler.log = Logger.getLogger(AuthenticatedActionsHandler.class)

staticprivate

このクラス詳解は次のファイルから抽出されました:

D:/AppData/OpenId/keycloak/doxygen/src/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/AuthenticatedActionsHandler.java

公開メンバ関数

限定公開メンバ関数

限定公開変数類

非公開メンバ関数

静的非公開変数類

詳解

構築子と解体子

◆ AuthenticatedActionsHandler()

関数詳解

◆ abortTokenResponse()

◆ corsRequest()

◆ handledRequest()

◆ isAuthorized()

◆ queryBearerToken()

メンバ詳解

◆ deployment

◆ facade

◆ log