org.keycloak.authentication.authenticators.x509.ValidateX509CertificateUsername クラス

公開メンバ関数

void authenticate (AuthenticationFlowContext context)
 
void action (AuthenticationFlowContext context)
 
Response errorResponse (int status, String error, String errorDescription)
 
CertificateValidator.CertificateValidatorBuilder certificateValidationParameters (X509AuthenticatorConfigModel config) throws Exception
 
void close ()
 
UserIdentityExtractor getUserIdentityExtractor (X509AuthenticatorConfigModel config)
 
UserIdentityToModelMapper getUserIdentityToModelMapper (X509AuthenticatorConfigModel config)
 
boolean requiresUser ()
 
boolean configuredFor (KeycloakSession session, RealmModel realm, UserModel user)
 
void setRequiredActions (KeycloakSession session, RealmModel realm, UserModel user)
 

静的公開変数類

static final String DEFAULT_ATTRIBUTE_NAME = "usercertificate"
 
static final String REGULAR_EXPRESSION = "x509-cert-auth.regular-expression"
 
static final String ENABLE_CRL = "x509-cert-auth.crl-checking-enabled"
 
static final String ENABLE_OCSP = "x509-cert-auth.ocsp-checking-enabled"
 
static final String ENABLE_CRLDP = "x509-cert-auth.crldp-checking-enabled"
 
static final String CRL_RELATIVE_PATH = "x509-cert-auth.crl-relative-path"
 
static final String OCSPRESPONDER_URI = "x509-cert-auth.ocsp-responder-uri"
 
static final String MAPPING_SOURCE_SELECTION = "x509-cert-auth.mapping-source-selection"
 
static final String MAPPING_SOURCE_CERT_SUBJECTDN = "Match SubjectDN using regular expression"
 
static final String MAPPING_SOURCE_CERT_SUBJECTDN_EMAIL = "Subject's e-mail"
 
static final String MAPPING_SOURCE_CERT_SUBJECTALTNAME_EMAIL = "Subject's Alternative Name E-mail"
 
static final String MAPPING_SOURCE_CERT_SUBJECTDN_CN = "Subject's Common Name"
 
static final String MAPPING_SOURCE_CERT_ISSUERDN = "Match IssuerDN using regular expression"
 
static final String MAPPING_SOURCE_CERT_ISSUERDN_EMAIL = "Issuer's e-mail"
 
static final String MAPPING_SOURCE_CERT_ISSUERDN_CN = "Issuer's Common Name"
 
static final String MAPPING_SOURCE_CERT_SERIALNUMBER = "Certificate Serial Number"
 
static final String USER_MAPPER_SELECTION = "x509-cert-auth.mapper-selection"
 
static final String USER_ATTRIBUTE_MAPPER = "Custom Attribute Mapper"
 
static final String USERNAME_EMAIL_MAPPER = "Username or Email"
 
static final String CUSTOM_ATTRIBUTE_NAME = "x509-cert-auth.mapper-selection.user-attribute-name"
 
static final String CERTIFICATE_KEY_USAGE = "x509-cert-auth.keyusage"
 
static final String CERTIFICATE_EXTENDED_KEY_USAGE = "x509-cert-auth.extendedkeyusage"
 
static final String CONFIRMATION_PAGE_DISALLOWED = "x509-cert-auth.confirmation-page-disallowed"
 

限定公開メンバ関数

Response createInfoResponse (AuthenticationFlowContext context, String infoMessage, Object ... parameters)
 
X509Certificate [] getCertificateChain (AuthenticationFlowContext context)
 

静的限定公開変数類

static ServicesLogger logger = ServicesLogger.LOGGER
 

静的変数

static final String DEFAULT_MATCH_ALL_EXPRESSION = "(.*?)(?:$)"
 

詳解

著者
Peter Nalyvayko
バージョン
Revision
1
日付
7/31/2016

関数詳解

◆ action()

/**
 * No-op. In the direct-grant flow this authenticator never issues a form or challenge page
 * (authenticate() answers failures with a JSON error body instead), so there is no
 * posted-back action to process; all work happens in {@link #authenticate}.
 *
 * @param context flow context (unused)
 */
public void action(AuthenticationFlowContext context) {
    // Intentionally does nothing
}

◆ authenticate()

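/**
 * Direct-grant X.509 authentication: derives the user from the client certificate presented on
 * the mutual-TLS connection and either sets it on the flow context or fails the flow.
 *
 * <p>Checks run in this order; each failure ends the flow with
 * {@link AuthenticationFlowError#INVALID_USER} and an OAuth2-style JSON error body:
 * <ol>
 *   <li>a certificate chain is available from the {@code X509ClientCertificateLookup} SPI;</li>
 *   <li>the authenticator configuration is present;</li>
 *   <li>revocation status (CRL / OCSP, as configured), key usage and extended key usage pass;</li>
 *   <li>a user identity can be extracted from the certificate;</li>
 *   <li>that identity maps to exactly one {@link UserModel};</li>
 *   <li>the account is enabled and, if brute-force protection is on, not temporarily locked.</li>
 * </ol>
 *
 * <p>Security notes:
 * <ul>
 *   <li>Only revocation and key-usage constraints are evaluated here. This method performs no
 *       trust-chain or validity-period check of its own; that is assumed to be done by whatever
 *       terminates TLS (or by the lookup provider). Confirm this for the deployment — without it,
 *       any self-issued certificate would reach the identity-mapping step.</li>
 *   <li>Exception text from certificate validation and user lookup is logged server-side only and
 *       the client receives a fixed description. Echoing {@code e.getMessage()} would disclose
 *       CRL/OCSP configuration details and, for duplicate matches, which accounts exist.</li>
 *   <li>Every failure path records an error on the event so audit/event listeners see it.</li>
 *   <li>"Invalid user credentials" (401), "Account disabled" and "Account temporarily disabled"
 *       (400) remain distinguishable, so a caller holding a mappable certificate can learn account
 *       state. This matches the direct-grant error contract and is deliberately unchanged.</li>
 * </ul>
 *
 * @param context flow context; on success {@code setUser} and {@code success()} are invoked,
 *                on failure {@code failure(INVALID_USER, challenge)}
 */
@Override
public void authenticate(AuthenticationFlowContext context) {
    X509Certificate[] certs = getCertificateChain(context);
    if (certs == null || certs.length == 0) {
        logger.debug("[ValidateX509CertificateUsername:authenticate] x509 client certificate is not available for mutual SSL.");
        context.getEvent().error(Errors.USER_NOT_FOUND);
        failFlow(context, Response.Status.UNAUTHORIZED, "invalid_request", "X509 client certificate is missing.");
        return;
    }

    X509AuthenticatorConfigModel config = null;
    if (context.getAuthenticatorConfig() != null && context.getAuthenticatorConfig().getConfig() != null) {
        config = new X509AuthenticatorConfigModel(context.getAuthenticatorConfig());
    }
    if (config == null) {
        logger.warn("[ValidateX509CertificateUsername:authenticate] x509 Client Certificate Authentication configuration is not available.");
        context.getEvent().error(Errors.USER_NOT_FOUND);
        failFlow(context, Response.Status.UNAUTHORIZED, "invalid_request", "Configuration is missing.");
        return;
    }

    // Revocation (CRL/OCSP), key-usage and extended-key-usage checks as configured.
    // NOTE: no trust-chain validation happens here (see class/method notes above).
    try {
        CertificateValidator validator = certificateValidationParameters(config).build(certs);
        validator.checkRevocationStatus()
                 .validateKeyUsage()
                 .validateExtendedKeyUsage();
    } catch (Exception e) {
        // Full detail stays in the server log; the client only learns the certificate was rejected.
        logger.error(e.getMessage(), e);
        context.getEvent().error(Errors.INVALID_USER_CREDENTIALS);
        failFlow(context, Response.Status.UNAUTHORIZED, "invalid_request", "Certificate validation failed.");
        return;
    }

    Object userIdentity = getUserIdentityExtractor(config).extractUserIdentity(certs);
    if (userIdentity == null) {
        context.getEvent().error(Errors.INVALID_USER_CREDENTIALS);
        logger.errorf("[ValidateX509CertificateUsername:authenticate] Unable to extract user identity from certificate.");
        failFlow(context, Response.Status.UNAUTHORIZED, "invalid_request", "Unable to extract user identity from specified certificate");
        return;
    }

    UserModel user;
    try {
        String attempted = userIdentity.toString();
        context.getEvent().detail(Details.USERNAME, attempted);
        context.getAuthenticationSession().setAuthNote(AbstractUsernameFormAuthenticator.ATTEMPTED_USERNAME, attempted);
        user = getUserIdentityToModelMapper(config).find(context, userIdentity);
    } catch (ModelDuplicateException e) {
        // Ambiguous mapping: more than one account matched. Which ones is not for the client to learn.
        logger.modelDuplicateException(e);
        context.getEvent().error(Errors.INVALID_USER_CREDENTIALS);
        failFlow(context, Response.Status.UNAUTHORIZED, "invalid_request", "X509 certificate authentication failed.");
        return;
    } catch (Exception e) {
        logger.error(e.getMessage(), e);
        context.getEvent().error(Errors.INVALID_USER_CREDENTIALS);
        failFlow(context, Response.Status.UNAUTHORIZED, "invalid_request", "X509 certificate authentication failed.");
        return;
    }

    if (user == null) {
        context.getEvent().error(Errors.INVALID_USER_CREDENTIALS);
        failFlow(context, Response.Status.UNAUTHORIZED, "invalid_grant", "Invalid user credentials");
        return;
    }
    if (!user.isEnabled()) {
        context.getEvent().user(user);
        context.getEvent().error(Errors.USER_DISABLED);
        failFlow(context, Response.Status.BAD_REQUEST, "invalid_grant", "Account disabled");
        return;
    }
    // Permanent lockout disables the user (caught above); this covers the temporary lockout window.
    if (context.getRealm().isBruteForceProtected()
            && context.getProtector().isTemporarilyDisabled(context.getSession(), context.getRealm(), user)) {
        context.getEvent().user(user);
        context.getEvent().error(Errors.USER_TEMPORARILY_DISABLED);
        failFlow(context, Response.Status.BAD_REQUEST, "invalid_grant", "Account temporarily disabled");
        return;
    }

    context.setUser(user);
    context.success();
}

/**
 * Ends the flow with {@link AuthenticationFlowError#INVALID_USER} and the OAuth2 JSON error body
 * built by {@link #errorResponse}. {@code description} is sent to the client verbatim, so callers
 * must pass fixed text, never exception messages.
 *
 * @param context     flow context to fail
 * @param status      HTTP status for the challenge response
 * @param error       OAuth2 error code ({@code invalid_request} / {@code invalid_grant})
 * @param description client-facing error description
 */
private void failFlow(AuthenticationFlowContext context, Response.Status status, String error, String description) {
    Response challenge = errorResponse(status.getStatusCode(), error, description);
    context.failure(AuthenticationFlowError.INVALID_USER, challenge);
}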

◆ certificateValidationParameters()

/**
 * Translates the authenticator configuration into a {@link CertificateValidator} builder
 * (presumably driven by the ENABLE_CRL / ENABLE_CRLDP / ENABLE_OCSP, CRL_RELATIVE_PATH,
 * OCSPRESPONDER_URI and key-usage keys declared on this class — verify in
 * CertificateValidatorConfigBuilder).
 *
 * @param config the X.509 authenticator configuration
 * @return a builder ready to be given the certificate chain
 * @throws Exception propagated from {@code CertificateValidatorConfigBuilder.fromConfig};
 *         {@link #authenticate} converts it into an authentication failure
 */
public CertificateValidator.CertificateValidatorBuilder certificateValidationParameters(X509AuthenticatorConfigModel config) throws Exception {
    return CertificateValidatorConfigBuilder.fromConfig(config);
}

◆ close()

/**
 * Nothing to release: this authenticator holds no per-request resources.
 */
public void close() {

}

◆ configuredFor()

/**
 * Always {@code true}: there is no per-user credential to pre-check for certificate
 * authentication. Whether a usable certificate is actually present is decided at
 * authentication time, so a "configured" answer here does not imply the user can log in.
 *
 * @param session current session (unused)
 * @param realm   realm (unused)
 * @param user    user (unused)
 * @return always {@code true}
 */
public boolean configuredFor(KeycloakSession session, RealmModel realm, UserModel user) {
    return true;
}

◆ createInfoResponse()

/**
 * Renders an informational (non-error) page through the realm's login forms provider.
 * Keep {@code infoMessage}/{@code parameters} server-controlled; certificate-derived values
 * should not be placed here unless the template is known to escape them.
 *
 * @param context     flow context supplying the {@link LoginFormsProvider}
 * @param infoMessage message key or text handed to {@code setInfo}
 * @param parameters  format arguments for the message
 * @return the rendered info page
 */
protected Response createInfoResponse(AuthenticationFlowContext context, String infoMessage, Object... parameters) {
    return context.form()
            .setInfo(infoMessage, parameters)
            .createInfoPage();
}

◆ errorResponse()

/**
 * Builds the OAuth2-style JSON error body used by direct-grant failures:
 * {@code {"error": ..., "error_description": ...}} with the given HTTP status.
 * {@code errorDescription} is emitted to the client verbatim — pass fixed, non-sensitive text
 * (never raw exception messages).
 *
 * @param status           HTTP status code of the response
 * @param error            OAuth2 error code, e.g. {@code invalid_request} or {@code invalid_grant}
 * @param errorDescription human-readable detail; omitted from the body when {@code null}
 * @return a JSON response carrying the error fields
 */
public Response errorResponse(int status, String error, String errorDescription) {
    Map<String, String> body = new HashMap<>();
    body.put(OAuth2Constants.ERROR, error);
    if (errorDescription != null) {
        body.put(OAuth2Constants.ERROR_DESCRIPTION, errorDescription);
    }
    return Response.status(status)
            .entity(body)
            .type(MediaType.APPLICATION_JSON_TYPE)
            .build();
}

◆ getCertificateChain()

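/**
 * Fetches the client certificate chain for the current request from the
 * {@code X509ClientCertificateLookup} SPI.
 *
 * <p>Returns {@code null} rather than throwing when the SPI is not configured, when the
 * provider raises a {@link GeneralSecurityException}, or when the provider itself returns
 * {@code null}; {@link #authenticate} treats all of these as "no certificate presented".
 * The chain is returned exactly as supplied — nothing is validated here.
 *
 * <p>Security note: where the provider obtains the chain (the TLS layer or a form forwarded by
 * a reverse proxy) is not visible from this method. If it is proxy-forwarded, only the trusted
 * proxy must be able to supply it — TODO confirm for the deployment.
 *
 * @param context flow context giving access to the session and HTTP request
 * @return the certificate chain, or {@code null} if none could be obtained
 */
protected X509Certificate[] getCertificateChain(AuthenticationFlowContext context) {
    try {
        X509ClientCertificateLookup provider = context.getSession().getProvider(X509ClientCertificateLookup.class);
        if (provider == null) {
            logger.errorv("\"{0}\" Spi is not available, did you forget to update the configuration?",
                    X509ClientCertificateLookup.class);
            return null;
        }

        X509Certificate[] chain = provider.getCertificateChain(context.getHttpRequest());
        if (chain != null) {
            for (X509Certificate cert : chain) {
                // getSubjectX500Principal() replaces the deprecated getSubjectDN(); trace only.
                logger.tracev("\"{0}\"", cert.getSubjectX500Principal().getName());
            }
        }
        return chain;
    } catch (GeneralSecurityException e) {
        logger.error(e.getMessage(), e);
        return null;
    }
}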

◆ getUserIdentityExtractor()

/**
 * Returns the extractor that pulls the user identity out of the certificate chain
 * (presumably selected by the MAPPING_SOURCE_SELECTION key — subject/issuer DN regex, e-mail,
 * SAN e-mail, CN or serial number; verify in UserIdentityExtractorBuilder).
 *
 * @param config the X.509 authenticator configuration
 * @return the configured identity extractor
 */
public UserIdentityExtractor getUserIdentityExtractor(X509AuthenticatorConfigModel config) {
    return UserIdentityExtractorBuilder.fromConfig(config);
}

◆ getUserIdentityToModelMapper()

/**
 * Returns the mapper that resolves an extracted identity to a {@link UserModel}
 * (presumably selected by the USER_MAPPER_SELECTION key — username/e-mail or a custom user
 * attribute; verify in UserIdentityToModelMapperBuilder). A lookup matching more than one
 * account surfaces as a ModelDuplicateException in {@link #authenticate}.
 *
 * @param config the X.509 authenticator configuration
 * @return the configured identity-to-user mapper
 */
public UserIdentityToModelMapper getUserIdentityToModelMapper(X509AuthenticatorConfigModel config) {
    return UserIdentityToModelMapperBuilder.fromConfig(config);
}

◆ requiresUser()

/**
 * {@code false}: the flow need not have identified a user before this authenticator runs.
 * {@link #authenticate} resolves the user from the certificate itself and sets it on the context.
 *
 * @return always {@code false}
 */
public boolean requiresUser() {
    return false;
}

◆ setRequiredActions()

/**
 * No required action is registered: certificate authentication has no per-user setup step.
 *
 * @param session current session (unused)
 * @param realm   realm (unused)
 * @param user    user (unused)
 */
public void setRequiredActions(KeycloakSession session, RealmModel realm, UserModel user) {
}

メンバ詳解

◆ CERTIFICATE_EXTENDED_KEY_USAGE

final String org.keycloak.authentication.authenticators.x509.AbstractX509ClientCertificateAuthenticator.CERTIFICATE_EXTENDED_KEY_USAGE = "x509-cert-auth.extendedkeyusage"
staticinherited

◆ CERTIFICATE_KEY_USAGE

final String org.keycloak.authentication.authenticators.x509.AbstractX509ClientCertificateAuthenticator.CERTIFICATE_KEY_USAGE = "x509-cert-auth.keyusage"
staticinherited

◆ CONFIRMATION_PAGE_DISALLOWED

final String org.keycloak.authentication.authenticators.x509.AbstractX509ClientCertificateAuthenticator.CONFIRMATION_PAGE_DISALLOWED = "x509-cert-auth.confirmation-page-disallowed"
staticinherited

◆ CRL_RELATIVE_PATH

final String org.keycloak.authentication.authenticators.x509.AbstractX509ClientCertificateAuthenticator.CRL_RELATIVE_PATH = "x509-cert-auth.crl-relative-path"
staticinherited

◆ CUSTOM_ATTRIBUTE_NAME

final String org.keycloak.authentication.authenticators.x509.AbstractX509ClientCertificateAuthenticator.CUSTOM_ATTRIBUTE_NAME = "x509-cert-auth.mapper-selection.user-attribute-name"
staticinherited

◆ DEFAULT_ATTRIBUTE_NAME

final String org.keycloak.authentication.authenticators.x509.AbstractX509ClientCertificateAuthenticator.DEFAULT_ATTRIBUTE_NAME = "usercertificate"
staticinherited

◆ DEFAULT_MATCH_ALL_EXPRESSION

final String org.keycloak.authentication.authenticators.x509.AbstractX509ClientCertificateAuthenticator.DEFAULT_MATCH_ALL_EXPRESSION = "(.*?)(?:$)"
staticpackageinherited

◆ ENABLE_CRL

final String org.keycloak.authentication.authenticators.x509.AbstractX509ClientCertificateAuthenticator.ENABLE_CRL = "x509-cert-auth.crl-checking-enabled"
staticinherited

◆ ENABLE_CRLDP

final String org.keycloak.authentication.authenticators.x509.AbstractX509ClientCertificateAuthenticator.ENABLE_CRLDP = "x509-cert-auth.crldp-checking-enabled"
staticinherited

◆ ENABLE_OCSP

final String org.keycloak.authentication.authenticators.x509.AbstractX509ClientCertificateAuthenticator.ENABLE_OCSP = "x509-cert-auth.ocsp-checking-enabled"
staticinherited

◆ logger

ServicesLogger org.keycloak.authentication.authenticators.x509.ValidateX509CertificateUsername.logger = ServicesLogger.LOGGER
staticprotected

◆ MAPPING_SOURCE_CERT_ISSUERDN

final String org.keycloak.authentication.authenticators.x509.AbstractX509ClientCertificateAuthenticator.MAPPING_SOURCE_CERT_ISSUERDN = "Match IssuerDN using regular expression"
staticinherited

◆ MAPPING_SOURCE_CERT_ISSUERDN_CN

final String org.keycloak.authentication.authenticators.x509.AbstractX509ClientCertificateAuthenticator.MAPPING_SOURCE_CERT_ISSUERDN_CN = "Issuer's Common Name"
staticinherited

◆ MAPPING_SOURCE_CERT_ISSUERDN_EMAIL

final String org.keycloak.authentication.authenticators.x509.AbstractX509ClientCertificateAuthenticator.MAPPING_SOURCE_CERT_ISSUERDN_EMAIL = "Issuer's e-mail"
staticinherited

◆ MAPPING_SOURCE_CERT_SERIALNUMBER

final String org.keycloak.authentication.authenticators.x509.AbstractX509ClientCertificateAuthenticator.MAPPING_SOURCE_CERT_SERIALNUMBER = "Certificate Serial Number"
staticinherited

◆ MAPPING_SOURCE_CERT_SUBJECTALTNAME_EMAIL

final String org.keycloak.authentication.authenticators.x509.AbstractX509ClientCertificateAuthenticator.MAPPING_SOURCE_CERT_SUBJECTALTNAME_EMAIL = "Subject's Alternative Name E-mail"
staticinherited

◆ MAPPING_SOURCE_CERT_SUBJECTDN

final String org.keycloak.authentication.authenticators.x509.AbstractX509ClientCertificateAuthenticator.MAPPING_SOURCE_CERT_SUBJECTDN = "Match SubjectDN using regular expression"
staticinherited

◆ MAPPING_SOURCE_CERT_SUBJECTDN_CN

final String org.keycloak.authentication.authenticators.x509.AbstractX509ClientCertificateAuthenticator.MAPPING_SOURCE_CERT_SUBJECTDN_CN = "Subject's Common Name"
staticinherited

◆ MAPPING_SOURCE_CERT_SUBJECTDN_EMAIL

final String org.keycloak.authentication.authenticators.x509.AbstractX509ClientCertificateAuthenticator.MAPPING_SOURCE_CERT_SUBJECTDN_EMAIL = "Subject's e-mail"
staticinherited

◆ MAPPING_SOURCE_SELECTION

final String org.keycloak.authentication.authenticators.x509.AbstractX509ClientCertificateAuthenticator.MAPPING_SOURCE_SELECTION = "x509-cert-auth.mapping-source-selection"
staticinherited

◆ OCSPRESPONDER_URI

final String org.keycloak.authentication.authenticators.x509.AbstractX509ClientCertificateAuthenticator.OCSPRESPONDER_URI = "x509-cert-auth.ocsp-responder-uri"
staticinherited

◆ REGULAR_EXPRESSION

final String org.keycloak.authentication.authenticators.x509.AbstractX509ClientCertificateAuthenticator.REGULAR_EXPRESSION = "x509-cert-auth.regular-expression"
staticinherited

◆ USER_ATTRIBUTE_MAPPER

final String org.keycloak.authentication.authenticators.x509.AbstractX509ClientCertificateAuthenticator.USER_ATTRIBUTE_MAPPER = "Custom Attribute Mapper"
staticinherited

◆ USER_MAPPER_SELECTION

final String org.keycloak.authentication.authenticators.x509.AbstractX509ClientCertificateAuthenticator.USER_MAPPER_SELECTION = "x509-cert-auth.mapper-selection"
staticinherited

◆ USERNAME_EMAIL_MAPPER

final String org.keycloak.authentication.authenticators.x509.AbstractX509ClientCertificateAuthenticator.USERNAME_EMAIL_MAPPER = "Username or Email"
staticinherited
