if (realmAccess != null && realmAccess.getRoles() != null) { for (String r : realmAccess.getRoles()) { roles.add(r); if (resourceAccess != null) { for (Map.Entry<String, AccessToken.Access> e : resourceAccess.entrySet()) { if (e.getValue().getRoles() != null) { for (String r : e.getValue().getRoles()) { roles.add(e.getKey().replace('/', '-') + "/" + r.replace('/', '-'));
/**
 * Returns the {@link Access} entry registered for {@code service}, creating and storing an
 * empty one when none exists yet. The backing map is allocated lazily on first use.
 *
 * @param service client / resource id used as the map key
 * @return the existing or newly created entry, never {@code null}
 */
public Access addAccess(String service) {
    if (resourceAccess == null) {
        resourceAccess = new HashMap<>();
    }
    // computeIfAbsent treats "no key" and "key mapped to null" alike, exactly as the
    // get-then-put sequence did, so this is a pure restyle.
    return resourceAccess.computeIfAbsent(service, key -> new Access());
}
/**
 * Builds a refresh token from an access token. Issuer, subject, issuedFor, sessionState, nonce
 * and scope are carried over; realmAccess and resourceAccess are deep-copied so that later
 * changes to either token's role sets do not leak into the other. The audience is set to the
 * single entry {@code token.issuer}.
 *
 * @param token the access token to derive this refresh token from; must not be {@code null}
 */
public RefreshToken(AccessToken token) {
    this();
    issuer = token.issuer;
    subject = token.subject;
    issuedFor = token.issuedFor;
    sessionState = token.sessionState;
    nonce = token.nonce;
    scope = token.scope;
    // A refresh token is addressed to the issuer that will later exchange it.
    audience = new String[] { token.issuer };
    if (token.realmAccess != null) {
        realmAccess = token.realmAccess.clone();
    }
    if (token.resourceAccess != null) {
        HashMap<String, Access> copied = new HashMap<String, Access>();
        for (Map.Entry<String, Access> entry : token.resourceAccess.entrySet()) {
            copied.put(entry.getKey(), entry.getValue().clone());
        }
        resourceAccess = copied;
    }
}
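/**
 * Writes one audit record (caller, URL, realm and resource roles, request parameters) and an
 * info log line before the handler runs.
 *
 * This interceptor never blocks a request: it always returns {@code true}, and any failure
 * while assembling the record is logged at WARN. Access control is enforced elsewhere.
 *
 * @return always {@code true}
 */
@Override
public boolean preHandle(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, Object handler) {
    try {
        SimpleHttpFacade simpleHttpFacade = new SimpleHttpFacade(httpServletRequest, httpServletResponse);
        AccessToken accessToken = simpleHttpFacade.getSecurityContext().getToken();

        // realmAccess and resourceAccess are both optional on an AccessToken, so every
        // dereference is guarded instead of relying on the catch-all below to swallow the
        // NullPointerException (which would also silently drop the audit record).
        Set<String> resourceRoles = Sets.newHashSet();
        AccessToken.Access resourceAccess = accessToken.getResourceAccess() == null
            ? null
            : accessToken.getResourceAccess().get(keycloakResource);
        if (resourceAccess != null && resourceAccess.getRoles() != null) {
            resourceRoles = resourceAccess.getRoles();
        }
        Set<String> realmRoles = Sets.newHashSet();
        AccessToken.Access realmAccess = accessToken.getRealmAccess();
        if (realmAccess != null && realmAccess.getRoles() != null) {
            realmRoles = realmAccess.getRoles();
        }
        String[] audience = accessToken.getAudience();
        String firstAudience = (audience == null || audience.length == 0) ? null : audience[0];

        locKeycloakLog.save(
            LocKeycloakLog.LocKeycloakLogDomain.builder()
                // Map.toString() on a Map<String, String[]> prints array identities, not
                // values, which made the stored "param" useless; render name=[values] instead.
                // This persists raw client-supplied parameter values; if requests can carry
                // credentials or tokens as parameters, record parameter names only.
                .param(renderParameters(httpServletRequest))
                .createDateTime(LocalDateTime.now())
                .url(httpServletRequest.getContextPath())
                .userName(accessToken.getName())
                .email(accessToken.getEmail())
                .realmRoles(realmRoles)
                .resourceRoles(resourceRoles)
                .build());
        log.info("keycloak security pre handle {} ({}) in {} access {}", accessToken.getName(),
            accessToken.getEmail(), firstAudience, httpServletRequest.getRequestURI());
    } catch (Exception e) {
        log.warn(e.getMessage(), e);
    }
    return true;
}

/**
 * Renders the request's parameters as {@code {name=[v1, v2], ...}} so that multi-valued
 * parameters are readable in the audit record.
 */
private static String renderParameters(HttpServletRequest request) {
    StringBuilder sb = new StringBuilder("{");
    for (String name : request.getParameterMap().keySet()) {
        if (sb.length() > 1) {
            sb.append(", ");
        }
        String[] values = request.getParameterValues(name);
        sb.append(name).append("=[").append(values == null ? "" : String.join(", ", values)).append(']');
    }
    return sb.append('}').toString();
}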
/**
 * Resolves the role names the deployment treats as authoritative for this session: the
 * client's resource roles when {@code useResourceRoleMappings} is enabled, realm roles
 * otherwise.
 *
 * @param session the refreshable security context holding the current access token
 * @return the resolved role names; an empty set when the token carries no such roles
 */
public static Set<String> getRolesFromSecurityContext(RefreshableKeycloakSecurityContext session) {
    AccessToken accessToken = session.getToken();
    AccessToken.Access access;
    if (session.getDeployment().isUseResourceRoleMappings()) {
        if (log.isTraceEnabled()) {
            log.trace("useResourceRoleMappings");
        }
        access = accessToken.getResourceAccess(session.getDeployment().getResourceName());
    } else {
        if (log.isTraceEnabled()) {
            log.trace("use realm role mappings");
        }
        access = accessToken.getRealmAccess();
    }
    // Both the access entry and its role set are optional on the token.
    Set<String> roles = (access == null) ? null : access.getRoles();
    if (roles == null) {
        roles = Collections.emptySet();
    }
    if (log.isTraceEnabled()) {
        log.trace("Setting roles: ");
        for (String role : roles) {
            log.trace(" role: " + role);
        }
    }
    return roles;
}
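/**
 * Adds the user's resolved client roles to the mapper attributes. When the mapper config names
 * a client id, only that client's roles are used and nothing is set if no access entry exists
 * for it; otherwise the roles of every resolved client are merged into one set.
 *
 * @param attributes     target attribute map the roles are written into
 * @param mappingModel   mapper configuration (client id and role prefix are read from it)
 * @param userSession    unused here, part of the mapper contract
 * @param session        current Keycloak session
 * @param clientSessionCtx client session context the roles are resolved for
 */
@Override
public void setAttribute(Map<String, Object> attributes, ProtocolMapperModel mappingModel, UserSessionModel userSession, KeycloakSession session, ClientSessionContext clientSessionCtx) {
    String clientId = mappingModel.getConfig().get(ProtocolMapperUtils.USER_MODEL_CLIENT_ROLE_MAPPING_CLIENT_ID);
    String rolePrefix = mappingModel.getConfig().get(ProtocolMapperUtils.USER_MODEL_CLIENT_ROLE_MAPPING_ROLE_PREFIX);
    if (clientId != null && !clientId.isEmpty()) {
        AccessToken.Access access = RoleResolveUtil.getResolvedClientRoles(session, clientSessionCtx, clientId, false);
        if (access == null) {
            return;
        }
        setAttribute(attributes, mappingModel, access.getRoles(), rolePrefix);
    } else {
        // If clientId is not specified, we consider all clients. An Access entry may carry a
        // null role set, so skip those instead of failing with a NullPointerException.
        Map<String, AccessToken.Access> allAccess = RoleResolveUtil.getAllResolvedClientRoles(session, clientSessionCtx);
        Set<String> allRoles = allAccess.values().stream()
            .filter(Objects::nonNull)
            .map(AccessToken.Access::getRoles)
            .filter(Objects::nonNull)
            .flatMap(Set::stream)
            .collect(Collectors.toSet());
        setAttribute(attributes, mappingModel, allRoles, rolePrefix);
    }
}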
/**
 * Builds role objects from the token: the roles granted for the client the token was issued
 * for ({@code issuedFor}) and the realm roles. Names are de-duplicated through a HashSet, so
 * the insertion order of the two sources does not survive into the result.
 *
 * @param accessToken the token whose role grants are converted
 * @return one {@link RoleImpl} per distinct role name
 */
private Collection<? extends Role> createRoles(final AccessToken accessToken) {
    final Set<String> names = new HashSet<String>();
    addRoleNamesFrom(names, accessToken.getResourceAccess(accessToken.getIssuedFor()));
    addRoleNamesFrom(names, accessToken.getRealmAccess());
    final List<Role> result = new ArrayList<Role>(names.size());
    for (final String name : names) {
        result.add(new RoleImpl(name));
    }
    return result;
}

/** Copies the role names of {@code access} into {@code target}; a missing entry or role set contributes nothing. */
private static void addRoleNamesFrom(final Set<String> target, final AccessToken.Access access) {
    if (access != null && access.getRoles() != null) {
        target.addAll(access.getRoles());
    }
}
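/**
 * Builds the {@code UserDetails} value from the Keycloak principal on the request.
 *
 * The request is expected to have passed Keycloak authentication; the unchecked cast mirrors
 * that assumption and throws {@link ClassCastException} for a non-Keycloak principal. Realm
 * access is optional on the token, so a token without it yields an empty role set instead of
 * a NullPointerException.
 *
 * @param webRequest the current request, carrying the authenticated principal
 * @return a new UserDetails populated from the access token
 */
@SuppressWarnings("unchecked")
private Object createUserDetails(NativeWebRequest webRequest) {
    KeycloakPrincipal<RefreshableKeycloakSecurityContext> principal =
        (KeycloakPrincipal<RefreshableKeycloakSecurityContext>) webRequest.getUserPrincipal();
    AccessToken token = principal.getKeycloakSecurityContext().getToken();
    AccessToken.Access realmAccess = token.getRealmAccess();
    java.util.Set<String> roles = (realmAccess == null || realmAccess.getRoles() == null)
        ? java.util.Collections.<String>emptySet()
        : realmAccess.getRoles();
    return new UserDetails(token.getId(), token.getGivenName(), token.getFamilyName(), token.getEmail(), roles);
}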
/**
 * Collects the roles the current token grants for the given resource. A missing access entry
 * or a missing role set yields an empty result rather than a failure.
 *
 * @param keycloakResource the resource whose client roles are looked up
 * @return an unmodifiable snapshot; later changes to the token are not reflected
 */
private Set<String> selectResourceRoles(KeycloakResource keycloakResource) {
    AccessToken.Access access = securityContext.getToken().getResourceAccess(keycloakResource.getResource());
    if (access == null || access.getRoles() == null) {
        return Collections.unmodifiableSet(new HashSet<>());
    }
    return Collections.unmodifiableSet(new HashSet<>(access.getRoles()));
}
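/**
 * Realm roles of the current token as an unmodifiable view.
 *
 * @return the realm roles, or an empty set when the token carries no realm access or no
 *         role set (previously a NullPointerException)
 */
@Override
public Set<String> getRoles() {
    if (keycloakSecurityContext.getToken().getRealmAccess() == null) {
        return Collections.emptySet();
    }
    Set<String> roles = keycloakSecurityContext.getToken().getRealmAccess().getRoles();
    return roles == null ? Collections.<String>emptySet() : Collections.unmodifiableSet(roles);
}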
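/**
 * Realm roles of the authenticated token.
 *
 * @return the token's realm role set, or an empty set when the token has no realm access or
 *         no role set (previously a NullPointerException)
 */
@Override
public Set<String> getRole() {
    if (this.auth.getRealmAccess() == null || this.auth.getRealmAccess().getRoles() == null) {
        return java.util.Collections.emptySet();
    }
    return this.auth.getRealmAccess().getRoles();
}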
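/**
 * Checks whether the authenticated token grants the given realm role.
 *
 * @param role realm role name
 * @return {@code true} only when realm access is present and contains the role; a token
 *         without realm access fails closed instead of throwing a NullPointerException
 */
@Override
public boolean isUserInRole(String role) {
    return this.auth.getRealmAccess() != null && this.auth.getRealmAccess().isUserInRole(role);
}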
/**
 * Guards admin-only operations.
 *
 * @throws NotAuthorizedException when no authentication is present (challenge: Bearer)
 * @throws ForbiddenException when the token has no realm access or lacks the "admin" realm role
 */
private void checkRealmAdmin() {
    if (auth == null) {
        throw new NotAuthorizedException("Bearer");
    }
    boolean isRealmAdmin = auth.getToken().getRealmAccess() != null
        && auth.getToken().getRealmAccess().isUserInRole("admin");
    if (!isRealmAdmin) {
        throw new ForbiddenException("Does not have realm admin role");
    }
}
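/**
 * Checks whether the current Keycloak token grants the given realm role.
 *
 * @param roleKey realm role name
 * @return {@code true} only when the token has realm access containing the role; a token
 *         without realm access fails closed instead of throwing a NullPointerException
 */
@Override
public boolean hasRole(String roleKey) {
    checkState();
    return Connections.getKeycloak().getToken().getRealmAccess() != null
        && Connections.getKeycloak().getToken().getRealmAccess().isUserInRole(roleKey);
}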
/**
 * Adds the user's resolved realm roles to the mapper attributes, applying the configured role
 * prefix. Nothing is set when no resolved realm access exists for the session.
 *
 * @param attributes     target attribute map the roles are written into
 * @param mappingModel   mapper configuration (the role prefix is read from it)
 * @param userSession    unused here, part of the mapper contract
 * @param session        current Keycloak session
 * @param clientSessionCtx client session context the roles are resolved for
 */
@Override
public void setAttribute(Map<String, Object> attributes, ProtocolMapperModel mappingModel, UserSessionModel userSession, KeycloakSession session, ClientSessionContext clientSessionCtx) {
    AccessToken.Access realmAccess = RoleResolveUtil.getResolvedRealmRoles(session, clientSessionCtx, false);
    if (realmAccess == null) {
        return;
    }
    String prefix = mappingModel.getConfig().get(ProtocolMapperUtils.USER_MODEL_REALM_ROLE_MAPPING_ROLE_PREFIX);
    setAttribute(attributes, mappingModel, realmAccess.getRoles(), prefix);
}
/**
 * Collects the realm roles of the current token. A missing realm access entry or a missing
 * role set yields an empty result rather than a failure.
 *
 * @return an unmodifiable snapshot; later changes to the token are not reflected
 */
private Set<String> selectRealmRoles() {
    AccessToken.Access access = securityContext.getToken().getRealmAccess();
    if (access == null || access.getRoles() == null) {
        return Collections.unmodifiableSet(new HashSet<>());
    }
    return Collections.unmodifiableSet(new HashSet<>(access.getRoles()));
}
/**
 * Returns an independent copy of this entry: {@code verifyCaller} is copied as-is and the
 * role set, when present, is duplicated so the copy can be mutated without affecting this
 * instance. A {@code null} role set stays {@code null}.
 */
public Access clone() {
    Access copy = new Access();
    copy.verifyCaller = verifyCaller;
    copy.roles = (roles == null) ? null : new HashSet<String>(roles);
    return copy;
}