/**
 * Reports whether the given resource explicitly opts into caller verification.
 *
 * <p>Looks up the per-resource {@code Access} entry and reads its
 * {@code verifyCaller} flag. A resource with no entry, or whose flag was never
 * set, is treated as {@code false} — i.e. the default is the permissive one
 * (no verification), so an absent entry silently disables the check.
 *
 * @param resource resource name whose access entry is consulted
 * @return the resource's explicit {@code verifyCaller} value, or {@code false} when unset
 */
@JsonIgnore
public boolean isVerifyCaller(String resource) {
    Access entry = getResourceAccess(resource);
    if (entry == null) {
        return false;
    }
    Boolean flag = entry.getVerifyCaller();
    // A Boolean left null means "no override"; only an explicit value counts.
    return flag != null && flag.booleanValue();
}
/**
 * Collects the client-level roles the current token carries for the given resource.
 *
 * <p>Reads {@code resource_access[resource].roles} from the token held in
 * {@code securityContext}. A missing mapping or a missing roles claim both
 * yield an empty set. The result is an unmodifiable copy, so callers cannot
 * alter the token's own role collection through it.
 *
 * @param keycloakResource the resource whose client roles are requested
 * @return an unmodifiable, possibly empty set of role names
 */
private Set<String> selectResourceRoles(KeycloakResource keycloakResource) {
    final AccessToken.Access mapping =
            securityContext.getToken().getResourceAccess(keycloakResource.getResource());
    final Set<String> granted = (mapping == null) ? null : mapping.getRoles();
    final Set<String> copy = new HashSet<>();
    if (granted != null) {
        copy.addAll(granted);
    }
    return Collections.unmodifiableSet(copy);
}
/**
 * Builds the {@link Role} list for a token from its client roles and realm roles.
 *
 * <p>Client roles are read from {@code resource_access[issuedFor]} — the
 * client the token was issued for ({@code azp}) — and realm roles from
 * {@code realm_access}. Both claims are optional. The two sets are merged by
 * name, so a realm role and a client role sharing a name collapse into a
 * single {@code RoleImpl}; the result does not record which scope a role
 * came from.
 *
 * <p>NOTE(review): roles are looked up under {@code issuedFor} (the client that
 * requested the token), not under this deployment's own resource name. A token
 * obtained by a different client would therefore contribute that client's
 * roles here — confirm this is intended and that the audience is validated
 * elsewhere.
 *
 * @param accessToken the verified Keycloak access token
 * @return one {@code RoleImpl} per distinct role name, possibly empty
 */
private Collection<? extends Role> createRoles(final AccessToken accessToken) {
    final Set<String> distinctNames = new HashSet<String>();
    // Client roles first, then realm roles.
    final AccessToken.Access[] scopes = {
            accessToken.getResourceAccess(accessToken.getIssuedFor()),
            accessToken.getRealmAccess()
    };
    for (AccessToken.Access scope : scopes) {
        if (scope != null && scope.getRoles() != null) {
            distinctNames.addAll(scope.getRoles());
        }
    }
    final List<Role> result = new ArrayList<Role>(distinctNames.size());
    for (final String name : distinctNames) {
        result.add(new RoleImpl(name));
    }
    return result;
}
Map<String, AccessToken.Access> resourceAccess = token.getResourceAccess(); if (resourceAccess != null) { for (Map.Entry<String, AccessToken.Access> e : resourceAccess.entrySet()) {
/**
 * Resolves the role names the adapter should use for the current session.
 *
 * <p>Which claim is consulted is controlled by the deployment's
 * {@code useResourceRoleMappings} switch: when on, the client-level roles under
 * {@code resource_access[<resourceName>]} are used; otherwise the realm-level
 * roles under {@code realm_access}. An absent mapping yields an empty set,
 * never {@code null}.
 *
 * <p>NOTE(review): when a mapping is present, the set returned is whatever
 * {@code Access#getRoles()} hands back, which may be the token's own mutable
 * collection — callers should treat it as read-only.
 *
 * @param session the refreshable security context holding the token and deployment
 * @return the selected role names, possibly empty
 */
public static Set<String> getRolesFromSecurityContext(RefreshableKeycloakSecurityContext session) {
    AccessToken token = session.getToken();
    boolean resourceScoped = session.getDeployment().isUseResourceRoleMappings();
    if (log.isTraceEnabled()) {
        log.trace(resourceScoped ? "useResourceRoleMappings" : "use realm role mappings");
    }
    AccessToken.Access mapping = resourceScoped
            ? token.getResourceAccess(session.getDeployment().getResourceName())
            : token.getRealmAccess();
    Set<String> selected = (mapping == null) ? null : mapping.getRoles();
    if (selected == null) {
        selected = Collections.emptySet();
    }
    if (log.isTraceEnabled()) {
        log.trace("Setting roles: ");
        for (String r : selected) {
            log.trace(" role: " + r);
        }
    }
    return selected;
}
for (Map.Entry<String, AccessToken.Access> entry : accessToken.getResourceAccess().entrySet()) { AccessToken.Access resourceAccess = entry.getValue(); roles.addAll(Optional.fromNullable(resourceAccess.getRoles()).or(Collections.emptySet()));
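/**
 * Audit hook run before a handler executes: records who is calling which URL,
 * together with the realm roles and the {@code keycloakResource} client roles
 * carried by the bearer token, into {@code locKeycloakLog}.
 *
 * <p>This interceptor only logs; it always returns {@code true} and never
 * blocks a request. Authorization must be enforced elsewhere — do not rely on
 * this method for it. Any failure while building the audit record is logged at
 * WARN and the request proceeds, so a missing audit row does not imply that the
 * request was denied.
 *
 * <p>Fixes relative to the previous version: the token and the optional
 * {@code resource_access} / {@code realm_access} / {@code aud} claims are
 * null-checked instead of relying on the catch-all to swallow NPEs (which
 * silently dropped the audit record), and the request parameters are rendered
 * by value instead of via {@code Map<String,String[]>#toString()}, which prints
 * array identity hashes.
 *
 * @param httpServletRequest  current request; its parameters and URI are recorded
 * @param httpServletResponse current response (only used to build the facade)
 * @param handler             chosen handler, unused
 * @return always {@code true}
 */
@Override
public boolean preHandle(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, Object handler) {
    try {
        SimpleHttpFacade simpleHttpFacade = new SimpleHttpFacade(httpServletRequest, httpServletResponse);
        // The facade's security context may be absent when the request carries no Keycloak session.
        AccessToken accessToken = simpleHttpFacade.getSecurityContext() == null
                ? null
                : simpleHttpFacade.getSecurityContext().getToken();
        if (accessToken == null) {
            log.debug("keycloak security pre handle: no access token for {}", httpServletRequest.getRequestURI());
            return true;
        }

        Set<String> resourceRoles = Sets.newHashSet();
        if (accessToken.getResourceAccess() != null) {
            AccessToken.Access resourceAccess = accessToken.getResourceAccess().get(keycloakResource);
            if (resourceAccess != null && resourceAccess.getRoles() != null) {
                resourceRoles = resourceAccess.getRoles();
            }
        }
        Set<String> realmRoles = Sets.newHashSet();
        AccessToken.Access realmAccess = accessToken.getRealmAccess();
        if (realmAccess != null && realmAccess.getRoles() != null) {
            realmRoles = realmAccess.getRoles();
        }
        // "aud" is optional in a JWT; guard against a missing or empty claim.
        String[] audience = accessToken.getAudience();
        String firstAudience = (audience != null && audience.length > 0) ? audience[0] : null;

        locKeycloakLog.save(
                LocKeycloakLog.LocKeycloakLogDomain.builder()
                        .param(describeParameters(httpServletRequest))
                        .createDateTime(LocalDateTime.now())
                        // NOTE(review): this stores the context path, while the log line below
                        // uses the request URI — confirm which one the audit record should hold.
                        .url(httpServletRequest.getContextPath())
                        .userName(accessToken.getName())
                        .email(accessToken.getEmail())
                        .realmRoles(realmRoles)
                        .resourceRoles(resourceRoles)
                        .build());
        log.info("keycloak security pre handle {} ({}) in {} access {}", accessToken.getName(),
                accessToken.getEmail(), firstAudience, httpServletRequest.getRequestURI());
    } catch (Exception e) {
        // Auditing is best-effort: never turn a logging failure into a failed request.
        log.warn(e.getMessage(), e);
    }
    return true;
}

/**
 * Renders the request parameters as {@code name=v1,v2;name2=...}.
 *
 * <p>Parameters are recorded verbatim: if any intercepted endpoint receives
 * credentials, tokens or other secrets as parameters they will land in the
 * audit table — mask those names here or exclude such endpoints from the
 * interceptor.
 *
 * @param request the current request
 * @return the rendered parameters, empty string when there are none
 */
private static String describeParameters(HttpServletRequest request) {
    StringBuilder sb = new StringBuilder();
    for (String name : request.getParameterMap().keySet()) {
        if (sb.length() > 0) {
            sb.append(';');
        }
        String[] values = request.getParameterValues(name);
        sb.append(name).append('=').append(values == null ? "" : String.join(",", values));
    }
    return sb.toString();
}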