diff --git a/.travis.yml b/.travis.yml
index 27bd183..731551e 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -13,12 +13,6 @@ services:
- docker
env:
-# - KEYCLOAK_VERSION=2.5.5.Final
-# - KEYCLOAK_VERSION=3.0.0.Final
-# - KEYCLOAK_VERSION=3.1.0.Final
- - KEYCLOAK_VERSION=3.2.1.Final
- - KEYCLOAK_VERSION=3.3.0.Final
- - KEYCLOAK_VERSION=3.4.0.Final
- KEYCLOAK_VERSION=3.4.3.Final
before_install:
diff --git a/integrationTest/suite.sh b/integrationTest/suite.sh
index 35d9f00..6958b45 100755
--- a/integrationTest/suite.sh
+++ b/integrationTest/suite.sh
@@ -12,7 +12,7 @@ get_ticket() {
exit 1
fi
- login_url=${BASH_REMATCH[1]}
+ login_url=${BASH_REMATCH[1]//&/&}
redirect_response=$(curl --fail --silent -D - -b /tmp/cookies --data 'username=admin&password=admin' "$login_url")
if [[ !($redirect_response =~ $ticket_pattern) ]] ; then
echo "No service ticket found in response"
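Review bot: The substitution on the added line, `${BASH_REMATCH[1]//&/&}`, replaces `&` with `&` and therefore leaves `login_url` exactly as it was, so as shown the change is a no-op. If the intent is to decode HTML-escaped ampersands in the form action extracted from the login page before it is handed to curl, the line should read `login_url=${BASH_REMATCH[1]//&amp;/&}` — the `amp;` may have been lost when this page was rendered, so please check the committed file. A short comment such as `# the action URL is scraped from HTML, so decode &amp; before using it as a request URL` would make the purpose obvious to the next reader. The `get_ticket` function starts before this hunk, so the regex that fills `BASH_REMATCH` is not visible here.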
diff --git a/pom.xml b/pom.xml
index a502285..59de4c5 100644
--- a/pom.xml
+++ b/pom.xml
@@ -22,12 +22,12 @@
org.keycloak
keycloak-protocol-cas
- 2.1.1-SNAPSHOT
+ 3.4.3
Keycloak CAS Protocol
- 3.2.0.Final
+ ${project.version}.Final
3.3.0.Final
2.0.1.Final
4.12
diff --git a/src/main/java/org/keycloak/protocol/cas/CASLoginProtocol.java b/src/main/java/org/keycloak/protocol/cas/CASLoginProtocol.java
index b796962..dd08b5b 100644
--- a/src/main/java/org/keycloak/protocol/cas/CASLoginProtocol.java
+++ b/src/main/java/org/keycloak/protocol/cas/CASLoginProtocol.java
@@ -12,13 +12,11 @@
import org.keycloak.services.managers.ClientSessionCode;
import org.keycloak.services.managers.ResourceAdminManager;
import org.keycloak.sessions.AuthenticationSessionModel;
-import org.keycloak.sessions.CommonClientSessionModel;
import javax.ws.rs.core.HttpHeaders;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.UriInfo;
import java.io.IOException;
-import java.lang.reflect.Method;
import java.net.URI;
public class CASLoginProtocol implements LoginProtocol {
@@ -93,16 +91,7 @@ public Response authenticated(UserSessionModel userSession, AuthenticatedClientS
String service = clientSession.getRedirectUri();
//TODO validate service
- String code;
- try {
- // Keycloak >3.4 branch: Method getCode was renamed to getOrGenerateCode, CODE_TO_TOKEN was removed
- Method getOrGenerateCode = ClientSessionCode.class.getMethod("getOrGenerateCode");
- code = (String) getOrGenerateCode.invoke(accessCode);
- } catch (ReflectiveOperationException e) {
- // Keycloak <=3.3 branch
- accessCode.setAction(CommonClientSessionModel.Action.CODE_TO_TOKEN.name());
- code = accessCode.getCode();
- }
+ String code = accessCode.getOrGenerateCode();
KeycloakUriBuilder uriBuilder = KeycloakUriBuilder.fromUri(service);
uriBuilder.queryParam(TICKET_RESPONSE_PARAM, SERVICE_TICKET_PREFIX + code);
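Review bot: The `//TODO validate service` comment survives the rewrite even though the `service` value on the line above comes from `clientSession.getRedirectUri()`, which AuthorizationEndpoint in this same diff only stores after `RedirectUtils.verifyRedirectUri` has checked it against the client's registered redirect URIs; either resolve the TODO or say what is still unverified. I would replace it with `// service was validated against the client's registered redirect URIs in AuthorizationEndpoint.checkClient before being stored on the session`, assuming nothing rewrites the redirect URI between the two endpoints — worth confirming before dropping the TODO. The `authenticated` method starts before this hunk, so how `accessCode` and `clientSession` are obtained is not visible.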
diff --git a/src/main/java/org/keycloak/protocol/cas/endpoints/AuthorizationEndpoint.java b/src/main/java/org/keycloak/protocol/cas/endpoints/AuthorizationEndpoint.java
index 339051f..bcf1231 100644
--- a/src/main/java/org/keycloak/protocol/cas/endpoints/AuthorizationEndpoint.java
+++ b/src/main/java/org/keycloak/protocol/cas/endpoints/AuthorizationEndpoint.java
@@ -42,12 +42,7 @@ public Response build() {
checkRealm();
checkClient(service);
- AuthorizationEndpointChecks checks = getOrCreateAuthenticationSession(client, null);
- if (checks.response != null) {
- return checks.response;
- }
-
- authenticationSession = checks.authSession;
+ authenticationSession = createAuthenticationSession(client, null);
updateAuthenticationSession();
// So back button doesn't work
@@ -64,7 +59,7 @@ public Response build() {
private void checkClient(String service) {
if (service == null) {
event.error(Errors.INVALID_REQUEST);
- throw new ErrorPageException(session, Messages.MISSING_PARAMETER, CASLoginProtocol.SERVICE_PARAM);
+ throw new ErrorPageException(session, Response.Status.BAD_REQUEST, Messages.MISSING_PARAMETER, CASLoginProtocol.SERVICE_PARAM);
}
client = realm.getClients().stream()
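Review bot: The missing-parameter check at the top of checkClient only catches `service == null`, so a request carrying an empty `service=` parameter gets past it and is treated as a service URL to look up rather than as a missing parameter. Since this hunk is already tightening the response to a BAD_REQUEST / MISSING_PARAMETER error page, widen the guard to `if (service == null || service.isEmpty()) {` so both cases take that path. The client lookup that follows continues into the next hunk.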
@@ -73,12 +68,12 @@ private void checkClient(String service) {
.findFirst().orElse(null);
if (client == null) {
event.error(Errors.CLIENT_NOT_FOUND);
- throw new ErrorPageException(session, Messages.CLIENT_NOT_FOUND);
+ throw new ErrorPageException(session, Response.Status.BAD_REQUEST, Messages.CLIENT_NOT_FOUND);
}
if (!client.isEnabled()) {
event.error(Errors.CLIENT_DISABLED);
- throw new ErrorPageException(session, Messages.CLIENT_DISABLED);
+ throw new ErrorPageException(session, Response.Status.BAD_REQUEST, Messages.CLIENT_DISABLED);
}
redirectUri = RedirectUtils.verifyRedirectUri(uriInfo, service, realm, client);
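Review bot: `RedirectUtils.verifyRedirectUri` on the last line returns null (as far as I recall Keycloak's implementation) when `service` matches none of the client's registered redirect URIs, and nothing in this hunk rejects that case; if the lines after the hunk do not check it, a null `redirectUri` would be stored on the authentication session and an unregistered service could proceed to login. A guard right after the call, `if (redirectUri == null) { event.error(Errors.INVALID_REDIRECT_URI); throw new ErrorPageException(session, Response.Status.BAD_REQUEST, Messages.INVALID_REDIRECT_URI); }`, keeps the rejection next to the verification (assuming those constants exist in the targeted Keycloak version). Separately, the two BAD_REQUEST branches added here still show distinct CLIENT_NOT_FOUND and CLIENT_DISABLED messages to an unauthenticated caller, which lets anyone enumerate which service URLs are registered but disabled; a single message for both would avoid that. The rest of checkClient lies outside the hunk.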
@@ -94,9 +89,4 @@ private void updateAuthenticationSession() {
authenticationSession.setRedirectUri(redirectUri);
authenticationSession.setAction(AuthenticationSessionModel.Action.AUTHENTICATE.name());
}
-
- @Override
- protected boolean isNewRequest(AuthenticationSessionModel authSession, ClientModel clientFromRequest, String requestState) {
- return true;
- }
}
diff --git a/src/main/java/org/keycloak/protocol/cas/endpoints/LogoutEndpoint.java b/src/main/java/org/keycloak/protocol/cas/endpoints/LogoutEndpoint.java
index b29588f..1db8322 100644
--- a/src/main/java/org/keycloak/protocol/cas/endpoints/LogoutEndpoint.java
+++ b/src/main/java/org/keycloak/protocol/cas/endpoints/LogoutEndpoint.java
@@ -66,7 +66,7 @@ public Response logout(@QueryParam(CASLoginProtocol.SERVICE_PARAM) String servic
logger.debug("finishing CAS browser logout");
return response;
}
- return ErrorPage.error(session, Messages.FAILED_LOGOUT);
+ return ErrorPage.error(session, null, Response.Status.BAD_REQUEST, Messages.FAILED_LOGOUT);
}
private void checkClient(String service) {
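Review bot: The new `ErrorPage.error(session, null, Response.Status.BAD_REQUEST, Messages.FAILED_LOGOUT)` passes an unexplained positional `null` as its second argument, presumably the authentication-session parameter of the Keycloak 3.4 overload; mark it inline as `ErrorPage.error(session, /* authSession */ null, Response.Status.BAD_REQUEST, Messages.FAILED_LOGOUT)` or add a comment saying no authentication session exists at this point of the logout flow. The `logout` method begins before this hunk, so the condition that falls through to this error page is not visible.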
diff --git a/src/main/java/org/keycloak/protocol/cas/endpoints/ValidateEndpoint.java b/src/main/java/org/keycloak/protocol/cas/endpoints/ValidateEndpoint.java
index c250578..6145334 100644
--- a/src/main/java/org/keycloak/protocol/cas/endpoints/ValidateEndpoint.java
+++ b/src/main/java/org/keycloak/protocol/cas/endpoints/ValidateEndpoint.java
@@ -18,7 +18,6 @@
import javax.ws.rs.GET;
import javax.ws.rs.core.*;
-import java.lang.reflect.Method;
public class ValidateEndpoint {
protected static final Logger logger = Logger.getLogger(ValidateEndpoint.class);
@@ -137,24 +136,14 @@ private void checkTicket(String ticket, boolean requireReauth) {
event.detail(Details.CODE_ID, parts[2]);
}
- ClientSessionCode.ParseResult parseResult;
- try {
- // Keycloak >3.4 branch: Parameter event was added to ClientSessionCode.parseResult
- Method parseResultMethod = ClientSessionCode.class.getMethod("parseResult",
- String.class, KeycloakSession.class, RealmModel.class, EventBuilder.class, Class.class);
- parseResult = (ClientSessionCode.ParseResult) parseResultMethod.invoke(
- null, code, session, realm, event, AuthenticatedClientSessionModel.class);
- } catch (ReflectiveOperationException e) {
- // Keycloak <=3.3 branch
- parseResult = ClientSessionCode.parseResult(code, session, realm, AuthenticatedClientSessionModel.class);
- }
+ ClientSessionCode.ParseResult parseResult = ClientSessionCode.parseResult(code, null, session, realm, client, event, AuthenticatedClientSessionModel.class);
if (parseResult.isAuthSessionNotFound() || parseResult.isIllegalHash()) {
event.error(Errors.INVALID_CODE);
// Attempt to use same code twice should invalidate existing clientSession
AuthenticatedClientSessionModel clientSession = parseResult.getClientSession();
if (clientSession != null) {
- clientSession.setUserSession(null);
+ clientSession.detachFromUserSession();
}
throw new CASValidationException(CASErrorCode.INVALID_TICKET, "Code not valid", Response.Status.BAD_REQUEST);
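Review bot: Replay protection on the new side now rests entirely on `parseResult` reporting an already-consumed ticket as not-found or illegal-hash: the removed <=3.3 branch explicitly cleared the code's action after a successful validation, while nothing in the rewritten code marks the ticket as used, so a valid, unexpired service ticket may validate more than once unless Keycloak 3.4.3's ClientSessionCode enforces single use by itself — please confirm, since CAS service tickets must be single-use. If it does not, record the consumed ticket on the client session in the same transaction and reject a repeat before the expiry check, e.g. `if (ticket.equals(clientSession.getNote(CASLoginProtocol.SESSION_SERVICE_TICKET))) { event.error(Errors.INVALID_CODE); throw new CASValidationException(CASErrorCode.INVALID_TICKET, "Ticket already used", Response.Status.BAD_REQUEST); }`, bearing in mind that the note is only written further down after this hunk, that the check is not atomic across concurrent validations, and that if `getOrGenerateCode` can hand out the same code again on a later login the marker must be cleared when a new ticket is issued. The `null` passed as the second argument of `parseResult` (the tab id, if I read the 3.4 signature correctly) also deserves an inline `/* tabId */` marker. checkTicket starts before this hunk.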
@@ -162,21 +151,9 @@ private void checkTicket(String ticket, boolean requireReauth) {
clientSession = parseResult.getClientSession();
- try {
- // Keycloak >3.4 branch: Method isExpiredToken was added
- Method isExpiredToken = ClientSessionCode.ParseResult.class.getMethod("isExpiredToken");
- if ((Boolean) isExpiredToken.invoke(parseResult)) {
- event.error(Errors.EXPIRED_CODE);
- throw new CASValidationException(CASErrorCode.INVALID_TICKET, "Code is expired", Response.Status.BAD_REQUEST);
- }
- } catch (ReflectiveOperationException e) {
- // Keycloak <=3.3 branch
- if (!parseResult.getCode().isValid(AuthenticatedClientSessionModel.Action.CODE_TO_TOKEN.name(), ClientSessionCode.ActionType.CLIENT)) {
- event.error(Errors.INVALID_CODE);
- throw new CASValidationException(CASErrorCode.INVALID_TICKET, "Code is expired", Response.Status.BAD_REQUEST);
- }
-
- parseResult.getCode().setAction(null);
+ if (parseResult.isExpiredToken()) {
+ event.error(Errors.EXPIRED_CODE);
+ throw new CASValidationException(CASErrorCode.INVALID_TICKET, "Code is expired", Response.Status.BAD_REQUEST);
}
clientSession.setNote(CASLoginProtocol.SESSION_SERVICE_TICKET, ticket);