Posted to commits@isis.apache.org by da...@apache.org on 2021/07/14 07:59:42 UTC
[isis] 02/02: ISIS-2793: deletes defunct code
This is an automated email from the ASF dual-hosted git repository.
danhaywood pushed a commit to branch ISIS-2793-rewrite
in repository https://gitbox.apache.org/repos/asf/isis.git
commit ebc8319c9938becb333af7716af8a65b5fcf5867
Author: danhaywood <da...@haywood-associates.co.uk>
AuthorDate: Wed Jul 14 08:59:26 2021 +0100
ISIS-2793: deletes defunct code
---
.../keycloak/IsisModuleSecurityKeycloak.java | 14 ++----
.../keycloak/handler/KeycloakLogoutHandler.java | 54 ----------------------
2 files changed, 4 insertions(+), 64 deletions(-)
diff --git a/security/keycloak/src/main/java/org/apache/isis/security/keycloak/IsisModuleSecurityKeycloak.java b/security/keycloak/src/main/java/org/apache/isis/security/keycloak/IsisModuleSecurityKeycloak.java
index fef4c70..f7df66f 100644
--- a/security/keycloak/src/main/java/org/apache/isis/security/keycloak/IsisModuleSecurityKeycloak.java
+++ b/security/keycloak/src/main/java/org/apache/isis/security/keycloak/IsisModuleSecurityKeycloak.java
@@ -40,14 +40,12 @@ import org.springframework.security.oauth2.jwt.NimbusJwtDecoderJwkSupport;
import org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler;
import org.springframework.security.web.authentication.logout.LogoutHandler;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
-import org.springframework.web.client.RestTemplate;
import static org.springframework.security.oauth2.client.web.OAuth2AuthorizationRequestRedirectFilter.DEFAULT_AUTHORIZATION_REQUEST_BASE_URI;
import org.apache.isis.core.runtimeservices.IsisModuleCoreRuntimeServices;
import org.apache.isis.core.security.authentication.login.LoginSuccessHandler;
import org.apache.isis.core.webapp.IsisModuleCoreWebapp;
-import org.apache.isis.security.keycloak.handler.KeycloakLogoutHandler;
import org.apache.isis.security.keycloak.handler.LogoutHandlerForKeycloak;
import org.apache.isis.security.keycloak.services.KeycloakOauth2UserService;
import org.apache.isis.security.spring.IsisModuleSecuritySpring;
@@ -80,7 +78,6 @@ public class IsisModuleSecurityKeycloak {
public WebSecurityConfigurerAdapter webSecurityConfigurer(
@Value("${kc.realm}") String realm,
KeycloakOauth2UserService keycloakOidcUserService,
- // KeycloakLogoutHandler keycloakLogoutHandler,
List<LoginSuccessHandler> loginSuccessHandlers,
List<LogoutHandler> logoutHandlers
) {
@@ -98,9 +95,11 @@ public class IsisModuleSecurityKeycloak {
.anyRequest().authenticated()
.and()
- // Propagate logouts via /logout to Keycloak
+ // responsibility to propagate logout to Keycloak is performed by
+ // LogoutHandlerForKeycloak (called by Isis' LogoutMenu, not by Spring)
+ // this is to ensure that Isis can invalidate the http session eagerly and not preserve it in
+ // the SecurityContextPersistenceFilter (which uses http session to do its work)
.logout()
-// .addLogoutHandler(keycloakLogoutHandler)
.logoutRequestMatcher(new AntPathRequestMatcher("/logout"));
logoutHandlers.forEach(httpSecurityLogoutConfigurer::addLogoutHandler);
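Review bot: The new comment above `.logout()` says propagation to Keycloak is done only by LogoutHandlerForKeycloak via Isis' LogoutMenu, yet the `/logout` request matcher stays registered with Spring and the injected `logoutHandlers` are still added to that configurer. If none of those handlers ends the Keycloak session (their implementations are not visible here), a request that reaches `/logout` without going through LogoutMenu clears the local session but leaves the SSO session alive, so the next visit may be silently re-authenticated. Consider saying so in the comment, e.g. `// NOTE: a direct request to /logout does not end the Keycloak session unless one of logoutHandlers does`, or confirming that one of the registered handlers covers this path. The body of webSecurityConfigurer begins and ends outside this hunk.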
@@ -150,10 +149,5 @@ public class IsisModuleSecurityKeycloak {
return new KeycloakOauth2UserService(jwtDecoder, authoritiesMapper);
}
- @Bean
- KeycloakLogoutHandler keycloakLogoutHandler() {
- return new KeycloakLogoutHandler(new RestTemplate());
- }
-
}
diff --git a/security/keycloak/src/main/java/org/apache/isis/security/keycloak/handler/KeycloakLogoutHandler.java b/security/keycloak/src/main/java/org/apache/isis/security/keycloak/handler/KeycloakLogoutHandler.java
deleted file mode 100644
index c7ce849..0000000
--- a/security/keycloak/src/main/java/org/apache/isis/security/keycloak/handler/KeycloakLogoutHandler.java
+++ /dev/null
@@ -1,54 +0,0 @@
-package org.apache.isis.security.keycloak.handler;
-
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
-
-import org.springframework.http.ResponseEntity;
-import org.springframework.security.core.Authentication;
-import org.springframework.security.oauth2.core.oidc.user.OidcUser;
-import org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler;
-import org.springframework.web.client.RestTemplate;
-import org.springframework.web.util.UriComponentsBuilder;
-
-import lombok.RequiredArgsConstructor;
-import lombok.extern.slf4j.Slf4j;
-
-/**
- * Propagates logouts to Keycloak.
- *
- * <p>
- * Necessary because Spring Security 5 (currently) doesn't support
- * end-session-endpoints.
- * </p>
- */
-@Slf4j
-@RequiredArgsConstructor
-public class KeycloakLogoutHandler extends SecurityContextLogoutHandler {
-
- private final RestTemplate restTemplate;
-
- @Override
- public void logout(HttpServletRequest request, HttpServletResponse response, Authentication authentication) {
- super.logout(request, response, authentication);
-
- if (authentication != null) {
- propagateLogoutToKeycloak((OidcUser) authentication.getPrincipal());
- }
- }
-
- private void propagateLogoutToKeycloak(OidcUser user) {
-
- String endSessionEndpoint = user.getIssuer() + "/protocol/openid-connect/logout";
-
- UriComponentsBuilder builder = UriComponentsBuilder //
- .fromUriString(endSessionEndpoint) //
- .queryParam("id_token_hint", user.getIdToken().getTokenValue());
-
- ResponseEntity<String> logoutResponse = restTemplate.getForEntity(builder.toUriString(), String.class);
- if (logoutResponse.getStatusCode().is2xxSuccessful()) {
- log.info("Successfulley logged out in Keycloak");
- } else {
- log.info("Could not propagate logout to Keycloak");
- }
- }
-}