cloud-824 move sso securedeployments example to openshift-examples
wdecoste committed Jul 14, 2016
1 parent 78bf135 commit 45f98b7
Showing 19 changed files with 1,107 additions and 0 deletions.
37 changes: 37 additions & 0 deletions sso-securedeployments/README.md
@@ -0,0 +1,37 @@
# keycloak-examples

With the exception of app-html5 and app-profile-html5, all examples are deployed as a WAR. These examples assume that a Keycloak server is running on localhost:8180 and a WildFly server is running on localhost:8080.

If you want to change the address of the Keycloak server, edit the keycloak.json file in each example's WEB-INF directory.
If you want to change the address of the WildFly server, edit each example's client detail in the UI of the Keycloak server.

To install and run all the WAR-based examples:

1. Download this keycloak-examples repository.
2. [Download](http://keycloak.jboss.org/keycloak/downloads.html) and unzip the plain **keycloak** distribution. Do not download the demo dist.
3. [Download](http://wildfly.org/downloads/) an unzip WildFly.
4. [Download](http://keycloak.jboss.org/keycloak/downloads.html?dir=0%3Dadapters/keycloak-oidc%3B) the Keycloak OIDC adapter for WildFly. Unzip this adapter on top of WildFly.
5. [Download](http://keycloak.jboss.org/keycloak/downloads.html?dir=0%3Dadapters/saml%3B) the Keycloak SAML adapter for WildFly. Unzip this adapter on top of WildFly. It's OK to overwrite modules.
6. *cd <Keycloak Home>/bin*
7. *standalone(.bat or .sh) -Djboss.socket.binding.port-offset=100*
8. In your browser, go to <http://localhost:8180/auth/admin/index.html>
9. Login with admin/admin and change the password when prompted.
10. In the upper lefthand corner, click on Master->Add Realm
11. Click "Select File" and choose *examples-realm.json* from the root of the keycloak-examples repo from step 1.
12. *cd &lt;WildFly Home&gt;/bin*
13. *standalone(.bat or .sh)*
14. With WildFly running, open a new command prompt and *cd &lt;WildFly Home&gt;/bin* again. Then execute the following three commands to finish adapter install.
15. *jboss-cli -c --file=adapter-install.cli*
16. *jboss-cli -c --file=adapter-install-saml.cli*
17. *jboss-cli -c --command=:reload*
18. At the root of the keycloak-examples repo, run *mvn wildfly:deploy*

The Examples realm you imported has two users, *secure-user* and *admin-user*. Both use "password" as the password.

You can run each example with the following URLs:

* <http://localhost:8080/app-html5/>
* <http://localhost:8080/app-profile-html5/>
* <http://localhost:8080/app-jee/>
* <http://localhost:8080/app-profile-jee/>
* <http://localhost:8080/app-profile-jee-saml/>
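Review bot: step 3 reads "an unzip WildFly" where "and unzip" is meant, and steps 12 and 14 render the placeholder as HTML entities (`&lt;WildFly Home&gt;`) while step 6 uses a literal `<Keycloak Home>`; use the same plain form in all three so the rendered README does not show entity text. The heading `# keycloak-examples` and the closing list of five example URLs describe the whole examples repository, while only app-profile-jee-saml files are visible in this commit under sso-securedeployments; check that each listed app is actually present in this directory or trim the list to what ships here.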
28 changes: 28 additions & 0 deletions sso-securedeployments/app-profile-jee-saml/README.md
@@ -0,0 +1,28 @@
You need to create a client in Keycloak. The configuration options when creating the client should be:

Settings
-----------
* Client ID: app-profile-jee-saml
* Enabled: ON
* Consent Required: OFF
* direct-grants-only: OFF
* Client Protocol: saml
* Include AuthnStatement: ON
* Sign Documents: OFF
* Sign Assertions: OFF
* Encrypt Assertions: OFF
* Client Signature Required: OFF
* Force POST Binding: OFF
* Front Channel Logout: OFF
* Force Name ID Format: OFF
* Name ID Format: username
* Root URL: <blank>
* Valid Redirect URIs: http://localhost:8080/app-profile-jee-saml/*
* Base URL: http://localhost:8080/app-profile-jee-saml/
* Master SAML Processing URL: http://localhost:8080/app-profile-jee-saml/saml

Mappers
------------
Add all builtin mappers

Then, build the WAR with Maven and install as per the Adapter configuration for your server as described in the Keycloak documentation.
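Review bot: the settings turn every signing and encryption option off (Sign Documents, Sign Assertions, Encrypt Assertions and Client Signature Required are all OFF) without saying why; add a sentence that these values match validateResponseSignature="false" in keycloak-saml.xml and exist only for the localhost walkthrough, and that a deployment outside the demo should sign assertions and require a client signature. "Add all builtin mappers" under Mappers should name the attributes the application actually reads: Controller looks up the friendly names givenName, surname and email, and keycloak-saml.xml takes roles from a SAML attribute named Role, so those are the mappers that must exist for profile.jsp to work.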
77 changes: 77 additions & 0 deletions sso-securedeployments/app-profile-jee-saml/pom.xml
@@ -0,0 +1,77 @@
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
<modelVersion>4.0.0</modelVersion>

<parent>
<groupId>org.keycloak.quickstart</groupId>
<artifactId>keycloak-quickstart-parent</artifactId>
<version>0.5-SNAPSHOT</version>
</parent>

<groupId>org.keycloak.quickstart</groupId>
<artifactId>keycloak-quickstart-app-profile-jee-saml</artifactId>
<version>0.5-SNAPSHOT</version>

<name>Keycloak Quickstart App Profile JEE SAML</name>
<description/>

<packaging>war</packaging>

<properties>

</properties>

<dependencies>
<dependency>
<groupId>org.jboss.spec.javax.servlet</groupId>
<artifactId>jboss-servlet-api_3.0_spec</artifactId>
<scope>provided</scope>
</dependency>
<dependency>
<groupId>org.keycloak</groupId>
<artifactId>keycloak-core</artifactId>
<scope>provided</scope>
</dependency>
<dependency>
<groupId>org.keycloak</groupId>
<artifactId>keycloak-adapter-core</artifactId>
<scope>provided</scope>
</dependency>
<dependency>
<groupId>org.keycloak</groupId>
<artifactId>keycloak-saml-adapter-core</artifactId>
<scope>provided</scope>
</dependency>
<dependency>
<groupId>org.keycloak</groupId>
<artifactId>keycloak-adapter-spi</artifactId>
<scope>provided</scope>
</dependency>
<!-- <dependency>
<groupId>org.keycloak.quickstart</groupId>
<artifactId>keycloak-quickstart-app-profile-jee</artifactId>
<type>war</type>
<version>${project.version}</version>
</dependency> -->
</dependencies>

<build>
<finalName>app-profile-jee-saml</finalName>
<plugins>
<plugin>
<groupId>org.jboss.as.plugins</groupId>
<artifactId>jboss-as-maven-plugin</artifactId>
<configuration>
<skip>false</skip>
</configuration>
</plugin>
<plugin>
<groupId>org.wildfly.plugins</groupId>
<artifactId>wildfly-maven-plugin</artifactId>
<configuration>
<skip>false</skip>
</configuration>
</plugin>
</plugins>
</build>
</project>
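Review bot: the `<properties>` element is empty, `<description/>` is blank, and the dependency on keycloak-quickstart-app-profile-jee is commented out rather than removed; drop the dead block and the empty elements, or leave a comment saying why the war dependency is being kept. Both jboss-as-maven-plugin and wildfly-maven-plugin are enabled with `<skip>false</skip>`, while the top-level README only ever runs `mvn wildfly:deploy`; if JBoss AS 7 is not a target for this module the first plugin can go.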
@@ -0,0 +1,93 @@
/*
* Copyright 2015 Red Hat Inc. and/or its affiliates and other contributors
* as indicated by the @author tags. All rights reserved.
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy of
* the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
* License for the specific language governing permissions and limitations under
* the License.
*/
package org.keycloak.quickstart.profilejee;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

import org.keycloak.adapters.saml.SamlDeploymentContext;
import org.keycloak.adapters.saml.SamlPrincipal;
import org.keycloak.adapters.saml.SamlSession;
import org.keycloak.common.util.KeycloakUriBuilder;
import org.keycloak.constants.ServiceUrlConstants;

/**
* Controller simplifies access to the server environment from the JSP.
*
* @author Stan Silvert ssilvert@redhat.com (C) 2015 Red Hat Inc.
*/
public class Controller {

public String getFirstName(HttpServletRequest req) {
return getFriendlyAttrib(req, "givenName");
}

public String getLastName(HttpServletRequest req) {
return getFriendlyAttrib(req, "surname");
}

public String getEmail(HttpServletRequest req) {
return getFriendlyAttrib(req, "email");
}

public String getUsername(HttpServletRequest req) {
return req.getUserPrincipal().getName();
}

private String getFriendlyAttrib(HttpServletRequest req, String attribName) {
SamlPrincipal principal = getAccount(req);
return principal.getFriendlyAttribute(attribName);
}

private SamlPrincipal getAccount(HttpServletRequest req) {
SamlPrincipal principal = (SamlPrincipal)req.getUserPrincipal();
return principal;
}

public boolean isLoggedIn(HttpServletRequest req) {
return getAccount(req) != null;
}

public String getAccountUri(HttpServletRequest req) {
String serverPath = findKeycloakServerPath(req);
String realm = findRealmName(req);
return KeycloakUriBuilder.fromUri(serverPath).path(ServiceUrlConstants.ACCOUNT_SERVICE_PATH)
.queryParam("referrer", "app-profile-jee-saml").build(realm).toString();
}

// HACK: This is a really bad way to find the realm name, but I can't
// figure out a better way to do it with the SAML adapter. It parses
// the URL specified in keycloak-saml.xml
private String findRealmName(HttpServletRequest req) {
String bindingUrl = getBindingUrl(req);
// bindingUrl looks like http://localhost:8080/auth/realms/master/protocol/saml
int beginIndex = bindingUrl.indexOf("/realms/") + "/realms/".length();
return bindingUrl.substring(beginIndex, bindingUrl.indexOf('/', beginIndex));
}

private String findKeycloakServerPath(HttpServletRequest req) {
String bindingUrl = getBindingUrl(req);
// bindingUrl looks like http://localhost:8080/auth/realms/master/protocol/saml
return bindingUrl.substring(0, bindingUrl.indexOf("/auth")) + "/auth";
}

private String getBindingUrl(HttpServletRequest req) {
SamlDeploymentContext ctx = (SamlDeploymentContext)req.getServletContext().getAttribute(SamlDeploymentContext.class.getName());
return ctx.resolveDeployment(null).getIDP().getSingleSignOnService().getRequestBindingUrl();
}

}
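Review bot: getFirstName, getLastName, getEmail and getUsername dereference req.getUserPrincipal() without a null check, so calling any of them from an unauthenticated page throws a NullPointerException; only isLoggedIn guards against the null principal. Either make getFriendlyAttrib and getUsername return null when getAccount(req) is null, or document that these methods may only be used from pages covered by the /profile.jsp security constraint. findRealmName and findKeycloakServerPath also assume bindingUrl contains "/realms/" and "/auth"; when it does not, indexOf returns -1 and the substring calls either return garbage or throw, so the HACK comment should at least be backed by an explicit check that fails with a clear message. The javax.servlet.http.HttpSession import is unused.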
@@ -0,0 +1,30 @@
<keycloak-saml-adapter>
<SP entityID="app-profile-jee-saml"
sslPolicy="NONE"
nameIDPolicyFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
logoutPage="/index.jsp"
forceAuthentication="false">
<PrincipalNameMapping policy="FROM_NAME_ID"/>
<RoleIdentifiers>
<Attribute name="Role"/>
</RoleIdentifiers>
<IDP entityID="idp">
<SingleSignOnService signRequest="false"
validateResponseSignature="false"
requestBinding="POST"
bindingUrl="http://localhost:8080/auth/realms/master/protocol/saml"
/>

<SingleLogoutService
validateRequestSignature="false"
validateResponseSignature="false"
signRequest="false"
signResponse="false"
requestBinding="POST"
responseBinding="POST"
postBindingUrl="http://localhost:8080/auth/realms/master/protocol/saml"
redirectBindingUrl="http://localhost:8080/auth/realms/master/protocol/saml"
/>
</IDP>
</SP>
</keycloak-saml-adapter>
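Review bot: bindingUrl, postBindingUrl and redirectBindingUrl all point at http://localhost:8080/auth/realms/master/protocol/saml, but the top-level README starts Keycloak with a port offset of 100 (localhost:8180) and has the user import the Examples realm, so as written the adapter sends the AuthnRequest to the WildFly port and the master realm; align the host, port and realm with the README, remembering that Controller.findRealmName derives the realm name from this same URL. Every signature control is also disabled (signRequest, validateResponseSignature, validateRequestSignature, signResponse are all false and sslPolicy is NONE), which means nothing authenticates the SAML response to this SP; add an XML comment marking these as localhost demo values and stating that validateResponseSignature="true" with the IdP signing certificate configured, plus an sslPolicy other than NONE, are required for any non-demo deployment.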
@@ -0,0 +1,51 @@
<?xml version="1.0" encoding="UTF-8"?>
<!--
* Copyright 2015 Red Hat Inc. and/or its affiliates and other contributors
* as indicated by the @author tags. All rights reserved.
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy of
* the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
* License for the specific language governing permissions and limitations under
* the License.
-->
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
version="3.0">

<module-name>app-profile-jee-saml</module-name>

<security-constraint>
<web-resource-collection>
<url-pattern>/profile.jsp</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>user</role-name>
</auth-constraint>
</security-constraint>

<security-constraint>
<web-resource-collection>
<url-pattern>/saml</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>*</role-name>
</auth-constraint>
</security-constraint>

<login-config>
<auth-method>KEYCLOAK-SAML</auth-method>
</login-config>

<security-role>
<role-name>user</role-name>
</security-role>

</web-app>
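Review bot: both `<web-resource-collection>` elements omit `<web-resource-name>`, which the web-app_3_0 schema requires as the first child, so a strictly validating container can reject this descriptor; give each collection a name. Neither constraint carries a `<user-data-constraint>` with CONFIDENTIAL, consistent with sslPolicy="NONE" in keycloak-saml.xml; that is acceptable for localhost but belongs in the README alongside the other demo-only settings.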
@@ -0,0 +1,46 @@
<%--
* Copyright 2015 Red Hat Inc. and/or its affiliates and other contributors
* as indicated by the @author tags. All rights reserved.
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy of
* the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
* License for the specific language governing permissions and limitations under
* the License.
--%>

<%@page contentType="text/html" pageEncoding="ISO-8859-1"%>
<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<title>Keycloak Example App</title>

<link rel="stylesheet" type="text/css" href="styles.css"/>
</head>
<body>
<jsp:useBean id="controller" class="org.keycloak.quickstart.profilejee.Controller" scope="request"/>

<c:set var="isLoggedIn" value="<%=controller.isLoggedIn(request)%>"/>
<c:if test="${isLoggedIn}">
<c:redirect url="profile.jsp"/>
</c:if>

<div class="wrapper" id="welcome">
<div class="menu">
<button onclick="location.href = 'profile.jsp'" type="button">Login</button>
</div>

<div class="content">
<div class="message">Please login</div>
</div>
</div>
</body>
</html>
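Review bot: the page directive declares pageEncoding="ISO-8859-1" while the meta tag declares charset=windows-1252; the two should agree (UTF-8 for both is the usual choice). The logged-in check mixes a scriptlet `<%=controller.isLoggedIn(request)%>` into a JSTL `<c:set>`; that works, but a short comment explaining why the request-scoped bean is called this way would help readers, and the message "Please login" should read "Please log in".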
0 comments on commit 45f98b7