Skip to content

ESB-890: Dynamic user authorization mapping driven by KC profile #321

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
MEM2677 wants to merge 15 commits into
base: release/7.3
Choose a base branch
from
Open

ESB-890: Dynamic user authorization mapping driven by KC profile #321

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
15 commits
Select commit Hold shift + click to select a range
3cbbebd
ESB-890: Dynamic mapping of authorizations from KC user profile
MEM2677 Jan 7, 2026
ee2f17e
ESB-890: code cleaning
MEM2677 Jan 7, 2026
5965af8
ESB-890: minor refactor
MEM2677 Jan 8, 2026
694de63
ESB-890: code review (WIP)
MEM2677 Jan 14, 2026
f3fbdd8
ESB-890: minor refacor
MEM2677 Jan 14, 2026
f67ce32
ESB-890: code cleaning
MEM2677 Jan 14, 2026
9e06ae0
ESB-890: code cleaning
MEM2677 Jan 14, 2026
8d0d90a
ESB-890: code cleaning
MEM2677 Jan 14, 2026
79f10d6
ESB-890: code cleaning, liquibase support
MEM2677 Jan 15, 2026
1838213
ESB-890: code cleaning
MEM2677 Jan 15, 2026
e7ff119
ESB-890: quality gate
MEM2677 Jan 15, 2026
ac215e2
ESB-890: quality gate
MEM2677 Jan 15, 2026
15fc343
ESB-890: improved configuration handling
MEM2677 Jan 15, 2026
f518233
ESB-890: README.md
MEM2677 Jan 16, 2026
13b190f
ESB-890: README.md
MEM2677 Jan 16, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
3 changes: 2 additions & 1 deletion engine/src/main/java/com/agiletec/aps/system/common/entity/AbstractEntitySearcherDAO.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -136,6 +136,7 @@ protected EntitySearchFilter[] addFilter(EntitySearchFilter[] filters, EntitySea

private PreparedStatement buildStatement(EntitySearchFilter[] filters, boolean isCount, boolean selectAll, Connection conn) {
String query = this.createQueryString(filters, isCount, selectAll);

PreparedStatement stat = null;
try {
stat = conn.prepareStatement(query);
Expand Down Expand Up @@ -567,4 +568,4 @@ protected String getMasterTableName() {
return this.getEntityMasterTableName();
}

}
}
4 changes: 2 additions & 2 deletions ...ne/src/main/java/com/agiletec/aps/system/services/authorization/AuthorizationManager.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -40,7 +40,7 @@

/**
* Servizio di autorizzazione. Il servizio espone tutti i metodi necessari per
* la verifica verifica delle autorizzazioni utente, qualsiasi sia la sua
* la verifica delle autorizzazioni utente, qualsiasi sia la sua
* provenienza e definizione.
* @author E.Santoboni
*/
Expand Down Expand Up @@ -749,4 +749,4 @@ public void setGroupManager(IGroupManager groupManager) {
private IRoleManager _roleManager;
private IGroupManager _groupManager;

}
}
5 changes: 5 additions & 0 deletions keycloak-plugin/README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -10,6 +10,7 @@ Information below is for building from source or running locally as a contributo
### What this plugin does
* Enables SSO capabilities to an Entando Instance by using Keycloak.
* Moves User Management to Keycloak.
* Assigns on-the-fly authorizations to the logging-in users; such authorizations might come from keycloak itself or external sources

### What this plugin does not
This plugin doesn't come with Role and Group management, because Entando Core roles/groups model isn't compatible with Keycloak. That means that even with the same users across multiple Entando Instances, the role and group mappings have to be configured on each instance.
Expand All @@ -24,6 +25,10 @@ This plugin doesn't come with Role and Group management, because Entando Core ro
>- `keycloak.secure.uris`: **[OPTIONAL]** Use if you want to secure an endpoint. Works with wildcards, comma separated.
>- `keycloak.authenticated.user.default.authorizations`: **[OPTIONAL]** Use if you want to automatically assign `group:role` to any user that logs in, comma separated. Example: `administrators:admin,readers`

## Environment variables
>- `KC_MAPPING_UPDATE`: specifies the refresh period -Chron style!- of the dynamic configuration used to assign authorizations to the loggin-in users. The default is `0 * * * * *`


## Installing

### Installing on your project
Expand Down
31 changes: 31 additions & 0 deletions keycloak-plugin/pom.xml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -13,6 +13,37 @@
<name>Entando Plugin: Keycloak</name>
<url>http://www.entando.com/</url>
<build>
<resources>
<resource>
<directory>src/main/resources</directory>
<excludes>
<exclude>src/main/resources/component</exclude>
</excludes>
</resource>
<resource>
<directory>src/main/resources</directory>
<includes>
<include>**/*component.xml</include>
</includes>
<filtering>true</filtering>
</resource>
<resource>
<directory>src/main/java</directory>
<includes>
<include>**/*.properties</include>
<include>**/*.xml</include>
<include>**/*.xsd</include>
<include>**/*.txt</include>
</includes>
</resource>
<resource>
<directory>src/test/java</directory>
<includes>
<include>**/*.sql</include>
<include>**/*.json</include>
</includes>
</resource>
</resources>
<plugins>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
Expand Down
5 changes: 3 additions & 2 deletions .../src/main/java/org/entando/entando/aps/servlet/security/KeycloakAuthenticationFilter.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -87,6 +87,7 @@ public Authentication attemptAuthentication(final HttpServletRequest request, fi
}

final String bearerToken = authorization.substring("Bearer ".length());

final ResponseEntity<AccessToken> resp = oidcService.validateToken(bearerToken);
final AccessToken accessToken = resp.getBody();

Expand All @@ -111,7 +112,7 @@ public Authentication attemptAuthentication(final HttpServletRequest request, fi
setUserOnContext(request, user, userAuthentication);

// TODO optimise to not check on every request
keycloakGroupManager.processNewUser(user);
keycloakGroupManager.processNewUser(user, bearerToken, true);

return userAuthentication;
} catch (EntException e) {
Expand Down Expand Up @@ -174,4 +175,4 @@ public void onAuthenticationFailure(HttpServletRequest request,
response.addHeader("Content-Type", "application/json");
response.getOutputStream().println(objectMapper.writeValueAsString(restResponse));
}
}
}
2 changes: 1 addition & 1 deletion keycloak-plugin/src/main/java/org/entando/entando/keycloak/filter/KeycloakFilter.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -256,7 +256,7 @@ private void doLogin(final HttpServletRequest request, final HttpServletResponse
session.setAttribute(SESSION_PARAM_ID_TOKEN, responseEntity.getBody().getIdToken());
session.setAttribute(SESSION_PARAM_REFRESH_TOKEN, responseEntity.getBody().getRefreshToken());

keycloakGroupManager.processNewUser(user);
keycloakGroupManager.processNewUser(user, responseEntity.getBody().getAccessToken(), true);
saveUserOnSession(request, user);
log.info("Successfully authenticated user {}", user.getUsername());
} catch (HttpClientErrorException e) {
Expand Down
Loading
Loading