Keycloak: added authentication

Author: Olard

deploy/docker-compose.yml

@@ -1,28 +1,28 @@
 version: '3'
 services:
-  backend:
-    image: gufalcon/http-server:latest
-    restart: always
-    depends_on:
-      - db
-    ports:
-      - "1280:8080"
-      - "12443:8443"
-    environment:
-      - HTTP_PORT=8080
-      - HTTP_HOST=0.0.0.0
-      - DB_DRIVER=mysql
-      - DB_SERVER=db
-      - DB_PORT=3306
-      - DB_NAME=httpserver
-      - DB_USER=httpserver
-      - DB_PASSWORD=DP5V7hi7xgknaH39lDTX
-    labels:
-      - "traefik.enable=true"
-      - "traefik.http-server.port=8080"
-      - "traefik.http-server.backend=http-server"
-      - "traefik.http-server.frontend.rule=Host:http-server.unterrainer.info"
-      - "traefik.http-server.frontend.entryPoints=http,https"
+#  backend:
+#    image: gufalcon/http-server:latest
+#    restart: always
+#    depends_on:
+#      - db
+#    ports:
+#      - "1280:8080"
+#      - "12443:8443"
+#    environment:
+#      - HTTP_PORT=8080
+#      - HTTP_HOST=0.0.0.0
+#      - DB_DRIVER=mysql
+#      - DB_SERVER=db
+#      - DB_PORT=3306
+#      - DB_NAME=httpserver
+#      - DB_USER=httpserver
+#      - DB_PASSWORD=DP5V7hi7xgknaH39lDTX
+#    labels:
+#      - "traefik.enable=true"
+#      - "traefik.http-server.port=8080"
+#      - "traefik.http-server.backend=http-server"
+#      - "traefik.http-server.frontend.rule=Host:http-server.unterrainer.info"
+#      - "traefik.http-server.frontend.entryPoints=http,https"
 
   db:
     image: mariadb:latest
@@ -37,6 +37,34 @@ services:
     volumes:
       - "/app/data/http-server/mysql-data/db:/var/lib/mysql"
 
+  keycloak_db:
+    image: mariadb:latest
+    restart: always
+    ports:
+      - 14310:3306
+    environment:
+      - MYSQL_ROOT_PASSWORD=3YazHzbLuzChlwroXLSm5I
+      - MYSQL_DATABASE=keycloak
+      - MYSQL_USER=keycloak
+      - MYSQL_PASSWORD=8KNM3flMpEyCYkFw5wrGoCN3
+    volumes:
+      - "/app/data/keycloak/mysql-data/db:/var/lib/mysql"
+
+  keycloak:
+      image: quay.io/keycloak/keycloak:latest
+      environment:
+        DB_VENDOR: mariadb
+        DB_ADDR: keycloak_db
+        DB_DATABASE: keycloak
+        DB_USER: keycloak
+        DB_PASSWORD: 8KNM3flMpEyCYkFw5wrGoCN3
+        KEYCLOAK_USER: admin
+        KEYCLOAK_PASSWORD: cTWJiYZDutP6tYxXnv2yg0A
+      ports:
+        - 8080:8080
+      depends_on:
+        - keycloak_db
+
 networks:
   default:
     external:

pom.xml

@@ -57,6 +57,11 @@
 			<artifactId>jetty-server</artifactId>
 			<version>9.4.30.v20200611</version>
 		</dependency>
+		<dependency>
+			<groupId>org.keycloak</groupId>
+			<artifactId>keycloak-core</artifactId>
+			<version>11.0.2</version>
+		</dependency>
 	</dependencies>
 
 </project>

src/main/java/info/unterrainer/commons/httpserver/HttpServer.java

@@ -14,6 +14,7 @@
 import org.eclipse.jetty.server.Server;
 import org.eclipse.jetty.server.ServerConnector;
 
+import info.unterrainer.commons.httpserver.accessmanager.HttpAccessManager;
 import info.unterrainer.commons.httpserver.daos.DaoTransactionManager;
 import info.unterrainer.commons.httpserver.enums.Attribute;
 import info.unterrainer.commons.httpserver.exceptions.HttpException;
@@ -96,7 +97,7 @@ private void create() {
 		server.setConnectors(new ServerConnector[] { connector });
 
 		javalin = Javalin.create(config -> {
-			config.server(() -> server).enableCorsForAllOrigins();
+			config.server(() -> server).accessManager(new HttpAccessManager()).enableCorsForAllOrigins();
 		}).start(config.port());
 
 		javalin.before(ctx -> ctx.attribute(Attribute.JAVALIN_SERVER, this));

src/main/java/info/unterrainer/commons/httpserver/accessmanager/DefaultRoles.java

@@ -0,0 +1,7 @@
+package info.unterrainer.commons.httpserver.accessmanager;
+
+import io.javalin.core.security.Role;
+
+public enum DefaultRoles implements Role {
+	PUBLIC, AUTHENTICATED;
+}

src/main/java/info/unterrainer/commons/httpserver/accessmanager/HttpAccessManager.java

@@ -0,0 +1,84 @@
+package info.unterrainer.commons.httpserver.accessmanager;
+
+import java.io.IOException;
+import java.io.UncheckedIOException;
+import java.net.URI;
+import java.net.URISyntaxException;
+import java.net.http.HttpClient;
+import java.net.http.HttpRequest;
+import java.net.http.HttpResponse;
+import java.net.http.HttpResponse.BodyHandlers;
+import java.security.PublicKey;
+import java.util.Set;
+
+import org.eclipse.jetty.http.HttpHeader;
+import org.keycloak.TokenVerifier;
+import org.keycloak.common.VerificationException;
+import org.keycloak.representations.AccessToken;
+import org.keycloak.representations.idm.PublishedRealmRepresentation;
+
+import com.fasterxml.jackson.databind.ObjectMapper;
+
+import info.unterrainer.commons.httpserver.exceptions.ForbiddenException;
+import info.unterrainer.commons.httpserver.exceptions.UnauthorizedException;
+import io.javalin.core.security.AccessManager;
+import io.javalin.core.security.Role;
+import io.javalin.http.Context;
+import io.javalin.http.Handler;
+
+public class HttpAccessManager implements AccessManager {
+
+	private PublicKey publicKey;
+
+	public HttpAccessManager() {
+		try {
+			String authUrl = "http://localhost:8080" + "/auth/realms/" + "nexus";
+
+			HttpClient client = HttpClient.newHttpClient();
+			HttpRequest request = HttpRequest.newBuilder().uri(new URI(authUrl)).build();
+			ObjectMapper objectMapper = new ObjectMapper();
+
+			client.sendAsync(request, BodyHandlers.ofString()).thenApply(HttpResponse::body).thenAccept(body -> {
+				try {
+					publicKey = objectMapper.readValue(body, PublishedRealmRepresentation.class).getPublicKey();
+				} catch (IOException e) {
+					throw new UncheckedIOException(e);
+				}
+			}).join();
+		} catch (URISyntaxException e) {
+			throw new IllegalStateException(e);
+		}
+
+	}
+
+	@Override
+	public void manage(Handler handler, Context ctx, Set<Role> permittedRoles) throws Exception {
+
+		checkAccess(ctx, permittedRoles);
+
+		handler.handle(ctx);
+	}
+
+	private void checkAccess(Context ctx, Set<Role> permittedRoles) {
+
+		if (permittedRoles.isEmpty() || permittedRoles.contains(DefaultRoles.PUBLIC)) {
+			return;
+		}
+
+		String authorizationHeader = ctx.header(HttpHeader.AUTHORIZATION.asString());
+		TokenVerifier<AccessToken> accessToken = TokenVerifier.create(authorizationHeader, AccessToken.class);
+		accessToken.publicKey(publicKey);
+
+		try {
+			accessToken.verifySignature();
+		} catch (VerificationException e) {
+			throw new UnauthorizedException();
+		}
+
+		try {
+			accessToken.verify();
+		} catch (VerificationException e) {
+			throw new ForbiddenException();
+		}
+	}
+}

src/main/java/info/unterrainer/commons/httpserver/exceptions/ForbiddenException.java

@@ -0,0 +1,21 @@
+package info.unterrainer.commons.httpserver.exceptions;
+
+public class ForbiddenException extends HttpException {
+
+	private static final long serialVersionUID = -9128226690837369251L;
+
+	public static final int HTTP_STATUS = 403;
+	public static final String HTTP_TEXT = "Forbidden";
+
+	public ForbiddenException(final String message, final Throwable cause) {
+		super(HTTP_STATUS, HTTP_TEXT, message, cause);
+	}
+
+	public ForbiddenException(final String message) {
+		super(HTTP_STATUS, HTTP_TEXT, message);
+	}
+
+	public ForbiddenException() {
+		super(HTTP_STATUS, HTTP_TEXT);
+	}
+}

src/main/java/info/unterrainer/commons/httpserver/exceptions/UnauthorizedException.java

@@ -0,0 +1,21 @@
+package info.unterrainer.commons.httpserver.exceptions;
+
+public class UnauthorizedException extends HttpException {
+
+	private static final long serialVersionUID = -8429546406728629818L;
+
+	public static final int HTTP_STATUS = 401;
+	public static final String HTTP_TEXT = "Unauthorized";
+
+	public UnauthorizedException(final String message, final Throwable cause) {
+		super(HTTP_STATUS, HTTP_TEXT, message, cause);
+	}
+
+	public UnauthorizedException(final String message) {
+		super(HTTP_STATUS, HTTP_TEXT, message);
+	}
+
+	public UnauthorizedException() {
+		super(HTTP_STATUS, HTTP_TEXT);
+	}
+}

src/test/java/info/unterrainer/commons/httpserver/scripts/LocalTestServer.java

@@ -3,6 +3,7 @@
 import javax.persistence.EntityManagerFactory;
 
 import info.unterrainer.commons.httpserver.HttpServer;
+import info.unterrainer.commons.httpserver.accessmanager.DefaultRoles;
 import info.unterrainer.commons.httpserver.daos.JpqlDao;
 import info.unterrainer.commons.httpserver.daos.JpqlTransactionManager;
 import info.unterrainer.commons.httpserver.enums.Endpoint;
@@ -42,7 +43,7 @@ public static void main(final String[] args) throws Exception {
 	private static void startServer() {
 		HttpServer server = HttpServer.builder().applicationName("local-test-server").build();
 
-		server.get("/status", new StatusHandler(mapper));
+		server.get("/status", new StatusHandler(mapper), DefaultRoles.AUTHENTICATED);
 		server.handlerGroupFor(TestJpa.class, TestJson.class, new JpqlTransactionManager(emf))
 				.path("/test")
 				.endpoints(Endpoint.ALL)