lurodrig/CustomKeycloakSamlFilter.java

## CustomKeycloakSamlFilter.java
/*
web.xml fragment

    <filter>
        <filter-name>CustomKeycloakSamlFilter</filter-name>
        <filter-class>ch.cern.sso.cross.context.security.filter.CustomKeycloakSamlFilter</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>CustomKeycloakSamlFilter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>
*/

import org.keycloak.adapters.saml.servlet.SamlFilter;

public class CustomKeycloakSamlFilter extends SamlFilter implements Filter {

    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain fc) throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) servletRequest;
        HttpServletResponse response = (HttpServletResponse) servletResponse;
        LOGGER.log(Level.FINEST, "Context: {0} RequestURI: {1}", new Object[]{request.getServletContext().getContextPath(), request.getRequestURI()});
        Optional<Cookie> authToken = sessionUtils.searchCookie(request, SessionConstants.AUTH_TOKEN);
        if (authToken.isPresent() && sessionUtils.isValid(authToken.get()) && samlSessionAPI.get(authToken.get().getValue()) != null) {
            if (sessionUtils.isLogoutRequest(request)) {
                // Kill our custom secret
                if (sessionUtils.isCustomLogoutRequest(request)) {
                    // Remove the shared-context session object
                    SamlSessionBean samlSessionBean = samlSessionAPI.remove(authToken.get().getValue());
                    LOGGER.log(Level.FINEST, "Session of user {0} killed", samlSessionBean.getSamlSession().getPrincipal().getName());
                    // Invalidate this session
                    response.addCookie(expireCookie(authToken.get()));
                }
                // No SAMLSession in the current session means that the user did not logged in via this context
                if (request.getSession().getAttribute(SamlSession.class.getName()) == null) {
                    // Trigger the SAML Single Logout from the initial context
                    response.sendRedirect(samlSessionAPI.get(authToken.get().getValue()).getInitialContextPath() + "/?GLO=true");
                } else {
                    // Leave always the SAMLFilter to deal with the logout request/response
                    super.doFilter(request, response, fc);
                }
            } else {
                // All good! Invoke next filter/resource in the chain
                fc.doFilter(servletRequest, servletResponse);
            }
        } else {
            // User has not been authenticated: leave SAMLFilter to deal with it
            super.doFilter(request, response, fc);
            // User has been authenticated. Create the secret for accesing other contexts
            Optional<SamlSession> samlSession = Optional.ofNullable((SamlSession) request.getSession().getAttribute(SamlSession.class.getName()));
            if (samlSession.isPresent()) {
                authToken = setCookie(response);
                storeSession(samlSession, authToken, request.getServletContext().getContextPath());
            }
        }
    }
}
	/*
	web.xml fragment

	<filter>
	<filter-name>CustomKeycloakSamlFilter</filter-name>
	<filter-class>ch.cern.sso.cross.context.security.filter.CustomKeycloakSamlFilter</filter-class>
	</filter>
	<filter-mapping>
	<filter-name>CustomKeycloakSamlFilter</filter-name>
	<url-pattern>/*</url-pattern>
	</filter-mapping>
	*/

	import org.keycloak.adapters.saml.servlet.SamlFilter;

	public class CustomKeycloakSamlFilter extends SamlFilter implements Filter {

	@Override
	public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain fc) throws IOException, ServletException {
	HttpServletRequest request = (HttpServletRequest) servletRequest;
	HttpServletResponse response = (HttpServletResponse) servletResponse;
	LOGGER.log(Level.FINEST, "Context: {0} RequestURI: {1}", new Object[]{request.getServletContext().getContextPath(), request.getRequestURI()});
	Optional<Cookie> authToken = sessionUtils.searchCookie(request, SessionConstants.AUTH_TOKEN);
	if (authToken.isPresent() && sessionUtils.isValid(authToken.get()) && samlSessionAPI.get(authToken.get().getValue()) != null) {
	if (sessionUtils.isLogoutRequest(request)) {
	// Kill our custom secret
	if (sessionUtils.isCustomLogoutRequest(request)) {
	// Remove the shared-context session object
	SamlSessionBean samlSessionBean = samlSessionAPI.remove(authToken.get().getValue());
	LOGGER.log(Level.FINEST, "Session of user {0} killed", samlSessionBean.getSamlSession().getPrincipal().getName());
	// Invalidate this session
	response.addCookie(expireCookie(authToken.get()));
	}
	// No SAMLSession in the current session means that the user did not logged in via this context
	if (request.getSession().getAttribute(SamlSession.class.getName()) == null) {
	// Trigger the SAML Single Logout from the initial context
	response.sendRedirect(samlSessionAPI.get(authToken.get().getValue()).getInitialContextPath() + "/?GLO=true");
	} else {
	// Leave always the SAMLFilter to deal with the logout request/response
	super.doFilter(request, response, fc);
	}
	} else {
	// All good! Invoke next filter/resource in the chain
	fc.doFilter(servletRequest, servletResponse);
	}
	} else {
	// User has not been authenticated: leave SAMLFilter to deal with it
	super.doFilter(request, response, fc);
	// User has been authenticated. Create the secret for accesing other contexts
	Optional<SamlSession> samlSession = Optional.ofNullable((SamlSession) request.getSession().getAttribute(SamlSession.class.getName()));
	if (samlSession.isPresent()) {
	authToken = setCookie(response);
	storeSession(samlSession, authToken, request.getServletContext().getContextPath());
	}
	}
	}
	}