java source code of RequireRoleAuthenticator

keycloak-extension-playground-master
- .github
  - FUNDING.yml
- plain-js-frontend
  - start3.sh
  - start.sh
  - webapp
    - styles.css
    - app.js
    - index.html
- simple-javascript-extensions
  - src
    - main
      - resources
        my-script-authenticator.js
        META-INF
        keycloak-scripts.json
        my-script-mapper.js
  - pom.xml
- simple-custom-saml-protocol
  - src
    - main
      - resources
        META-INF
        services
        org.keycloak.protocol.LoginProtocolFactory
        jboss-deployment-structure.xml
      - java
        com
        github
        thomasdarimont
        keycloak
        saml
        protocol
        CustomSamlProtocol.java
        CustomSamlProtocolFactory.java
  - pom.xml
- smallrye-metrics-extension
  - src
    - main
      - java
        demo
        keycloak
        smallrye
        KeycloakMetricRecorder.java
        KeycloakMetricsEventListener.java
        KeycloakAdminEvent.java
        KeycloakMetricsEventListenerFactory.java
        KeycloakMetrics.java
        KeycloakEvent.java
  - pom.xml
  - readme.md
- simple-auth-extension
  - src
    - main
      - resources
        META-INF
        services
        org.keycloak.authentication.AuthenticatorFactory
      - java
        com
        github
        thomasdarimont
        keycloak
        auth
        simple
        SimpleAuthenticatorFactory.java
        SimpleAuthenticator.java
  - pom.xml
- auth-check-authz-policy-extension
  - src
    - main
      - java
        com
        github
        thomasdarimont
        keycloak
        auth
        authzpolicy
        AuthzPolicyAuthenticator.java
        AuthzPolicyAuthenticatorFactory.java
  - pom.xml
  - readme.md
- reset-password-after-login-eventlistener-extension
  - src
    - main
      - java
        com
        github
        thomasdarimont
        keycloak
        events
        simple
        UnsetPasswordEventListenerProviderFactory.java
        UnsetPasswordEventListenerProvider.java
  - pom.xml
- simple-event-listener
  - src
    - main
      - resources
        META-INF
        services
        org.keycloak.events.EventListenerProviderFactory
      - java
        com
        github
        thomasdarimont
        keycloak
        events
        simple
        SimpleEventListenerProviderFactory.java
        SimpleEventListenerProvider.java
  - pom.xml
- smallrye-health-extension
  - src
    - main
      - java
        demo
        keycloak
        smallrye
        health
        KeycloakHealthChecks.java
  - pom.xml
  - readme.md
- pom.xml
- tenant-selection-form-extension
  - src
    - main
      - resources
        theme-resources
        templates
        tenant-select-form.ftl
      - java
        com
        github
        thomasdarimont
        keycloak
        auth
        mandselect
        TenantSelectorAuthenticatorFormFactory.java
        TenantSelectorAuthenticatorForm.java
  - pom.xml
- auth-require-group-extension
  - src
    - main
      - resources
        META-INF
        services
        org.keycloak.authentication.AuthenticatorFactory
      - java
        com
        github
        thomasdarimont
        keycloak
        auth
        requiregroup
        RequireGroupAuthenticator.java
        RequireGroupAuthenticatorFactory.java
  - pom.xml
  - media
  - README.md
- simple-saml-mapper
  - src
    - main
      - resources
        META-INF
        services
        org.keycloak.protocol.ProtocolMapper
      - java
        com
        github
        thomasdarimont
        keycloak
        saml
        simple
        SimpleSamlMapper.java
  - pom.xml
- LICENSE
- simple-formaction-extension
  - src
    - main
      - resources
        META-INF
        services
        org.keycloak.authentication.FormActionFactory
      - java
        com
        github
        thomasdarimont
        keycloak
        register
        MobileValidation.java
        RegistrationValidateMobileFormActionFactory.java
        RegistrationValidateMobileFormAction.java
  - pom.xml
- simple-oidc-mapper
  - src
    - main
      - resources
        META-INF
        services
        org.keycloak.protocol.ProtocolMapper
      - java
        com
        github
        thomasdarimont
        keycloak
        oidc
        mapper
        simple
        SimpleOidcMapper.java
  - pom.xml
- thirdparty-mfa-auth-extension
  - src
    - main
      - resources
        theme-resources
        templates
        custom-mfa-form-otp.ftl
        custom-mfa-form-push.ftl
        mfa-messages.properties
      - java
        keycloak
        auth
        MfaVerifyResponse.java
        MfaMessages.java
        ThirdPartyMfaAuthenticator.java
        MfaClient.java
        MfaChallengeRequest.java
        MfaChallengeResponse.java
        MfaResponse.java
        MfaMethod.java
        ThirdPartyMfaAuthenticatorFactory.java
        MockMfaClient.java
        MfaVerifyRequest.java
  - pom.xml
- keycloak-playground-server
  - src
    - main
      - resources
        logging.properties
      - java
        com
        github
        thomasdarimont
        keycloak
        server
        smallrye
        MetricsServlet.java
        KeycloakPlaygroundServer.java
  - pom.xml
  - data
    - .gitkeep
- auth-identity-first-extension
  - src
    - main
      - resources
        theme
        auth-identity-first-extension-theme
        theme.properties
        login
        resources
        messages.properties
        messages_de.properties
        js
        identity-first.js
        css
        identity-first.css
        theme-resources
        templates
        validate-password-form.ftl
        select-user-form.ftl
        META-INF
        keycloak-themes.json
      - java
        com
        github
        thomasdarimont
        keycloak
        auth
        identityfirst
        SelectUserAuthenticatorFormFactory.java
        PasswordAuthenticatorForm.java
        AbstractIdentityFirstUsernameFormAuthenticator.java
        SelectUserAuthenticatorForm.java
        PasswordAuthenticatorFormFactory.java
  - pom.xml
  - readme.md
- auth-require-access-policy-extension
  - src
    - main
      - java
        com
        github
        thomasdarimont
        keycloak
        auth
        accesspolicy
        AccessPolicyAuthenticator.java
        AccessPolicyAuthenticatorFactory.java
        support
        AccessPolicyEntry.java
        AccessPolicyParser.java
        AccessPolicy.java
  - pom.xml
  - readme.md
- simple-realm-rest-resource
  - src
    - main
      - resources
        META-INF
        services
        org.keycloak.services.resource.RealmResourceProviderFactory
      - java
        com
        github
        thomasdarimont
        keycloak
        simple
        SimpleRealmResourceProviderFactory.java
        SimpleRealmResourceProvider.java
        SimpleRealmResource.java
  - pom.xml
- adhoc-keycloak-extensions
  - src
    - main
      - java
        demo
        keycloak
        oidcmappers
        OriginalSubClaimMapper.java
        RemoteOidcMapper.java
        PairwiseSubCollectorOidcMapper.java
        LdapQueryOidcMapper.java
        CrossRealmClientAuthMapper.java
        auth
        AdHocAuthenticator.java
        MinPasswordAgeAuthenticator.java
        MinPasswordAgeAuthenticatorFactory.java
        AdHocAuthenticatorFactory.java
        ConditionalOnScopePresentAuthenticatorFactory.java
        ConditionalOnScopePresentAuthenticator.java
  - pom.xml
- auth-dynamic-idp-redirector-extension
  - src
    - main
      - java
        com
        github
        thomasdarimont
        keycloak
        auth
        dynamicidp
        DynamicIdpRedirectAuthenticatorFactory.java
        DynamicIdpRedirectAuthenticator.java
  - pom.xml
- jaxrs-request-filter-extension
  - src
    - main
      - java
        com
        github
        thomasdarimont
        keycloak
        global
        GlobalRequestResponseFilterResourceProvider.java
        GlobalRequestResponseFilter.java
  - pom.xml
- auth-session-propagation-extension
  - src
    - main
      - java
        demo
        Main.java
        com
        github
        thomasdarimont
        keycloak
        auth
        sessionprop
        CryptoUtil.java
        SessionPropagationAuthenticator.java
        SessionPropagationAuthenticatorFactory.java
  - pom.xml
- virtual-client-storage-provider-extension
  - src
    - main
      - java
        com
        github
        thomasdarimont
        keycloak
        virtualclients
        VirtualClientModelGenerator.java
        mappers
        DynamicClaimMapper.java
        VirtualClientModel.java
        VirtualClientStorageProviderFactory.java
        VirtualClientStorageProvider.java
  - pom.xml
  - readme.md
- auth-require-role-extension
  - src
    - main
      - resources
        META-INF
        services
        org.keycloak.authentication.AuthenticatorFactory
      - java
        com
        github
        thomasdarimont
        keycloak
        auth
        requirerole
        RequireRoleAuthenticator.java
        RequireRoleAuthenticatorFactory.java
  - pom.xml
- tools
  - js-spa-frontend
    - start3.sh
    - start.bat
    - start.sh
    - webapp
      - styles.css
      - app.js
      - index.html
- readme.md
- simple-theme
  - src
    - main
      - themes
        demo
        account
        theme.properties
        messages
        messages_en.properties
        account.ftl
        template.ftl
        login
        register.ftl
        resources
        img
        jugsaar-logo.jpeg
        css
        login-custom.css
        theme.properties
        messages
        messages_en.properties
        wjax18
        login
        resources
        img
        WJAX_18_Website_Header_45485_v2_web.jpg
        css
        login-custom.css
        theme.properties
  - pom.xml
  - package.json
- .gitignore
- auth-login-notify-email-extension
  - src
    - main
      - resources
        messages.properties
      - java
        demo
        keycloak
        auth
        notify
        LoginNotifyEmailAuthenticator.java
        LoginNotifyEmailAuthenticatorFactory.java
        LoginNotifyEmailMessages.java
  - pom.xml
- simple-auth-form-extension
  - src
    - main
      - resources
        theme-resources
        templates
        simple-form.ftl
        META-INF
        services
        org.keycloak.authentication.AuthenticatorFactory
      - java
        com
        github
        thomasdarimont
        keycloak
        auth
        simpleform
        SimpleAuthenticatorFormFactory.java
        SimpleAuthenticatorForm.java
  - pom.xml

package com.github.thomasdarimont.keycloak.auth.requirerole;

import org.jboss.logging.Logger;
import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.authentication.Authenticator;
import org.keycloak.events.Errors;
import org.keycloak.models.AuthenticatorConfigModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.RoleModel;
import org.keycloak.models.UserModel;
import org.keycloak.models.utils.FormMessage;
import org.keycloak.models.utils.RoleUtils;
import org.keycloak.services.messages.Messages;

import java.util.Set;

import static org.keycloak.models.utils.KeycloakModelUtils.getRoleFromString;

/**
 * Simple {@link Authenticator} that checks of the user has a given {@link RoleModel Role}.
 */
public class RequireRoleAuthenticator implements Authenticator {

    private static final Logger LOG = Logger.getLogger(RequireRoleAuthenticator.class);

    @Override
    public void authenticate(AuthenticationFlowContext context) {

        AuthenticatorConfigModel configModel = context.getAuthenticatorConfig();

        String roleName = configModel.getConfig().get(RequireRoleAuthenticatorFactory.ROLE);
        RealmModel realm = context.getRealm();
        UserModel user = context.getUser();

        if (userHasRole(realm, user, roleName)) {
            context.success();
            return;
        }

        LOG.debugf("Access denied because of missing role. realm=%s username=%s role=%s", realm.getName(), user.getUsername(), roleName);
        context.getEvent().user(user);
        context.getEvent().error(Errors.NOT_ALLOWED);
        context.forkWithErrorMessage(new FormMessage(Messages.NO_ACCESS));
    }

    /**
     * @param realm
     * @param user
     * @param roleName
     * @return true if roleName is in any of all user role mappings including all groups of user
     */
    private boolean userHasRole(RealmModel realm, UserModel user, String roleName) {

        if (roleName == null) {
            return false;
        }

        LOG.debugf("Checking if user=%s has role=%s", user.getUsername(), roleName);
        RoleModel requiredRole = getRoleFromString(realm, roleName);

        // First perform cheap role check for direct or composite roles
        Set<RoleModel> directAssignedRoles = user.getRoleMappings();
        if (RoleUtils.hasRole(directAssignedRoles, requiredRole)) {
            return true;
        }

        // Next perform more expensive roles check for group membership role mappings
        Set<RoleModel> nestedAssignedRoles = RoleUtils.getDeepUserRoleMappings(user);
        if (RoleUtils.hasRole(nestedAssignedRoles, requiredRole)) {
            return true;
        }

        LOG.debugf("User does not have the required role. user=%s role=%s assignedRoles=%s", user.getUsername(), requiredRole, nestedAssignedRoles);
        return false;
    }


    @Override
    public boolean requiresUser() {
        return false;
    }

    @Override
    public boolean configuredFor(KeycloakSession session, RealmModel realm, UserModel user) {
        return true;
    }

    @Override
    public void setRequiredActions(KeycloakSession session, RealmModel realm, UserModel user) {
        // NOOP
    }

    @Override
    public void action(AuthenticationFlowContext context) {
        // NOOP
    }

    @Override
    public void close() {
        // NOOP
    }
}