[keycloak-user] Securing subpaths with specific roles
Edem Morny
emorny at gmail.com
Thu Jul 17 07:14:16 EDT 2014
Hi,
I'm currently using beta2 of keycloak, and we are building a new
application with keycloak as our security platform.
In our web module, all pages are located under the path
src/main/webapps/views. Navigation to the index.xhtml file under this path
triggers keycloack login, as expected. We've enabled self-registration and
assigned the default realm role to be "user", so a new user automatically
obtains the "user" role. Here is a snippet of our web.xml file.
<security-constraint>
<web-resource-collection>
<web-resource-name>Users</web-resource-name>
<url-pattern>/views/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>user</role-name>
</auth-constraint>
</security-constraint>
<security-constraint>
<web-resource-collection>
<web-resource-name>Supervisor</web-resource-name>
<url-pattern>/views/supervisor/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>supervisor</role-name>
</auth-constraint>
</security-constraint>
...
In effect any person with "user" role can view any content directly under
/views/*. However, the newly enrolled user is able to navigate to other
subpaths under the /views like the /views/supervisor/* which should
normally require the user to have the additional "supervisor" role in
addition to being "user".
So I have 2 questions.
1. Am I doing something wrong with regards to this setup? Does each
registered application also need to have roles specified, or should the
realm roles be enough. Or is my understanding wrong?
2. Is there an a means to obtain the roles that a user has after logging
in? The IDToken doesn't seem to contain any such information.
Looking forward to your response. Cheers.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20140717/2dfdac18/attachment.html
More information about the keycloak-user
mailing list