[keycloak-user] Securing subpaths with specific roles

Edem Morny emorny at gmail.com
Thu Jul 17 08:35:53 EDT 2014 

Thanks very much Stian. Will give your 2 suggestions immediate action.

On 7/17/2014 12:33 PM, Stian Thorgersen wrote:
>
> ----- Original Message -----
>> From: "Edem Morny" <emorny at gmail.com>
>> To: keycloak-user at lists.jboss.org
>> Sent: Thursday, 17 July, 2014 1:20:31 PM
>> Subject: [keycloak-user] Securing subpaths with specific roles
>>
>> Hi,
>>
>> I'm currently using beta2 of keycloak, and we are building a new application
>> with keycloak as our security platform.
>>
>> In our web module, all pages are located under the path
>> src/main/webapps/views. Navigation to the index.xhtml file under this path
>> triggers keycloack login, as expected. We've enabled self-registration and
>> assigned the default realm role to be "user", so a new user automatically
>> obtains the "user" role. Here is a snippet of our web.xml file.
>>
>>
>> <security-constraint>
>> <web-resource-collection>
>> <web-resource-name>Users</web-resource-name>
>> <url-pattern>/views/*</url-pattern>
>> </web-resource-collection>
>> <auth-constraint>
>> <role-name>user</role-name>
>> </auth-constraint>
>> </security-constraint>
>> <security-constraint>
>> <web-resource-collection>
>> <web-resource-name>Supervisor</web-resource-name>
>> <url-pattern>/views/supervisor/*</url-pattern>
>> </web-resource-collection>
>> <auth-constraint>
>> <role-name>supervisor</role-name>
>> </auth-constraint>
>> </security-constraint>
>> ...
>>
>> In effect any person with "user" role can view any content directly under
>> /views/*. However, the newly enrolled user is able to navigate to other
>> subpaths under the /views like the /views/supervisor/* which should normally
>> require the user to have the additional "supervisor" role in addition to
>> being "user".
>>
>> So I have 2 questions.
>> 1. Am I doing something wrong with regards to this setup? Does each
>> registered application also need to have roles specified, or should the
>> realm roles be enough. Or is my understanding wrong?
> You'll need to more explicitly specify what patterns a user can access, as with that constraint you're giving permission to everything under view to users with the role 'user'. For example:
>
> <web-resource-collection>
>    <web-resource-name>Users</web-resource-name>
>      <url-pattern>/views/*.jsp</url-pattern>
>      <url-pattern>/views/user/*</url-pattern>
>    </web-resource-collection>
>    <auth-constraint>
>      <role-name>user</role-name>
>    </auth-constraint>
> </security-constraint>
>
>
>> 2. Is there an a means to obtain the roles that a user has after logging in?
>> The IDToken doesn't seem to contain any such information so I can use that
>> with some other security implementation like DeltaSpike's security support
>> in case the above is not supported.
> The roles are available from the AccessToken with getRealmAccess and getResourceAccess methods. The AccessToken can be retrieved using getToken method on KeycloakSecurityContext
>
>> Looking forward to your response. Cheers.
>>
>>
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user


---
This email is free from viruses and malware because avast! Antivirus protection is active.
http://www.avast.com

More information about the keycloak-user mailing list