[keycloak-user] Policy Enforcement Mode cannot be changed.

Pedro Igor Craveiro e Silva psilva at redhat.com
Thu Oct 27 09:13:47 EDT 2016


This one smells like a bug. Can you create a JIRA, please?


On Thu, 2016-10-27 at 00:48 +0800, Joey wrote:
> Thanks Pedro, I think you are right.
> 
> I would like to ask one more question. I want to let Keycloak protect
> most of the resources of my website, but I also want to expose some
> resources to anonymous users; for example, let an anonymous user visit
> all files within the /resources folder. Then I do something like this.
> 
> Tomcat web.xml
> 
>     <security-constraint>
>        <web-resource-collection>
>             <web-resource-name>All Resources</web-resource-name>
>             <url-pattern>/user/login.action</url-pattern>
>             <url-pattern>/jsp/*</url-pattern>
>         </web-resource-collection>
>         <auth-constraint>
>             <role-name>admin</role-name>
>         </auth-constraint>
>     </security-constraint>
> 
>     <security-constraint>
>         <web-resource-collection>
>             <web-resource-name>All Resources</web-resource-name>
>             <url-pattern>/resources/*</url-pattern>
>         </web-resource-collection>
>     </security-constraint>
> 
>     <login-config>
>         <auth-method>KEYCLOAK</auth-method>
>         <realm-name>master</realm-name>
>     </login-config>
> 
>     <security-role>
>         <role-name>admin</role-name>
>     </security-role>
> 
> Keycloak
> 
> I don't create a permission that controls the folder [/resources] or
> its parent folder.
> 
> But when I tried to visit a file in the folder [/resources], I got an
> HTTP 500 error.
> 
> 
> java.lang.RuntimeException: Failed to enforce policy decisions.
> org.keycloak.adapters.AuthenticatedActionsHandler.isAuthorized(AuthenticatedActionsHandler.java:149)
> org.keycloak.adapters.AuthenticatedActionsHandler.handledRequest(AuthenticatedActionsHandler.java:60)
> org.keycloak.adapters.tomcat.AuthenticatedActionsValve.invoke(AuthenticatedActionsValve.java:63)
> org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:505)
> org.keycloak.adapters.tomcat.AbstractKeycloakAuthenticatorValve.invoke(AbstractKeycloakAuthenticatorValve.java:187)
> org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
> org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:956)
> org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:436)
> org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1078)
> org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:625)
> org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:316)
> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
> org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
> java.lang.Thread.run(Thread.java:745)
> 
> root cause
> 
> java.lang.NullPointerException
> org.keycloak.adapters.authorization.AbstractPolicyEnforcer.authorize(AbstractPolicyEnforcer.java:68)
> org.keycloak.adapters.authorization.PolicyEnforcer.enforce(PolicyEnforcer.java:76)
> org.keycloak.adapters.AuthenticatedActionsHandler.isAuthorized(AuthenticatedActionsHandler.java:142)
> org.keycloak.adapters.AuthenticatedActionsHandler.handledRequest(AuthenticatedActionsHandler.java:60)
> org.keycloak.adapters.tomcat.AuthenticatedActionsValve.invoke(AuthenticatedActionsValve.java:63)
> 
> 
> Any suggestions? Thanks.
> 
> Joey
> 
> 
> On Wed, Oct 26, 2016 at 7:55 PM, Pedro Igor Craveiro e Silva
> <psilva at redhat.com> wrote:
> > 
> > From your logs it seems that access was actually GRANTED. So your user
> > should be able to access that resource:
> > 
> >         Oct 26, 2016 7:37:33
> > org.keycloak.adapters.authorization.PolicyEnforcer enforce DEBUG:
> > Returning authorization context with permissions:
> > 
> > You don't have any permission in the logs because when you set
> > enforcement-mode to DISABLE, the enforcer will just let the request
> > pass.
> > 
> > Maybe you have some other constraint applied to your resource within
> > your application?
> > 
> > On Wed, 2016-10-26 at 19:40 +0800, Joey wrote:
> > > 
> > > Hi Guys,
> > > 
> > > I read from the documents, and my understanding is that if I set
> > > Policy Enforcement Mode to disable, then any user can access all
> > > resources. But I tried to set it to disable, and nothing changed.
> > > 
> > > For example,
> > > 
> > > I have a role called Role_A and set a user Tom to this Role_A. If I
> > > set a resource access policy without Role_A, this user Tom cannot
> > > access this resource. And I can see some logs in Tomcat.
> > > 
> > > Oct 26, 2016 7:37:33 PM
> > > org.keycloak.adapters.authorization.PolicyEnforcer enforce
> > > 
> > > DEBUG: Policy enforcement is enable. Enforcing policy decisions for
> > > path [http://operation.iishang-intr.com:9111/op/jsp/base/loginStatistics/portalLoginStatistics.jsp].
> > > 
> > > Oct 26, 2016 7:37:33 PM
> > > org.keycloak.adapters.authorization.PolicyEnforcer enforce
> > > 
> > > DEBUG: Policy enforcement result for path
> > > [http://operation.iishang-intr.com:9111/op/jsp/base/loginStatistics/portalLoginStatistics.jsp]
> > > is : GRANTED
> > > 
> > > Oct 26, 2016 7:37:33 PM
> > > org.keycloak.adapters.authorization.PolicyEnforcer enforce
> > > 
> > > DEBUG: Returning authorization context with permissions:
> > > 
> > > 
> > > Joey
> > > _______________________________________________
> > > keycloak-user mailing list
> > > keycloak-user at lists.jboss.org
> > > https://lists.jboss.org/mailman/listinfo/keycloak-user
> > --
> > Pedro Igor
-- 
Pedro Igor
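
Added example (editor's note; this is not code from the thread or from the Keycloak project): a keycloak.json fragment for the Tomcat adapter showing the two places enforcement-mode can be set. The top-level enforcement-mode is the setting Joey toggled between ENFORCING and DISABLED; the per-path entry for /resources/* is how the adapter's policy-enforcer configuration can exempt a public path from policy evaluation while the rest of the application stays enforced. It assumes the adapter version in use supports paths[].enforcement-mode. The realm name master and the /resources/* path come from Joey's web.xml above; the auth-server-url, the client id op-app and the credentials value are placeholders, not values from the thread. JSON permits no comments, so the assumptions are listed here rather than inline.

```json
{
  "realm": "master",
  "resource": "op-app",
  "auth-server-url": "https://ASSUMED-keycloak-host/auth",
  "ssl-required": "external",
  "credentials": {
    "secret": "ASSUMED-client-secret"
  },
  "policy-enforcer": {
    "enforcement-mode": "ENFORCING",
    "paths": [
      {
        "name": "Public static files",
        "path": "/resources/*",
        "enforcement-mode": "DISABLED"
      }
    ]
  }
}
```

With the top-level mode left at ENFORCING, requests for /jsp/* and /user/login.action are still evaluated against the permissions defined in Keycloak, while requests under /resources/* skip the enforcer entirely, so keep that path as narrow as possible: anything deployed under it is reachable without a policy decision. Whether this avoids the NullPointerException in AbstractPolicyEnforcer.authorize that Joey reports is not established by the thread, which is why Pedro asks for a JIRA. The adapter also documents a PERMISSIVE top-level mode that lets requests through when no resource matches the path but still evaluates the ones that do; that is the documented alternative when the set of public paths is not known in advance, at the cost of failing open for any path that was never registered as a resource.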

