[keycloak-user] Spring Boot adapter with HTTP verb based authorization

Sebastien Blanc sblanc at redhat.com
Wed Feb 22 08:23:54 EST 2017


Hi,
Yes sorry, I replied yesterday without double checking the code, this
should work:

keycloak.securityConstraints[0].securityCollections[0].methods[0] = GET

I will create a ticket to improve the documentation for this.

On Wed, Feb 22, 2017 at 2:13 PM, Andreea Ciuprina <aciuprin at mpi-bremen.de>
wrote:

> Hi Sebastien,
>
>
> Thank you for your answer.
>
> After adding your suggestion to the security constraints, I get the
> following error:
>
>
> Error creating bean with name 'keycloak-org.keycloak.adapters.springboot.KeycloakSpringBootProperties':
> Could not bind properties to KeycloakSpringBootProperties (prefix=keycloak,
> ignoreInvalidFields=false, ignoreUnknownFields=false,
> ignoreNestedProperties=false); nested exception is
> org.springframework.boot.bind.RelaxedBindingNotWritablePropertyException:
> Failed to bind 'keycloak.securityConstraints[0].securityCollections[0].http-method'
> from 'applicationConfig: [classpath:/application.properties]' to
> 'securityConstraints[0].securityCollections[0].http-method' property on
> 'org.keycloak.adapters.springboot.KeycloakSpringBootProperties$
> SecurityConstraint'
>
>
> My configuration looks like this:
>
>
>
> keycloak.securityConstraints[0].securityCollections[0].name = secured end points
> keycloak.securityConstraints[0].securityCollections[0].authRoles[0] = admin
> keycloak.securityConstraints[0].securityCollections[0].authRoles[1] = user
> keycloak.securityConstraints[0].securityCollections[0].patterns[0] = /api/v1/hello/*
> keycloak.securityConstraints[0].securityCollections[0].http-method = GET
>
> Do you know what the problem could be?
>
>
> Thank you!
>
> Best,
>
> Andreea
>
>
>
> -----Original message-----
> *From:* Sebastien Blanc <sblanc at redhat.com>
> *Sent:* Tuesday 21st February 2017 17:43
> *To:* Andreea Ciuprina <aciuprin at mpi-bremen.de>
> *Cc:* keycloak-user at lists.jboss.org
> *Subject:* Re: [keycloak-user] Spring Boot adapter with HTTP verb based
> authorization
>
> You can add the configuration about the policy enforcer in your
> application.properties, just one difference with the keycloak.json is that
> you must write "policy-enforcer-config" (instead of just policy-enforcer).
>
> Regarding HTTP verb authz, it *should* work since the Spring Boot adapter
> just passes along the configuration to the underlying servlet container
> (Tomcat, Undertow or Jetty).
>
> But even without using the authorization layer, you should be able to
> achieve this by configuring the security constraints.
>
> keycloak.securityConstraints[1].securityCollections[0].http-method = GET
> etc ...
>
>
>
> On Tue, Feb 21, 2017 at 5:18 PM, Andreea Ciuprina <aciuprin at mpi-bremen.de>
> wrote:
>
>> Hello!
>>
>>
>>
>> We are building an online application for which we are using Keycloak for
>> authentication and authorization, connected to our Spring Boot backend
>> using the Spring Boot adapter.
>>
>> We would like to achieve more fine-grained authorization, more
>> specifically, we would like to set up HTTP verb based authorization, for
>> example, allow only GET requests for some end-points, GET and POST for
>> others, only POST for other end-points etc.
>>
>> I am aware of the Policy Enforcer adapter, but I could not find any
>> specific documentation regarding how to use that with Spring Boot, where
>> there is no keycloak.json file used for configuration.
>>
>>
>>
>> Therefore, my questions are:
>>
>> 1. Can HTTP verb based authorization be achieved using the Spring Boot
>> adapter?
>>
>> 2. If the answer to question 1 is yes, then could you please provide a
>> minimal configuration example?
>>
>>
>>
>> Thank you!
>>
>> Best regards,
>>
>> Andreea
>>
>> ---------------------------------------------------------
>>
>> Andreea Ciuprina
>>
>> Bioinformatics Group
>> Max Planck Institute for Marine Microbiology
>>
>> Celsiusstraße 1
>> 28359 Bremen
>> Germany
>>
>> Phone: +49(0) 421 2028 982
>> Email: aciuprin at mpi-bremen.de
>>
>> &
>>
>> Jacobs University Bremen,
>> 28759 Bremen, Germany
>> Email: a.ciuprina at jacobs-university.de
>>
>
>
>