[keycloak-user] Anonymous access to scoped resources

Pedro Igor Silva psilva at redhat.com
Mon Mar 6 17:22:32 EST 2017


I see. Recently, we added a DISABLED enforcement mode to adapter config
[1]. But I think your use case requires something different ...

If I understood your use case correctly, you don't want to change
deployment descriptors (web.xml or spring security chain) to mark those
resources as public because the decision whether a resource is public or not
is dynamic, determined by a permission associated with the anonymous policy.
Am I correct? So users can decide whether a resource + scope can be
accessed without forcing authentication?

I think you are right about your proposal. A new filter before the KC filter
kicks in should do the trick, especially if you have a specific endpoint
from where those public resources are served.

Regards.
Pedro Igor

[1] https://issues.jboss.org/browse/KEYCLOAK-3830

On Mon, Mar 6, 2017 at 3:34 PM, ebondu <dev.ebondu at gmail.com> wrote:

> Hi and thanks for your reply,
>
> Serving public resources is not a problem here, I can either change the
> web.xml or change the Spring security chain to serve public resources. But
> what I need is to provide public access to a set of KC protected resources
> (the decision to authorize public access to resources has to be made by
> the KC server with the "anonymous policy").
>
> To illustrate, here is the corresponding use case:
>
> - An admin can create some images with a set of scopes for restricted CRUD
> operations and optionally a "public" scope to allow public access (read
> only) to some images.
> - A user can create some private images with a set of scopes for
> restricted CRUD operations and without public access.
> - A service is in charge of CRUD operations on all images (the service is
> protected by KC Spring filters to manage auth/authz).
> - A public web page has to show the public images created by the admin. As
> it is a public page, images must be accessible without an access token,
> so I can use the CRUD service. Consequently, I need another dedicated
> service that can serve images with the "public" scope only.
>
> My first idea was to secure this service with the same authz Spring filter
> only, but as it depends on the auth filter, I can't do it (the auth filter
> creates the security context from the passed access token).
>
> => A new Spring filter asking directly for permission to access the
> "public" scope + an "anonymous" policy on the KC side seems to be the only
> solution here?
>
>
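
A sketch of the filter discussed in this thread, added here as an example (it is not code from either poster or from the Keycloak project). It assumes the filter is the only security filter mapped on the dedicated public service; the `/public/images/` path and the `AnonymousPermissionClient` interface are hypothetical, the latter standing in for whatever call asks the KC server to evaluate the "public" scope against the anonymous policy.

```java
import java.io.IOException;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.web.filter.OncePerRequestFilter;

public class PublicScopeFilter extends OncePerRequestFilter {

    /** Hypothetical hook: asks the KC server whether the "anonymous" policy grants the scope. */
    public interface AnonymousPermissionClient {
        boolean isGranted(String resourceId, String scope) throws IOException;
    }

    // Assumed dedicated endpoint; the strict id pattern rejects traversal and path parameters.
    private static final Pattern PUBLIC_IMAGE =
            Pattern.compile("^/public/images/([A-Za-z0-9_-]{1,64})$");
    private static final String PUBLIC_SCOPE = "public"; // scope name used in the thread

    private final AnonymousPermissionClient permissions;

    public PublicScopeFilter(AnonymousPermissionClient permissions) {
        this.permissions = permissions;
    }

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
                                    FilterChain chain) throws ServletException, IOException {
        String path = request.getRequestURI().substring(request.getContextPath().length());
        Matcher m = PUBLIC_IMAGE.matcher(path);
        // Anonymous access is read-only and limited to the dedicated endpoint.
        if (!m.matches() || !"GET".equals(request.getMethod())) {
            response.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        boolean granted;
        try {
            granted = permissions.isGranted(m.group(1), PUBLIC_SCOPE);
        } catch (IOException e) {
            granted = false; // fail closed when the authorization server cannot be reached
        }
        if (!granted) {
            // Same answer for "private" and "unknown", so private image ids are not revealed.
            response.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        chain.doFilter(request, response); // no security context is created for the anonymous caller
    }
}
```

Because the decision is fetched per request, revoking the "public" scope on the KC side takes effect without redeploying the service; any caching added in the client should use a short expiry for the same reason.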

