[keycloak-user] Policy Enforcer in Spring Security Adapter

Илья Король llivezking at gmail.com
Mon Mar 27 21:48:17 EDT 2017


Hi. I've just tried to make it work again but failed. I defined all
resources in Keycloak and added the appropriate configs to keycloak.json for
the adapter.

I used the default configs for the adapter's Spring beans, taken from the docs:

    ...
    <security:http auto-config="false" entry-point-ref="keycloakAuthenticationEntryPoint">
        <security:custom-filter ref="keycloakPreAuthActionsFilter" before="LOGOUT_FILTER" />
        <security:custom-filter ref="keycloakAuthenticationProcessingFilter" before="FORM_LOGIN_FILTER" />
        <security:intercept-url pattern="/**" access="ROLE_USER"/>
        <security:custom-filter ref="logoutFilter" position="LOGOUT_FILTER" />
    </security:http>

Example of a Spring controller:

import org.keycloak.KeycloakPrincipal;
import org.keycloak.KeycloakSecurityContext;
import org.keycloak.representations.AccessToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class ProfileController {

    // Returns the parsed access token of the caller authenticated by the Keycloak adapter.
    @RequestMapping(method = RequestMethod.GET, value = "/profile")
    public AccessToken getUserByToken() throws KeycloakApiException {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        // The adapter stores a KeycloakPrincipal as the principal of the Authentication.
        KeycloakPrincipal<KeycloakSecurityContext> principal =
            (KeycloakPrincipal<KeycloakSecurityContext>) auth.getPrincipal();

        return principal.getKeycloakSecurityContext().getToken();
    }
    ...
}

The application is running on localhost:8080/apps/{spring-endpoint}, so the
Spring root is localhost:8080/apps, and I set this URL as the base in the client
settings in Keycloak.

So far the strangest thing for me is that the adapter doesn't print any logs
related to authorization during requests; I see only this:
DEBUG org.keycloak.adapters.PreAuthActionsHandler - adminRequest http://localhost:8080/apps/profile
DEBUG org.keycloak.adapters.springsecurity.filter.KeycloakAuthenticationProcessingFilter - Request is to process authentication
DEBUG org.keycloak.adapters.springsecurity.filter.KeycloakAuthenticationProcessingFilter - Attempting Keycloak authentication
DEBUG org.keycloak.adapters.springsecurity.authentication.SpringSecurityRequestAuthenticator - Completing bearer authentication. Bearer roles: [ROLE_USER, ROLE_ADMIN]
DEBUG org.keycloak.adapters.RequestAuthenticator - User 'aa93b5d9-f02a-4557-a8b6-c7f083475bd5' invoking 'http://localhost:8080/apps/profile' on client 'apps-backend'
DEBUG org.keycloak.adapters.RequestAuthenticator - Bearer AUTHENTICATED
DEBUG org.keycloak.adapters.springsecurity.filter.KeycloakAuthenticationProcessingFilter - Auth outcome: AUTHENTICATED
DEBUG org.keycloak.adapters.springsecurity.filter.KeycloakAuthenticationProcessingFilter - Authentication success using bearer token/basic authentication. Updating SecurityContextHolder to contain: org.keycloak.adapters.springsecurity.token.KeycloakAuthenticationToken@4259cc27: Principal: aa93b5d9-f02a-4557-a8b6-c7f083475bd5; Credentials: [PROTECTED]; Authenticated: true; Details: org.keycloak.adapters.springsecurity.account.SimpleKeycloakAccount@c4e0280; Granted Authorities: KeycloakRole{role='ROLE_USER'}, KeycloakRole{role='ROLE_ADMIN'}

keycloak.json: ===========================================
{
  "realm": "test",
  "auth-server-url": "http://localhost:8081/auth",
  "ssl-required": "external",
  "resource": "apps-backend",
  "bearer-only": true,
  "credentials": {
    "secret": "74070785-cabf-4d28-83d7-f2dc31f081f5"
  },
  "policy-enforcer": {
    "user-managed-access": {},
    "enforcement-mode" : "ENFORCING",
    "paths": [
      {
        "name": "User Info",
        "path" : "/profile/userinfo",
        "methods" : [
          {
            "method": "GET",
            "scopes" : ["urn:apps-backend:scopes:userinfo:view"]
          },
          {
            "method": "POST",
            "scopes" : ["urn:apps-backend:scopes:userinfo:edit"]
          }
        ]
      },
      {
        "name" : "User Permissions",
        "path" : "/profile/permissions",
        "methods" : [
          {
            "method": "GET",
            "scopes" : ["urn:apps-backend:scopes:permissions:view"]
          }
        ]
      },
      {
        "name" : "User Profile",
        "path" : "/profile",
        "methods" : [
          {
            "method": "GET",
            "scopes" : ["urn:apps-backend:scopes:profile:view"]
          }
        ]
      },
      {
        "name" : "User Token",
        "path" : "/profile/token"
      },
      {
        "name" : "User Id Token"
      }
    ]
  }
}


keycloak-server authz-dump:=====================================

{
  "allowRemoteResourceManagement": true,
  "policyEnforcementMode": "ENFORCING",
  "resources": [
    {
      "name": "User Info",
      "uri": "/profile/userinfo",
      "type": "urn:apps-backend:resources:profile:userinfo",
      "scopes": [
        {
          "name": "urn:apps-backend:scopes:userinfo:edit"
        },
        {
          "name": "urn:apps-backend:scopes:userinfo:view"
        }
      ],
      "typedScopes": []
    },
    {
      "name": "User Profile",
      "uri": "/profile",
      "type": "urn:apps-backend:resources:profile",
      "scopes": [
        {
          "name": "urn:apps-backend:scopes:profile:view"
        }
      ],
      "typedScopes": []
    },
    {
      "name": "User Permissions",
      "uri": "/profile/permissions",
      "type": "urn:apps-backend:resources:profile:permissions",
      "scopes": [
        {
          "name": "urn:apps-backend:scopes:permissions:view"
        }
      ],
      "typedScopes": []
    },
    {
      "name": "User Token",
      "uri": "/profile/token",
      "type": "urn:apps-backend:resources:profile:token",
      "typedScopes": []
    },
    {
      "name": "User Id Token",
      "uri": "/profile/idtoken",
      "type": "urn:apps-backend:resources:profile:idtoken",
      "typedScopes": []
    }
  ],
  "policies": [
    {
      "name": "Is user",
      "type": "role",
      "logic": "POSITIVE",
      "decisionStrategy": "UNANIMOUS",
      "config": {
        "roles": "[{\"id\":\"ROLE_USER\",\"required\":true}]"
      }
    },
    {
      "name": "Is merchant",
      "type": "role",
      "logic": "POSITIVE",
      "decisionStrategy": "UNANIMOUS",
      "config": {
        "roles": "[{\"id\":\"ROLE_MERCHANT\",\"required\":true}]"
      }
    },
    {
      "name": "Edit User Info",
      "type": "scope",
      "logic": "POSITIVE",
      "decisionStrategy": "UNANIMOUS",
      "config": {
        "resources": "[\"User Info\"]",
        "scopes": "[\"urn:apps-backend:scopes:userinfo:edit\"]",
        "applyPolicies": "[\"Is user\"]"
      }
    },
    {
      "name": "View User Permissions",
      "type": "scope",
      "logic": "POSITIVE",
      "decisionStrategy": "UNANIMOUS",
      "config": {
        "resources": "[\"User Permissions\"]",
        "scopes": "[\"urn:apps-backend:scopes:permissions:view\"]",
        "applyPolicies": "[\"Is user\"]"
      }
    },
    {
      "name": "View User Info",
      "type": "scope",
      "logic": "POSITIVE",
      "decisionStrategy": "UNANIMOUS",
      "config": {
        "resources": "[\"User Info\"]",
        "scopes": "[\"urn:apps-backend:scopes:userinfo:view\"]",
        "applyPolicies": "[\"Is user\"]"
      }
    },
    {
      "name": "View Profile",
      "type": "scope",
      "logic": "POSITIVE",
      "decisionStrategy": "UNANIMOUS",
      "config": {
        "resources": "[\"User Profile\"]",
        "scopes": "[\"urn:apps-backend:scopes:profile:view\"]",
        "applyPolicies": "[\"Is user\"]"
      }
    },
    {
      "name": "Access Profile",
      "type": "resource",
      "logic": "POSITIVE",
      "decisionStrategy": "UNANIMOUS",
      "config": {
        "resources": "[\"User Profile\"]",
        "applyPolicies": "[\"Is user\"]"
      }
    },
    {
      "name": "Token Access",
      "type": "resource",
      "logic": "POSITIVE",
      "decisionStrategy": "UNANIMOUS",
      "config": {
        "resources": "[\"User Token\"]",
        "applyPolicies": "[\"Is merchant\"]"
      }
    }
  ],
  "scopes": [
    {
      "name": "urn:apps-backend:scopes:permissions:view"
    },
    {
      "name": "urn:apps-backend:scopes:userinfo:view"
    },
    {
      "name": "urn:apps-backend:scopes:userinfo:edit"
    },
    {
      "name": "urn:apps-backend:scopes:profile:view"
    }
  ]
}

