[keycloak-user] Policy Enforcer in Spring Security Adapter

Ilya Korol llivezking at gmail.com
Mon Mar 27 22:45:11 EDT 2017


Hi. I've just tried to make it work again but failed. I defined all 
resources in keycloak and added the appropriate configs to keycloak.json for 
the adapter.


I used default configs for adapter spring beans, taken from docs:

     ...
     <security:http auto-config="false" entry-point-ref="keycloakAuthenticationEntryPoint">
         <security:custom-filter ref="keycloakPreAuthActionsFilter" before="LOGOUT_FILTER" />
         <security:custom-filter ref="keycloakAuthenticationProcessingFilter" before="FORM_LOGIN_FILTER" />
         <security:intercept-url pattern="/**" access="ROLE_USER"/>
         <security:custom-filter ref="logoutFilter" position="LOGOUT_FILTER" />
     </security:http>

example of spring controller:

import org.keycloak.KeycloakPrincipal;
import org.keycloak.representations.AccessToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class ProfileController {

     @RequestMapping(method = RequestMethod.GET, value = "/profile")
     public AccessToken getUserByToken() throws KeycloakApiException {
         // Principal populated by KeycloakAuthenticationProcessingFilter after bearer authentication
         Authentication auth = SecurityContextHolder.getContext().getAuthentication();
         KeycloakPrincipal principal = (KeycloakPrincipal) auth.getPrincipal();

         // Return the caller's parsed access token
         return principal.getKeycloakSecurityContext().getToken();
     }
     ...
}

Application is running on localhost:8080/apps/{spring-endpoint}, so 
spring-root is localhost:8080/apps, and I set this URL as base in client 
settings in keycloak.

So far the strangest thing for me is that the adapter doesn't print any logs 
related to authorization during requests; I see only this:
DEBUG org.keycloak.adapters.PreAuthActionsHandler - adminRequest http://localhost:8080/apps/profile
DEBUG org.keycloak.adapters.springsecurity.filter.KeycloakAuthenticationProcessingFilter - Request is to process authentication
DEBUG org.keycloak.adapters.springsecurity.filter.KeycloakAuthenticationProcessingFilter - Attempting Keycloak authentication
DEBUG org.keycloak.adapters.springsecurity.authentication.SpringSecurityRequestAuthenticator - Completing bearer authentication. Bearer roles: [ROLE_USER, ROLE_ADMIN]
DEBUG org.keycloak.adapters.RequestAuthenticator - User 'aa93b5d9-f02a-4557-a8b6-c7f083475bd5' invoking 'http://localhost:8080/apps/profile' on client 'apps-backend'
DEBUG org.keycloak.adapters.RequestAuthenticator - Bearer AUTHENTICATED
DEBUG org.keycloak.adapters.springsecurity.filter.KeycloakAuthenticationProcessingFilter - Auth outcome: AUTHENTICATED
DEBUG org.keycloak.adapters.springsecurity.filter.KeycloakAuthenticationProcessingFilter - Authentication success using bearer token/basic authentication. Updating SecurityContextHolder to contain: org.keycloak.adapters.springsecurity.token.KeycloakAuthenticationToken@4259cc27: Principal: aa93b5d9-f02a-4557-a8b6-c7f083475bd5; Credentials: [PROTECTED]; Authenticated: true; Details: org.keycloak.adapters.springsecurity.account.SimpleKeycloakAccount@c4e0280; Granted Authorities: KeycloakRole{role='ROLE_USER'}, KeycloakRole{role='ROLE_ADMIN'}

keycloak.json: ===========================================
{
   "realm": "test",
   "auth-server-url": "http://localhost:8081/auth",
   "ssl-required": "external",
   "resource": "apps-backend",
   "bearer-only": true,
   "credentials": {
     "secret": "74070785-cabf-4d28-83d7-f2dc31f081f5"
   },
   "policy-enforcer": {
     "user-managed-access": {},
     "enforcement-mode" : "ENFORCING",
     "paths": [
       {
         "name": "User Info",
         "path" : "/profile/userinfo",
         "methods" : [
           {
             "method": "GET",
             "scopes" : ["urn:apps-backend:scopes:userinfo:view"]
           },
           {
             "method": "POST",
             "scopes" : ["urn:apps-backend:scopes:userinfo:edit"]
           }
         ]
       },
       {
         "name" : "User Permissions",
         "path" : "/profile/permissions",
         "methods" : [
           {
             "method": "GET",
             "scopes" : ["urn:apps-backend:scopes:permissions:view"]
           }
         ]
       },
       {
         "name" : "User Profile",
         "path" : "/profile",
         "methods" : [
           {
             "method": "GET",
             "scopes" : ["urn:apps-backend:scopes:profile:view"]
           }
         ]
       },
       {
         "name" : "User Token",
         "path" : "/profile/token"
       },
       {
         "name" : "User Id Token"
       }
     ]
   }
}


keycloak-server authz-dump:=====================================

{
   "allowRemoteResourceManagement": true,
   "policyEnforcementMode": "ENFORCING",
   "resources": [
     {
       "name": "User Info",
       "uri": "/profile/userinfo",
       "type": "urn:apps-backend:resources:profile:userinfo",
       "scopes": [
         {
           "name": "urn:apps-backend:scopes:userinfo:edit"
         },
         {
           "name": "urn:apps-backend:scopes:userinfo:view"
         }
       ],
       "typedScopes": []
     },
     {
       "name": "User Profile",
       "uri": "/profile",
       "type": "urn:apps-backend:resources:profile",
       "scopes": [
         {
           "name": "urn:apps-backend:scopes:profile:view"
         }
       ],
       "typedScopes": []
     },
     {
       "name": "User Permissions",
       "uri": "/profile/permissions",
       "type": "urn:apps-backend:resources:profile:permissions",
       "scopes": [
         {
           "name": "urn:apps-backend:scopes:permissions:view"
         }
       ],
       "typedScopes": []
     },
     {
       "name": "User Token",
       "uri": "/profile/token",
       "type": "urn:apps-backend:resources:profile:token",
       "typedScopes": []
     },
     {
       "name": "User Id Token",
       "uri": "/profile/idtoken",
       "type": "urn:apps-backend:resources:profile:idtoken",
       "typedScopes": []
     }
   ],
   "policies": [
     {
       "name": "Is user",
       "type": "role",
       "logic": "POSITIVE",
       "decisionStrategy": "UNANIMOUS",
       "config": {
         "roles": "[{\"id\":\"ROLE_USER\",\"required\":true}]"
       }
     },
     {
       "name": "Is merchant",
       "type": "role",
       "logic": "POSITIVE",
       "decisionStrategy": "UNANIMOUS",
       "config": {
         "roles": "[{\"id\":\"ROLE_MERCHANT\",\"required\":true}]"
       }
     },
     {
       "name": "Edit User Info",
       "type": "scope",
       "logic": "POSITIVE",
       "decisionStrategy": "UNANIMOUS",
       "config": {
         "resources": "[\"User Info\"]",
         "scopes": "[\"urn:apps-backend:scopes:userinfo:edit\"]",
         "applyPolicies": "[\"Is user\"]"
       }
     },
     {
       "name": "View User Permissions",
       "type": "scope",
       "logic": "POSITIVE",
       "decisionStrategy": "UNANIMOUS",
       "config": {
         "resources": "[\"User Permissions\"]",
         "scopes": "[\"urn:apps-backend:scopes:permissions:view\"]",
         "applyPolicies": "[\"Is user\"]"
       }
     },
     {
       "name": "View User Info",
       "type": "scope",
       "logic": "POSITIVE",
       "decisionStrategy": "UNANIMOUS",
       "config": {
         "resources": "[\"User Info\"]",
         "scopes": "[\"urn:apps-backend:scopes:userinfo:view\"]",
         "applyPolicies": "[\"Is user\"]"
       }
     },
     {
       "name": "View Profile",
       "type": "scope",
       "logic": "POSITIVE",
       "decisionStrategy": "UNANIMOUS",
       "config": {
         "resources": "[\"User Profile\"]",
         "scopes": "[\"urn:apps-backend:scopes:profile:view\"]",
         "applyPolicies": "[\"Is user\"]"
       }
     },
     {
       "name": "Access Profile",
       "type": "resource",
       "logic": "POSITIVE",
       "decisionStrategy": "UNANIMOUS",
       "config": {
         "resources": "[\"User Profile\"]",
         "applyPolicies": "[\"Is user\"]"
       }
     },
     {
       "name": "Token Access",
       "type": "resource",
       "logic": "POSITIVE",
       "decisionStrategy": "UNANIMOUS",
       "config": {
         "resources": "[\"User Token\"]",
         "applyPolicies": "[\"Is merchant\"]"
       }
     }
   ],
   "scopes": [
     {
       "name": "urn:apps-backend:scopes:permissions:view"
     },
     {
       "name": "urn:apps-backend:scopes:userinfo:view"
     },
     {
       "name": "urn:apps-backend:scopes:userinfo:edit"
     },
     {
       "name": "urn:apps-backend:scopes:profile:view"
     }
   ]
}

On 28.03.2017 00:02, ebondu wrote:
> Илья Король wrote
>> Hi. Thanks for the comment. Could you please share your configs, or at least
>> which method did you use? Manual configuration in keycloak.json, or
>> relying on resources defined in keycloak?
> Both, all resources are defined in the keycloak.json (methods paths) and
> also as resources in the keycloak server
>
>
> Илья Король wrote
>> And correct me if i'm wrong:
>>
>> Authorization requires an RPT token, so for a bearer-only client (backend) I
>> must provide this token, which is retrieved beforehand via the Entitlement
>> API or UMA protocol?
> You are right, I am using the UMA protocol but it should also work with
> Entitlement.
>
>
> Илья Король wrote
>> And how should the client be configured in keycloak? As bearer-only or
>> confidential? As I said, my application started only if I configured it
>> in keycloak as confidential (if I make it bearer-only it fails to start
>> and complains about credentials)
> I configured the client as confidential.
>
>
> Илья Король wrote
>> Another thing that I didn't catch is the resource method configuration (for
>> instance):
>> { "method": "DELETE", "scopes" : ["urn:app.com:scopes:delete"] }
>> If I configure the adapter to retrieve all resource settings from keycloak, how
>> can I configure methods for resources and their scopes in the Keycloak Admin
>> Console?
> Methods and associated scopes are configured in the keycloak.json only.
> Resources, scopes and associated policies are defined in keycloak.
>
> A small extract from the conf :
>
> keycloak.json :
>
> {
>     "realm": "...",
>     "resource": "backend",
>      ...
>     "bearer-only": true,
>     ...
>     "policy-enforcer": {
>        "create-resources":false,
>        "user-managed-access": {
>        },
>        "enforcement-mode": "ENFORCING",
>        "paths": [
>           {
>              "path": "/yourMethod",
>              "methods": [
>                 {
>                    "method": "POST",
>                    "scopes": [
>                       "urn:app:scopes:create"
>                    ]
>                 },
> 	     ...
>           }
>        ]
>     }
> }
>
> realm authz json :
>
> {
>    "allowRemoteResourceManagement": true,
>    "policyEnforcementMode": "ENFORCING",
>    "resources": [
>      {
>        "name": "My Resource",
>        "uri": "/myMethod",
>        "scopes": [
>          {
>            "name": "urn:app:scopes:create"
>          },
>         ...
>      }],
>      "policies": [...your policies],
>       "scopes": [
>      {
>        "name": "urn:app:scopes:create"
>      },
>      ...
>      ]
>
>
>
>
> --
> View this message in context: http://keycloak-user.88327.x6.nabble.com/keycloak-user-Policy-Enforcer-in-Spring-Security-Adapter-tp3324p3334.html
> Sent from the keycloak-user mailing list archive at Nabble.com.
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
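A consistency check for the two documents posted in this thread, added here as an example (it is not code from the thread or from Keycloak): it loads constructed, abbreviated copies of the keycloak.json policy-enforcer paths and the server-side authz export, matches adapter entries to server resources by name (this script's own convention, the real enforcer matches on the request path), and reports entries with no `path`, URI mismatches, method scopes the resource lacks, and resources that no resource- or scope-based permission names.

```python
import json

# Constructed, abbreviated copies of the two documents in the thread: the adapter's
# keycloak.json policy-enforcer section and the server-side authorization export.
ADAPTER = {"policy-enforcer": {"enforcement-mode": "ENFORCING", "paths": [
    {"name": "User Info", "path": "/profile/userinfo", "methods": [
        {"method": "GET", "scopes": ["urn:apps-backend:scopes:userinfo:view"]},
        {"method": "POST", "scopes": ["urn:apps-backend:scopes:userinfo:edit"]}]},
    {"name": "User Profile", "path": "/profile",
     "methods": [{"method": "GET", "scopes": ["urn:apps-backend:scopes:profile:view"]}]},
    {"name": "User Token", "path": "/profile/token"},
    {"name": "User Id Token"},  # no "path" here, exactly as in the posted keycloak.json
]}}
AUTHZ = {"resources": [
    {"name": "User Info", "uri": "/profile/userinfo", "scopes": [
        {"name": "urn:apps-backend:scopes:userinfo:edit"},
        {"name": "urn:apps-backend:scopes:userinfo:view"}]},
    {"name": "User Profile", "uri": "/profile", "scopes": [{"name": "urn:apps-backend:scopes:profile:view"}]},
    {"name": "User Token", "uri": "/profile/token"},
    {"name": "User Id Token", "uri": "/profile/idtoken"},
], "policies": [  # the export stores each policy's config values as JSON-encoded strings
    {"name": "View User Info", "type": "scope", "config": {"resources": '["User Info"]'}},
    {"name": "Access Profile", "type": "resource", "config": {"resources": '["User Profile"]'}},
    {"name": "Token Access", "type": "resource", "config": {"resources": '["User Token"]'}},
]}

def check_enforcer_config(adapter, authz):
    """Return one finding per disagreement between adapter paths and server resources."""
    findings = []
    by_name = {r["name"]: r for r in authz["resources"]}
    permitted = set()  # resources named by at least one resource- or scope-based permission
    for pol in authz.get("policies", []):
        if pol["type"] in ("resource", "scope"):
            permitted.update(json.loads(pol["config"].get("resources", "[]")))
    for entry in adapter["policy-enforcer"]["paths"]:
        name = entry.get("name", entry.get("path"))
        res = by_name.get(name)
        if res is None:
            findings.append(f"{name}: no resource with this name on the server")
            continue
        if "path" not in entry:
            findings.append(f"{name}: keycloak.json has no 'path' (server uri {res.get('uri')})")
        elif entry["path"] != res.get("uri"):
            findings.append(f"{name}: path {entry['path']} differs from server uri {res.get('uri')}")
        server_scopes = {s["name"] for s in res.get("scopes", [])}
        for m in entry.get("methods", []):
            for scope in sorted(set(m.get("scopes", [])) - server_scopes):
                findings.append(f"{name}: {m['method']} requires scope {scope} not on the resource")
        if name not in permitted:
            findings.append(f"{name}: no resource or scope permission grants it, requests will be denied")
    return findings
```

On the posted configuration it reports "User Id Token" twice: the keycloak.json entry has no `path`, and no permission on the server names that resource, so in ENFORCING mode requests to it are denied.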


