[keycloak-user] Problems enable policy enforcer for spring security in spring boot.

rafterjiang rafterjiang at hotmail.com
Mon May 22 23:09:23 EDT 2017


I have set up a URL resource policy (for ex: /greeting for USER role) for my
bearer-only client on keycloak server. In this client, implemented with spring
security in spring boot, I have added keycloak.json: 
{
    "realm": "auth",
    "realm-public-key": "key",
    "bearer-only": true,
    "auth-server-url": "http://10.3.42.29:8080/auth",
    "ssl-required": "external",
    "resource": "auth-service",
    "credentials": {
        "secret": "secret"
    },

    "policy-enforcer": {
        "user-managed-access" : {},
        "enforcement-mode" : "ENFORCING",
        "paths": [
            {
                "name" : "resource-greeting"
            }
        ]
    }
}

the "resource-greeting" is the resource name set up in authorization of
client "auth-service" on keycloak server, and it is only accessible by USER
role accounts (a role based policy is also configured with a permission).

Now, I am very confused about what needs to be done on the spring security side. From what
I have read in the examples so far, I have not seen any example using spring
security together with policy enforcer. Most examples enable the
authentication/authorization in SecurityConfig (which extends
KeycloakWebSecurityConfigurerAdapter), so they override the "configure" method where it
uses antMatcher to restrict a URL (/greeting in my case) to certain ROLES. 

See following two examples: 

    @Override
    protected void configure(HttpSecurity http) throws Exception
    {
        http
                .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                .sessionAuthenticationStrategy(sessionAuthenticationStrategy())
                .and()
                .addFilterBefore(keycloakPreAuthActionsFilter(), LogoutFilter.class)
                .addFilterBefore(keycloakAuthenticationProcessingFilter(), X509AuthenticationFilter.class)
                .exceptionHandling().authenticationEntryPoint(authenticationEntryPoint())
                .and()
                .authorizeRequests()
                .antMatchers("/**").authenticated()
                .anyRequest().permitAll();
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception
    {
        super.configure(http);
        http
                .authorizeRequests()
                .antMatchers("/customers*").hasRole("USER")
                .antMatchers("/admin*").hasRole("ADMIN")
                .anyRequest().permitAll();
    }


But as I understand it so far for policy enforcer, all
authentication/authorization should be pushed outside of the code, and be
done by the client adapter based on "paths" in keycloak.json, automatically. 

My question is, what needs to be done in the configure method? If we can do authz
through policy enforcer, why do we still need to authorize in the above configure
method?

I have also seen someone mention adding keycloakAuthenticatedActionsFilter
to make policy enforcer work. How do I do that?

thanks,
Rong



--
View this message in context: http://keycloak-user.88327.x6.nabble.com/Problems-enable-policy-enforcer-for-spring-security-in-spring-boot-tp3933.html
Sent from the keycloak-user mailing list archive at Nabble.com.
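The shape of a configuration that keeps only authentication in Spring Security and leaves the path-to-permission decision to the policy enforcer, as an added example that is not the poster's code and not an answer from the list. It assumes the Keycloak Spring Security adapter of the 3.x line, where the enforcer runs inside the adapter's KeycloakAuthenticatedActionsFilter; the bean name policyEnforcerFilter and the class name PolicyEnforcerSecurityConfig are hypothetical, and whether the adapter base class already registers that filter itself depends on the adapter version, so the explicit addFilterAfter line is an assumption for versions that do not.

```java
// Added example, not the poster's code or the Keycloak project's own code.
// Assumption: Keycloak Spring Security adapter 3.x with keycloak.json on the classpath.
package example.security;   // hypothetical package

import org.keycloak.adapters.springsecurity.KeycloakSecurityComponents;
import org.keycloak.adapters.springsecurity.authentication.KeycloakAuthenticationProvider;
import org.keycloak.adapters.springsecurity.config.KeycloakWebSecurityConfigurerAdapter;
import org.keycloak.adapters.springsecurity.filter.KeycloakAuthenticatedActionsFilter;
import org.keycloak.adapters.springsecurity.filter.KeycloakAuthenticationProcessingFilter;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.ComponentScan;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.authority.mapping.SimpleAuthorityMapper;
import org.springframework.security.web.authentication.logout.LogoutFilter;
import org.springframework.security.web.authentication.preauth.x509.X509AuthenticationFilter;
import org.springframework.security.web.authentication.session.NullAuthenticatedSessionStrategy;
import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy;

@Configuration
@EnableWebSecurity
@ComponentScan(basePackageClasses = KeycloakSecurityComponents.class)
public class PolicyEnforcerSecurityConfig extends KeycloakWebSecurityConfigurerAdapter {

    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) {
        KeycloakAuthenticationProvider provider = keycloakAuthenticationProvider();
        // Map Keycloak role "user" to Spring's ROLE_USER, so a hasRole("USER")
        // check still works if one is ever added alongside the enforcer.
        provider.setGrantedAuthoritiesMapper(new SimpleAuthorityMapper());
        auth.authenticationProvider(provider);
    }

    @Bean
    @Override
    protected SessionAuthenticationStrategy sessionAuthenticationStrategy() {
        // bearer-only service: no HTTP session, every request carries its own token
        return new NullAuthenticatedSessionStrategy();
    }

    // Hypothetical bean name (assumption). The adapter's filter evaluates the
    // "policy-enforcer" section of keycloak.json against the request path using
    // the bearer token that KeycloakAuthenticationProcessingFilter has already
    // validated, and answers 403 when no permission grants the path.
    @Bean
    protected KeycloakAuthenticatedActionsFilter policyEnforcerFilter() {
        return new KeycloakAuthenticatedActionsFilter();
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .csrf().disable()   // stateless bearer-only API: no cookie session to protect
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
            .sessionAuthenticationStrategy(sessionAuthenticationStrategy())
            .and()
            .addFilterBefore(keycloakPreAuthActionsFilter(), LogoutFilter.class)
            .addFilterBefore(keycloakAuthenticationProcessingFilter(), X509AuthenticationFilter.class)
            // The enforcer must run after the token has been validated, otherwise
            // it has no identity to evaluate permissions for.
            .addFilterAfter(policyEnforcerFilter(), KeycloakAuthenticationProcessingFilter.class)
            .exceptionHandling().authenticationEntryPoint(authenticationEntryPoint())
            .and()
            .authorizeRequests()
            // Spring Security asserts only that a valid token is present.
            // Which role may reach /greeting is decided by the "paths" entries in
            // keycloak.json and the permissions on the Keycloak server, so no
            // antMatchers(...).hasRole(...) line is needed for that path here.
            .anyRequest().authenticated();
    }
}
```

With this split, an unauthenticated request is rejected by Spring Security before the enforcer runs, and an authenticated request without a matching permission is rejected by the enforcer; checking the response code of both cases against /greeting is the quickest way to confirm the filter order is right.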

