[keycloak-user] Problems enable policy enforcer for spring security in spring boot.
Pedro Igor Silva
psilva at redhat.com
Tue May 23 07:14:53 EDT 2017
Can you take a look at https://github.com/keycloak/keycloak-quickstarts/pull/26 ?
It is a fairly simple SB quickstart using authorization services.
We do need more examples and better documentation for Spring Boot
integration. Any help is appreciated.
FYI, we have an open JIRA [1] for supporting keycloak.json with SB. This
should make things simpler when enabling authz in your applications.
[1] https://issues.jboss.org/browse/KEYCLOAK-4942
On Tue, May 23, 2017 at 12:09 AM, rafterjiang <rafterjiang at hotmail.com> wrote:
> I have set up a URL resource policy (for example: /greeting for the USER role) for
> my bearer-only client on the Keycloak server. In this client, implemented with
> Spring Security in Spring Boot, I have added keycloak.json:
> {
>   "realm": "auth",
>   "realm-public-key": "key",
>   "bearer-only": true,
>   "auth-server-url": "http://10.3.42.29:8080/auth",
>   "ssl-required": "external",
>   "resource": "auth-service",
>   "credentials": {
>     "secret": "secret"
>   },
>   "policy-enforcer": {
>     "user-managed-access": {},
>     "enforcement-mode": "ENFORCING",
>     "paths": [
>       {
>         "name": "resource-greeting"
>       }
>     ]
>   }
> }
>
> "resource-greeting" is the resource name set up in the authorization settings of
> client "auth-service" on the Keycloak server, and it is only accessible to USER
> role accounts (a role-based policy is also configured with a permission).
>
> Now, I am very confused about what needs to be done on the Spring Security side.
> From the examples I have read so far, I have not seen any example using Spring
> Security together with the policy enforcer. Most examples enable
> authentication/authorization in SecurityConfig (which extends
> KeycloakWebSecurityConfigurerAdapter), overriding the "configure" method, where
> antMatchers are used to restrict a URL (/greeting in my case) to certain ROLES.
>
> See following two examples:
>
> @Override
> protected void configure(HttpSecurity http) throws Exception {
>     http
>         .sessionManagement()
>             .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
>             .sessionAuthenticationStrategy(sessionAuthenticationStrategy())
>             .and()
>         .addFilterBefore(keycloakPreAuthActionsFilter(), LogoutFilter.class)
>         .addFilterBefore(keycloakAuthenticationProcessingFilter(), X509AuthenticationFilter.class)
>         .exceptionHandling().authenticationEntryPoint(authenticationEntryPoint())
>             .and()
>         .authorizeRequests()
>             .antMatchers("/**").authenticated()
>             .anyRequest().permitAll();
> }
>
> @Override
> protected void configure(HttpSecurity http) throws Exception {
>     super.configure(http);
>     http
>         .authorizeRequests()
>             .antMatchers("/customers*").hasRole("USER")
>             .antMatchers("/admin*").hasRole("ADMIN")
>             .anyRequest().permitAll();
> }
>
>
> But as I understand it so far, with the policy enforcer all
> authentication/authorization should be pushed outside of the code and be
> done by the client adapter based on the "paths" in keycloak.json, automatically.
>
> My question is, what needs to be done in the configure method? If we can do authz
> through the policy enforcer, why do we still need to authorize in the above configure
> method?
>
> I have also seen someone mention adding keycloakAuthenticatedActionsFilter
> to make the policy enforcer work; how do I do that?
>
> thanks,
> Rong
>
>
>
> --
> View this message in context: http://keycloak-user.88327.x6.nabble.com/Problems-enable-policy-enforcer-for-spring-security-in-spring-boot-tp3933.html
> Sent from the keycloak-user mailing list archive at Nabble.com.