[keycloak-user] Securing GET/POST/DELETE in different way
Karol Buler
K.Buler at adbglobal.com
Tue Oct 24 04:34:41 EDT 2017
Unfortunately this is a spring-boot application, but there is a possibility
to attach a web.xml, I think. Thanks! I am considering using it instead of Zuul.
On 24.10.2017 10:28, Sebastien Blanc wrote:
> Are you in a Java EE app?
>
> In your security constraints, you can specify which method is allowed
> along with the role. For instance :
>
> <security-constraint>
>   <web-resource-collection>
>     <web-resource-name>admin</web-resource-name>
>     <url-pattern>/users</url-pattern>
>     <http-method>POST</http-method>
>   </web-resource-collection>
>   <auth-constraint>
>     <role-name>admin</role-name>
>   </auth-constraint>
> </security-constraint>
>
> <security-constraint>
>   <web-resource-collection>
>     <web-resource-name>user</web-resource-name>
>     <url-pattern>/users</url-pattern>
>     <http-method>GET</http-method>
>   </web-resource-collection>
>   <auth-constraint>
>     <role-name>user</role-name>
>   </auth-constraint>
> </security-constraint>
>
>
>
> On Tue, Oct 24, 2017 at 9:45 AM, Karol Buler <K.Buler at adbglobal.com> wrote:
>
> Hi Bettina,
>
> thank you for response, but this is not exactly what I want. With
> enforcement filter we can define which methods (paths) should be
> protected, but not which ROLE has access to the resources.
>
> I realized this with API Gateway based on Zuul.
>
> Regards,
> Karol
>
>
> On 24.10.2017 08:09, Hübner, Bettina wrote:
> > Hi Karol,
> >
> > Perhaps this might help you:
> >
> > http://www.keycloak.org/docs/latest/authorization_services/topics/enforcer/keycloak-enforcement-filter.html
> >
> > Regards,
> > Bettina
> >
> >
> >
> >
> > -----Original Message-----
> > From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On behalf of Karol Buler
> > Sent: Monday, 23 October 2017 10:45
> > To: keycloak-user at lists.jboss.org
> > Subject: [keycloak-user] Securing GET/POST/DELETE in different way
> >
> > Hi all,
> >
> > is there any possibility to secure GET/POST/DELETE etc. methods in a
> > different way?
> >
> > e.g.
> >
> > endpoint: /users
> >
> > GET: for Keycloak's role 'user'
> >
> > POST: for Keycloak's role 'users_admin'
> >
> > and so on. The result is that a user with 'user' cannot create another
> > user in our system.
> >
> > Regards,
> > Karol
> >
> >
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>