[keycloak-user] Securing GET/POST/DELETE in different way

Sebastien Blanc sblanc at redhat.com
Tue Oct 24 04:36:49 EDT 2017


Even easier with Spring Boot ;) :

keycloak.security-constraints[0].authRoles[0]=admin
keycloak.security-constraints[0].securityCollections[0].methods[0]=POST
keycloak.security-constraints[0].securityCollections[0].patterns[0]=/products/*

keycloak.security-constraints[1].authRoles[0]=user
keycloak.security-constraints[1].securityCollections[0].methods[0]=GET
keycloak.security-constraints[1].securityCollections[0].patterns[0]=/products/*


On Tue, Oct 24, 2017 at 10:34 AM, Karol Buler <K.Buler at adbglobal.com> wrote:

> Unfortunately this is a Spring Boot application, but there is a possibility to
> attach a web.xml, I think. Thanks! I am considering using it instead of Zuul.
>
> On 24.10.2017 10:28, Sebastien Blanc wrote:
>
> Are you in a Java EE app?
>
> In your security constraints, you can specify which method is allowed
> along with the role. For instance :
>
> <security-constraint>
>     <web-resource-collection>
>         <web-resource-name>admin</web-resource-name>
>         <url-pattern>/users</url-pattern>
>         <http-method>POST</http-method>
>     </web-resource-collection>
>     <auth-constraint>
>         <role-name>admin</role-name>
>     </auth-constraint>
> </security-constraint>
> <security-constraint>
>     <web-resource-collection>
>         <web-resource-name>user</web-resource-name>
>         <url-pattern>/users</url-pattern>
>         <http-method>GET</http-method>
>     </web-resource-collection>
>     <auth-constraint>
>         <role-name>user</role-name>
>     </auth-constraint>
> </security-constraint>
>
>
>
>
> On Tue, Oct 24, 2017 at 9:45 AM, Karol Buler <K.Buler at adbglobal.com>
> wrote:
>
>> Hi Bettina,
>>
>> thank you for your response, but this is not exactly what I want. With the
>> enforcement filter we can define which methods (paths) should be
>> protected, but not which ROLE has access to the resources.
>>
>> I realized this with an API gateway based on Zuul.
>>
>> Regards,
>> Karol
>>
>>
>> On 24.10.2017 08:09, Hübner, Bettina wrote:
>> > Hi Karol,
>> >
>> > Perhaps this might help you:
>> > http://www.keycloak.org/docs/latest/authorization_services/t
>> opics/enforcer/keycloak-enforcement-filter.html
>> >
>> > Regards,
>> > Bettina
>> >
>> >
>> >
>> >
>> > -----Original Message-----
>> > From: keycloak-user-bounces at lists.jboss.org [mailto:
>> keycloak-user-bounces at lists.jboss.org] On Behalf Of Karol Buler
>> > Sent: Monday, 23 October 2017 10:45
>> > To: keycloak-user at lists.jboss.org
>> > Subject: [keycloak-user] Securing GET/POST/DELETE in different way
>> >
>> > Hi all,
>> >
>> > is there any possibility to secure the GET/POST/DELETE etc. methods in
>> > different ways?
>> >
>> > e.g.
>> >
>> > endpoint: /users
>> >
>> >       GET: for Keycloak's role 'user'
>> >
>> >       POST: for Keycloak's role 'users_admin'
>> >
>> > and so on. The result is that a user with 'user' cannot create another user in
>> > our system.
>> >
>> > Regards,
>> > Karol
>> >
>> >
>> > _______________________________________________
>> > keycloak-user mailing list
>> > keycloak-user at lists.jboss.org
>> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>>
>
>
>
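The two constraints in this thread, whether written as web.xml elements or as Spring Boot adapter properties, cover only the HTTP methods they list. The following Python model of a Servlet container's constraint matching is an added example, not code from the thread or from Keycloak; it encodes Sebastien's two constraints (admin may POST, user may GET on /products/*) and makes the consequence visible: DELETE on /products/* matches neither web-resource-collection, so the container applies no role check to it at all. The Constraint class, decide(), uncovered_methods() and the deny_uncovered flag are names chosen for this example (the flag mirrors Servlet 3.1's `<deny-uncovered-http-methods/>`), the hardened variant is this example's suggestion, and the model simplifies the spec by combining every matching collection rather than first selecting the best-matching URL pattern, which makes no difference for the single pattern used here.

```python
"""Model of how a Servlet container matches security constraints on (method, URL).

Added example, not code from this thread or from Keycloak. Names (Constraint,
decide, uncovered_methods, deny_uncovered) are this example's own.
"""
from dataclasses import dataclass
from typing import List, Optional


def pattern_matches(pattern: str, path: str) -> bool:
    """Servlet url-pattern semantics: path prefix '/x/*', extension '*.ext', exact, default '/'."""
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return pattern == path or pattern == "/"


@dataclass
class Constraint:
    """One <security-constraint>: URL patterns, HTTP methods and the roles allowed."""
    patterns: List[str]
    methods: List[str]            # [] means every method (no <http-method> listed)
    roles: Optional[List[str]]    # None: no <auth-constraint> (open); []: nobody

    def covers(self, method: str, path: str) -> bool:
        """True when this constraint's collection names both the path and the method."""
        return any(pattern_matches(p, path) for p in self.patterns) and (
            not self.methods or method.upper() in self.methods)


def decide(method, path, user_roles, constraints, deny_uncovered=False) -> str:
    """Return ALLOW, DENY or UNCOVERED for a request by a caller holding user_roles."""
    matched = [c for c in constraints if c.covers(method, path)]
    if not matched:
        # No collection names this method on this path: the container checks no
        # role at all unless deny-uncovered-http-methods is in effect.
        return "DENY" if deny_uncovered else "UNCOVERED"
    if any(c.roles is None for c in matched):
        return "ALLOW"  # a matching collection without <auth-constraint> opens the resource
    # Roles of all matching constraints are combined as a union.
    allowed = set().union(*(set(c.roles) for c in matched))
    return "ALLOW" if allowed & set(user_roles) else "DENY"


ALL_METHODS = ("GET", "HEAD", "POST", "PUT", "PATCH", "DELETE", "OPTIONS")


def uncovered_methods(constraints, path, methods=ALL_METHODS) -> List[str]:
    """Methods on `path` that no constraint covers, i.e. that require no role."""
    return [m for m in methods if not any(c.covers(m, path) for c in constraints)]


# The thread's configuration as posted: POST needs admin, GET needs user.
THREAD = [
    Constraint(["/products/*"], ["POST"], ["admin"]),
    Constraint(["/products/*"], ["GET"], ["user"]),
]

# Hardened variant (this example's suggestion): a catch-all collection with no
# method list requires admin for every method; the GET collection widens that
# to user. Because matched constraints combine as a union, admin keeps GET.
HARDENED = [
    Constraint(["/products/*"], [], ["admin"]),
    Constraint(["/products/*"], ["GET"], ["user"]),
]

if __name__ == "__main__":
    for name, cfg in (("thread", THREAD), ("hardened", HARDENED)):
        print(name, "uncovered on /products/1:", uncovered_methods(cfg, "/products/1"))
        for m, roles in (("GET", ["user"]), ("POST", ["user"]),
                         ("DELETE", ["user"]), ("DELETE", [])):
            print(f"  {m:7} roles={roles}: {decide(m, '/products/1', roles, cfg)}")
```

Running the script prints the thread configuration leaving HEAD, PUT, PATCH, DELETE and OPTIONS uncovered on /products/1, while the hardened variant leaves none. In web.xml the same closing of the gap can be written with `<http-method-omission>` or by enabling `<deny-uncovered-http-methods/>` (Servlet 3.1); whichever form you use, verify the container's effective constraints with real requests for every method rather than assuming the adapter's property syntax behaves identically.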

