[keycloak-user] Securing GET/POST/DELETE in different way

Laszlo Szabo sz.laszlo at falcon.io
Tue Oct 24 05:05:39 EDT 2017


Dear Karol,

We are using Spring Boot apps with Spring Security also, and we have Zuul in
some places in our infra. Actually, if you are using Spring Cloud Zuul then
it is irrelevant what its purpose is, since that is also a fully
functional Spring Boot app. You can set up your security constraints in the
same way you would with a plain Spring Boot app; you just need to cover
more resource paths in a Zuul proxy (all the apps which are proxied through
your Zuul).

We are at the beginning of introducing KC into our full stack, so authn is
in place but we are still trying to figure authz out. Most likely our first
try will be the UMA integration, which is using the Policy Enforcer too from
the Keycloak libs (note that UMA is not mandatory for Policy Enforcer
functionality). You can easily use Policy Enforcers with the Spring Boot /
Spring Security integration also; you just need to set up the Keycloak instance
accordingly.
What you need is a correctly configured PolicyEnforcerConfig class
injected into the AdapterConfig of Keycloak.


import com.google.common.collect.ImmutableMap;
import org.keycloak.adapters.KeycloakDeployment;
import org.keycloak.adapters.KeycloakDeploymentBuilder;
import org.keycloak.representations.adapters.config.AdapterConfig;
import org.keycloak.representations.adapters.config.PolicyEnforcerConfig;

// realm, resource, authServerUrl, sslRequired, secret and bearerOnly are fields of
// the enclosing configuration class (e.g. bound from application properties).
public KeycloakDeployment toKeycloakDeployment() {
    final AdapterConfig adapterConfig = new AdapterConfig();
    adapterConfig.setRealm(realm);
    adapterConfig.setResource(resource);          // the client id registered in Keycloak
    adapterConfig.setAuthServerUrl(authServerUrl);
    adapterConfig.setSslRequired(sslRequired);
    adapterConfig.setCredentials(ImmutableMap.of("secret", secret));
    adapterConfig.setBearerOnly(bearerOnly);
    // Default enforcer config; add PathConfig entries to map paths/methods to scopes.
    adapterConfig.setPolicyEnforcerConfig(new PolicyEnforcerConfig());

    return KeycloakDeploymentBuilder.build(adapterConfig);
}

Here you can define a similar config to what "Sebastien Blanc" recommended, so
you can protect the resource paths in your Zuul or plain Spring Boot app
with the Keycloak PolicyEnforcer instead of configuring the protected paths
and rules in the Spring Security WebSecurityConfigurerAdapter.

As a last piece, PolicyEnforcer functionality offers you several types of
policies (role based is only one of them), and these policies define
which permissions a requester will be granted. So if you configure multiple
role based policies to grant your custom permissions in each case, you can
set up your PolicyEnforcer configuration to achieve your goals.

Note that: Spring Security and Keycloak adapters are not usable in the
"usual Spring Security way" out of the box. They are using a Keycloak token
in the SecurityContext, and for example KeycloakAuthenticatedActionsFilter
throws errors on a different type of token. This way you can't use
different authn methods in the same security filter chain (for example a
PreAuth filter next to Keycloak filters).
Permissions are not pushed into the Spring Security permission layer either, and
HTTP security configuration is not interchangeable with rules defined in
the Policy Enforcer either.

Cheers,



László Szabó
Staff backend engineer
+36302939052
Budapest
Falcon.io
Kossuth Lajos utca 7-9, Regus First Site
1053 Budapest
CG no.: 01-09-270982/4
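As an added illustration (not from László's mail or the Keycloak project) of the PolicyEnforcerConfig he mentions, this Java snippet builds one in code for the /users endpoint of the original question, mapping GET to one scope and POST/DELETE to others. The resource name "Users" and the scope names are assumptions; the role check itself happens on the Keycloak server, where scope-based permissions tie those scopes to role policies ('user' for users:view, 'users_admin' for users:create and users:delete), so a token carrying only 'user' is denied on POST although the path is the same.

```java
import java.util.Arrays;
import java.util.Collections;

import org.keycloak.representations.adapters.config.PolicyEnforcerConfig;
import org.keycloak.representations.adapters.config.PolicyEnforcerConfig.EnforcementMode;
import org.keycloak.representations.adapters.config.PolicyEnforcerConfig.MethodConfig;
import org.keycloak.representations.adapters.config.PolicyEnforcerConfig.PathConfig;

public final class UsersEnforcerConfig {

    // One HTTP method on the path and the (assumed) Keycloak scope it requires.
    private static MethodConfig method(String httpMethod, String scope) {
        MethodConfig m = new MethodConfig();
        m.setMethod(httpMethod);
        m.setScopes(Collections.singletonList(scope));
        return m;
    }

    // Enforcer config for the /users resource: the adapter asks the server for a
    // permission on the scope matched by the request method; which roles get which
    // scope is decided by the role policies configured on the server, not here.
    public static PolicyEnforcerConfig usersEnforcer() {
        PathConfig users = new PathConfig();
        users.setName("Users");   // assumed resource name in the client's authorization settings
        users.setPath("/users");
        users.setMethods(Arrays.asList(
                method("GET", "users:view"),      // granted to role 'user'
                method("POST", "users:create"),   // granted to role 'users_admin'
                method("DELETE", "users:delete"))); // granted to role 'users_admin'

        PolicyEnforcerConfig cfg = new PolicyEnforcerConfig();
        // ENFORCING: a request with no matching permission is rejected rather than logged.
        cfg.setEnforcementMode(EnforcementMode.ENFORCING);
        cfg.setPaths(Collections.singletonList(users));
        return cfg;
    }
}
```

Pass the result to adapterConfig.setPolicyEnforcerConfig(...) in place of the empty PolicyEnforcerConfig shown above.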

On Tue, Oct 24, 2017 at 10:34 AM, Karol Buler <K.Buler at adbglobal.com> wrote:

> Unfortunately this is a spring-boot application, but there is a possibility
> to attach web.xml I think. Thanks! I'm considering using it instead of Zuul.
>
>
> On 24.10.2017 10:28, Sebastien Blanc wrote:
> > Are you in a Java EE app ?
> >
> > In your security constraints, you can specify which method is allowed
> > along with the role. For instance :
> >
> > <security-constraint>
> >      <web-resource-collection>
> >          <web-resource-name>admin</web-resource-name>
> >          <url-pattern>/users</url-pattern>
> >          <http-method>POST</http-method>
> >      </web-resource-collection>
> >      <auth-constraint>
> >          <role-name>admin</role-name>
> >      </auth-constraint>
> > </security-constraint>
> >
> > <security-constraint>
> >      <web-resource-collection>
> >          <web-resource-name>user</web-resource-name>
> >          <url-pattern>/users</url-pattern>
> >          <http-method>GET</http-method>
> >      </web-resource-collection>
> >      <auth-constraint>
> >          <role-name>user</role-name>
> >      </auth-constraint>
> > </security-constraint>
> >
> >
> >
> > On Tue, Oct 24, 2017 at 9:45 AM, Karol Buler <K.Buler at adbglobal.com> wrote:
> >
> >     Hi Bettina,
> >
> >     thank you for the response, but this is not exactly what I want. With
> >     the enforcement filter we can define which methods (paths) should be
> >     protected, but not which ROLE has access to the resources.
> >
> >     I realized this with API Gateway based on Zuul.
> >
> >     Regards,
> >     Karol
> >
> >
> >     On 24.10.2017 08:09, Hübner, Bettina wrote:
> >     > Hi Karol,
> >     >
> >     > Perhaps this might help you:
> >     >
> >     > http://www.keycloak.org/docs/latest/authorization_services/topics/enforcer/keycloak-enforcement-filter.html
> >     >
> >     > Regards,
> >     > Bettina
> >     >
> >     >
> >     >
> >     >
> >     > -----Original Message-----
> >     > From: keycloak-user-bounces at lists.jboss.org On behalf of Karol Buler
> >     > Sent: Monday, 23 October 2017 10:45
> >     > To: keycloak-user at lists.jboss.org
> >     > Subject: [keycloak-user] Securing GET/POST/DELETE in different way
> >     >
> >     > Hi all,
> >     >
> >     > is there any possibility to secure GET/POST/DELETE etc. methods in
> >     > a different way?
> >     >
> >     > e.g.
> >     >
> >     > endpoint: /users
> >     >
> >     >       GET: for Keycloak's role 'user'
> >     >
> >     >       POST: for Keycloak's role 'users_admin'
> >     >
> >     > and so on. The result is that a user with 'user' cannot create another
> >     > user in our system.
> >     >
> >     > Regards,
> >     > Karol
> >     >
> >     >
> >     > _______________________________________________
> >     > keycloak-user mailing list
> >     > keycloak-user at lists.jboss.org
> >     > https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>

