[keycloak-user] Secure RESTful API with keycloak

Sebastien Blanc sblanc at redhat.com
Wed Jun 20 11:49:50 EDT 2018


Hi !

I must admit that the Servlet security constraints regarding METHODS are not
easy to grasp. If you add another security constraint that also covers
POST/PUT/DELETE, then it should work; something like this (sorry, using
old-school properties):

keycloak.security-constraints[0].authRoles[0]=user
keycloak.security-constraints[0].securityCollections[0].patterns[0]=/products/*
keycloak.security-constraints[0].securityCollections[0].methods[0]=GET

keycloak.security-constraints[1].authRoles[0]=super
keycloak.security-constraints[1].securityCollections[0].patterns[0]=/products/*
keycloak.security-constraints[1].securityCollections[0].methods[0]=POST
keycloak.security-constraints[1].securityCollections[0].methods[1]=PUT
keycloak.security-constraints[1].securityCollections[0].methods[2]=DELETE

Also make sure that the user who has full access also has the read-only
role.

Hope this helps.

Sebi
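The behaviour behind this answer is the Servlet rule for security constraints that name HTTP methods: a constraint applies only to the methods it lists, so a method that no constraint on that path mentions is "uncovered" and is passed through without any authentication at all (Servlet 3.1 added deny-uncovered-http-methods to turn that into a deny). A second constraint for the remaining verbs, as in the properties above, is what closes the gap; and because the GET constraint only names the read-only role, a full-access user must also hold it or their GETs are refused. The following is an added example written for this page, not Keycloak adapter code: a small Python model of those constraint rules, with the original YAML constraint and the two-constraint fix encoded as constructed data. Pattern matching here covers only exact patterns and the `/*` prefix form, and role combination is the plain union; both are simplifications of the full specification.

```python
"""Model of how servlet security constraints combine HTTP methods and roles.

Added example for this thread; it is NOT the Keycloak adapter or the servlet
container, only a simplified model of the rules they implement.
"""
from dataclasses import dataclass

# Without an explicit method list a constraint covers every method.
ALL_METHODS = frozenset({"GET", "HEAD", "POST", "PUT", "DELETE", "PATCH", "OPTIONS"})


@dataclass(frozen=True)
class Constraint:
    patterns: tuple          # url-patterns, e.g. "/clients" or "/products/*"
    roles: frozenset         # auth roles; the user needs any one of them
    methods: frozenset = ALL_METHODS


def pattern_matches(pattern, path):
    """Servlet url-pattern matching, reduced to exact and '/*' prefix forms."""
    if pattern.endswith("/*"):
        base = pattern[:-2]
        return path == base or path.startswith(base + "/")
    return path == pattern


def decide(constraints, path, method, user_roles, deny_uncovered=False):
    """Return (allowed, reason) for one request against a set of constraints.

    deny_uncovered models the Servlet 3.1 deny-uncovered-http-methods element.
    """
    covering = [c for c in constraints
                if any(pattern_matches(p, path) for p in c.patterns)]
    if not covering:
        return True, f"{method} {path}: no constraint covers this path, unconstrained"

    applicable = [c for c in covering if method in c.methods]
    if not applicable:
        if deny_uncovered:
            return False, f"{method} {path}: uncovered method, denied by deny-uncovered-http-methods"
        # This is the trap: the path is "protected" but this verb is open to everyone.
        return True, f"{method} {path}: uncovered method, allowed even without a token"

    required = frozenset().union(*(c.roles for c in applicable))
    if required & frozenset(user_roles):
        return True, f"{method} {path}: user holds one of {sorted(required)}"
    return False, f"{method} {path}: requires one of {sorted(required)}"


# Constructed data: the single-constraint YAML from the question.
ORIGINAL = (
    Constraint(("/clients", "/clients/"), frozenset({"ROLE_CLIENT_RO"}), frozenset({"GET"})),
)

# Constructed data: the two-constraint fix from the answer.
FIXED = (
    Constraint(("/products/*",), frozenset({"user"}), frozenset({"GET"})),
    Constraint(("/products/*",), frozenset({"super"}), frozenset({"POST", "PUT", "DELETE"})),
)


if __name__ == "__main__":
    for cfg, name in ((ORIGINAL, "original"), (FIXED, "fixed")):
        path = "/clients" if cfg is ORIGINAL else "/products/42"
        for method in ("GET", "DELETE"):
            for roles in (set(), {"user"}, {"super"}, {"super", "user"}):
                ok, why = decide(cfg, path, method, roles)
                print(f"{name:8} roles={sorted(roles)!s:18} {'ALLOW' if ok else 'DENY ':5} {why}")
```

Two things the model makes visible that are worth checking on a real deployment: under the original configuration an anonymous DELETE /clients is accepted because DELETE is uncovered, and a GET /clients/7 is accepted too, because the exact patterns `/clients` and `/clients/` do not match a sub-path the way `/clients/*` would. With the fix applied, a user holding only the `super` role is refused on GET, which is the reason for the advice to grant the read-only role as well.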


On Wed, Jun 20, 2018 at 3:22 PM, Alvaro Martin <alvaro.martin at bluetab.net>
wrote:

>  Hi,
>
> We are evaluating keycloak as an IAM for a future application. We are
> building a prototype with an Angular front app and a spring boot 2 backend.
> The backend app exposes a RESTful API whose access we want to restrict
> down to the HTTP verb level. At least we want to achieve two access levels
> on each endpoint: readonly access (HTTP GET) and full access (GET, POST,
> PUT, DELETE).
>
> We have configured keycloak and built the application but the backend
> doesn't seem to restrict the access. Here is the application.yml. We are
> trying to set up a ROLE_CLIENT_RO (for readonly) and ROLE_CLIENT_FA (for
> full access).
>
> keycloak:
>     auth-server-url: http://localhost:8010/auth
>     bearer-only: true
>     public-client: true
>     realm: blue-energy
>     resource: client-service
>     securityConstraints:
>     -   authRoles:
>         - ROLE_CLIENT_RO
>         securityCollections:
>         -   name: protected resource
>             patterns:
>             - /clients
>             - /clients/
>             methods:
>             - GET
>     ssl-required: external
>
> The backend app seems to honor the ROLE_CLIENT_RO role but not the HTTP
> verb. If we assign the realm role ROLE_CLIENT_RO to the user that should
> grant just readonly access, he has unrestricted access to the whole endpoint
> (i.e. all the verbs).
>
> We are using keycloak 4.0.0.Final.
>
> Is this configuration supposed to work? We haven't found many references on
> how to set up a scenario like this.
>
> Thanks in advance,
>
>
> *Álvaro Martín García* <http://www.bluetab.net/>
> alvaro.martin at bluetab.net
>
> +34 91 457 16 97
>
> +34 687 398 622
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user