[keycloak-user] access granted when testing on admin console but denied by browser
Nhut Thai Le
ntle at castortech.com
Thu Mar 15 15:34:31 EDT 2018
Hello,
I have 1 realm with 2 clients (client0 and client1). I want to set up
security so that some users can access client0, others can access client1,
and some can access both. Here is what I did:
.Create a default realm role "USER" to be assigned to new accounts; this is
used to configure the security-constraint in the web.xml of my app
.Create a client role for each client; they have the same name though
(client-user). This is to configure a policy that grants access to anyone who has
the "client-user" role specific to the target client
.For each user who needs to access client0, I assign the client role
"client-user" of client0. The same for anyone who needs to access
client1
Here is my authorization config for client0:
{
  "allowRemoteResourceManagement": true,
  "policyEnforcementMode": "ENFORCING",
  "resources": [
    {
      "name": "Default Resource",
      "uri": "/*",
      "type": "urn:client0:resources:default"
    }
  ],
  "policies": [
    {
      "name": "Default Policy",
      "description": "A policy that grants access only for users within this realm",
      "type": "js",
      "logic": "POSITIVE",
      "decisionStrategy": "AFFIRMATIVE",
      "config": {
        "code": "// by default, grants any permission associated with this policy\n$evaluation.grant();\n"
      }
    },
    {
      "name": "Client Isolation By Role Policy",
      "description": "Anyone who has client-user role specific to this client",
      "type": "role",
      "logic": "POSITIVE",
      "decisionStrategy": "UNANIMOUS",
      "config": {
        "roles": "[{\"id\":\"client0/client-user\",\"required\":true}]"
      }
    },
    {
      "name": "Default Permission",
      "description": "A permission that applies to the default resource type",
      "type": "resource",
      "logic": "POSITIVE",
      "decisionStrategy": "UNANIMOUS",
      "config": {
        "defaultResourceType": "urn:client0:resources:default",
        "applyPolicies": "[\"Default Policy\"]"
      }
    },
    {
      "name": "Client Isolation By Role Permission",
      "description": "Anyone who has client-user role specific to this client can access this client",
      "type": "resource",
      "logic": "POSITIVE",
      "decisionStrategy": "UNANIMOUS",
      "config": {
        "resources": "[\"Default Resource\"]",
        "applyPolicies": "[\"Client Isolation By Role Policy\"]"
      }
    }
  ],
  "scopes": []
}
Authorization config for client1 is the same.
When I tested with the Evaluate tab on the admin console, for some accounts
I got the correct result.
However, when I try to access the clients from the browser, I get 403 all
the time. I think it has something to do with my web.xml config because I
see the 403 reason is !role when I am trying to access a client that I SHOULD
be able to access.
Here is my web.xml:
<module-name>client0</module-name>
<security-constraint>
  <web-resource-collection>
    <web-resource-name>not-found-any-where</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>*</role-name>
  </auth-constraint>
</security-constraint>
<login-config>
  <auth-method>KEYCLOAK</auth-method>
  <realm-name>bigrealm</realm-name>
</login-config>
<security-role>
  <role-name>user</role-name>
</security-role>
Do I need to declare the client role in the web.xml? If not, what am I
missing?
Thank you in advance
Thai
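Added example (editor's addition, not code from the post or from Keycloak): a request to a Keycloak-protected servlet app has to clear two independent checks, the container's web.xml security-constraint (a case-sensitive role-name match against the roles the adapter extracted from the token; the Evaluate tab never exercises this) and the Keycloak policy enforcer (the role policy "client0/client-user" above). The script below models both for one decoded token so the two outcomes can be compared side by side. Assumptions: the token claims, user name and web.xml text are constructed for the example; the `use-resource-role-mappings` switch is the real adapter setting from keycloak.json (default false, meaning realm roles are what the container sees); URL-pattern matching and constraint combination are simplified (first matching constraint wins); and "!role" is used only as a label for a failed container role check, the actual reason phrase a container reports may differ.

```python
"""Two-layer authorization check for a Keycloak-protected servlet app.
All inputs below are constructed for illustration."""
import base64
import json
import xml.etree.ElementTree as ET


def web_xml(declared_role):
    """web.xml with the same constraint shape as the post; the <security-role>
    name is a parameter so both spellings ("user" / "USER") can be tried."""
    return f"""<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>not-found-any-where</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>*</role-name></auth-constraint>
  </security-constraint>
  <security-role><role-name>{declared_role}</role-name></security-role>
</web-app>"""


# Constructed claims: realm role "USER", client role "client-user" on client0 only.
SAMPLE_CLAIMS = {
    "preferred_username": "alice",  # hypothetical user
    "realm_access": {"roles": ["USER", "offline_access"]},
    "resource_access": {"client0": {"roles": ["client-user"]}},
}


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def unsigned_token(claims):
    """Unsigned JWT-shaped string so decode_claims() gets realistic input."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}."


def decode_claims(token):
    """Decode the payload segment of a JWT (no signature check: inspection only)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def adapter_roles(claims, client_id, use_resource_role_mappings=False):
    """Roles the Keycloak servlet adapter exposes to the container: realm roles
    by default, resource_access[<client-id>].roles when
    use-resource-role-mappings is true in keycloak.json."""
    if use_resource_role_mappings:
        return set(claims.get("resource_access", {}).get(client_id, {}).get("roles", []))
    return set(claims.get("realm_access", {}).get("roles", []))


def _matches(pattern, path):
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return path == pattern


def container_decision(xml_text, path, token_roles):
    """Servlet-spec role check: '*' means any role listed in <security-role>,
    '**' any authenticated user; names are compared case-sensitively.
    Simplification: the first constraint whose url-pattern matches wins."""
    root = ET.fromstring(xml_text)
    declared = {sr.findtext("role-name").strip() for sr in root.iter("security-role")}
    for sc in root.iter("security-constraint"):
        if not any(_matches(p.text.strip(), path) for p in sc.iter("url-pattern")):
            continue
        auth = sc.find("auth-constraint")
        if auth is None:
            return True, "allowed: constraint has no auth-constraint"
        required = set()
        for rn in auth.iter("role-name"):
            name = rn.text.strip()
            if name == "**":
                return True, "allowed: ** accepts any authenticated user"
            required |= declared if name == "*" else {name}
        if not required:
            return False, "denied: empty auth-constraint"
        hit = required & token_roles
        if hit:
            return True, f"allowed: role {sorted(hit)[0]!r}"
        return False, f"!role: need one of {sorted(required)}, token roles {sorted(token_roles)}"
    return True, "allowed: no constraint matches"


def role_policy_decision(claims, client_id, role="client-user"):
    """The post's role policy 'client0/client-user' names a *client* role, so the
    enforcer looks in resource_access[client_id] regardless of adapter mapping."""
    granted = role in claims.get("resource_access", {}).get(client_id, {}).get("roles", [])
    return granted, f"{'GRANT' if granted else 'DENY'}: {client_id}/{role}"


def check(xml_text, token, client_id, path="/", use_resource_role_mappings=False):
    claims = decode_claims(token)
    roles = adapter_roles(claims, client_id, use_resource_role_mappings)
    return {"container": container_decision(xml_text, path, roles),
            "policy": role_policy_decision(claims, client_id)}


if __name__ == "__main__":
    tok = unsigned_token(SAMPLE_CLAIMS)
    for declared in ("user", "USER"):
        for client in ("client0", "client1"):
            print(declared, client, check(web_xml(declared), tok, client, "/index.jsp"))
```

Running it shows the two layers disagreeing for the constructed token: the policy layer grants client0 and denies client1 exactly as the Evaluate tab would, while the container layer denies everything as long as the declared `<security-role>` spelling does not match a role the adapter actually puts in the principal. To use it against a real deployment, paste the access token from the browser session into `decode_claims` and the deployed web.xml into `container_decision`.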