Re: [keycloak-dev] Authz services feedback
Hi Pedro,
I can confirm that everything works with global PERMISSIVE + per-path DISABLED + no
security constraint. The correct body is returned with 200 OK. I clearly remember I've
tried this approach before, but most likely that time I've put double quotes around
the path value, and that's why it didn't work.
Thanks a lot!
Dmitry
On Thu, 2019-01-31 at 13:39 -0200, Pedro Igor Silva wrote:
Now I see the issue. You should be able to DISABLE policy enforcement
for a specific path and request sent to this path will return successfully
(KEYCLOAK-8142). However, if the path is public (no security constraint) and set with
ENFORCING mode, then you get 403 + body.
I'll create a JIRA for this and submit a fix.
> On Thu, Jan 31, 2019 at 11:28 AM Dmitry Telegin <dt(a)acutus.pro> wrote:
> Hi, just a quick update,
>
> On Thu, 2019-01-31 at 10:19 -0200, Pedro Igor Silva wrote:
> > > 1. It may sound crazy, but seems that with enforcer enabled there is no
way to have public endpoints, i.e. those that are not protected by the adapter security
constraints. I've tried every possible combination of global and per-path
enforcement-mode, tried creating the corresponding resource in Keycloak, but the enforcer
would always deny access. The only scenario that worked was setting global
enforcement-mode to DISABLED, which is obviously not an option.
> > > I'm not sure if it's Spring Boot specific or not; I'm planning
to test the same setup with other adapters too and report the result.
> >
> > AFAIK, we fixed this already. I think in 4.4.0. Could you
check https://issues.jboss.org/browse/KEYCLOAK-8142.
>
> I'm experiencing exactly the same, the correct body is returned together with
HTTP 403. Keycloak Spring Boot Adapter is 4.8.3.
>
> Dmitry
>
>