Hi Marco!
I think you should have a look at the AccountRestService,
https://github.com/keycloak/keycloak/blob/11374a27078266bebe5239d59579658...,
and AccountLoader,
https://github.com/keycloak/keycloak/blob/11374a27078266bebe5239d59579658....
This is how role checking is done internally in Keycloak and should
work in a custom REST endpoint as well.
Typically something like this should be a good start:
    import javax.ws.rs.NotAuthorizedException;
    import org.keycloak.models.ClientModel;
    import org.keycloak.services.managers.AppAuthManager;
    import org.keycloak.services.managers.Auth;
    import org.keycloak.services.managers.AuthenticationManager;

    // Verifies the bearer token (signature, expiry, issuer = current realm, active user session);
    // returns null when the request carries no valid token.
    AuthenticationManager.AuthResult authResult = new AppAuthManager().authenticateBearerToken(session);
    if (authResult == null) {
        throw new NotAuthorizedException("Bearer token required");
    }
    // client: the ClientModel whose roles you want to check; here (example choice) the client the token was issued for.
    ClientModel client = session.getContext().getRealm().getClientByClientId(authResult.getToken().getIssuedFor());
    // cookie=false: role checks are answered from the roles carried in the token, not from the user's stored roles.
    Auth auth = new Auth(session.getContext().getRealm(), authResult.getToken(), authResult.getUser(),
            client, authResult.getSession(), false);
The Auth object has several methods to do role checks:
auth.hasOneOfAppRole, auth.hasRealmRole, auth.hasClientRole, and
auth.hasOneOfRealmRole.
Hope this gets you started :)
Regards,
Johannes Knutsen
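A complete custom endpoint that wires the pieces from the reply above together, as an added example that is not code from this thread or from Keycloak itself. It assumes the Keycloak server API as it stood at the time of the thread (AppAuthManager.authenticateBearerToken(KeycloakSession) and org.keycloak.services.managers.Auth; newer releases do the same through AppAuthManager.BearerTokenAuthenticator). The package name, the provider id "admin-only" and the "status" path are invented for the example:

```java
package com.example.keycloak.ext;   // hypothetical package name

import java.util.Collections;

import javax.ws.rs.ForbiddenException;
import javax.ws.rs.GET;
import javax.ws.rs.NotAuthorizedException;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;

import org.keycloak.Config;
import org.keycloak.models.AdminRoles;
import org.keycloak.models.ClientModel;
import org.keycloak.models.Constants;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.KeycloakSessionFactory;
import org.keycloak.models.RealmModel;
import org.keycloak.services.managers.AppAuthManager;
import org.keycloak.services.managers.Auth;
import org.keycloak.services.managers.AuthenticationManager;
import org.keycloak.services.resource.RealmResourceProvider;
import org.keycloak.services.resource.RealmResourceProviderFactory;

/**
 * Factory for the custom endpoint. Register it in
 * META-INF/services/org.keycloak.services.resource.RealmResourceProviderFactory;
 * the id becomes the path segment: /auth/realms/{realm}/admin-only/...
 */
public class AdminOnlyResourceProviderFactory implements RealmResourceProviderFactory {
    public static final String ID = "admin-only";   // hypothetical provider id

    @Override public RealmResourceProvider create(KeycloakSession session) {
        return new AdminOnlyResourceProvider(session);
    }
    @Override public void init(Config.Scope config) { }
    @Override public void postInit(KeycloakSessionFactory factory) { }
    @Override public void close() { }
    @Override public String getId() { return ID; }
}

class AdminOnlyResourceProvider implements RealmResourceProvider {
    private final KeycloakSession session;

    AdminOnlyResourceProvider(KeycloakSession session) { this.session = session; }

    @Override public Object getResource() { return new AdminOnlyResource(session); }
    @Override public void close() { }
}

/** JAX-RS resource. There is no web.xml for an SPI, so every method authenticates and authorizes itself. */
class AdminOnlyResource {
    private final KeycloakSession session;

    AdminOnlyResource(KeycloakSession session) { this.session = session; }

    /**
     * Validate the bearer token and build the Auth helper. authenticateBearerToken checks the
     * signature, expiry, that the issuer is the realm of the request URL and that the user
     * session is still active; it returns null for a missing or invalid token.
     */
    private Auth authenticate() {
        RealmModel realm = session.getContext().getRealm();
        AuthenticationManager.AuthResult result = new AppAuthManager().authenticateBearerToken(session);
        if (result == null) {
            throw new NotAuthorizedException("Bearer token required");   // 401
        }
        // Client the token was issued for (azp claim); Auth uses it for require()/hasAppRole(client, ...).
        ClientModel caller = realm.getClientByClientId(result.getToken().getIssuedFor());
        // cookie=false: role checks are answered from the roles inside the token, not from the user store.
        return new Auth(realm, result.getToken(), result.getUser(), caller, result.getSession(), false);
    }

    /**
     * Realm administrators hold the realm role "admin" in the master realm and the client role
     * "realm-admin" on the "realm-management" client in every other realm; accept either.
     */
    private boolean isRealmAdmin(Auth auth) {
        if (auth.hasRealmRole(AdminRoles.ADMIN)) {
            return true;
        }
        ClientModel realmManagement = auth.getRealm().getClientByClientId(Constants.REALM_MANAGEMENT_CLIENT_ID);
        return realmManagement != null && auth.hasAppRole(realmManagement, AdminRoles.REALM_ADMIN);
    }

    @GET
    @Path("status")   // GET /auth/realms/{realm}/admin-only/status
    @Produces(MediaType.APPLICATION_JSON)
    public Response status() {
        Auth auth = authenticate();
        if (!isRealmAdmin(auth)) {
            throw new ForbiddenException("realm admin role required");   // 403 for everyone else
        }
        // Let the JSON provider serialize the value; do not build JSON by string concatenation.
        return Response.ok(Collections.singletonMap("caller", auth.getUser().getUsername())).build();
    }
}
```

Two points worth knowing when you use this pattern. First, authenticateBearerToken validates the token against the realm in the request URL, so a token issued by the master realm is rejected with 401 on /realms/otherrealm/admin-only/status; a master-realm admin who should reach the endpoint in another realm needs a token from that realm (or you accept the master realm explicitly). Second, with cookie=false the Auth checks read the roles present in the token, so a client whose scopes or mappers strip the realm-management roles from the access token is refused even though the user holds the role in the database; that is the intended behaviour, but it surprises people who only tested with admin-cli.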
On Tue, Nov 6, 2018 at 1:45 PM <marco.scheuermann(a)daimler.com> wrote:
Using correct dev mailing list...
From: "Scheuermann, Marco (059)" <marco.scheuermann(a)daimler.com>
Date: Tuesday, 6 November 2018 at 13:41
To: "keycloak-dev-bounces(a)lists.jboss.org"
<keycloak-dev-bounces(a)lists.jboss.org>
Cc: "Herrmann, David Christian (059)"
<david_christian.herrmann(a)daimler.com>
Subject: Custom REST endpoint - how to make sure that only admins can call it?
Hi Community,
we just implemented a custom REST endpoint based on
org.keycloak.services.resource.RealmResourceProvider;
How can we make sure that only users with admin role can call these endpoints?
Due to the fact that it is an SPI implementation, I have no deployment descriptors to
configure security for the endpoint...
Greetings,
Marco
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev