On Tue, May 16, 2017 at 3:23 PM, Rong - <rafterjiang(a)hotmail.com> wrote:
> Hi,
> I am trying to set up a Keycloak as an independent server for
> authorization purpose. Our REST API service is built on Spring Boot,
> implemented as a resource server as for "policy enforcer". However, I have
> many issues when trying to set this up.
> 1. Spring Boot works fine if I only set up the security constraints (for
> REST API) in configuration file. But I want to enable policy enforcer for
> Spring Boot, is this possible? Is there some example for how to enable
> policy enforcer in Spring Boot, especially for how to set up those
> parameters?

We don't have any example for Spring Boot, only for regular JEE apps. Something
we should probably add to the list of authz examples.
But if your application is already protected by Keycloak Spring Adapter,
you should be able to enable Policy Enforcer by just using this minimal
setting in your keycloak.json.
Have you looked at the docs
https://keycloak.gitbooks.io/documentation/securing_apps/topics/oidc/java...
?

> 2. We also want to have an access control list of which user can access
> which project, I have set up a "user policy" in Keycloak admin console in
> client's "authorization", what else shall we do in Spring Boot
> configuration?

If your adapter is properly configured and you have enabled policy
enforcement (config above), you should be pretty much done. Just make sure
you have created resources in Keycloak representing the paths
you want to protect.
For instance, if you want to protect "/*", make sure you have a resource in
Keycloak with a URI with a value "/*".

> 3. If I enable policy enforcer in authorization layer (in Spring Boot), is
> it still required to add the security constraints in Spring Boot's
> application properties? I assume if authorization is enabled for resource
> server and the web service/URL constraints are added in resource server's
> policy, there should be no further settings in configuration for the
> security constraints?

You still need to configure things as described in docs. The policy enforcer
is basically your Keycloak adapter also performing policy enforcement.

> Thanks,
> Rong
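
For reference, a keycloak.json adapter configuration with the policy enforcer switched on. This is an added example, not the snippet from the original reply (which is missing from the archived message), and the realm name, server URL, client ID and secret are placeholders. The client needs credentials because the enforcer calls the Keycloak server to evaluate permissions, and with no `paths` list the enforcer looks up protected paths from the resources defined for the client, which is why a resource with the URI "/*" has to exist on the server.

```json
{
  "realm": "example-realm",
  "auth-server-url": "https://keycloak.example.com/auth",
  "ssl-required": "external",
  "resource": "example-rest-api",
  "bearer-only": true,
  "credentials": {
    "secret": "REPLACE_WITH_CLIENT_SECRET"
  },
  "policy-enforcer": {
    "enforcement-mode": "ENFORCING"
  }
}
```

`ENFORCING` is the documented default and denies requests to paths that have no matching resource or policy; `PERMISSIVE` lets those requests through, so it should be a deliberate choice when used.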