Thanks very much Stian. Will give your 2 suggestions immediate action.
On 7/17/2014 12:33 PM, Stian Thorgersen wrote:
----- Original Message -----
> From: "Edem Morny" <emorny(a)gmail.com>
> To: keycloak-user(a)lists.jboss.org
> Sent: Thursday, 17 July, 2014 1:20:31 PM
> Subject: [keycloak-user] Securing subpaths with specific roles
>
> Hi,
>
> I'm currently using beta2 of keycloak, and we are building a new application
> with keycloak as our security platform.
>
> In our web module, all pages are located under the path
> src/main/webapps/views. Navigation to the index.xhtml file under this path
> triggers keycloack login, as expected. We've enabled self-registration and
> assigned the default realm role to be "user", so a new user automatically
> obtains the "user" role. Here is a snippet of our web.xml file.
>
>
> <security-constraint>
> <web-resource-collection>
> <web-resource-name>Users</web-resource-name>
> <url-pattern>/views/*</url-pattern>
> </web-resource-collection>
> <auth-constraint>
> <role-name>user</role-name>
> </auth-constraint>
> </security-constraint>
> <security-constraint>
> <web-resource-collection>
> <web-resource-name>Supervisor</web-resource-name>
> <url-pattern>/views/supervisor/*</url-pattern>
> </web-resource-collection>
> <auth-constraint>
> <role-name>supervisor</role-name>
> </auth-constraint>
> </security-constraint>
> ...
>
> In effect any person with "user" role can view any content directly under
> /views/*. However, the newly enrolled user is able to navigate to other
> subpaths under the /views like the /views/supervisor/* which should normally
> require the user to have the additional "supervisor" role in addition to
> being "user".
>
> So I have 2 questions.
> 1. Am I doing something wrong with regards to this setup? Does each
> registered application also need to have roles specified, or should the
> realm roles be enough. Or is my understanding wrong?
You'll need to more explicitly specify what patterns a user can access, as with that
constraint you're giving permission to everything under view to users with the role
'user'. For example:
<web-resource-collection>
<web-resource-name>Users</web-resource-name>
<url-pattern>/views/*.jsp</url-pattern>
<url-pattern>/views/user/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>user</role-name>
</auth-constraint>
</security-constraint>
> 2. Is there an a means to obtain the roles that a user has after logging in?
> The IDToken doesn't seem to contain any such information so I can use that
> with some other security implementation like DeltaSpike's security support
> in case the above is not supported.
The roles are available from the AccessToken with getRealmAccess and getResourceAccess
methods. The AccessToken can be retrieved using getToken method on
KeycloakSecurityContext
> Looking forward to your response. Cheers.
>
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
>
https://lists.jboss.org/mailman/listinfo/keycloak-user
---
This email is free from viruses and malware because avast! Antivirus protection is
active.