10:18 a.m.
Hello!
We are building an online application for which we are using Keycloak for authentification
and authorization, connected
to our Spring Boot backend using the Spring Boot adapter.
We would like to achive more fine-grained authorization, more specifically, we would like
to set-up HTTP verb based
authorization, for example, allow only GET requests for some end-points, GET and POST for
others, only POST for other end-points etc.
I am aware of the Policy Enforcer adapter, but I could not find any specific documentation
regarding how to use that with Spring Boot, where there is
not keycloak.json file used for configuration.
Therefore, my questions are:
1. Can HTTP verb based authorization be achieved using the Spring Boot adapter?
2. If the answer to question 1 is yes, then could you please provide a minimal
configuration example?
Thank you!
Best regards,
Andreea
---------------------------------------------------------
Andreea Ciuprina
Bioinformatics Group
Max Planck Institute for Marine Microbiology
Celsiusstraße 1
28359 Bremen
Germany
Phone: +49(0) 421 2028 982
Email: aciuprin@mpi-bremen.de
&
Jacobs University Bremen,
28759 Bremen, Germany
Email: a.ciuprina@jacobs-university.de
10:43 a.m.
You can add the configuration about the policy enforcer in your
application.properties, just one difference with the keycloak.json is that
you must write "policy-enforcer-config" (instead
of just policy-enforcer).
Regarding HTTP Verb authz , it *should* work since Spring Boot Adapter just
passes along the configuration to the underlying Servlet Container (Tomcat,
undertow or Jetty).
But even without using the authorization layer, you should be able to
achieve this by configuring the security constraints.
keycloak.securityConstraints[1].securityCollections[0].http-method = GET
etc ...
On Tue, Feb 21, 2017 at 5:18 PM, Andreea Ciuprina <aciuprin(a)mpi-bremen.de>
wrote:
Hello!
We are building an online application for which we are using Keycloak for
authentification and authorization, connected
to our Spring Boot backend using the Spring Boot adapter.
We would like to achive more fine-grained authorization, more
specifically, we would like to set-up HTTP verb based
authorization, for example, allow only GET requests for some end-points,
GET and POST for others, only POST for other end-points etc.
I am aware of the Policy Enforcer adapter, but I could not find any
specific documentation regarding how to use that with Spring Boot, where
there is
not keycloak.json file used for configuration.
Therefore, my questions are:
1. Can HTTP verb based authorization be achieved using the Spring Boot
adapter?
2. If the answer to question 1 is yes, then could you please provide a
minimal configuration example?
Thank you!
Best regards,
Andreea
---------------------------------------------------------
Andreea Ciuprina
Bioinformatics Group
Max Planck Institute for Marine Microbiology
Celsiusstraße 1
28359 Bremen
Germany
Phone: +49(0) 421 2028 982
Email: aciuprin(a)mpi-bremen.de
&
Jacobs University Bremen,
28759 Bremen, Germany
Email: a.ciuprina(a)jacobs-university.de
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
8:21 a.m.
Hi, Sebastien
1. Is there some example for how to enable policy enforcer in spring boot,
especially for those parameters?
2. If I enable policy enforcer in authorization layer (in spring boot), is
it still required to add the security constraints in configuration? I assume
if authorization is enabled for resource server and the web service
constraints are added in its policy, there should be no further settings in
configuration for the security constraints?
Thanks,
Rong
--
View this message in context:
http://keycloak-user.88327.x6.nabble.com/keycloak-user-Spring-Boot-adapte...
Sent from the keycloak-user mailing list archive at Nabble.com.
2728
days inactive
2812
days old
2 comments
3 participants
participants (3)
-
Andreea Ciuprina -
rafterjiang -
Sebastien Blanc