Unfortunately this is a Spring Boot application, but there is a possibility
to attach web.xml, I think. Thanks! I am considering using it instead of Zuul.
On 24.10.2017 10:28, Sebastien Blanc wrote:
Are you in a Java EE app?
In your security constraints, you can specify which method is allowed
along with the role. For instance:
<security-constraint>
    <web-resource-collection>
        <web-resource-name>admin</web-resource-name>
        <url-pattern>/users</url-pattern>
        <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
        <role-name>admin</role-name>
    </auth-constraint>
</security-constraint>
<security-constraint>
    <web-resource-collection>
        <web-resource-name>user</web-resource-name>
        <url-pattern>/users</url-pattern>
        <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint>
        <role-name>user</role-name>
    </auth-constraint>
</security-constraint>
On Tue, Oct 24, 2017 at 9:45 AM, Karol Buler <K.Buler(a)adbglobal.com> wrote:
Hi Bettina,
thank you for the response, but this is not exactly what I want. With
the enforcement filter we can define which methods (paths) should be
protected, but not which ROLE has access to the resources.
I realized this with an API Gateway based on Zuul.
Regards,
Karol
On 24.10.2017 08:09, Hübner, Bettina wrote:
> Hi Karol,
>
> Perhaps this might help you:
>
> http://www.keycloak.org/docs/latest/authorization_services/topics/enforce...
>
> Regards,
> Bettina
>
> -----Original Message-----
> From: keycloak-user-bounces(a)lists.jboss.org On Behalf Of Karol Buler
> Sent: Monday, 23 October 2017 10:45
> To: keycloak-user(a)lists.jboss.org
> Subject: [keycloak-user] Securing GET/POST/DELETE in different way
>
> Hi all,
>
> is there any possibility to secure GET/POST/DELETE etc. methods in a
> different way?
>
> e.g.
>
> endpoint: /users
>
> GET: for Keycloak's role 'user'
>
> POST: for Keycloak's role 'users_admin'
>
> and so on. The result is that a user with 'user' cannot create another user in
> our system.
>
> Regards,
> Karol
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
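
Added example (not part of the original thread and not Keycloak or container code): under the servlet specification, a constraint that lists <http-method> elements applies only to those methods, so with the two constraints quoted above any other method on /users is left without an auth-constraint. The Python check below parses the constraints and reports the methods no constraint names, unless the Servlet 3.1 element <deny-uncovered-http-methods/> is present. Assumptions: the function names and STANDARD_METHODS list are illustrative, the <web-app> wrapper is constructed, and <http-method-omission> is not handled.

```python
import xml.etree.ElementTree as ET

# Constructed input: the two constraints from the reply above, wrapped in a
# <web-app> root element so the fragment parses as one document.
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>admin</web-resource-name>
      <url-pattern>/users</url-pattern>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>user</web-resource-name>
      <url-pattern>/users</url-pattern>
      <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>user</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

STANDARD_METHODS = ("GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE", "PATCH")

def find(elem, name):
    """Descendants with this local tag name, ignoring any XML namespace."""
    return [e for e in elem.iter() if e.tag.rsplit("}", 1)[-1] == name]

def method_roles(web_xml):
    """Map url-pattern -> {method: roles}; '*' stands for 'all methods'."""
    table = {}
    for sc in find(ET.fromstring(web_xml), "security-constraint"):
        roles = {r.text.strip() for r in find(sc, "role-name")}
        for coll in find(sc, "web-resource-collection"):
            methods = [m.text.strip().upper() for m in find(coll, "http-method")] or ["*"]
            for pat in find(coll, "url-pattern"):
                for m in methods:
                    table.setdefault(pat.text.strip(), {}).setdefault(m, set()).update(roles)
    return table

def uncovered_methods(web_xml):
    """Per url-pattern, the standard methods that no constraint names."""
    if find(ET.fromstring(web_xml), "deny-uncovered-http-methods"):
        return {}  # Servlet 3.1+ containers reject uncovered methods outright
    return {pat: [m for m in STANDARD_METHODS if m not in per]
            for pat, per in method_roles(web_xml).items() if "*" not in per}
```

For the constraints above, uncovered_methods(WEB_XML) lists DELETE and PUT among the methods on /users that neither constraint covers, which matters for the DELETE case in the original question.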