Hello there.

I'm not a part of the keycloak team, so I think it's best to leave the first question for them, but I do know the answer to your second one.

You can view any user's role mappings via the Keycloak REST API. Have a look at this URL:
http://docs.jboss.org/keycloak/docs/1.0-beta-3/rest-api/admin/realms/%7Brealm%7D/users/%7Busername%7D/role-mappings/index.html


On Thu, Jul 17, 2014 at 8:14 AM, Edem Morny <emorny@gmail.com> wrote:
Hi,

I'm currently using beta2 of keycloak, and we are building a new application with keycloak as our security platform.

In our web module, all pages are located under the path src/main/webapps/views. Navigation to the index.xhtml file under this path triggers keycloak login, as expected. We've enabled self-registration and assigned the default realm role to be "user", so a new user automatically obtains the "user" role. Here is a snippet of our web.xml file.


<security-constraint>
    <web-resource-collection>
        <web-resource-name>Users</web-resource-name>
        <url-pattern>/views/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>user</role-name>
    </auth-constraint>
</security-constraint>
<security-constraint>
    <web-resource-collection>
        <web-resource-name>Supervisor</web-resource-name>
        <url-pattern>/views/supervisor/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>supervisor</role-name>
    </auth-constraint>
</security-constraint>
...

In effect, any person with the "user" role can view any content directly under /views/*. However, the newly enrolled user is able to navigate to other subpaths under /views, like /views/supervisor/*, which should normally require the user to have the additional "supervisor" role in addition to being a "user".

So I have 2 questions.
1. Am I doing something wrong with regards to this setup? Does each registered application also need to have roles specified, or should the realm roles be enough? Or is my understanding wrong?
2. Is there a means to obtain the roles that a user has after logging in? The IDToken doesn't seem to contain any such information.

Looking forward to your response. Cheers.


_______________________________________________
keycloak-user mailing list
keycloak-user@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user



--
Rodrigo Sasaki
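As an added illustration of the first question (this is not code from the thread, from Keycloak, or from any servlet container), the script below models how a container is supposed to pick the governing security-constraint for a request path. It parses the web.xml fragment posted above (wrapped in a root element so it parses on its own) and applies the url-pattern precedence rules of the Servlet specification as I read them (section 12.1: exact match, then longest path-prefix match, then extension match, then the default "/"). Under those rules only /views/supervisor/* governs /views/supervisor/report.xhtml, so a principal holding just the realm role "user" should be refused there; the request paths and role sets are constructed for the example.

```python
"""Model of servlet security-constraint resolution for a request path.

Added example, not Keycloak or container code. It parses the web.xml
snippet from the thread and applies the url-pattern precedence rules of
Servlet spec section 12.1 (assumption: exact match beats the longest
path-prefix match, which beats an extension match, which beats "/").
"""
import xml.etree.ElementTree as ET

# Constructed from the web.xml snippet in the thread, wrapped in <web-app>
# so that it is a complete document.
WEB_XML_FRAGMENT = """<web-app>
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Users</web-resource-name>
    <url-pattern>/views/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>user</role-name>
  </auth-constraint>
</security-constraint>
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Supervisor</web-resource-name>
    <url-pattern>/views/supervisor/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>supervisor</role-name>
  </auth-constraint>
</security-constraint>
</web-app>"""


def parse_constraints(web_xml):
    """Return a list of (url_pattern, roles) pairs, one per url-pattern."""
    root = ET.fromstring(web_xml)
    out = []
    for sc in root.findall("security-constraint"):
        roles = {r.text.strip() for r in sc.findall("auth-constraint/role-name")}
        for pat in sc.findall("web-resource-collection/url-pattern"):
            out.append((pat.text.strip(), roles))
    return out


def pattern_rank(pattern, path):
    """Rank a url-pattern against a request path; None means no match.

    Lower tuples win: (0) exact, (1) path prefix with longer prefix first,
    (2) extension, (3) the default pattern "/".
    """
    if pattern == path:
        return (0, 0)
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        if path == prefix or path.startswith(prefix + "/"):
            return (1, -len(prefix))
    elif pattern.startswith("*."):
        if path.endswith(pattern[1:]):  # pattern[1:] is e.g. ".xhtml"
            return (2, 0)
    elif pattern == "/":
        return (3, 0)
    return None


def required_roles(constraints, path):
    """Roles demanded by the best-matching constraint(s) for the path.

    Returns None when no constraint covers the path (unprotected resource).
    Constraints on the same best pattern combine their roles.
    """
    best = None
    roles = set()
    for pattern, pattern_roles in constraints:
        rank = pattern_rank(pattern, path)
        if rank is None:
            continue
        if best is None or rank < best:
            best, roles = rank, set(pattern_roles)
        elif rank == best:
            roles |= pattern_roles
    return roles if best is not None else None


def is_authorized(constraints, path, user_roles):
    """True if the path is unprotected or the user holds a required role."""
    needed = required_roles(constraints, path)
    if needed is None:
        return True
    return bool(needed & set(user_roles))


if __name__ == "__main__":
    constraints = parse_constraints(WEB_XML_FRAGMENT)
    for path in ("/views/index.xhtml", "/views/supervisor/report.xhtml"):
        print(path, "needs", required_roles(constraints, path),
              "user-only allowed:", is_authorized(constraints, path, {"user"}))
```

The model only says what a spec-compliant container should do with this web.xml; it does not explain why the poster's deployment admitted a "user"-only principal to /views/supervisor/*, which is the part left to the Keycloak team. A practical check before digging into the adapter is to confirm, via the role-mappings endpoint Rodrigo links to, that the freshly registered account really holds only "user" and has not picked up "supervisor" through a default role or a composite.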