I have set up a URL resource policy (for example, /greeting for the USER role) for my
bearer-only client on the Keycloak server. In this client, implemented with Spring
Security in Spring Boot, I have added keycloak.json:
    {
      "realm": "auth",
      "realm-public-key": "key",
      "bearer-only": true,
      "auth-server-url": "http://10.3.42.29:8080/auth",
      "ssl-required": "external",
      "resource": "auth-service",
      "credentials": {
        "secret": "secret"
      },
      "policy-enforcer": {
        "user-managed-access" : {},
        "enforcement-mode" : "ENFORCING",
        "paths": [
          {
            "name" : "resource-greeting"
          }
        ]
      }
    }
The "resource-greeting" entry is the resource name set up under Authorization for the
client "auth-service" on the Keycloak server; it should only be accessible to accounts
with the USER role (a role-based policy is also configured with a permission).
Now I am very confused about what needs to be done on the Spring Security side. From
the examples I have read so far, I have not seen any example using Spring Security
together with the policy enforcer. Most examples enable authentication/authorization
in SecurityConfig (which extends KeycloakWebSecurityConfigurerAdapter), overriding
the "configure" method, where antMatchers is used to restrict a URL (/greeting in my
case) to certain roles. See the following two examples:
    @Override
    protected void configure(HttpSecurity http) throws Exception
    {
        http
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
            .sessionAuthenticationStrategy(sessionAuthenticationStrategy())
            .and()
            .addFilterBefore(keycloakPreAuthActionsFilter(),
                             LogoutFilter.class)
            .addFilterBefore(keycloakAuthenticationProcessingFilter(),
                             X509AuthenticationFilter.class)
            .exceptionHandling().authenticationEntryPoint(authenticationEntryPoint())
            .and()
            .authorizeRequests()
            .antMatchers("/**").authenticated()
            .anyRequest().permitAll();
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception
    {
        super.configure(http);
        http
            .authorizeRequests()
            .antMatchers("/customers*").hasRole("USER")
            .antMatchers("/admin*").hasRole("ADMIN")
            .anyRequest().permitAll();
    }
But as I understand it so far, with the policy enforcer all
authentication/authorization should be pushed outside of the code and be done
automatically by the client adapter based on the "paths" in keycloak.json.
My question is: what needs to be done in the configure method? If we can do
authorization through the policy enforcer, why do we still need to authorize in the
configure method above?
I have also seen someone mention adding keycloakAuthenticatedActionsFilter to make
the policy enforcer work. How do I do that?
thanks,
Rong
--
View this message in context:
http://keycloak-user.88327.x6.nabble.com/Problems-enable-policy-enforcer-...
Sent from the keycloak-user mailing list archive at
Nabble.com.
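An added example (not from Rong's post or from the Keycloak project) of how a SecurityConfig can look when the policy enforcer is meant to make the per-path decision: Spring Security only requires that a valid bearer token is present, and the enforcer, driven by the "paths" entries in keycloak.json, decides whether that caller may reach /greeting. It assumes a Keycloak Spring Security adapter version in which KeycloakWebSecurityConfigurerAdapter.configure(HttpSecurity) already registers the authenticated-actions filter that invokes the policy enforcer (the filter the post calls keycloakAuthenticatedActionsFilter); the /greeting/** pattern and the class name SecurityConfig are assumptions.

```java
// Added example, not the original post's code. Assumes a Keycloak Spring Security
// adapter whose super.configure(http) wires the Keycloak filter chain, including the
// authenticated-actions filter that runs the policy enforcer from keycloak.json.
import org.keycloak.adapters.springsecurity.KeycloakConfiguration;
import org.keycloak.adapters.springsecurity.authentication.KeycloakAuthenticationProvider;
import org.keycloak.adapters.springsecurity.config.KeycloakWebSecurityConfigurerAdapter;
import org.springframework.context.annotation.Bean;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.authority.mapping.SimpleAuthorityMapper;
import org.springframework.security.web.authentication.session.NullAuthenticatedSessionStrategy;
import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy;

@KeycloakConfiguration
public class SecurityConfig extends KeycloakWebSecurityConfigurerAdapter {

    @Override
    protected void configure(AuthenticationManagerBuilder auth) {
        KeycloakAuthenticationProvider provider = keycloakAuthenticationProvider();
        // Map realm roles such as "USER" to Spring's "ROLE_USER" so that hasRole()
        // would also work if a coarse Spring-side role check is ever wanted.
        provider.setGrantedAuthoritiesMapper(new SimpleAuthorityMapper());
        auth.authenticationProvider(provider);
    }

    @Bean
    @Override
    protected SessionAuthenticationStrategy sessionAuthenticationStrategy() {
        // Bearer-only resource server: never create an HTTP session for a token.
        return new NullAuthenticatedSessionStrategy();
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Let the adapter register its own filters (pre-auth actions, bearer token
        // processing, security context, authenticated actions / policy enforcer).
        super.configure(http);
        http
            // Token-based API with no session: CSRF protection has nothing to protect.
            .csrf().disable()
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
            .and()
            .authorizeRequests()
                // Spring Security only insists on a valid bearer token here (assumed
                // path pattern). Whether this particular caller may use /greeting is
                // decided by the "resource-greeting" permission that the policy
                // enforcer evaluates against the Keycloak authorization settings.
                .antMatchers("/greeting/**").authenticated()
                .anyRequest().permitAll();
    }
}
```

The division of labour this shows is the usual one: the `.authenticated()` rule rejects requests with no token or an invalid token before any policy evaluation happens, and with `"enforcement-mode": "ENFORCING"` the enforcer then denies any configured path for which Keycloak grants no permission. Repeating `hasRole("USER")` in `configure` is not wrong, but it duplicates the role-based policy already defined on the server, so the two then have to be kept in sync by hand; keeping Spring's rule coarse and the fine-grained decision in Keycloak avoids that drift.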