Hey Gabriel, thanks for looking this.
The configuration happens
on org.keycloak.adapters.authorization.PolicyEnforcer.
Regards.
Pedro Igor
On Mon, Mar 27, 2017 at 9:43 AM, Gabriel Trisca <gtrisca(a)cignifi.com> wrote:
Hi Pedro,
I have the whole Keycloak project locally (about to create a pull request
on a different bug). Can you point me towards where the Authz configuration
happens? I could take a look.
On Mon, Mar 27, 2017 at 8:00 AM, Pedro Igor Silva <psilva(a)redhat.com>
wrote:
> Hi Gabriel,
>
> I need to check this out. It has been a while from last time I checked
> AuthZ with Jetty.
>
> Regards.
> Pedro Igor
>
> On Fri, Mar 24, 2017 at 8:22 PM, Gabriel Trisca <gtrisca(a)cignifi.com>
> wrote:
>
>> Hello,
>>
>> I'm attempting to set up resource permission enforcement on a simple
>> Dropwizard application (Jersey->Jetty).
>>
>> I believe the PolicyEnforcer is set up correctly, because I see debugging
>> info along these lines:
>>
>> DEBUG [19:04:23.574] [dw-41] o.k.a.PreAuthActionsHandler - adminRequest
>>
http://localhost:9090/v1/XXXX
>> DEBUG [19:04:23.601] [dw-41] o.k.a.j.c.JettyRequestAuthenticator -
>> Completing bearer authentication. Bearer roles: [uma_authorization]
>> DEBUG [19:04:23.601] [dw-41] o.k.a.RequestAuthenticator - User
>> 'c9e8208e-56f5-42e0-9efb-f8d05600f5de' invoking '
>>
http://localhost:9090/v1/XXXX' on client 'XXXX-api'
>> DEBUG [19:04:23.601] [dw-41] o.k.a.RequestAuthenticator - Bearer
>> AUTHENTICATED
>> DEBUG [19:04:27.781] [dw-41] o.k.a.AuthenticatedActionsHandler -
>> AuthenticatedActionsValve.invoke
http://localhost:9090/v1/XXXX
>> DEBUG [19:04:30.341] [dw-41] o.k.a.a.PolicyEnforcer - Policy
>> enforcement
>> is enable. Enforcing policy decisions for path [
>>
http://localhost:9090/v1/XXXX].
>> DEBUG [19:05:22.741] [dw-41] o.k.a.a.AbstractPolicyEnforcer - Checking
>> permissions for path [
http://localhost:9090/v1/XXXX] with config
>> [PathConfig{name='XXXX Resources', type='uma:XXXXXX',
path='/v1/XXXX/*',
>> scopes=[], id='43bd3cdf-c15b-487a-a259-79e8de00d764',
>> enforcerMode='ENFORCING'}].
>> DEBUG [19:11:56.719] [dw-41] o.k.a.a.PolicyEnforcer - Policy
>> enforcement
>> result for path [
http://localhost:9090/v1/XXXX] is : DENIED
>> DEBUG [19:11:56.719] [dw-41] o.k.a.a.PolicyEnforcer - Returning
>> authorization context with permissions:
>> 127.0.0.1 - c9e8208e-56f5-42e0-9efb-f8d05600f5de [24/Mar/2017:23:11:56
>> +0000] "GET /v1/XXXX HTTP/1.1" 401 0 "-" "Mozilla/5.0
(X11; Linux x86_64)
>> AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36"
>> 453164
>>
>>
>> Specifically, the error occurs when Keycloak attempts to retrieve an
>> "Authorization" object from the AccessToken. This authorization object
is
>> always null and the permissions cannot be loaded.
>>
>> Without permissions, the request is marked as Unauthorized.
>>
>> Is there something that I'm missing here? As far as I know everything is
>> configured correctly, I can evaluate policies on the Keycloak admin
>> console, and the client is set up as access type "confidential". I can
>> see
>> the resource definitions from Keycloak being loaded when the app
>> launches.
>>
>> Any help greatly appreciated.
>>
>> --
>> *Gabriel Trisca, Software Developer*
>> Cignifi | 101 Main Street, 14th Floor, Cambridge, MA 02142 USA
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user(a)lists.jboss.org
>>
https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>
>
--
*Gabriel Trisca, Software Developer*
Cignifi | 101 Main Street, 14th Floor, Cambridge, MA 02142 USA