Re: [keycloak-user] keycloak 403 forbidden error while accessing rest resource where as evaluate api shows permit

Hi, Your configuration looks correct. But I noticed that in the postman request you are sending requests to `http://localhost:7200/{app}/ keycloak/secure/role` <http://localhost:7200/%7Bapp%7D/keycloak/secure/role>;. However in your resource definition the URI is configured to `/secure/role`. Both URIs should match otherwise the adapter won't be able to map the URI in your application to a resource in Keycloak (and related permissions). Regards. Pedro Igor On Thu, Aug 9, 2018 at 5:56 AM, keycloak demo <testoauth55(a)gmail.com&gt; wrote: > With all the configuration(shared below), when I test using the evaluate > option under authorization tab, result is permit: > > *But when I make a request to this resource through postman, I get 403.* > > *Which part of configuration is wrong which is leading to 403 error?* > > CONFIGURATION: > > > *Detailed configuration with images shown here:* > > *https://stackoverflow.com/questions/51761779/keycloak-403- > forbidden-error-while-accessing-rest-resource-where-as-evaluate-api > <https://stackoverflow.com/questions/51761779/keycloak-403- > forbidden-error-while-accessing-rest-resource-where-as-evaluate-api>* > > *1.* Following the <goog_1387888133> > https://www.keycloak.org/docs/4.2/authorization_services/ , I created a > realm role : *role_special_user* and created a user : *user_special* with > this role and role *user*. > > *2.* Next, my resource server / client is with *full scope enabled*: > *3.* Under authorization tab, I created a resource with the role based > policy is. > > *4.* Now, keycloak json is: > > { > "realm": "demo12", > "auth-server-url": "http://localhost:8180/auth", > "ssl-required": "none", > "resource": "server12", > "credentials": { > "secret": "XXXXXXX" > }, > "confidential-port": 0, > "policy-enforcer": {}} > > *5.* And Keycloak Jetty adapter configuration is: > > final String KEYCLOAK_JSON = Constants.KC_CONFIG_JSON_PATH; > InputStream is = > Thread.currentThread().getContextClassLoader().getResourceAs > Stream(KEYCLOAK_JSON);AdapterConfig > keyCloakConfig;ObjectMapper mapper = new ObjectMapper(new > SystemPropertiesJsonParserFactory()); > mapper.setSerializationInclusion(JsonInclude.Include.NON_DEFAULT); > keyCloakConfig = mapper.readValue(is, AdapterConfig.class); > KeycloakJettyAuthenticator kcAuthenticator = > KeyCloakConfig;if(kcAuthenticator != null) { > ConstraintSecurityHandler securityHandler = new > ConstraintSecurityHandler(); > ConstraintMapping constraintMapping = new ConstraintMapping(); > constraintMapping.setPathSpec("/*"); > Constraint constraint = new Constraint(); > constraint.setAuthenticate(true); > constraint.setRoles(new String[]{"**"}); > constraintMapping.setConstraint(constraint); > securityHandler.addConstraintMapping(constraintMapping); > securityHandler.setAuthenticator(kcAuthenticator); > context.setSecurityHandler(securityHandler);} > > *6.* Also, the decoded jwt token sample is: > > { > "jti": "XXXXXXX", > "exp": 1533798704, > "nbf": 0, > "iat": 1533798404, > "iss": "http://localhost:8180/auth/realms/demo12", > "aud": "server12", > "sub": "XXXXXXX", > "typ": "Bearer", > "azp": "server12", > "auth_time": 1533798404, > "session_state": "XXXXXX", > "acr": "1", > "allowed-origins": [], > "realm_access": { > "roles": [ > "role_special_user", > "offline_access", > "uma_authorization", > "user" > ] > }, > "resource_access": { > "server12": { > "roles": [ > "uma_protection" > ] > }, > "account": { > "roles": [ > "manage-account", > "manage-account-links", > "view-profile" > ] > } > }, > "scope": "openid email profile", > "email_verified": false, > "preferred_username": "user_special"} > _______________________________________________ > keycloak-user mailing list > keycloak-user(a)lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user >