Hi Karol, Perhaps this might help you: http://www.keycloak.org/docs/latest/authorization_services/topics/enforce... Regards, Bettina -----Ursprüngliche Nachricht----- Von: keycloak-user-bounces(a)lists.jboss.org [mailto:keycloak-user-bounces@lists.jboss.org] Im Auftrag von Karol Buler Gesendet: Montag, 23. Oktober 2017 10:45 An: keycloak-user(a)lists.jboss.org Betreff: [keycloak-user] Securing GET/POST/DELETE in different way Hi all, is there any possibility to secure GET/POST/DELETE etc. methods in a different way? e.g. endpoint: /users GET: for Keycloak's role 'user' POST: for Keycloak's role 'users_admin' and so on. Result is that user with 'user' cannot create another user in our system. Regards, Karol [https://www.adbglobal.com/wp-content/uploads/adb.png] adbglobal.com<https://www.adbglobal.com> [https://www.adbglobal.com/wp-content/uploads/linkedin_logo.png]<https:... [https://www.adbglobal.com/wp-content/uploads/twitter_logo.png] <https://twitter.com/adb_global> [https://www.adbglobal.com/wp-content/uploads/pinterest_logo.png] <https://pinterest.com/adbglobal/pins/> _______________________________________________ keycloak-user mailing list keycloak-user(a)lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user

Are you in a Java EE app ? In your security constraints, you can specify which method is allowed along with the role. For instance : <security-constraint> <web-resource-collection> <web-resource-name>admin</web-resource-name> <url-pattern>/users</url-pattern> <http-method>POST</http-method> </web-resource-collection> <auth-constraint> <role-name>admin</role-name> </auth-constraint> </security-constraint> <security-constraint> <web-resource-collection> <web-resource-name>user</web-resource-name> <url-pattern>/users</url-pattern> <http-method>GET</http-method> </web-resource-collection> <auth-constraint> <role-name>user</role-name> </auth-constraint> </security-constraint> On Tue, Oct 24, 2017 at 9:45 AM, Karol Buler <K.Buler(a)adbglobal.com <mailto:K.Buler@adbglobal.com>> wrote: Hi Bettina, thank you for response, but this is not exactly what I want. With enforcement filter we can define which methods (paths) should be protected, but not which ROLE has access to the resources. I realized this with API Gateway based on Zuul. Regards, Karol On 24.10.2017 08:09, Hübner, Bettina wrote: > Hi Karol, > > Perhaps this might help you: > http://www.keycloak.org/docs/latest/authorization_services/topics/enforce... <http://www.keycloak.org/docs/latest/authorization_services/topics/enforce... > > Regards, > Bettina > > > > > -----Ursprüngliche Nachricht----- > Von: keycloak-user-bounces(a)lists.jboss.org <mailto:keycloak-user-bounces@lists.jboss.org> [mailto:keycloak-user-bounces@lists.jboss.org <mailto:keycloak-user-bounces@lists.jboss.org>] Im Auftrag von Karol Buler > Gesendet: Montag, 23. Oktober 2017 10:45 > An: keycloak-user(a)lists.jboss.org <mailto:keycloak-user@lists.jboss.org> > Betreff: [keycloak-user] Securing GET/POST/DELETE in different way > > Hi all, > > is there any possibility to secure GET/POST/DELETE etc. methods in a > different way? > > e.g. > > endpoint: /users > >       GET: for Keycloak's role 'user' > >       POST: for Keycloak's role 'users_admin' > > and so on. Result is that user with 'user' cannot create another user in > our system. > > Regards, > Karol > > [https://www.adbglobal.com/wp-content/uploads/adb.png <https://www.adbglobal.com/wp-content/uploads/adb.png>] > adbglobal.com <http://adbglobal.com><https://www.adbglobal.com <https://www.adbglobal.com>> > [https://www.adbglobal.com/wp-content/uploads/linkedin_logo.png <https://www.adbglobal.com/wp-content/uploads/linkedin_logo.png>]<ht... <https://www.linkedin.com/company/adb/>>        [https://www.adbglobal.com/wp-content/uploads/twitter_logo.png <https://www.adbglobal.com/wp-content/uploads/twitter_logo.png>] <https://twitter.com/adb_global <https://twitter.com/adb_global>>       [https://www.adbglobal.com/wp-content/uploads/pinterest_logo.png <https://www.adbglobal.com/wp-content/uploads/pinterest_logo.png>] <https://pinterest.com/adbglobal/pins/ <https://pinterest.com/adbglobal/pins/>> > > _______________________________________________ > keycloak-user mailing list > keycloak-user(a)lists.jboss.org <mailto:keycloak-user@lists.jboss.org> > https://lists.jboss.org/mailman/listinfo/keycloak-user <https://lists.jboss.org/mailman/listinfo/keycloak-user> _______________________________________________ keycloak-user mailing list keycloak-user(a)lists.jboss.org <mailto:keycloak-user@lists.jboss.org> https://lists.jboss.org/mailman/listinfo/keycloak-user <https://lists.jboss.org/mailman/listinfo/keycloak-user>

Even easier with Spring Boot ;) : keycloak.security-constraints[0].authRoles[0]=admin keycloak.security-constraints[0].securityCollections[0].methods[0]=POST keycloak.security-constraints[0].securityCollections[0].patterns[0]=/products/* keycloak.security-constraints[1].authRoles[0]=user keycloak.security-constraints[1].securityCollections[0].methods[0]=GET keycloak.security-constraints[1].securityCollections[0].patterns[0]=/products/* On Tue, Oct 24, 2017 at 10:34 AM, Karol Buler <K.Buler(a)adbglobal.com <mailto:K.Buler@adbglobal.com>> wrote: Unfortunately this is spring-boot application, but there is possibility to attach web.xml I think. Thanks! I consider to use it instead of Zuul. On 24.10.2017 10:28, Sebastien Blanc wrote: > Are you in a Java EE app ? > > In your security constraints, you can specify which method is > allowed along with the role. For instance : > > <security-constraint> > <web-resource-collection> > <web-resource-name>admin</web-resource-name> > <url-pattern>/users</url-pattern> > <http-method>POST</http-method> > </web-resource-collection> > <auth-constraint> > <role-name>admin</role-name> > </auth-constraint> > </security-constraint> > > <security-constraint> > <web-resource-collection> > <web-resource-name>user</web-resource-name> > <url-pattern>/users</url-pattern> > <http-method>GET</http-method> > </web-resource-collection> > <auth-constraint> > <role-name>user</role-name> > </auth-constraint> > </security-constraint> > > > > On Tue, Oct 24, 2017 at 9:45 AM, Karol Buler > <K.Buler(a)adbglobal.com <mailto:K.Buler@adbglobal.com>> wrote: > > Hi Bettina, > > thank you for response, but this is not exactly what I want. With > enforcement filter we can define which methods (paths) should be > protected, but not which ROLE has access to the resources. > > I realized this with API Gateway based on Zuul. > > Regards, > Karol > > > On 24.10.2017 08:09, Hübner, Bettina wrote: > > Hi Karol, > > > > Perhaps this might help you: > > > http://www.keycloak.org/docs/latest/authorization_services/topics/enforce... > <http://www.keycloak.org/docs/latest/authorization_services/topics/enforce... > > > > Regards, > > Bettina > > > > > > > > > > -----Ursprüngliche Nachricht----- > > Von: keycloak-user-bounces(a)lists.jboss.org > <mailto:keycloak-user-bounces@lists.jboss.org> > [mailto:keycloak-user-bounces@lists.jboss.org > <mailto:keycloak-user-bounces@lists.jboss.org>] Im Auftrag > von Karol Buler > > Gesendet: Montag, 23. Oktober 2017 10:45 > > An: keycloak-user(a)lists.jboss.org > <mailto:keycloak-user@lists.jboss.org> > > Betreff: [keycloak-user] Securing GET/POST/DELETE in > different way > > > > Hi all, > > > > is there any possibility to secure GET/POST/DELETE etc. > methods in a > > different way? > > > > e.g. > > > > endpoint: /users > > > >       GET: for Keycloak's role 'user' > > > >       POST: for Keycloak's role 'users_admin' > > > > and so on. Result is that user with 'user' cannot create > another user in > > our system. > > > > Regards, > > Karol > > > > [https://www.adbglobal.com/wp-content/uploads/adb.png > <https://www.adbglobal.com/wp-content/uploads/adb.png>] > > adbglobal.com > <http://adbglobal.com><https://www.adbglobal.com > <https://www.adbglobal.com>> > > > [https://www.adbglobal.com/wp-content/uploads/linkedin_logo.png > <https://www.adbglobal.com/wp-content/uploads/linkedin_logo.png>]<ht... > <https://www.linkedin.com/company/adb/>>       >  [https://www.adbglobal.com/wp-content/uploads/twitter_logo.png > <https://www.adbglobal.com/wp-content/uploads/twitter_logo.png>] > <https://twitter.com/adb_global > <https://twitter.com/adb_global>>       > [https://www.adbglobal.com/wp-content/uploads/pinterest_logo.png > <https://www.adbglobal.com/wp-content/uploads/pinterest_logo.png>] > <https://pinterest.com/adbglobal/pins/ > <https://pinterest.com/adbglobal/pins/>> > > > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user(a)lists.jboss.org > <mailto:keycloak-user@lists.jboss.org> > > https://lists.jboss.org/mailman/listinfo/keycloak-user > <https://lists.jboss.org/mailman/listinfo/keycloak-user> > > _______________________________________________ > keycloak-user mailing list > keycloak-user(a)lists.jboss.org > <mailto:keycloak-user@lists.jboss.org> > https://lists.jboss.org/mailman/listinfo/keycloak-user > <https://lists.jboss.org/mailman/listinfo/keycloak-user> > >