Hi,
As you noticed we don't have this capability yet. If you create some
interceptor which is bound to some annotation you should be able to perform
the policy enforcement.
I like the idea and if you want to open an RFE, please do it. If you end up
doing something feel free to contribute.
Regards.
Pedro Igor.
On Thu, May 9, 2019 at 4:47 AM David Marsh <dmarsh26(a)outlook.com> wrote:
I would like to use permissions or scopes or similar to allow fine grained
access to REST resource.
Ideally I would like to do something like:
    @PreAuthorize("hasPermission('Brands', 'brands:write')")
    ResponseEntity<Brand> getBrand(@PathVariable("brandCode") String brandCode);
where 'Brands' is a keycloak client authorization resource with scopes
'brands:write, brands:read'.
The only annotation that seems to work is @Secured with a role, I do not
wish to do RBAC.
    @Secured({"ROLE_STAFF"})
I have looked at the PolicyEnforcer, it is unclear to me exactly how it is
supposed to be used.
I can write code of the form:
    KeycloakSecurityContext keycloakSecurityContext = (KeycloakSecurityContext)
            request.getAttribute(KeycloakSecurityContext.class.getName());
    AuthorizationContext authzContext = keycloakSecurityContext.getAuthorizationContext();
    if (authzContext.hasScopePermission("brands:write")) {
        // This works....
    }
How can I tie the AuthorizationContext from PolicyEnforcing to the
standard Spring security annotations?
thanks
David
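
An added example, not code from either poster or from the Keycloak project: one way to make the `hasPermission('Brands', 'brands:write')` expression from the question resolve against the policy enforcer's AuthorizationContext is a Spring Security `PermissionEvaluator`, which is a different mechanism from the annotation-bound interceptor suggested in the reply. The class names are hypothetical, and it assumes Spring Security 5.x method security, the request attribute shown in the question, and a policy enforcer that is enabled for the endpoint.

```java
import java.io.Serializable;
import javax.servlet.http.HttpServletRequest;
import org.keycloak.AuthorizationContext;
import org.keycloak.KeycloakSecurityContext;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.PermissionEvaluator;
import org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler;
import org.springframework.security.access.expression.method.MethodSecurityExpressionHandler;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.method.configuration.GlobalMethodSecurityConfiguration;
import org.springframework.security.core.Authentication;
import org.springframework.web.context.request.RequestAttributes;
import org.springframework.web.context.request.RequestContextHolder;
import org.springframework.web.context.request.ServletRequestAttributes;

// Hypothetical class names. Enables @PreAuthorize and plugs in the evaluator below.
@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class KeycloakMethodSecurityConfig extends GlobalMethodSecurityConfiguration {

    @Override
    protected MethodSecurityExpressionHandler createExpressionHandler() {
        DefaultMethodSecurityExpressionHandler handler = new DefaultMethodSecurityExpressionHandler();
        handler.setPermissionEvaluator(new KeycloakPermissionEvaluator());
        return handler;
    }

    static class KeycloakPermissionEvaluator implements PermissionEvaluator {
        // hasPermission('Brands', 'brands:write') arrives here as (resource name, scope name).
        @Override
        public boolean hasPermission(Authentication auth, Object resource, Object scope) {
            if (auth == null || !auth.isAuthenticated() || resource == null || scope == null) return false;
            RequestAttributes attrs = RequestContextHolder.getRequestAttributes();
            if (!(attrs instanceof ServletRequestAttributes)) return false; // no HTTP request bound: deny
            HttpServletRequest request = ((ServletRequestAttributes) attrs).getRequest();
            Object ksc = request.getAttribute(KeycloakSecurityContext.class.getName());
            if (!(ksc instanceof KeycloakSecurityContext)) return false; // adapter did not run: deny
            AuthorizationContext authz = ((KeycloakSecurityContext) ksc).getAuthorizationContext();
            // A missing authorization context (no enforcement result) is treated as deny.
            return authz != null && authz.hasPermission(resource.toString(), scope.toString());
        }

        // hasPermission(id, 'Brands', 'brands:write'): the target type is used as the resource name.
        @Override
        public boolean hasPermission(Authentication auth, Serializable id, String type, Object scope) {
            return hasPermission(auth, type, scope);
        }
    }
}
```

Every branch that cannot find an enforcement result returns false, so a misconfigured or disabled policy enforcer denies access rather than silently allowing it.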