pull/26 ? It is a fairly simple SB quickstart using authorization services.
We do need more examples and better documentation for Spring Boot
integration. Any help is appreciated.
FYI, we have an open JIRA [1] for supporting keycloak.json with SB. This
should make things simpler when enabling authz for your applications.
[1]
On Tue, May 23, 2017 at 12:09 AM, rafterjiang <rafterjiang(a)hotmail.com> wrote:
I have set up a URL resource policy (for example, /greeting for the USER
role) for my bearer-only client on the Keycloak server. In this client,
implemented with Spring Security in Spring Boot, I have added keycloak.json:
    {
      "realm": "auth",
      "realm-public-key": "key",
      "bearer-only": true,
      "auth-server-url": "http://10.3.42.29:8080/auth",
      "ssl-required": "external",
      "resource": "auth-service",
      "credentials": {
        "secret": "secret"
      },
      "policy-enforcer": {
        "user-managed-access": {},
        "enforcement-mode": "ENFORCING",
        "paths": [
          {
            "name": "resource-greeting"
          }
        ]
      }
    }
The "resource-greeting" is the resource name set up in the authorization
settings of client "auth-service" on the Keycloak server, and it is only
accessible to USER role accounts (a role-based policy is also configured
with a permission).

Now I am very confused about what needs to be done on the Spring Security
side. From what I have read in the examples so far, I have not seen any
example using Spring Security together with *policy enforcer*. Most
examples enable authentication/authorization in SecurityConfig (which
extends KeycloakWebSecurityConfigurerAdapter) by overriding the "configure"
method, where antMatchers are used to restrict a URL (/greeting in my case)
to certain roles. See the following two examples:
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
            .sessionAuthenticationStrategy(sessionAuthenticationStrategy())
            .and()
            .addFilterBefore(keycloakPreAuthActionsFilter(), LogoutFilter.class)
            .addFilterBefore(keycloakAuthenticationProcessingFilter(), X509AuthenticationFilter.class)
            .exceptionHandling().authenticationEntryPoint(authenticationEntryPoint())
            .and()
            .authorizeRequests()
            .antMatchers("/**").authenticated()
            .anyRequest().permitAll();
    }
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        super.configure(http);
        http
            .authorizeRequests()
            .antMatchers("/customers*").hasRole("USER")
            .antMatchers("/admin*").hasRole("ADMIN")
            .anyRequest().permitAll();
    }
But as I understand it so far, with *policy enforcer* all
authentication/authorization should be pushed outside of the code and be
done by the client adapter based on the "paths" in keycloak.json,
*automatically*.

My question is, what needs to be done in the configure method? If we can do
authz through the policy enforcer, why do we still need to authorize in the
above configure method?

I have also seen someone mention adding *keycloakAuthenticatedActionsFilter*
to make the policy enforcer work; how do I do that?

Thanks,
Rong
--
View this message in context:
http://keycloak-user.88327.x6.nabble.com/Problems-enable-policy-enforcer-for-spring-security-in-spring-boot-tp3933.html
Sent from the keycloak-user mailing list archive at Nabble.com.
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
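An added example, not code from this thread or from the Keycloak project: a SecurityConfig for the bearer-only service above that keeps Spring Security's own rule at the coarse "must be authenticated" check and puts the adapter's KeycloakAuthenticatedActionsFilter (the filter that runs the policy enforcer) into the chain after token validation, so the "paths" in keycloak.json decide who reaches /greeting. It assumes a Keycloak 3.x Spring Security adapter and Spring Boot 1.5; the bean names policyEnforcerFilter and policyEnforcerFilterRegistration are made up here.

```java
import org.keycloak.adapters.springsecurity.KeycloakSecurityComponents;
import org.keycloak.adapters.springsecurity.config.KeycloakWebSecurityConfigurerAdapter;
import org.keycloak.adapters.springsecurity.filter.KeycloakAuthenticatedActionsFilter;
import org.springframework.boot.web.servlet.FilterRegistrationBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.ComponentScan;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.authentication.logout.LogoutFilter;
import org.springframework.security.web.authentication.preauth.x509.X509AuthenticationFilter;
import org.springframework.security.web.authentication.session.NullAuthenticatedSessionStrategy;
import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy;

@Configuration @EnableWebSecurity
@ComponentScan(basePackageClasses = KeycloakSecurityComponents.class)
public class SecurityConfig extends KeycloakWebSecurityConfigurerAdapter {
    // Bearer-only service: nothing to keep in an HTTP session.
    @Bean @Override
    protected SessionAuthenticationStrategy sessionAuthenticationStrategy() {
        return new NullAuthenticatedSessionStrategy();
    }
    // Hypothetical bean name. This adapter filter runs the "authenticated actions",
    // among them the policy enforcer configured in keycloak.json. If your adapter
    // version already exposes this filter as a base-class bean, reuse that instead.
    @Bean
    public KeycloakAuthenticatedActionsFilter policyEnforcerFilter() {
        return new KeycloakAuthenticatedActionsFilter();
    }
    // Spring Boot also registers Filter beans with the servlet container; disable that.
    @Bean
    public FilterRegistrationBean policyEnforcerFilterRegistration() {
        FilterRegistrationBean reg = new FilterRegistrationBean(policyEnforcerFilter());
        reg.setEnabled(false);
        return reg;
    }
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()
            .addFilterBefore(keycloakPreAuthActionsFilter(), LogoutFilter.class)
            .addFilterBefore(keycloakAuthenticationProcessingFilter(), X509AuthenticationFilter.class)
            // After token validation, so the enforcer sees the KeycloakSecurityContext.
            .addFilterAfter(policyEnforcerFilter(), X509AuthenticationFilter.class)
            .exceptionHandling().authenticationEntryPoint(authenticationEntryPoint()).and()
            // Coarse gate only: any valid bearer token passes here; whether it may reach
            // /greeting is decided by the enforcer from the "resource-greeting" permission.
            .authorizeRequests().anyRequest().authenticated();
    }
}
```

With this split, a token that is valid but lacks the USER role still clears Spring Security and is then rejected by the enforcer, which is the behaviour to confirm in a test before removing per-path antMatchers rules.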