This one smells like a bug. Can you create a JIRA, please?
On Thu, 2016-10-27 at 00:48 +0800, Joey wrote:
Thanks Pedro, I think you are right.
I would like to ask one more question. I want to let Keycloak protect
most of the resources of my website, but I also want to expose some
resources to anonymous users; for example, let anonymous users visit
all files within the /resources folder. So I do something like this.
Tomcat web.xml
<!-- Protected paths: only authenticated users holding the admin role -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>All Resources</web-resource-name>
    <url-pattern>/user/login.action</url-pattern>
    <url-pattern>/jsp/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>admin</role-name>
  </auth-constraint>
</security-constraint>
<!-- Public paths: no auth-constraint, so the container does not require a login -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Public Resources</web-resource-name>
    <url-pattern>/resources/*</url-pattern>
  </web-resource-collection>
</security-constraint>
<login-config>
  <auth-method>KEYCLOAK</auth-method>
  <realm-name>master</realm-name>
</login-config>
<security-role>
  <role-name>admin</role-name>
</security-role>
Keycloak
I don't create any permission that controls the folder [/resources] or its
parent folder.
But when I tried to visit a file in the folder [/resources], I got an HTTP
500 error.
java.lang.RuntimeException: Failed to enforce policy decisions.
org.keycloak.adapters.AuthenticatedActionsHandler.isAuthorized(AuthenticatedActionsHandler.java:149)
org.keycloak.adapters.AuthenticatedActionsHandler.handledRequest(AuthenticatedActionsHandler.java:60)
org.keycloak.adapters.tomcat.AuthenticatedActionsValve.invoke(AuthenticatedActionsValve.java:63)
org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:505)
org.keycloak.adapters.tomcat.AbstractKeycloakAuthenticatorValve.invoke(AbstractKeycloakAuthenticatorValve.java:187)
org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:956)
org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:436)
org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1078)
org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:625)
org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:316)
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
java.lang.Thread.run(Thread.java:745)
root cause
java.lang.NullPointerException
org.keycloak.adapters.authorization.AbstractPolicyEnforcer.authorize(AbstractPolicyEnforcer.java:68)
org.keycloak.adapters.authorization.PolicyEnforcer.enforce(PolicyEnforcer.java:76)
org.keycloak.adapters.AuthenticatedActionsHandler.isAuthorized(AuthenticatedActionsHandler.java:142)
org.keycloak.adapters.AuthenticatedActionsHandler.handledRequest(AuthenticatedActionsHandler.java:60)
org.keycloak.adapters.tomcat.AuthenticatedActionsValve.invoke(AuthenticatedActionsValve.java:63)
Any suggestions? Thanks.
Joey
On Wed, Oct 26, 2016 at 7:55 PM, Pedro Igor Craveiro e Silva
<psilva(a)redhat.com> wrote:
>
> From your logs it seems that access was actually GRANTED. So your user
> should be able to access that resource:
>
> Oct 26, 2016 7:37:33
> org.keycloak.adapters.authorization.PolicyEnforcer enforce DEBUG:
> Returning authorization context with permissions:
>
> You don't have any permission in the logs because when you set
> enforcement-mode to DISABLE, the enforcer will just let the request
> pass.
>
> Maybe you have some other constraint applied to your resource
> within your application?
>
> On Wed, 2016-10-26 at 19:40 +0800, Joey wrote:
> >
> > Hi Guys,
> >
> > I read from the documents, and my understanding is that if I set Policy
> > Enforcement Mode to disabled, then any user can access all resources.
> > But I tried to set it to disabled, and nothing changed.
> >
> > For example,
> >
> > I have a role called Role_A and set a user Tom to this Role_A. If I
> > set a resource access policy without Role_A, this user Tom cannot
> > access this resource. And I can see some log in Tomcat.
> >
> > Oct 26, 2016 7:37:33 PM
> > org.keycloak.adapters.authorization.PolicyEnforcer enforce
> >
> > DEBUG: Policy enforcement is enable. Enforcing policy decisions for
> > path [http://operation.iishang-intr.com:9111/op/jsp/base/loginStatistics/portalLoginStatistics.jsp].
> >
> > Oct 26, 2016 7:37:33 PM
> > org.keycloak.adapters.authorization.PolicyEnforcer enforce
> >
> > DEBUG: Policy enforcement result for path
> > [http://operation.iishang-intr.com:9111/op/jsp/base/loginStatistics/portalLoginStatistics.jsp]
> > is : GRANTED
> >
> > Oct 26, 2016 7:37:33 PM
> > org.keycloak.adapters.authorization.PolicyEnforcer enforce
> >
> > DEBUG: Returning authorization context with permissions:
> >
> > Joey
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user(a)lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
> --
> Pedro Igor