Hi Sebi,
It has worked!
Thanks a lot for your help,
*Álvaro Martín García*
alvaro.martin(a)bluetab.net
+34 91 457 16 97
+34 687 398 622
2018-06-20 17:49 GMT+02:00 Sebastien Blanc <sblanc(a)redhat.com>:
Hi!
I must admit that the Servlet Security constraints regarding METHODS are
not easy to grasp. If you add another security constraint that also covers
POST/PUT/DELETE then it should work, something like this (sorry, using
old-school properties):
keycloak.security-constraints[0].authRoles[0]=user
keycloak.security-constraints[0].securityCollections[0].patterns[0]=/products/*
keycloak.security-constraints[0].securityCollections[0].methods[0]=GET
keycloak.security-constraints[1].authRoles[0]=super
keycloak.security-constraints[1].securityCollections[0].patterns[0]=/products/*
keycloak.security-constraints[1].securityCollections[0].methods[0]=POST
keycloak.security-constraints[1].securityCollections[0].methods[1]=PUT
keycloak.security-constraints[1].securityCollections[0].methods[2]=DELETE
Also make sure that the user who has full access also has the read-only
role.
Hope this helps.
Sebi
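Added example (not from either message in this thread): Sebi's two constraints written in the YAML form Álvaro's application.yml uses, with Álvaro's role names and path. The point that trips people up is that a security constraint listing only GET constrains only GET; the other verbs are simply not covered by it and the adapter does not restrict them, which is exactly the behaviour reported below. The realm, resource and auth-server-url values are copied from the question and assumed unchanged; the collection names are made up.

```yaml
# Added example, not from the thread: Spring Boot Keycloak adapter config
# with verb-level constraints. Keys follow the application.yml quoted below;
# realm/resource/URL are the question's values and are assumptions here.
keycloak:
  auth-server-url: http://localhost:8010/auth
  realm: blue-energy
  resource: client-service
  bearer-only: true
  ssl-required: external
  securityConstraints:
    # Read-only: this constraint covers GET only. On its own it leaves
    # POST/PUT/DELETE uncovered, so they are not restricted at all, which is
    # the "RO user has full access" symptom in the question.
    - authRoles:
        - ROLE_CLIENT_RO
      securityCollections:
        - name: clients read          # name is illustrative
          patterns:
            - /clients
            - /clients/*              # path-prefix pattern; "/clients/" alone is an exact match
          methods:
            - GET
    # Full access: a second constraint covers the mutating verbs. A user with
    # ROLE_CLIENT_FA must also hold ROLE_CLIENT_RO, otherwise GET is denied
    # to them (see Sebi's note above).
    - authRoles:
        - ROLE_CLIENT_FA
      securityCollections:
        - name: clients write         # name is illustrative
          patterns:
            - /clients
            - /clients/*
          methods:
            - POST
            - PUT
            - DELETE
```

If you want a failure to be loud rather than silent, test each verb with a token carrying only ROLE_CLIENT_RO: GET must return 200 and POST/PUT/DELETE must return 403 before the config is considered correct.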
On Wed, Jun 20, 2018 at 3:22 PM, Alvaro Martin <alvaro.martin(a)bluetab.net> wrote:
> Hi,
>
> We are evaluating Keycloak as an IAM for a future application. We are
> building a prototype with an Angular front app and a Spring Boot 2
> backend.
> The backend app exposes a RESTful API whose access we want to restrict
> down to the HTTP verb level. At least we want to achieve two access levels
> on each endpoint: read-only access (HTTP GET) and full access (GET, POST,
> PUT, DELETE).
>
> We have configured Keycloak and built the application, but the backend
> doesn't seem to restrict the access. Here is the application.yml. We are
> trying to set up a ROLE_CLIENT_RO (for read-only) and ROLE_CLIENT_FA (for
> full access).
>
> keycloak:
>   auth-server-url: http://localhost:8010/auth
>   bearer-only: true
>   public-client: true
>   realm: blue-energy
>   resource: client-service
>   securityConstraints:
>     - authRoles:
>         - ROLE_CLIENT_RO
>       securityCollections:
>         - name: protected resource
>           patterns:
>             - /clients
>             - /clients/
>           methods:
>             - GET
>   ssl-required: external
>
> The backend app seems to honor the ROLE_CLIENT_RO role but not the HTTP
> verb. If we assign the realm role ROLE_CLIENT_RO to the user that should
> grant just read-only access, he has unrestricted access to the whole endpoint
> (i.e. all the verbs).
>
> We are using Keycloak 4.0.0.Final.
>
> Is this configuration supposed to work? We haven't found many references
> on how to set up a scenario like this.
>
> Thanks in advance,
>
>
> *Álvaro Martín García* <http://www.bluetab.net/>
> alvaro.martin(a)bluetab.net
>
> +34 91 457 16 97
>
> +34 687 398 622
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user