[keycloak-dev] Restricting the scope of admin

Bruno Oliveira bruno at abstractj.org
Tue May 27 15:06:03 EDT 2014


On 2014-05-27, Bill Burke wrote:
> You can use RolesAllowed on JAX-RS methods, but you'll need to enable the
> resteasy config for that.  If that's what you mean.  You can also use

Nailed it, Bill, that's exactly what I mean.

> web.xml servlet security too, but you can't get as fine-grained.
>
> I'll update the example we have for Aerogear, if you want to take one of
> those approaches.

Thanks a lot, I will take a look at the documentation.

>
>
> On 5/27/2014 1:19 PM, Bruno Oliveira wrote:
> >Thank you Bill. If I want to restrict the access for my endpoint, for example:
> >
> >- admin: can do anything: read, update, delete, create at my endpoints
> >   (on UPS)
> >- regular user: read only
> >
> >Which approach would be the best with KC? Interceptors? Servlet filter?
> >Or is there something already implemented?
> >
> >On 2014-05-27, Bill Burke wrote:
> >>Please check out the project here.  IMO, this is how you'll want to set
> >>up aerogear:
> >>
> >>https://github.com/keycloak/keycloak/tree/master/project-integrations/aerogear-ups
> >>
> >>With aerogear, IMO, you'll want to remove the admin user of the master
> >>realm.  We added a feature that you can have an admin user directly in
> >>your realm within the admin console.  Please read this:
> >>
> >>https://github.com/keycloak/keycloak/tree/master/project-integrations/aerogear-ups
> >>
> >>
> >>The realm import enables an admin user with permissions to modify the
> >>aerogear realm.
> >>
> >>https://github.com/keycloak/keycloak/blob/master/project-integrations/aerogear-ups/auth-server/src/main/webapp/WEB-INF/testrealm.json
> >>
> >>On 5/27/2014 7:58 AM, Bruno Oliveira wrote:
> >>>Good morning guys. Following the requirements of the Push server, we on
> >>>AeroGear would like to restrict the scope of Admin.
> >>>
> >>>Following the integration samples here:
> >>>https://github.com/keycloak/keycloak/blob/master/project-integrations/aerogear-ups/auth-server/src/main/java/org/aerogear/ups/security/UpsSecurityApplication.java#L32.
> >>>
> >>>The downside of removing the admin is that we can't manage our users anymore (correct me if I'm wrong).
> >>>This is not a big deal if you add a new user or update the current admin with the appropriate
> >>>permissions. The odd thing is: after login I'm immediately kicked out of the KC
> >>>admin. I'm probably doing something wrong for sure, but I couldn't figure
> >>>it out yet.
> >>>
> >>>This is the piece of code being tested:
> >>>https://github.com/abstractj/aerogear-unifiedpush-server/commit/4814e75f1e5bfc31919bb51f00623a3948829861#diff-fb1187c03792f02a16e7bb8642ad6052R67
> >>>
> >>>And this is the log file:
> >>>https://gist.github.com/abstractj/eb75d6210eb29394d139. It seems like
> >>>everything goes well here:
> >>>https://gist.github.com/abstractj/eb75d6210eb29394d139#file-log-txt-L5,
> >>>but maybe I'm missing the mgmt configuration?
> >>>https://gist.github.com/abstractj/eb75d6210eb29394d139#file-log-txt-L7
> >>>
> >>>Thanks in advance.
> >>>
> >>>--
> >>>
> >>>abstractj
> >>>_______________________________________________
> >>>keycloak-dev mailing list
> >>>keycloak-dev at lists.jboss.org
> >>>https://lists.jboss.org/mailman/listinfo/keycloak-dev
> >>>
> >>
> >>--
> >>Bill Burke
> >>JBoss, a division of Red Hat
> >>http://bill.burkecentral.com
> >
> >--
> >
> >abstractj
> >
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com

--

abstractj

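The approach Bill recommends above (method-level `@RolesAllowed` with RESTEasy's role-based security enabled, so that the admin role can create, update and delete while regular users are read-only), as an added example that is not part of the original thread or of the UPS/Keycloak code: the package, class name, resource path and the role names "admin" and "user" are assumptions.

```java
// Added example, not from the original thread nor from the UPS/Keycloak projects.
// Assumes web.xml sets the context-param resteasy.role.based.security=true and that
// the Keycloak adapter maps realm roles to the servlet roles "admin" and "user"
// (role names, package and class name are assumptions).
package org.example.ups.rest;

import javax.annotation.security.DenyAll;
import javax.annotation.security.RolesAllowed;
import javax.ws.rs.*;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

@Path("/applications")
@DenyAll // class-wide default: a method missing its own annotation is refused, not exposed
@Produces(MediaType.APPLICATION_JSON)
@Consumes(MediaType.APPLICATION_JSON)
public class PushApplicationEndpoint {

    // constructed in-memory stand-in for the UPS application store
    private static final Map<String, String> APPS = new ConcurrentHashMap<>();

    @GET @Path("{id}")
    @RolesAllowed({"admin", "user"}) // regular users: read only
    public Response get(@PathParam("id") String id) {
        String app = APPS.get(id);
        return app == null ? Response.status(Response.Status.NOT_FOUND).build()
                           : Response.ok(app).build();
    }

    @PUT @Path("{id}")
    @RolesAllowed("admin") // create/update: admin only; RESTEasy returns 403 for anyone else
    public Response upsert(@PathParam("id") String id, String body) {
        boolean created = APPS.put(id, body) == null;
        return created ? Response.status(Response.Status.CREATED).build()
                       : Response.noContent().build();
    }

    @DELETE @Path("{id}")
    @RolesAllowed("admin") // delete: admin only
    public Response delete(@PathParam("id") String id) {
        return APPS.remove(id) == null ? Response.status(Response.Status.NOT_FOUND).build()
                                       : Response.noContent().build();
    }
}
```

Without the `resteasy.role.based.security` context-param the annotations are silently ignored and every authenticated user reaches every method, which is why the class-level `@DenyAll` default is worth keeping as a visible guard.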