[keycloak-user] Securing subpaths with specific roles

Rodrigo Sasaki rodrigopsasaki at gmail.com
Thu Jul 17 08:09:21 EDT 2014


Hello there.

I'm not a part of the keycloak team, so I think it's best to leave the 1st
question for them, but I do know the answer to your second one.

You can view any user's role mappings via the Keycloak REST API. Have a
look at this URL:
http://docs.jboss.org/keycloak/docs/1.0-beta-3/rest-api/admin/realms/%7Brealm%7D/users/%7Busername%7D/role-mappings/index.html


On Thu, Jul 17, 2014 at 8:14 AM, Edem Morny <emorny at gmail.com> wrote:

> Hi,
>
> I'm currently using beta2 of keycloak, and we are building a new
> application with keycloak as our security platform.
>
> In our web module, all pages are located under the path
> src/main/webapps/views. Navigation to the index.xhtml file under this path
> triggers keycloak login, as expected. We've enabled self-registration and
> assigned the default realm role to be "user", so a new user automatically
> obtains the "user" role.  Here is a snippet of our web.xml file.
>
>
> <security-constraint>
>     <web-resource-collection>
>         <web-resource-name>Users</web-resource-name>
>         <url-pattern>/views/*</url-pattern>
>     </web-resource-collection>
>     <auth-constraint>
>         <role-name>user</role-name>
>     </auth-constraint>
> </security-constraint>
> <security-constraint>
>     <web-resource-collection>
>         <web-resource-name>Supervisor</web-resource-name>
>         <url-pattern>/views/supervisor/*</url-pattern>
>     </web-resource-collection>
>     <auth-constraint>
>         <role-name>supervisor</role-name>
>     </auth-constraint>
> </security-constraint>
> ...
>
> In effect any person with "user" role can view any content directly under
> /views/*. However, the newly enrolled user is able to navigate to other
> subpaths under the /views like the /views/supervisor/* which should
> normally require the user to have the additional "supervisor" role in
> addition to being "user".
>
> So I have 2 questions.
> 1. Am I doing something wrong with regards to this setup? Does each
> registered application also need to have roles specified, or should the
> realm roles be enough. Or is my understanding wrong?
> 2. Is there a means to obtain the roles that a user has after logging
> in? The IDToken doesn't seem to contain any such information.
>
> Looking forward to your response. Cheers.
>



-- 
Rodrigo Sasaki
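Added example, not from either poster: a small Python check that parses the quoted web.xml (wrapped in a constructed <web-app> root) and resolves which constraint a Servlet container applies to a request path, using the spec's best-match rule (exact match, then longest path prefix, then extension) and combining constraints that name the same pattern by union of their roles.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the two constraints from the post, wrapped in a <web-app> root.
WEB_XML = """<web-app>
<security-constraint><web-resource-collection><web-resource-name>Users</web-resource-name>
<url-pattern>/views/*</url-pattern></web-resource-collection>
<auth-constraint><role-name>user</role-name></auth-constraint></security-constraint>
<security-constraint><web-resource-collection><web-resource-name>Supervisor</web-resource-name>
<url-pattern>/views/supervisor/*</url-pattern></web-resource-collection>
<auth-constraint><role-name>supervisor</role-name></auth-constraint></security-constraint>
</web-app>"""

def load_constraints(web_xml):
    """Map each url-pattern to the set of roles allowed on it. Constraints that
    name the same pattern are combined (union of roles), as the spec requires."""
    patterns = {}
    for sc in ET.fromstring(web_xml).iter("security-constraint"):
        roles = {r.text.strip() for r in sc.iter("role-name")}
        for up in sc.iter("url-pattern"):
            patterns.setdefault(up.text.strip(), set()).update(roles)
    return patterns

def pattern_matches(pattern, path):
    """Servlet-style URL matching: exact, path prefix (/a/*) or extension (*.x)."""
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return pattern == path

def required_roles(patterns, path):
    """Roles required for `path`, or None if no constraint covers it. Only the
    best-matching pattern applies (exact > longest prefix > extension); the
    winning constraint replaces the others rather than adding to them."""
    def rank(p):
        kind = 2 if p == path else 1 if p.endswith("/*") else 0
        return (kind, len(p))
    matches = [p for p in patterns if pattern_matches(p, path)]
    return patterns[max(matches, key=rank)] if matches else None

def is_allowed(patterns, path, user_roles):
    """True if the descriptor admits a principal holding `user_roles`.
    An empty role set (auth-constraint naming no roles) denies everyone."""
    need = required_roles(patterns, path)
    return need is None or bool(need & set(user_roles))

if __name__ == "__main__":
    p = load_constraints(WEB_XML)
    print(required_roles(p, "/views/supervisor/index.xhtml"))  # {'supervisor'}
```

By the descriptor alone a principal holding only "user" is denied under /views/supervisor/*, so if the container still admits such a user, the roles the Keycloak adapter presents to the container (rather than the web.xml) are the next thing to inspect.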