[keycloak-user] Spring sec - roles - how?

java_os java at neposoft.com
Wed Dec 14 08:08:57 EST 2016


Hi Sebastien
Where is "MY_MAPPED_LDAP_ROLE" assigned the value of the claim? At the client
level in KC? Any pointers on how this is done? Getting the value from the
claim and setting it into MY_MAPPED_LDAP_ROLE?

I am guessing all logged-in users (within the client) will take the role
above, whose value will be the claim coming in from the IdP.
Then I see you show hasRole("MY_MAPPED_LDAP_ROLE") - does this check the
actual value of the claim that will be set when MY_MAPPED_LDAP_ROLE gets
defined in KC? I am a bit confused how spring-sec gets the value of
MY_MAPPED_LDAP_ROLE.

I am going to dig more on my side, but it would be nice if you could shed more
light on the role setup in KC.
Thanks


> Is this not working?
> http.authorizeRequests().antMatchers("/products*").hasRole("MY_MAPPED_LDAP_ROLE")
> ?
>
>
>
>
> On Tue, Dec 13, 2016 at 11:51 PM, java_os <java at neposoft.com> wrote:
>
>> Hi All,
>> I put up this question a while back and am now back to it since there was
>> no answer, this time with some hope.
>> I have this SPA (keycloak.js) calling into a REST API, bearer-protected by
>> KC - all good.
>> I use KC brokering, so on the IdP side it is ADFS. The user logs in against
>> the IdP, where ADFS is configured with a claim that acts as a role. On the
>> SPA I can map out that claim from the token.
>> The REST API is protected by KC Spring Security. I want (and this is what I
>> do not know) to configure Spring Security to react when a call is made to a
>> specific REST endpoint and the user does not have a specific role
>> (returning 401).
>> How can I do this the Spring Security way - how can I configure Spring
>> Security to check the user's role at runtime for a specific endpoint and
>> deny access to the resource?
>> The big unknown to me is: how does a KC client role (which is some static
>> config) relate to the runtime user's role coming from the IdP?
>> Has anyone done this? I am sure this is a common use case.
>> Whoever knows this, please share.
>> Thank you, and I appreciate it.
>>
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>
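
One way the pieces in this thread fit together, written as an added example rather than code from the thread or from the Keycloak project. It assumes the REST API uses the keycloak-spring-security-adapter with a bearer-only keycloak.json, and that MY_MAPPED_LDAP_ROLE is a Keycloak realm role granted to the brokered user by an identity-provider mapper on the ADFS broker (for example a "SAML Attribute to Role" mapper keyed on the ADFS claim). Under those assumptions the role arrives in the access token's realm_access.roles list, and the adapter turns it into a Spring GrantedAuthority that hasRole() can match:

```java
import org.keycloak.adapters.springsecurity.authentication.KeycloakAuthenticationProvider;
import org.keycloak.adapters.springsecurity.config.KeycloakWebSecurityConfigurerAdapter;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.authority.mapping.SimpleAuthorityMapper;
import org.springframework.security.web.authentication.session.NullAuthenticatedSessionStrategy;
import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy;

/**
 * Example security config for a bearer-only REST API behind Keycloak
 * (added illustration; assumed class and bean names, not from the thread).
 *
 * Assumed keycloak.json on the classpath:
 *   { "realm": "...", "resource": "rest-api", "auth-server-url": "...",
 *     "bearer-only": true }
 * Leaving "use-resource-role-mappings" unset means the adapter reads
 * realm_access.roles from the token; set it to true to read
 * resource_access.<resource>.roles (client roles) instead.
 */
@Configuration
@EnableWebSecurity
public class RestApiSecurityConfig extends KeycloakWebSecurityConfigurerAdapter {

    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) {
        KeycloakAuthenticationProvider provider = keycloakAuthenticationProvider();

        // The token carries the role name "MY_MAPPED_LDAP_ROLE". Spring's
        // hasRole("X") looks for an authority named "ROLE_X", so prefix
        // every Keycloak role with "ROLE_" (case is left untouched).
        SimpleAuthorityMapper mapper = new SimpleAuthorityMapper();
        mapper.setPrefix("ROLE_");
        provider.setGrantedAuthoritiesMapper(mapper);

        auth.authenticationProvider(provider);
    }

    @Bean
    @Override
    protected SessionAuthenticationStrategy sessionAuthenticationStrategy() {
        // Bearer-only API: every request carries its own token, so there is
        // no HTTP session to register the authentication in.
        return new NullAuthenticatedSessionStrategy();
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Installs the Keycloak bearer-token filter and its 401 entry point.
        super.configure(http);

        http.csrf().disable()   // no browser session, so no CSRF token to check
            .authorizeRequests()
                // Only users whose token lists the realm role
                // MY_MAPPED_LDAP_ROLE may reach /products*.
                .antMatchers("/products*").hasRole("MY_MAPPED_LDAP_ROLE")
                // Everything else just needs a valid bearer token.
                .anyRequest().authenticated();
    }
}
```

The string passed to hasRole() is a role name, not the claim's value: Keycloak evaluates the IdP mapper at login, grants the realm role when the ADFS claim matches, and writes the role name into the token, which is what the adapter exposes to Spring Security. Two things to check in practice: the token actually contains the role (decode the JWT payload and look at realm_access.roles, or resource_access.<resource>.roles if use-resource-role-mappings is enabled), and the response codes match expectations. A request with no valid token is rejected with 401 by the adapter's entry point, but an authenticated user who lacks the role gets 403 from Spring's default AccessDeniedHandler; returning 401 in that case needs a custom handler registered with http.exceptionHandling().accessDeniedHandler(...).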
