[keycloak-user] Spring sec - roles - how?

java_os java at neposoft.com
Wed Dec 14 10:24:03 EST 2016


I get this Sebastien - thanks, but ....
My point is: where do you define MY_MAPPED_LDAP_ROLE in KC?
How is a user able to 'acquire' this MY_MAPPED_LDAP_ROLE automatically,
and who is setting the claim value into MY_MAPPED_LDAP_ROLE?
I am a bit confused.
thx


> You said that your SPA client can read out the roles from the token; well,
> for the Spring-sec app it is exactly the same. When your SPA sends a request
> to it, it also passes the token, and the Spring-sec adapter will extract the
> roles from there (it happens here:
> https://github.com/keycloak/keycloak/blob/master/adapters/oidc/spring-security/src/main/java/org/keycloak/adapters/springsecurity/authentication/SpringSecurityRequestAuthenticator.java#L91-L93
> ).
>
>
>
>
>
> On Wed, Dec 14, 2016 at 2:08 PM, java_os <java at neposoft.com> wrote:
>
>> Hi Sebastien
>> Where is "MY_MAPPED_LDAP_ROLE" assigned the value of the claim? At client
>> level in KC? Any pointers on how this is done? Getting in the value from the
>> claim and setting it into MY_MAPPED_LDAP_ROLE??
>>
>> I am guessing all logged-in users (within the client) will take the role
>> above, whose value will be the claim coming in from the IdP.
>> Then I see you show hasRole("MY_MAPPED_LDAP_ROLE") - does this check the
>> actual value of the claim that'll be set when MY_MAPPED_LDAP_ROLE gets
>> defined in KC? I am a bit confused how spring-sec gets the value of
>> MY_MAPPED_LDAP_ROLE.
>>
>> I am going to dig more on my side, but it would be nice if you could shed
>> more light on the role setup in KC.
>> Thanks
>>
>>
>> > Is this not working?
>> > http.authorizeRequests().antMatchers("/products*").hasRole("MY_MAPPED_LDAP_ROLE")
>> > ?
>> >
>> >
>> >
>> >
>> > On Tue, Dec 13, 2016 at 11:51 PM, java_os <java at neposoft.com> wrote:
>> >
>> >> Hi All,
>> >> I put up this question a while back and am now back to it since there was
>> >> no answer, this time with some hope.
>> >> I have this SPA (keycloak.js) calling into a REST API bearer-protected by
>> >> KC - all good.
>> >> I use KC brokering, so on the IdP side ADFS. The user logs in against the
>> >> IdP, where ADFS is configured with a claim that acts as a role. On the SPA
>> >> I can map out that claim from the token.
>> >> The REST API is protected by KC Spring sec. I want (and this is what I do
>> >> not know) to configure Spring sec to react when the call is made to a
>> >> specific REST endpoint and the user does not have a specific role
>> >> (returning 401).
>> >> How can I do this the Spring sec way - how can I configure Spring sec to
>> >> check at runtime the user's role for a specific endpoint and deny access
>> >> to the resource?
>> >> The big unknown to me is: how does the KC client role (which is some
>> >> static config) relate to the runtime user's role coming from the IdP?
>> >> Has anyone done this - I am sure this is a common use case.
>> >> Whoever knows this, please share.
>> >> Thank you and appreciate it.
>> >>
>> >>
>> >> _______________________________________________
>> >> keycloak-user mailing list
>> >> keycloak-user at lists.jboss.org
>> >> https://lists.jboss.org/mailman/listinfo/keycloak-user
>> >>
>> >
>>
>>
>>
>
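The end-to-end wiring the thread is circling, as an added example and not code from any of the list posts or from the Keycloak project. MY_MAPPED_LDAP_ROLE is not a claim value; it is a role you create yourself in the Keycloak admin console (Roles, Add Role for a realm role, or under the client for a client role). The broker mapper on the ADFS identity provider (Identity Providers, your ADFS provider, Mappers; type "SAML Attribute to Role" for a SAML broker or "Claim to Role" for an OIDC broker) grants that role to the brokered user whenever the incoming attribute or claim carries the value you configure, so the role name then shows up in the access token's realm_access.roles list (or resource_access.<client>.roles for a client role). The Spring Security adapter turns each of those names into a granted authority; hasRole compares names and expects the ROLE_ prefix, which the adapter does not add on its own. The resource id spring-api in the token comment and the class name are assumptions for illustration; the imports are the adapter's and Spring Security's real packages.

```java
import org.keycloak.adapters.springsecurity.KeycloakSecurityComponents;
import org.keycloak.adapters.springsecurity.authentication.KeycloakAuthenticationProvider;
import org.keycloak.adapters.springsecurity.config.KeycloakWebSecurityConfigurerAdapter;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.ComponentScan;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.authority.mapping.SimpleAuthorityMapper;
import org.springframework.security.web.authentication.session.NullAuthenticatedSessionStrategy;
import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy;

/*
 * Decoded payload of the bearer token the SPA forwards, constructed for
 * illustration. The broker mapper put MY_MAPPED_LDAP_ROLE into the user's
 * role mappings, and Keycloak serialised those mappings into the token:
 *
 * {
 *   "realm_access":    { "roles": ["MY_MAPPED_LDAP_ROLE", "offline_access"] },
 *   "resource_access": { "spring-api": { "roles": ["MY_MAPPED_LDAP_ROLE"] } }
 * }
 *
 * Which list the adapter reads is decided by keycloak.json:
 *   "use-resource-role-mappings": false  -> realm_access.roles   (realm roles)
 *   "use-resource-role-mappings": true   -> resource_access.<resource>.roles
 * A role granted by the mapper but placed in the other list is invisible
 * to this application, which is the usual cause of a surprising 403.
 */
@Configuration
@EnableWebSecurity
@ComponentScan(basePackageClasses = KeycloakSecurityComponents.class)
public class ProductsApiSecurityConfig extends KeycloakWebSecurityConfigurerAdapter {

    // Register the Keycloak provider and map token roles to Spring authorities.
    // SimpleAuthorityMapper prefixes every role with "ROLE_", so the token role
    // MY_MAPPED_LDAP_ROLE becomes ROLE_MY_MAPPED_LDAP_ROLE, which is what
    // hasRole("MY_MAPPED_LDAP_ROLE") looks for. Without the mapper you would
    // have to use hasAuthority("MY_MAPPED_LDAP_ROLE") instead.
    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) {
        KeycloakAuthenticationProvider provider = keycloakAuthenticationProvider();
        provider.setGrantedAuthoritiesMapper(new SimpleAuthorityMapper());
        auth.authenticationProvider(provider);
    }

    // Bearer-only REST API: no server-side session to register.
    @Bean
    @Override
    protected SessionAuthenticationStrategy sessionAuthenticationStrategy() {
        return new NullAuthenticatedSessionStrategy();
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        super.configure(http);
        http.authorizeRequests()
            // Evaluated on every request against the roles in *this* token,
            // so a user whose ADFS claim changes gets the new decision on the
            // next token, not on the next deployment.
            .antMatchers("/products*").hasRole("MY_MAPPED_LDAP_ROLE")
            .anyRequest().authenticated();
    }
}
```

Two things to check when this does not behave as expected. First, a valid token that simply lacks the role produces 403 (access denied), not 401; 401 is what the adapter returns for a missing, expired or invalidly signed token. Second, confirm the role is really in the token before blaming Spring: decode the access token the SPA receives (keycloak.js exposes it as keycloak.tokenParsed) and look for the role name in realm_access.roles or resource_access.spring-api.roles. If it is absent, the problem is the broker mapper (wrong attribute name or value, or the mapper was added after the user's first login and the user has not logged in again), not the authorization rule.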