[keycloak-user] Spring sec - roles - how?

Sebastien Blanc sblanc at redhat.com
Wed Dec 14 10:54:32 EST 2016


I'm sorry, I'm not sure what you are really asking then.
I assume you defined a role mapper when you configured the LDAP brokering
in KC? So your LDAP role will be mapped to a KC role and your user will
have that role.

The SpringSec app needs to know these roles to be able to check.


On Wed, Dec 14, 2016 at 4:24 PM, java_os <java at neposoft.com> wrote:

> I get this Sebastien - thanks, but ....
> My point is: where do you define MY_MAPPED_LDAP_ROLE in KC?
> How is a user able to 'acquire' this MY_MAPPED_LDAP_ROLE automatically,
> and who's setting the claim value into MY_MAPPED_LDAP_ROLE?
> I am a bit confused
> thx
>
>
> > You said that your SPA client can read out the roles from the token, well
> > for the Spring-sec app it is exactly the same. When your SPA sends a request
> > to it, it also passes the token, and the Spring-sec adapter will extract the
> > roles from there (happens here
> > https://github.com/keycloak/keycloak/blob/master/adapters/oidc/spring-security/src/main/java/org/keycloak/adapters/springsecurity/authentication/SpringSecurityRequestAuthenticator.java#L91-L93
> > ).
> >
> >
> >
> >
> >
> > On Wed, Dec 14, 2016 at 2:08 PM, java_os <java at neposoft.com> wrote:
> >
> >> Hi Sebastien
> >> Where is "MY_MAPPED_LDAP_ROLE" assigned the value of the claim? Client
> >> level in KC? Any pointers on how this is done? Getting the value from the
> >> claim and setting it into MY_MAPPED_LDAP_ROLE??
> >>
> >> I am guessing all logged-in users (within the client) will take the role
> >> above, whose value will be the claim coming in from the IdP.
> >> Then I see you show hasRole("MY_MAPPED_LDAP_ROLE") - does this check the
> >> actual value of the claim that'll be set when MY_MAPPED_LDAP_ROLE gets
> >> defined in KC? I am a bit confused how spring-sec gets the value of
> >> MY_MAPPED_LDAP_ROLE.
> >>
> >> I am going to dig more on my side, but it would be nice if you could shed
> >> more light on the role setup in KC.
> >> Thanks
> >>
> >>
> >> > Is this not working?
> >> > http.authorizeRequests().antMatchers("/products*").hasRole("MY_MAPPED_LDAP_ROLE")
> >> > ?
> >> >
> >> >
> >> >
> >> >
> >> > On Tue, Dec 13, 2016 at 11:51 PM, java_os <java at neposoft.com> wrote:
> >> >
> >> >> Hi All,
> >> >> I put up this question a while back and am now back to it since there
> >> >> was no answer, this time with some hope.
> >> >> I have this SPA (keycloak.js) calling into a REST API bearer-protected
> >> >> by KC - all good.
> >> >> I use KC brokering, so on the IdP side is ADFS. The user logs in against
> >> >> the IdP, where ADFS is configured with a claim that acts as a role. On
> >> >> the SPA I can map out that claim from the token.
> >> >> The REST API is protected by KC Spring Security. I want (and this is
> >> >> what I do not know) to configure Spring Security to react when the call
> >> >> is made to a specific REST endpoint and the user does not have a
> >> >> specific role (returning 401).
> >> >> How can I do this the Spring Security way - how can I configure Spring
> >> >> Security to check at runtime the user's role for a specific endpoint
> >> >> and deny access to the resource?
> >> >> The big unknown to me is: how does a KC client role (which is some
> >> >> static config) relate to the runtime user's role coming from the IdP?
> >> >> Has anyone done this - I am sure this is a common use case.
> >> >> Whoever knows this, please share.
> >> >> Thank you and appreciate it.
> >> >>
> >> >>
> >> >> _______________________________________________
> >> >> keycloak-user mailing list
> >> >> keycloak-user at lists.jboss.org
> >> >> https://lists.jboss.org/mailman/listinfo/keycloak-user
> >> >>
> >> >
> >>
> >>
> >>
> >
>
>
>

