[keycloak-user] Spring sec - roles - how?

java_os java at neposoft.com
Wed Dec 14 11:18:49 EST 2016


Sebastien, sorry - yes, done the role mapper in the brokering, totally
forgot about this - so I guess this is how the LDAP role propagates to the
user's role.
OK - got the big picture; the rest is impl details.
You got me out of the swamp a 2nd time - thanks


> I'm sorry, I'm not sure what you are really asking then.
> I assume you defined a role mapper when you configured the LDAP brokering
> in KC? So your LDAP role will be mapped to a KC role and your user will
> have that role.
>
> The SpringSec app needs to know these roles to be able to check.
>
>
> On Wed, Dec 14, 2016 at 4:24 PM, java_os <java at neposoft.com> wrote:
>
>> I get this Sebastien - thanks, but ....
>> My point is: where do you define MY_MAPPED_LDAP_ROLE in KC?
>> How is a user able to 'acquire' this MY_MAPPED_LDAP_ROLE automatically,
>> and who's setting the claim value into MY_MAPPED_LDAP_ROLE?
>> I am a bit confused
>> thx
>>
>>
>> > You said that your SPA client can read out the roles from the token;
>> > well, for the Spring-sec app it is exactly the same. When your SPA sends a
>> > request to it, it also passes the token, and the Spring-sec adapter will
>> > extract the roles from there (happens here:
>> > https://github.com/keycloak/keycloak/blob/master/adapters/oidc/spring-security/src/main/java/org/keycloak/adapters/springsecurity/authentication/SpringSecurityRequestAuthenticator.java#L91-L93
>> > ).
>> >
>> >
>> >
>> >
>> >
>> > On Wed, Dec 14, 2016 at 2:08 PM, java_os <java at neposoft.com> wrote:
>> >
>> >> Hi Sebastien
>> >> Where is "MY_MAPPED_LDAP_ROLE" assigned the value of the claim? Client
>> >> level in KC? Any pointers on how this is done? Getting in the value from
>> >> the claim and setting it into the MY_MAPPED_LDAP_ROLE??
>> >>
>> >> I am guessing all logged-in users (within the client) will take the role
>> >> above, whose value will be the claim coming in from the IdP.
>> >> Then I see you show hasRole("MY_MAPPED_LDAP_ROLE") - does this check the
>> >> actual value of the claim that'll be set when MY_MAPPED_LDAP_ROLE gets
>> >> defined in KC? I am a bit confused how spring-sec gets the value of the
>> >> MY_MAPPED_LDAP_ROLE.
>> >>
>> >> I am going to dig more on my side, but it would be nice if you can shed
>> >> more light on the role setup in KC.
>> >> Thanks
>> >>
>> >>
>> >> > Is this not working?
>> >> > http.authorizeRequests().antMatchers("/products*").hasRole("MY_MAPPED_LDAP_ROLE")
>> >> > ?
>> >> >
>> >> >
>> >> >
>> >> >
>> >> > On Tue, Dec 13, 2016 at 11:51 PM, java_os <java at neposoft.com>
>> wrote:
>> >> >
>> >> >> Hi All,
>> >> >> I put up this question a while back and am now back to it since there
>> >> >> was no answer, this time with some hope.
>> >> >> I have this SPA (keycloak.js) calling into a REST API bearer-protected
>> >> >> by KC - all good.
>> >> >> I use KC brokering, so on the IdP side ADFS. The user logs in against
>> >> >> the IdP, where ADFS is configured with a claim that acts as a role. On
>> >> >> the SPA I can map out that claim from the token.
>> >> >> The REST API is protected by KC spring sec. I want (and this is what I
>> >> >> do not know) to configure spring sec to react when the call is made to
>> >> >> a specific REST endpoint when the user does not have a specific role
>> >> >> (returning 401).
>> >> >> How can I do this the spring sec way - how can I configure spring sec
>> >> >> to check at runtime the user's role for a specific endpoint and deny
>> >> >> access to the resource.
>> >> >> The big unknown to me is: how does the KC client role (which is some
>> >> >> static config) relate to the runtime user's role coming from the IdP.
>> >> >> Has anyone done this - I am sure this is a common use case.
>> >> >> Whoever knows this please share.
>> >> >> Thank you and appreciate it.
>> >> >>
>> >> >>
>> >> >> _______________________________________________
>> >> >> keycloak-user mailing list
>> >> >> keycloak-user at lists.jboss.org
>> >> >> https://lists.jboss.org/mailman/listinfo/keycloak-user
>> >> >>
>> >> >
>> >>
>> >>
>> >>
>> >
>>
>>
>>
>




More information about the keycloak-user mailing list