[keycloak-user] Policy Enforcement Mode cannot be changed.
Joey
huazonglin at gmail.com
Wed Oct 26 12:48:02 EDT 2016
Thanks Pedro, I think you are right.
I would like to ask one more question. I want to let Keycloak protect
most of the resources of my website, but I also want to expose some
resources to anonymous users.
For example, to let anonymous users visit all files within the /resources
folder, I do something like this.
Tomcat web.xml
<security-constraint>
    <web-resource-collection>
        <web-resource-name>All Resources</web-resource-name>
        <url-pattern>/user/login.action</url-pattern>
        <url-pattern>/jsp/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>admin</role-name>
    </auth-constraint>
</security-constraint>
<security-constraint>
    <web-resource-collection>
        <web-resource-name>All Resources</web-resource-name>
        <url-pattern>/resources/*</url-pattern>
    </web-resource-collection>
</security-constraint>
<login-config>
    <auth-method>KEYCLOAK</auth-method>
    <realm-name>master</realm-name>
</login-config>
<security-role>
    <role-name>admin</role-name>
</security-role>
Keycloak
I didn't create a permission that controls the folder [/resources] or its parent folder.
But when I tried to visit a file in the folder [/resources], I got an HTTP 500 error.
java.lang.RuntimeException: Failed to enforce policy decisions.
org.keycloak.adapters.AuthenticatedActionsHandler.isAuthorized(AuthenticatedActionsHandler.java:149)
org.keycloak.adapters.AuthenticatedActionsHandler.handledRequest(AuthenticatedActionsHandler.java:60)
org.keycloak.adapters.tomcat.AuthenticatedActionsValve.invoke(AuthenticatedActionsValve.java:63)
org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:505)
org.keycloak.adapters.tomcat.AbstractKeycloakAuthenticatorValve.invoke(AbstractKeycloakAuthenticatorValve.java:187)
org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:956)
org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:436)
org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1078)
org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:625)
org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:316)
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
java.lang.Thread.run(Thread.java:745)
root cause
java.lang.NullPointerException
org.keycloak.adapters.authorization.AbstractPolicyEnforcer.authorize(AbstractPolicyEnforcer.java:68)
org.keycloak.adapters.authorization.PolicyEnforcer.enforce(PolicyEnforcer.java:76)
org.keycloak.adapters.AuthenticatedActionsHandler.isAuthorized(AuthenticatedActionsHandler.java:142)
org.keycloak.adapters.AuthenticatedActionsHandler.handledRequest(AuthenticatedActionsHandler.java:60)
org.keycloak.adapters.tomcat.AuthenticatedActionsValve.invoke(AuthenticatedActionsValve.java:63)
Any suggestions? Thanks.
Joey
On Wed, Oct 26, 2016 at 7:55 PM, Pedro Igor Craveiro e Silva
<psilva at redhat.com> wrote:
> From your logs it seems that access was actually GRANTED. So your user
> should be able to access that resource:
>
> Oct 26, 2016 7:37:33
> org.keycloak.adapters.authorization.PolicyEnforcer enforce DEBUG:
> Returning authorization context with permissions:
>
> You don't have any permission in the logs because when you set
> enforcement-mode to DISABLE, the enforcer will just let the request
> pass.
>
> Maybe you have some other constraint applied to your resource within
> your application ?
>
> On Wed, 2016-10-26 at 19:40 +0800, Joey wrote:
>> Hi Guys,
>>
>> I read from the documents, and my understanding is that if I set Policy
>> Enforcement Mode to disabled, then any user can access all resources.
>> But I tried to set it to disabled, and nothing changed.
>>
>> For example,
>>
>> I have a role called Role_A, and set a user Tom to this Role_A. If I
>> set a resource access policy without Role_A, this user Tom cannot
>> access this resource. And I can see some log in Tomcat.
>>
>> Oct 26, 2016 7:37:33 PM
>> org.keycloak.adapters.authorization.PolicyEnforcer enforce
>>
>> DEBUG: Policy enforcement is enable. Enforcing policy decisions for
>> path [http://operation.iishang-intr.com:9111/op/jsp/base/loginStatistics/portalLoginStatistics.jsp].
>>
>> Oct 26, 2016 7:37:33 PM
>> org.keycloak.adapters.authorization.PolicyEnforcer enforce
>>
>> DEBUG: Policy enforcement result for path
>> [http://operation.iishang-intr.com:9111/op/jsp/base/loginStatistics/portalLoginStatistics.jsp]
>> is : GRANTED
>>
>> Oct 26, 2016 7:37:33 PM
>> org.keycloak.adapters.authorization.PolicyEnforcer enforce
>>
>> DEBUG: Returning authorization context with permissions:
>>
>>
>> Joey
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
> --
> Pedro Igor
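Added example, not part of this thread or of the Keycloak project's own configuration: the Tomcat security-constraint only decides whether a request must be authenticated, while the policy enforcer configured in keycloak.json separately evaluates each request URI it is told to enforce. So an anonymous folder needs both a constraint without an auth-constraint in web.xml (as in the message above) and a matching path entry in keycloak.json that switches the enforcer off for that prefix. The realm, client id, auth-server-url and secret below are placeholders; the per-path "enforcement-mode" setting is assumed from the Keycloak Java adapter documentation of this period and should be checked against the adapter version actually deployed.

```json
{
  "realm": "master",
  "auth-server-url": "http://keycloak.example.test:8080/auth",
  "resource": "op-app",
  "credentials": {
    "secret": "replace-with-client-secret"
  },
  "policy-enforcer": {
    "enforcement-mode": "ENFORCING",
    "paths": [
      {
        "path": "/resources/*",
        "enforcement-mode": "DISABLED"
      },
      {
        "name": "Portal Login Statistics",
        "path": "/jsp/base/loginStatistics/*"
      }
    ]
  }
}
```

The global "enforcement-mode" stays ENFORCING, so protected JSPs such as the loginStatistics page are still checked against the resource and its permissions registered on the Keycloak server; only the /resources/* prefix is excluded from enforcement. Keep the anonymous prefix narrow, since anything placed under it is served without an authorization decision from either layer.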