[keycloak-user] Policy Enforcement Mode cannot be changed.
Pedro Igor Craveiro e Silva
psilva at redhat.com
Thu Oct 27 09:13:47 EDT 2016
This one smells like a bug. Can you create a JIRA, please?
On Thu, 2016-10-27 at 00:48 +0800, Joey wrote:
> Thanks Pedro, I think you are right.
>
> I would like to ask one more question. I want to let Keycloak protect
> most of the resources of my website, but I also want to expose some
> resources to anonymous users; for example, let anonymous users visit
> all files within the /resources folder. Then I do something like this.
>
> Tomcat web.xml
>
> <security-constraint>
> <web-resource-collection>
> <web-resource-name>All Resources</web-resource-name>
> <url-pattern>/user/login.action</url-pattern>
> <url-pattern>/jsp/*</url-pattern>
> </web-resource-collection>
> <auth-constraint>
> <role-name>admin</role-name>
> </auth-constraint>
> </security-constraint>
>
> <security-constraint>
> <web-resource-collection>
> <web-resource-name>All Resources</web-resource-name>
> <url-pattern>/resources/*</url-pattern>
> </web-resource-collection>
> </security-constraint>
>
> <login-config>
> <auth-method>KEYCLOAK</auth-method>
> <realm-name>master</realm-name>
> </login-config>
>
> <security-role>
> <role-name>admin</role-name>
> </security-role>
>
> Keycloak
>
> I don't create a permission that can control the folder [/resources] or
> its parent folder.
>
> But when I tried to visit a file in the folder [/resources], I got an
> HTTP 500 error.
>
>
> java.lang.RuntimeException: Failed to enforce policy decisions.
> org.keycloak.adapters.AuthenticatedActionsHandler.isAuthorized(AuthenticatedActionsHandler.java:149)
> org.keycloak.adapters.AuthenticatedActionsHandler.handledRequest(AuthenticatedActionsHandler.java:60)
> org.keycloak.adapters.tomcat.AuthenticatedActionsValve.invoke(AuthenticatedActionsValve.java:63)
> org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:505)
> org.keycloak.adapters.tomcat.AbstractKeycloakAuthenticatorValve.invoke(AbstractKeycloakAuthenticatorValve.java:187)
> org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
> org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:956)
> org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:436)
> org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1078)
> org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:625)
> org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:316)
> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
> org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
> java.lang.Thread.run(Thread.java:745)
>
> root cause
>
> java.lang.NullPointerException
> org.keycloak.adapters.authorization.AbstractPolicyEnforcer.authorize(AbstractPolicyEnforcer.java:68)
> org.keycloak.adapters.authorization.PolicyEnforcer.enforce(PolicyEnforcer.java:76)
> org.keycloak.adapters.AuthenticatedActionsHandler.isAuthorized(AuthenticatedActionsHandler.java:142)
> org.keycloak.adapters.AuthenticatedActionsHandler.handledRequest(AuthenticatedActionsHandler.java:60)
> org.keycloak.adapters.tomcat.AuthenticatedActionsValve.invoke(AuthenticatedActionsValve.java:63)
>
>
> Any suggestions? Thanks.
>
> Joey
>
>
> On Wed, Oct 26, 2016 at 7:55 PM, Pedro Igor Craveiro e Silva
> <psilva at redhat.com> wrote:
> >
> > From your logs it seems that access was actually GRANTED. So your
> > user should be able to access that resource:
> >
> > Oct 26, 2016 7:37:33
> > org.keycloak.adapters.authorization.PolicyEnforcer enforce DEBUG:
> > Returning authorization context with permissions:
> >
> > You don't have any permission in the logs because when you set
> > enforcement-mode to DISABLE, the enforcer will just let the request
> > pass.
> >
> > Maybe you have some other constraint applied to your resource
> > within your application?
> >
> > On Wed, 2016-10-26 at 19:40 +0800, Joey wrote:
> > >
> > > Hi Guys,
> > >
> > > I read from the documents, and my understanding is that if I set
> > > Policy Enforcement Mode to disable, then any user can access all
> > > resources. But I tried to set it to disable, and nothing changed.
> > >
> > > For example,
> > >
> > > I have a role called Role_A, and set a user Tom to this Role_A. If
> > > I set a resource access policy without Role_A, this user Tom cannot
> > > access this resource. And I can see some logs in Tomcat.
> > >
> > > Oct 26, 2016 7:37:33 PM
> > > org.keycloak.adapters.authorization.PolicyEnforcer enforce
> > >
> > > DEBUG: Policy enforcement is enable. Enforcing policy decisions for
> > > path [http://operation.iishang-intr.com:9111/op/jsp/base/loginStatistics/portalLoginStatistics.jsp].
> > >
> > > Oct 26, 2016 7:37:33 PM
> > > org.keycloak.adapters.authorization.PolicyEnforcer enforce
> > >
> > > DEBUG: Policy enforcement result for path
> > > [http://operation.iishang-intr.com:9111/op/jsp/base/loginStatistics/portalLoginStatistics.jsp]
> > > is : GRANTED
> > >
> > > Oct 26, 2016 7:37:33 PM
> > > org.keycloak.adapters.authorization.PolicyEnforcer enforce
> > >
> > > DEBUG: Returning authorization context with permissions:
> > >
> > >
> > > Joey
> > --
> > Pedro Igor
--
Pedro Igor
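An added example, not part of this thread: a keycloak.json adapter configuration for the setup Joey describes, keeping the policy enforcer in ENFORCING mode for the application while switching it off for the anonymous /resources/* path, so requests there never reach the enforcer that failed above. The client name, server URL and secret are placeholders, and the per-path enforcement-mode setting is assumed to be supported by the adapter version in use; setting the top-level mode to PERMISSIVE is the alternative that lets requests through when no Keycloak resource matches the path.

```json
{
  "realm": "master",
  "resource": "my-app",
  "auth-server-url": "https://keycloak.example.com/auth",
  "credentials": {
    "secret": "CLIENT_SECRET_PLACEHOLDER"
  },
  "policy-enforcer": {
    "enforcement-mode": "ENFORCING",
    "paths": [
      {
        "path": "/jsp/*"
      },
      {
        "path": "/user/login.action"
      },
      {
        "path": "/resources/*",
        "enforcement-mode": "DISABLED"
      }
    ]
  }
}
```

The /resources/* entry must still be excluded from any auth-constraint in web.xml, as in the second security-constraint above, since the container authenticator runs before the Keycloak enforcer.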