[keycloak-user] Spring Boot adapter with HTTP verb based authorization

Andreea Ciuprina aciuprin at mpi-bremen.de
Wed Feb 22 10:04:08 EST 2017


This works, thank you very much for your help! :)



And yes, a bit more documentation would be nice.



Best, 

Andreea



-----Original message-----
From: Sebastien Blanc <sblanc at redhat.com>
Sent: Wednesday 22nd February 2017 14:24
To: Andreea Ciuprina <aciuprin at mpi-bremen.de>
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Spring Boot adapter with HTTP verb based authorization

Hi,
Yes sorry, I replied yesterday without double checking the code, this should work:
 
keycloak.securityConstraints[0].securityCollections[0].methods[0] = GET

I will create a ticket to improve the documentation for this. 

On Wed, Feb 22, 2017 at 2:13 PM, Andreea Ciuprina <aciuprin at mpi-bremen.de> wrote:
Hi Sebastien,



Thank you for your answer.

After adding your suggestion to the security constraints, I get the following error:



Error creating bean with name 'keycloak-org.keycloak.adapters.springboot.KeycloakSpringBootProperties': Could not bind properties to KeycloakSpringBootProperties (prefix=keycloak, ignoreInvalidFields=false, ignoreUnknownFields=false, ignoreNestedProperties=false); nested exception is org.springframework.boot.bind.RelaxedBindingNotWritablePropertyException: Failed to bind 'keycloak.securityConstraints[0].securityCollections[0].http-method' from 'applicationConfig: [classpath:/application.properties]' to 'securityConstraints[0].securityCollections[0].http-method' property on 'org.keycloak.adapters.springboot.KeycloakSpringBootProperties$SecurityConstraint'



My configuration looks like this:





keycloak.securityConstraints[0].securityCollections[0].name = secured end points
keycloak.securityConstraints[0].securityCollections[0].authRoles[0] = admin
keycloak.securityConstraints[0].securityCollections[0].authRoles[1] = user
keycloak.securityConstraints[0].securityCollections[0].patterns[0] = /api/v1/hello/*
keycloak.securityConstraints[0].securityCollections[0].http-method = GET

Do you know what the problem could be?



Thank you!

Best, 

Andreea





-----Original message-----
From: Sebastien Blanc <sblanc at redhat.com>
Sent: Tuesday 21st February 2017 17:43
To: Andreea Ciuprina <aciuprin at mpi-bremen.de>
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Spring Boot adapter with HTTP verb based authorization

You can add the configuration about the policy enforcer in your application.properties, just one difference with the keycloak.json is that you must write "policy-enforcer-config" (instead of just policy-enforcer).

Regarding HTTP Verb authz, it *should* work since Spring Boot Adapter just passes along the configuration to the underlying Servlet Container (Tomcat, undertow or Jetty).

But even without using the authorization layer, you should be able to achieve this by configuring the security constraints. 

keycloak.securityConstraints[1].securityCollections[0].http-method = GET
 etc ...



On Tue, Feb 21, 2017 at 5:18 PM, Andreea Ciuprina <aciuprin at mpi-bremen.de> wrote:
Hello!
 
 
 
 We are building an online application for which we are using Keycloak for authentication and authorization, connected to our Spring Boot backend using the Spring Boot adapter.
 
 We would like to achieve more fine-grained authorization, more specifically, we would like to set up HTTP verb based authorization, for example, allow only GET requests for some end-points, GET and POST for others, only POST for other end-points etc.
 
 I am aware of the Policy Enforcer adapter, but I could not find any specific documentation regarding how to use that with Spring Boot, where there is no keycloak.json file used for configuration.
 
 
 
 Therefore, my questions are:
 
 1. Can HTTP verb based authorization be achieved using the Spring Boot adapter? 
 
 2. If the answer to question 1 is yes, then could you please provide a minimal configuration example?
 
 
 
 Thank you!
 
 Best regards, 
 
 Andreea
 
 ---------------------------------------------------------
 
 Andreea Ciuprina
  
 Bioinformatics Group
 Max Planck Institute for Marine Microbiology 
 
 Celsiusstraße 1
 28359 Bremen
 Germany
  
 Phone: +49(0) 421 2028 982
 Email: aciuprin at mpi-bremen.de
 
 & 
 
 Jacobs University Bremen, 
 28759 Bremen, Germany
 Email: a.ciuprina at jacobs-university.de
 
 _______________________________________________
 keycloak-user mailing list
 keycloak-user at lists.jboss.org
 https://lists.jboss.org/mailman/listinfo/keycloak-user
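
An added example, not part of the original thread: an application.properties sketch for the three cases named in the original question, using the `methods[n]` list form that the thread confirmed works. The `/api/v1/items/*` and `/api/v1/upload/*` patterns and the collection names are assumptions for illustration; the roles and property names are the ones shown in the thread.

```properties
# Added example; patterns other than /api/v1/hello/* are hypothetical.

# Constraint 0: GET on /api/v1/hello/* requires role admin or user
keycloak.securityConstraints[0].securityCollections[0].name = hello read access
keycloak.securityConstraints[0].securityCollections[0].authRoles[0] = admin
keycloak.securityConstraints[0].securityCollections[0].authRoles[1] = user
keycloak.securityConstraints[0].securityCollections[0].patterns[0] = /api/v1/hello/*
keycloak.securityConstraints[0].securityCollections[0].methods[0] = GET

# Constraint 1: GET and POST on /api/v1/items/* require role admin or user
keycloak.securityConstraints[1].securityCollections[0].name = items read and create
keycloak.securityConstraints[1].securityCollections[0].authRoles[0] = admin
keycloak.securityConstraints[1].securityCollections[0].authRoles[1] = user
keycloak.securityConstraints[1].securityCollections[0].patterns[0] = /api/v1/items/*
keycloak.securityConstraints[1].securityCollections[0].methods[0] = GET
keycloak.securityConstraints[1].securityCollections[0].methods[1] = POST

# Constraint 2: POST on /api/v1/upload/* requires role admin
keycloak.securityConstraints[2].securityCollections[0].name = upload
keycloak.securityConstraints[2].securityCollections[0].authRoles[0] = admin
keycloak.securityConstraints[2].securityCollections[0].patterns[0] = /api/v1/upload/*
keycloak.securityConstraints[2].securityCollections[0].methods[0] = POST

# Note: the singular key "http-method" fails to bind (see the
# RelaxedBindingNotWritablePropertyException quoted in the thread);
# "methods" is an indexed list, one entry per verb.
```

Under servlet security-constraint semantics, a constraint that lists methods applies only to those methods, so a request using an unlisted verb on the same pattern is not covered by it. Test each endpoint with the verbs you did not list and confirm the application rejects them.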



