[keycloak-user] Policy Enforcer in Spring Security Adapter
Илья Король
llivezking at gmail.com
Mon Mar 27 21:48:17 EDT 2017
Hi. I've just tried to make it work again but failed. I defined all
resources in Keycloak and added the appropriate configuration to keycloak.json for
the adapter.
I used the default configuration for the adapter's Spring beans, taken from the docs:
...
<!-- Spring Security filter chain for the Keycloak adapter (excerpt from the post).
     Only three adapter filters are registered: pre-auth actions, the bearer/basic
     authentication processing filter, and logout. -->
<security:http auto-config="false"
entry-point-ref="keycloakAuthenticationEntryPoint">
<security:custom-filter ref="keycloakPreAuthActionsFilter"
before="LOGOUT_FILTER" />
<security:custom-filter
ref="keycloakAuthenticationProcessingFilter" before="FORM_LOGIN_FILTER" />
<!-- Coarse role check only: every URL requires ROLE_USER. This rule does not
     evaluate the resource/scope permissions declared under "policy-enforcer"
     in keycloak.json; those are enforced by a separate adapter step.
     NOTE(review): no filter in this chain appears to invoke the adapter's
     policy-enforcer step, which would be consistent with the absence of
     authorization log lines described below - confirm against the adapter
     version in use. -->
<security:intercept-url pattern="/**" access="ROLE_USER"/>
<security:custom-filter ref="logoutFilter" position="LOGOUT_FILTER"
/>
</security:http>
example of spring controller:
@RestController
public class ProfileController {

    /**
     * Returns the Keycloak access token of the currently authenticated caller.
     *
     * The security context is expected to have been populated by the Keycloak
     * authentication filter; the cast below assumes the principal is a
     * {@link KeycloakPrincipal} (the "/**" ROLE_USER rule in the Spring Security
     * configuration is relied on to keep anonymous requests out).
     *
     * @return the caller's {@link AccessToken}
     * @throws KeycloakApiException declared by the signature; nothing in this
     *         excerpt throws it
     */
    @RequestMapping(method = RequestMethod.GET, value = "/profile")
    public AccessToken getUserByToken() throws KeycloakApiException {
        // Pull the principal straight out of the thread-bound security context.
        Object rawPrincipal = SecurityContextHolder
                .getContext()
                .getAuthentication()
                .getPrincipal();
        KeycloakPrincipal kcPrincipal = (KeycloakPrincipal) rawPrincipal;
        return kcPrincipal.getKeycloakSecurityContext().getToken();
    }

    // ... remaining endpoints omitted in the original post ...
}
The application is running at localhost:8080/apps/{spring-endpoint}, so
the Spring root is localhost:8080/apps, and I set this URL as the base URL in the client
settings in Keycloak.
What is strangest to me so far is that the adapter doesn't print any logs
related to authorization during requests; I see only this:
DEBUG org.keycloak.adapters.PreAuthActionsHandler - adminRequest
http://localhost:8080/apps/profile
DEBUG
org.keycloak.adapters.springsecurity.filter.KeycloakAuthenticationProcessingFilter
- Request is to process authentication
DEBUG
org.keycloak.adapters.springsecurity.filter.KeycloakAuthenticationProcessingFilter
- Attempting Keycloak authentication
DEBUG
org.keycloak.adapters.springsecurity.authentication.SpringSecurityRequestAuthenticator
- Completing bearer authentication. Bearer roles: [ROLE_USER, ROLE_ADMIN]
DEBUG org.keycloak.adapters.RequestAuthenticator - User
'aa93b5d9-f02a-4557-a8b6-c7f083475bd5' invoking '
http://localhost:8080/apps/profile' on client 'apps-backend'
DEBUG org.keycloak.adapters.RequestAuthenticator - Bearer AUTHENTICATED
DEBUG
org.keycloak.adapters.springsecurity.filter.KeycloakAuthenticationProcessingFilter
- Auth outcome: AUTHENTICATED
DEBUG
org.keycloak.adapters.springsecurity.filter.KeycloakAuthenticationProcessingFilter
- Authentication success using bearer token/basic authentication. Updating
SecurityContextHolder to contain:
org.keycloak.adapters.springsecurity.token.KeycloakAuthenticationToken at 4259cc27:
Principal: aa93b5d9-f02a-4557-a8b6-c7f083475bd5; Credentials: [PROTECTED];
Authenticated: true; Details:
org.keycloak.adapters.springsecurity.account.SimpleKeycloakAccount at c4e0280;
Granted Authorities: KeycloakRole{role='ROLE_USER'},
KeycloakRole{role='ROLE_ADMIN'}
keycloak.json: ===========================================
{
"realm": "test",
"auth-server-url": "http://localhost:8081/auth",
"ssl-required": "external",
"resource": "apps-backend",
"bearer-only": true,
"credentials": {
"secret": "74070785-cabf-4d28-83d7-f2dc31f081f5"
},
"policy-enforcer": {
"user-managed-access": {},
"enforcement-mode" : "ENFORCING",
"paths": [
{
"name": "User Info",
"path" : "/profile/userinfo",
"methods" : [
{
"method": "GET",
"scopes" : ["urn:apps-backend:scopes:userinfo:view"]
},
{
"method": "POST",
"scopes" : ["urn:apps-backend:scopes:userinfo:edit"]
}
]
},
{
"name" : "User Permissions",
"path" : "/profile/permissions",
"methods" : [
{
"method": "GET",
"scopes" : ["urn:apps-backend:scopes:permissions:view"]
}
]
},
{
"name" : "User Profile",
"path" : "/profile",
"methods" : [
{
"method": "GET",
"scopes" : ["urn:apps-backend:scopes:profile:view"]
}
]
},
{
"name" : "User Token",
"path" : "/profile/token"
},
{
"name" : "User Id Token"
}
]
}
}
keycloak-server authz-dump:=====================================
{
"allowRemoteResourceManagement": true,
"policyEnforcementMode": "ENFORCING",
"resources": [
{
"name": "User Info",
"uri": "/profile/userinfo",
"type": "urn:apps-backend:resources:profile:userinfo",
"scopes": [
{
"name": "urn:apps-backend:scopes:userinfo:edit"
},
{
"name": "urn:apps-backend:scopes:userinfo:view"
}
],
"typedScopes": []
},
{
"name": "User Profile",
"uri": "/profile",
"type": "urn:apps-backend:resources:profile",
"scopes": [
{
"name": "urn:apps-backend:scopes:profile:view"
}
],
"typedScopes": []
},
{
"name": "User Permissions",
"uri": "/profile/permissions",
"type": "urn:apps-backend:resources:profile:permissions",
"scopes": [
{
"name": "urn:apps-backend:scopes:permissions:view"
}
],
"typedScopes": []
},
{
"name": "User Token",
"uri": "/profile/token",
"type": "urn:apps-backend:resources:profile:token",
"typedScopes": []
},
{
"name": "User Id Token",
"uri": "/profile/idtoken",
"type": "urn:apps-backend:resources:profile:idtoken",
"typedScopes": []
}
],
"policies": [
{
"name": "Is user",
"type": "role",
"logic": "POSITIVE",
"decisionStrategy": "UNANIMOUS",
"config": {
"roles": "[{\"id\":\"ROLE_USER\",\"required\":true}]"
}
},
{
"name": "Is merchant",
"type": "role",
"logic": "POSITIVE",
"decisionStrategy": "UNANIMOUS",
"config": {
"roles": "[{\"id\":\"ROLE_MERCHANT\",\"required\":true}]"
}
},
{
"name": "Edit User Info",
"type": "scope",
"logic": "POSITIVE",
"decisionStrategy": "UNANIMOUS",
"config": {
"resources": "[\"User Info\"]",
"scopes": "[\"urn:apps-backend:scopes:userinfo:edit\"]",
"applyPolicies": "[\"Is user\"]"
}
},
{
"name": "View User Permissions",
"type": "scope",
"logic": "POSITIVE",
"decisionStrategy": "UNANIMOUS",
"config": {
"resources": "[\"User Permissions\"]",
"scopes": "[\"urn:apps-backend:scopes:permissions:view\"]",
"applyPolicies": "[\"Is user\"]"
}
},
{
"name": "View User Info",
"type": "scope",
"logic": "POSITIVE",
"decisionStrategy": "UNANIMOUS",
"config": {
"resources": "[\"User Info\"]",
"scopes": "[\"urn:apps-backend:scopes:userinfo:view\"]",
"applyPolicies": "[\"Is user\"]"
}
},
{
"name": "View Profile",
"type": "scope",
"logic": "POSITIVE",
"decisionStrategy": "UNANIMOUS",
"config": {
"resources": "[\"User Profile\"]",
"scopes": "[\"urn:apps-backend:scopes:profile:view\"]",
"applyPolicies": "[\"Is user\"]"
}
},
{
"name": "Access Profile",
"type": "resource",
"logic": "POSITIVE",
"decisionStrategy": "UNANIMOUS",
"config": {
"resources": "[\"User Profile\"]",
"applyPolicies": "[\"Is user\"]"
}
},
{
"name": "Token Access",
"type": "resource",
"logic": "POSITIVE",
"decisionStrategy": "UNANIMOUS",
"config": {
"resources": "[\"User Token\"]",
"applyPolicies": "[\"Is merchant\"]"
}
}
],
"scopes": [
{
"name": "urn:apps-backend:scopes:permissions:view"
},
{
"name": "urn:apps-backend:scopes:userinfo:view"
},
{
"name": "urn:apps-backend:scopes:userinfo:edit"
},
{
"name": "urn:apps-backend:scopes:profile:view"
}
]
}