[keycloak-user] Policy Enforcer in Spring Security Adapter
Ilya Korol
llivezking at gmail.com
Mon Mar 27 22:45:11 EDT 2017
Hi. I've just tried to make it work again but failed. I defined all
resources in Keycloak and added the appropriate configs to keycloak.json for
the adapter.
I used the default configs for the adapter Spring beans, taken from the docs:
...
<security:http auto-config="false" entry-point-ref="keycloakAuthenticationEntryPoint">
    <security:custom-filter ref="keycloakPreAuthActionsFilter" before="LOGOUT_FILTER" />
    <security:custom-filter ref="keycloakAuthenticationProcessingFilter" before="FORM_LOGIN_FILTER" />
    <security:intercept-url pattern="/**" access="ROLE_USER"/>
    <security:custom-filter ref="logoutFilter" position="LOGOUT_FILTER" />
</security:http>
Example of a Spring controller:
@RestController
public class ProfileController {

    @RequestMapping(method = RequestMethod.GET, value = "/profile")
    public AccessToken getUserByToken() throws KeycloakApiException {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        KeycloakPrincipal principal = (KeycloakPrincipal) auth.getPrincipal();
        return principal.getKeycloakSecurityContext().getToken();
    }
    ...
}
The application is running at localhost:8080/apps/{spring-endpoint}, so
the Spring root is localhost:8080/apps, and I set this URL as the base in the client
settings in Keycloak.
So far the strangest thing for me is that the adapter doesn't print any logs
related to authorization during requests; I see only this:
DEBUG org.keycloak.adapters.PreAuthActionsHandler - adminRequesthttp://localhost:8080/apps/profile
DEBUG org.keycloak.adapters.springsecurity.filter.KeycloakAuthenticationProcessingFilter - Request is to process authentication
DEBUG org.keycloak.adapters.springsecurity.filter.KeycloakAuthenticationProcessingFilter - Attempting Keycloak authentication
DEBUG org.keycloak.adapters.springsecurity.authentication.SpringSecurityRequestAuthenticator - Completing bearer authentication. Bearer roles: [ROLE_USER, ROLE_ADMIN]
DEBUG org.keycloak.adapters.RequestAuthenticator - User 'aa93b5d9-f02a-4557-a8b6-c7f083475bd5' invoking 'http://localhost:8080/apps/profile' on client 'apps-backend'
DEBUG org.keycloak.adapters.RequestAuthenticator - Bearer AUTHENTICATED
DEBUG org.keycloak.adapters.springsecurity.filter.KeycloakAuthenticationProcessingFilter - Auth outcome: AUTHENTICATED
DEBUG org.keycloak.adapters.springsecurity.filter.KeycloakAuthenticationProcessingFilter - Authentication success using bearer token/basic authentication. Updating SecurityContextHolder to contain: org.keycloak.adapters.springsecurity.token.KeycloakAuthenticationToken@4259cc27: Principal: aa93b5d9-f02a-4557-a8b6-c7f083475bd5; Credentials: [PROTECTED]; Authenticated: true; Details: org.keycloak.adapters.springsecurity.account.SimpleKeycloakAccount@c4e0280; Granted Authorities: KeycloakRole{role='ROLE_USER'}, KeycloakRole{role='ROLE_ADMIN'}
keycloak.json:
===========================================
{
  "realm": "test",
  "auth-server-url": "http://localhost:8081/auth",
  "ssl-required": "external",
  "resource": "apps-backend",
  "bearer-only": true,
  "credentials": {
    "secret": "74070785-cabf-4d28-83d7-f2dc31f081f5"
  },
  "policy-enforcer": {
    "user-managed-access": {},
    "enforcement-mode": "ENFORCING",
    "paths": [
      {
        "name": "User Info",
        "path": "/profile/userinfo",
        "methods": [
          {
            "method": "GET",
            "scopes": ["urn:apps-backend:scopes:userinfo:view"]
          },
          {
            "method": "POST",
            "scopes": ["urn:apps-backend:scopes:userinfo:edit"]
          }
        ]
      },
      {
        "name": "User Permissions",
        "path": "/profile/permissions",
        "methods": [
          {
            "method": "GET",
            "scopes": ["urn:apps-backend:scopes:permissions:view"]
          }
        ]
      },
      {
        "name": "User Profile",
        "path": "/profile",
        "methods": [
          {
            "method": "GET",
            "scopes": ["urn:apps-backend:scopes:profile:view"]
          }
        ]
      },
      {
        "name": "User Token",
        "path": "/profile/token"
      },
      {
        "name": "User Id Token"
      }
    ]
  }
}
keycloak-server authz-dump:
=====================================
{
  "allowRemoteResourceManagement": true,
  "policyEnforcementMode": "ENFORCING",
  "resources": [
    {
      "name": "User Info",
      "uri": "/profile/userinfo",
      "type": "urn:apps-backend:resources:profile:userinfo",
      "scopes": [
        { "name": "urn:apps-backend:scopes:userinfo:edit" },
        { "name": "urn:apps-backend:scopes:userinfo:view" }
      ],
      "typedScopes": []
    },
    {
      "name": "User Profile",
      "uri": "/profile",
      "type": "urn:apps-backend:resources:profile",
      "scopes": [
        { "name": "urn:apps-backend:scopes:profile:view" }
      ],
      "typedScopes": []
    },
    {
      "name": "User Permissions",
      "uri": "/profile/permissions",
      "type": "urn:apps-backend:resources:profile:permissions",
      "scopes": [
        { "name": "urn:apps-backend:scopes:permissions:view" }
      ],
      "typedScopes": []
    },
    {
      "name": "User Token",
      "uri": "/profile/token",
      "type": "urn:apps-backend:resources:profile:token",
      "typedScopes": []
    },
    {
      "name": "User Id Token",
      "uri": "/profile/idtoken",
      "type": "urn:apps-backend:resources:profile:idtoken",
      "typedScopes": []
    }
  ],
  "policies": [
    {
      "name": "Is user",
      "type": "role",
      "logic": "POSITIVE",
      "decisionStrategy": "UNANIMOUS",
      "config": {
        "roles": "[{\"id\":\"ROLE_USER\",\"required\":true}]"
      }
    },
    {
      "name": "Is merchant",
      "type": "role",
      "logic": "POSITIVE",
      "decisionStrategy": "UNANIMOUS",
      "config": {
        "roles": "[{\"id\":\"ROLE_MERCHANT\",\"required\":true}]"
      }
    },
    {
      "name": "Edit User Info",
      "type": "scope",
      "logic": "POSITIVE",
      "decisionStrategy": "UNANIMOUS",
      "config": {
        "resources": "[\"User Info\"]",
        "scopes": "[\"urn:apps-backend:scopes:userinfo:edit\"]",
        "applyPolicies": "[\"Is user\"]"
      }
    },
    {
      "name": "View User Permissions",
      "type": "scope",
      "logic": "POSITIVE",
      "decisionStrategy": "UNANIMOUS",
      "config": {
        "resources": "[\"User Permissions\"]",
        "scopes": "[\"urn:apps-backend:scopes:permissions:view\"]",
        "applyPolicies": "[\"Is user\"]"
      }
    },
    {
      "name": "View User Info",
      "type": "scope",
      "logic": "POSITIVE",
      "decisionStrategy": "UNANIMOUS",
      "config": {
        "resources": "[\"User Info\"]",
        "scopes": "[\"urn:apps-backend:scopes:userinfo:view\"]",
        "applyPolicies": "[\"Is user\"]"
      }
    },
    {
      "name": "View Profile",
      "type": "scope",
      "logic": "POSITIVE",
      "decisionStrategy": "UNANIMOUS",
      "config": {
        "resources": "[\"User Profile\"]",
        "scopes": "[\"urn:apps-backend:scopes:profile:view\"]",
        "applyPolicies": "[\"Is user\"]"
      }
    },
    {
      "name": "Access Profile",
      "type": "resource",
      "logic": "POSITIVE",
      "decisionStrategy": "UNANIMOUS",
      "config": {
        "resources": "[\"User Profile\"]",
        "applyPolicies": "[\"Is user\"]"
      }
    },
    {
      "name": "Token Access",
      "type": "resource",
      "logic": "POSITIVE",
      "decisionStrategy": "UNANIMOUS",
      "config": {
        "resources": "[\"User Token\"]",
        "applyPolicies": "[\"Is merchant\"]"
      }
    }
  ],
  "scopes": [
    { "name": "urn:apps-backend:scopes:permissions:view" },
    { "name": "urn:apps-backend:scopes:userinfo:view" },
    { "name": "urn:apps-backend:scopes:userinfo:edit" },
    { "name": "urn:apps-backend:scopes:profile:view" }
  ]
}
On 28.03.2017 00:02, ebondu wrote:
> Илья Король wrote
>> Hi. Thanks for the comment. Please could you share your configs or at least
>> what methods you used? Manual configuration in keycloak.json or
>> relying on resources defined in Keycloak?
> Both, all resources are defined in the keycloak.json (methods paths) and
> also as resources in the keycloak server
>
>
> Илья Король wrote
>> And correct me if i'm wrong:
>>
>> Authorization requires an RPT token, so for a bearer-only client (backend) I
>> must provide this token, which is preliminarily retrieved via the Entitlement
>> API or the UMA protocol?
> You are right, I am using the UMA protocol but it should also work with
> Entitlement.
>
>
> Илья Король wrote
>> And how should the client be configured in Keycloak? As bearer-only or
>> confidential? As I said, my application started only if I configured it
>> in Keycloak as confidential (if I make it bearer-only it fails to start
>> and complains about credentials)
> I configured the client as confidential.
>
>
> Илья Король wrote
>> Another thing that I didn't catch is resource method configuration (for
>> instance):
>> { "method": "DELETE", "scopes" : ["urn:app.com:scopes:delete"] }
>> If I configure the adapter to retrieve all resource settings from Keycloak, how
>> can I configure methods for resources and their scopes in the Keycloak Admin
>> Console?
> Methods and associated scopes are configured in the keycloak.json only.
> Resources, scopes and associated policies are defined in keycloak.
>
> A small extract from the conf :
>
> keycloak.json :
>
> {
> "realm": "...",
> "resource": "backend",
> ...
> "bearer-only": true,
> ...
> "policy-enforcer": {
> "create-resources":false,
> "user-managed-access": {
> },
> "enforcement-mode": "ENFORCING",
> "paths": [
> {
> "path": "/yourMethod",
> "methods": [
> {
> "method": "POST",
> "scopes": [
> "urn:app:scopes:create"
> ]
> },
> ...
> }
> ]
> }
> }
>
> realm authz json :
>
> {
> "allowRemoteResourceManagement": true,
> "policyEnforcementMode": "ENFORCING",
> "resources": [
> {
> "name": "My Resource",
> "uri": "/myMethod",
> "scopes": [
> {
> "name": "urn:app:scopes:create"
> },
> ...
> }],
> "policies": [...your policies],
> "scopes": [
> {
> "name": "urn:app:scopes:create"
> },
> ...
> ]
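The thread turns on two points: the adapter maps a request's path and HTTP method to the scopes listed under "paths" in keycloak.json, and it can only grant those scopes if the bearer token is an RPT carrying an "authorization.permissions" claim, which the plain access token in the log above does not have. The following Python model is an added example, not Keycloak adapter code; it walks the configuration from this post through those decisions. Its exact-path matching, its "method not listed means deny" rule, and the token payloads are this model's own constructed assumptions, and a real RPT is a signed JWT whose signature, issuer, audience and expiry must be checked before its claims are read.

```python
"""Model of a path-based policy enforcer: request -> required scopes -> RPT check.

Added example, not Keycloak's adapter. Decision rules are a simplified model
(exact path match only; a configured path with a method list denies methods
that are not listed). Token payloads below are constructed and assumed to be
already verified.
"""
import json
from typing import Dict, List, Optional, Set, Tuple

# Constructed excerpt of the "policy-enforcer" block from the keycloak.json in the post
# (the "User Id Token" entry is left out because it has no path to match on).
ENFORCER_CONFIG: Dict = json.loads("""
{
  "enforcement-mode": "ENFORCING",
  "paths": [
    {"name": "User Info", "path": "/profile/userinfo",
     "methods": [
       {"method": "GET",  "scopes": ["urn:apps-backend:scopes:userinfo:view"]},
       {"method": "POST", "scopes": ["urn:apps-backend:scopes:userinfo:edit"]}
     ]},
    {"name": "User Permissions", "path": "/profile/permissions",
     "methods": [{"method": "GET", "scopes": ["urn:apps-backend:scopes:permissions:view"]}]},
    {"name": "User Profile", "path": "/profile",
     "methods": [{"method": "GET", "scopes": ["urn:apps-backend:scopes:profile:view"]}]},
    {"name": "User Token", "path": "/profile/token"}
  ]
}
""")

# Constructed token payloads. A plain access token carries roles only; an RPT
# additionally carries the "authorization.permissions" claim the enforcer reads.
PLAIN_ACCESS_TOKEN: Dict = {"sub": "user-1", "realm_access": {"roles": ["ROLE_USER"]}}

RPT_USER: Dict = {  # what the "Is user" policies in the authz dump would grant
    "sub": "user-1",
    "authorization": {"permissions": [
        {"rsname": "User Profile", "scopes": ["urn:apps-backend:scopes:profile:view"]},
        {"rsname": "User Info", "scopes": ["urn:apps-backend:scopes:userinfo:view",
                                           "urn:apps-backend:scopes:userinfo:edit"]},
        {"rsname": "User Permissions", "scopes": ["urn:apps-backend:scopes:permissions:view"]},
    ]},
}

RPT_MERCHANT: Dict = {  # adds the resource-level "Token Access" permission ("Is merchant")
    "sub": "user-2",
    "authorization": {"permissions": RPT_USER["authorization"]["permissions"]
                      + [{"rsname": "User Token"}]},
}


def find_path(config: Dict, request_path: str) -> Optional[Dict]:
    """Exact match of the request path against the configured "paths" entries."""
    for entry in config["paths"]:
        if entry.get("path") == request_path:
            return entry
    return None


def required_scopes(entry: Dict, method: str) -> Optional[List[str]]:
    """Scopes the request needs on the matched resource.

    [] means any permission on the resource suffices (path without "methods");
    None means the method is not configured for this path (model denies)."""
    methods = entry.get("methods")
    if not methods:
        return []
    for m in methods:
        if m["method"].upper() == method.upper():
            return list(m.get("scopes", []))
    return None


def granted_scopes(rpt: Dict, resource_name: str) -> Optional[Set[str]]:
    """Scopes the RPT grants on the named resource, or None if it grants nothing there."""
    for perm in rpt.get("authorization", {}).get("permissions", []):
        if perm.get("rsname") == resource_name:
            return set(perm.get("scopes", []))
    return None


def decide(config: Dict, token: Dict, method: str, path: str) -> Tuple[bool, str]:
    """Allow/deny one request; the reason string is what you would want in the audit log."""
    entry = find_path(config, path)
    if entry is None:
        if config.get("enforcement-mode", "ENFORCING") == "PERMISSIVE":
            return True, f"{path}: no resource mapped, PERMISSIVE mode allows"
        return False, f"{path}: no resource mapped, ENFORCING mode denies"
    name = entry["name"]
    needed = required_scopes(entry, method)
    if needed is None:
        return False, f"{name}: method {method} not configured"
    if "authorization" not in token:
        return False, f"{name}: token is not an RPT (no 'authorization' claim)"
    granted = granted_scopes(token, name)
    if granted is None:
        return False, f"{name}: RPT carries no permission for this resource"
    missing = sorted(set(needed) - granted)
    if missing:
        return False, f"{name}: missing scopes {missing}"
    return True, f"{name}: granted"


if __name__ == "__main__":
    tokens = [("plain", PLAIN_ACCESS_TOKEN), ("rpt-user", RPT_USER), ("rpt-merchant", RPT_MERCHANT)]
    requests = [("GET", "/profile"), ("POST", "/profile/userinfo"), ("DELETE", "/profile/userinfo"),
                ("GET", "/profile/token"), ("GET", "/profile/idtoken")]
    for label, token in tokens:
        for method, path in requests:
            ok, why = decide(ENFORCER_CONFIG, token, method, path)
            print(f"{label:12} {method:6} {path:20} {'ALLOW' if ok else 'DENY':5} {why}")
```

Running it shows why the log in the post never reaches an authorization decision: the bearer token that authenticated as ROLE_USER/ROLE_ADMIN has no "authorization" claim, so every protected path is denied until an RPT is obtained via the Entitlement API or UMA, as the reply above describes. It also shows the difference between a scope-level path ("/profile" needs profile:view) and a resource-level one ("/profile/token" needs any permission on "User Token", which only the merchant RPT carries), and that an unmapped path such as "/profile/idtoken" is denied under ENFORCING.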