[keycloak-user] Keycloak authorization support for spring boot.

Pedro Igor Silva psilva at redhat.com
Tue May 16 16:32:26 EDT 2017


On Tue, May 16, 2017 at 3:23 PM, Rong - <rafterjiang at hotmail.com> wrote:

> Hi,
>
> I am trying to set up a keycloak as an independent server for
> authorization purpose. Our rest API service is built on spring boot,
> implemented as a resource server as for "policy enforcer". However, I have
> many issues when trying to set this up.
>
> 1. spring boot works fine if I only set up the security constraints (for
> rest api) in configuration file. But I want to enable policy enforcer for
> spring boot, is this possible? Is there some example for how to enable
> policy enforcer in spring boot, especially for how to set up those
> parameters?
>

We don't have any example for spring boot, but regular JEE apps. Something
we should probably add to the list of authz examples.

But if your application is already protected by Keycloak Spring Adapter,
you should be able to enable Policy Enforcer by just using this minimal
setting in your keycloak.json.

Have you looked at the docs
https://keycloak.gitbooks.io/documentation/securing_apps/topics/oidc/java/spring-boot-adapter.html
?


> 2. We also want to have an access control list of which user can access
> which project, I have set up a "user policy" in keycloak admin console in
> client's "authorization", what else shall we do in spring boot
> configuration?
>

If your adapter is properly configured and you have enabled the policy
enforcement (config above), you should be pretty much done. Just make sure
you have created resources in Keycloak representing the paths
you want to protect.

For instance, if you want to protect "/*", make sure you have a resource in
Keycloak with a URI with a value "/*".



> 3. If I enable policy enforcer in authorization layer (in spring boot), is
> it still required to add the security constraints in spring boot's
> application properties? I assume if authorization is enabled for resource
> server and the web service/URL constraints are added in resource server's
> policy, there should be no further settings in configuration for the
> security constraints?
>

You still need to configure things as described in docs. The policy enforcer
is basically your Keycloak adapter also acting as a policy enforcement.


>
> Thanks,
> Rong
>