[keycloak-user] default permissions
Emilien Bondu
dev.ebondu at gmail.com
Tue Nov 21 06:12:09 EST 2017
Hi,
As a first draft of an "unauthenticated" authz, you can have a look here:
https://github.com/ebondu/keycloak/tree/KEYCLOAK-5839/
Interesting classes are:
keycloak/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/UnauthenticatedActionsHandler.java
keycloak/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/authorization/UnauthenticatedPolicyEnforcer.java
keycloak/adapters/oidc/spring-security/src/main/java/org/keycloak/adapters/springsecurity/filter/KeycloakUnauthenticatedActionsFilter.java
Here is a corresponding conf in Spring to use it:
<beans:bean id="keycloakScopeProcessingFilter" class="org.keycloak.adapters.springsecurity.filter.KeycloakUnauthenticatedActionsFilter"/>
<http auto-config='false' pattern="/v1/public/**" entry-point-ref="authenticationEntryPoint" create-session="stateless" use-expressions="true">
    ...
    <custom-filter ref="keycloakScopeProcessingFilter" before="FORM_LOGIN_FILTER" />
    ...
</http>
Emilien
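
The guest-role fallback proposed in the original question of this thread, sketched as an added example in plain Java; it is not code from this thread, from the KEYCLOAK-5839 branch or from the Keycloak adapters. The role names, paths other than the /v1/public prefix, and the token table are constructed, and the token lookup is a hypothetical stand-in for real token verification. It shows the two cases the idea has to get right: a presented but invalid token is rejected rather than downgraded to guest, and paths with no mapping are denied.

```java
import java.util.Map;
import java.util.Optional;
import java.util.Set;

public class GuestFallback {
    enum Decision { ALLOW, UNAUTHORIZED_401, FORBIDDEN_403 }

    // Constructed sample data. In a real deployment these would be the roles
    // contained in the "unregistered_user" composite role held by the guest user.
    static final Set<String> GUEST_ROLES = Set.of("catalog:read");

    // Hypothetical stand-in for token validation: already-verified token -> roles.
    // Real code verifies signature, issuer, audience and expiry before trusting roles.
    static final Map<String, Set<String>> VERIFIED_TOKENS =
            Map.of("tok-alice", Set.of("catalog:read", "orders:write"));

    // Required role per path prefix (constructed). Unlisted paths are denied.
    static final Map<String, String> REQUIRED_ROLE = Map.of(
            "/v1/public/catalog", "catalog:read",
            "/v1/orders", "orders:write");

    static Optional<Set<String>> rolesFor(String authorizationHeader) {
        if (authorizationHeader == null) return Optional.of(GUEST_ROLES); // no credentials: guest
        if (!authorizationHeader.regionMatches(true, 0, "Bearer ", 0, 7)) return Optional.empty();
        // A token that was presented but does not verify must never fall back to guest.
        return Optional.ofNullable(VERIFIED_TOKENS.get(authorizationHeader.substring(7).trim()));
    }

    static Decision decide(String path, String authorizationHeader) {
        Optional<Set<String>> roles = rolesFor(authorizationHeader);
        if (roles.isEmpty()) return Decision.UNAUTHORIZED_401;
        String required = REQUIRED_ROLE.entrySet().stream()
                .filter(e -> path.equals(e.getKey()) || path.startsWith(e.getKey() + "/"))
                .map(Map.Entry::getValue).findFirst().orElse(null);
        if (required == null) return Decision.FORBIDDEN_403;      // default deny
        if (roles.get().contains(required)) return Decision.ALLOW;
        // A guest lacking the role is asked to authenticate; a known user is forbidden.
        return authorizationHeader == null ? Decision.UNAUTHORIZED_401 : Decision.FORBIDDEN_403;
    }

    public static void main(String[] args) {
        System.out.println(decide("/v1/public/catalog/42", null));
        System.out.println(decide("/v1/orders", null));
        System.out.println(decide("/v1/orders", "Bearer tok-alice"));
        System.out.println(decide("/v1/public/catalog", "Bearer expired"));
        System.out.println(decide("/v1/admin", "Bearer tok-alice"));
    }
}
```
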
> On 10 Nov 2017, at 15:02, Pedro Igor Silva <psilva at redhat.com> wrote:
>
> I'm glad to take a look at it and see how it could fit in our adapters.
> Could you create a JIRA and give some link to your code so we can discuss
> from there ?
>
> Thanks.
>
> On Fri, Nov 10, 2017 at 10:51 AM, Emilien Bondu <dev.ebondu at gmail.com>
> wrote:
>
>> To achieve this, I implemented a KeycloakAnonymousActionsFilter filter to
>> handle requests, associated to an AnonymousActionsHandler (extending the
>> official AuthenticatedActionsHandler) and an AnonymousPolicyEnforcer (extending
>> the official AbstractPolicyEnforcer). Do you think this code should be
>> added to the official spring-adapter ?
>>
>>
>> On 10 Nov 2017, at 12:12, Pedro Igor Silva <psilva at redhat.com> wrote:
>>
>> @Emilien Bondu, I was looking at that thread again and now I'm wondering if
>> you ended up with something you can share.
>>
>> On Fri, Nov 10, 2017 at 9:07 AM, Emilien Bondu <dev.ebondu at gmail.com>
>> wrote:
>>
>>> Hi,
>>>
>>> Maybe you should have a look here :
>>>
>>> http://lists.jboss.org/pipermail/keycloak-user/2017-March/009830.html
>>>
>>>
>>> On 10 Nov 2017, at 11:33, Pedro Igor Silva <psilva at redhat.com> wrote:
>>>
>>> Hi,
>>>
>>> I think you could probably change your application and remove the
>>> resources/paths you want to make public from the list of resources
>>> protected by the adapter.
>>>
>>> On Thu, Nov 9, 2017 at 2:06 PM, Corentin Dupont <
>>> corentin.dupont at gmail.com>
>>> wrote:
>>>
>>> Another question: how to apply default authorizations?
>>>
>>> I want to protect my API with authorization in Keycloak. However some
>>> resources should be open to the public, accessible without any bearer
>>> token.
>>> My idea was:
>>> - create an "unregistered_user" composite role, containing some basic
>>> roles
>>> - create a "guest" user, with the unregistered_user role
>>> - on the API server, if there is no token in the request I will get the
>>> roles of the guest user and use them. If there is a token, I'll use that
>>> user's permissions.
>>> What do you think of that process?
>>>
>>> Thanks
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user