[keycloak-user] Securing GET/POST/DELETE in different way

Sebastien Blanc sblanc at redhat.com
Tue Oct 24 04:28:47 EDT 2017


Are you in a Java EE app?

In your security constraints, you can specify which method is allowed along
with the role. For instance:

<security-constraint>
    <web-resource-collection>
        <web-resource-name>admin</web-resource-name>
        <url-pattern>/users</url-pattern>
        <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
        <role-name>admin</role-name>
    </auth-constraint>
</security-constraint>

<security-constraint>
    <web-resource-collection>
        <web-resource-name>user</web-resource-name>
        <url-pattern>/users</url-pattern>
        <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint>
        <role-name>user</role-name>
    </auth-constraint>
</security-constraint>




On Tue, Oct 24, 2017 at 9:45 AM, Karol Buler <K.Buler at adbglobal.com> wrote:

> Hi Bettina,
>
> thank you for response, but this is not exactly what I want. With
> enforcement filter we can define which methods (paths) should be
> protected, but not which ROLE has access to the resources.
>
> I realized this with API Gateway based on Zuul.
>
> Regards,
> Karol
>
>
> On 24.10.2017 08:09, Hübner, Bettina wrote:
> > Hi Karol,
> >
> > Perhaps this might help you:
> > http://www.keycloak.org/docs/latest/authorization_services/
> topics/enforcer/keycloak-enforcement-filter.html
> >
> > Regards,
> > Bettina
> >
> >
> >
> >
> > -----Original Message-----
> > From: keycloak-user-bounces at lists.jboss.org [mailto:
> keycloak-user-bounces at lists.jboss.org] On behalf of Karol Buler
> > Sent: Monday, 23 October 2017 10:45
> > To: keycloak-user at lists.jboss.org
> > Subject: [keycloak-user] Securing GET/POST/DELETE in different way
> >
> > Hi all,
> >
> > is there any possibility to secure GET/POST/DELETE etc. methods in a
> > different way?
> >
> > e.g.
> >
> > endpoint: /users
> >
> >       GET: for Keycloak's role 'user'
> >
> >       POST: for Keycloak's role 'users_admin'
> >
> > and so on. Result is that user with 'user' cannot create another user in
> > our system.
> >
> > Regards,
> > Karol
> >
> >
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>

