[keycloak-user] Securing GET/POST/DELETE in different way

Karol Buler K.Buler at adbglobal.com
Tue Oct 24 04:44:17 EDT 2017


Sebastien... you are my HERO! Thanks ;)


On 24.10.2017 10:36, Sebastien Blanc wrote:
> Even easier with Spring Boot ;) :
>
> keycloak.security-constraints[0].authRoles[0]=admin
> keycloak.security-constraints[0].securityCollections[0].methods[0]=POST
> keycloak.security-constraints[0].securityCollections[0].patterns[0]=/products/*
> keycloak.security-constraints[1].authRoles[0]=user
> keycloak.security-constraints[1].securityCollections[0].methods[0]=GET
> keycloak.security-constraints[1].securityCollections[0].patterns[0]=/products/*
>
> On Tue, Oct 24, 2017 at 10:34 AM, Karol Buler <K.Buler at adbglobal.com> wrote:
>
>     Unfortunately this is a spring-boot application, but there is a
>     possibility to attach web.xml, I think. Thanks! I am considering using
>     it instead of Zuul.
>
>
>     On 24.10.2017 10:28, Sebastien Blanc wrote:
>>     Are you in a Java EE app ?
>>
>>     In your security constraints, you can specify which method is
>>     allowed along with the role. For instance :
>>
>>     <security-constraint>
>>          <web-resource-collection>
>>              <web-resource-name>admin</web-resource-name>
>>              <url-pattern>/users</url-pattern>
>>              <http-method>POST</http-method>
>>          </web-resource-collection>
>>          <auth-constraint>
>>              <role-name>admin</role-name>
>>          </auth-constraint>
>>     </security-constraint>
>>
>>     <security-constraint>
>>          <web-resource-collection>
>>              <web-resource-name>user</web-resource-name>
>>              <url-pattern>/users</url-pattern>
>>              <http-method>GET</http-method>
>>          </web-resource-collection>
>>          <auth-constraint>
>>              <role-name>user</role-name>
>>          </auth-constraint>
>>     </security-constraint>
>>
>>
>>
>>     On Tue, Oct 24, 2017 at 9:45 AM, Karol Buler <K.Buler at adbglobal.com> wrote:
>>
>>         Hi Bettina,
>>
>>         thank you for the response, but this is not exactly what I want. With
>>         the enforcement filter we can define which methods (paths) should be
>>         protected, but not which ROLE has access to the resources.
>>
>>         I realized this with API Gateway based on Zuul.
>>
>>         Regards,
>>         Karol
>>
>>
>>         On 24.10.2017 08:09, Hübner, Bettina wrote:
>>         > Hi Karol,
>>         >
>>         > Perhaps this might help you:
>>         >
>>         > http://www.keycloak.org/docs/latest/authorization_services/topics/enforcer/keycloak-enforcement-filter.html
>>         >
>>         > Regards,
>>         > Bettina
>>         >
>>         >
>>         >
>>         >
>>         > -----Original Message-----
>>         > From: keycloak-user-bounces at lists.jboss.org On behalf of Karol Buler
>>         > Sent: Monday, 23 October 2017 10:45
>>         > To: keycloak-user at lists.jboss.org
>>         > Subject: [keycloak-user] Securing GET/POST/DELETE in different way
>>         >
>>         > Hi all,
>>         >
>>         > is there any possibility to secure GET/POST/DELETE etc. methods in a
>>         > different way?
>>         >
>>         > e.g.
>>         >
>>         > endpoint: /users
>>         >
>>         >       GET: for Keycloak's role 'user'
>>         >
>>         >       POST: for Keycloak's role 'users_admin'
>>         >
>>         > and so on. Result is that user with 'user' cannot create another user in
>>         > our system.
>>         >
>>         > Regards,
>>         > Karol
>>         >
>>         >
>>         > _______________________________________________
>>         > keycloak-user mailing list
>>         > keycloak-user at lists.jboss.org
>>         > https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>>
>>
>
>


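The web.xml in the thread constrains only GET and POST, so DELETE, which the original question also asked about, and every other method on /users stay uncovered and reachable without any role. The following is an added example, not code from the thread, showing the complete Servlet 3.1 form for the /users endpoint; the role names 'user' and 'users_admin' come from the question, while assigning DELETE to 'users_admin', the KEYCLOAK auth-method and the realm name are assumptions.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not from the thread: complete web.xml for the /users
     endpoint of the original question. Roles 'user' and 'users_admin' are
     from the question; DELETE -> 'users_admin', the KEYCLOAK auth-method
     and the realm name are assumptions. -->
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee
                             http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd"
         version="3.1">

  <!-- GET /users: any authenticated caller holding the 'user' role. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>users-read</web-resource-name>
      <url-pattern>/users</url-pattern>
      <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>user</role-name>
    </auth-constraint>
  </security-constraint>

  <!-- POST and DELETE /users: only callers holding 'users_admin'. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>users-write</web-resource-name>
      <url-pattern>/users</url-pattern>
      <http-method>POST</http-method>
      <http-method>DELETE</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>users_admin</role-name>
    </auth-constraint>
  </security-constraint>

  <!-- Servlet 3.1: methods not listed above (PUT, PATCH, HEAD, OPTIONS, ...)
       on /users are rejected with 403 instead of being left unconstrained. -->
  <deny-uncovered-http-methods/>

  <login-config>
    <auth-method>KEYCLOAK</auth-method>
    <realm-name>example-realm</realm-name>
  </login-config>

  <security-role><role-name>user</role-name></security-role>
  <security-role><role-name>users_admin</role-name></security-role>
</web-app>
```

On a Servlet 3.0 container, which lacks deny-uncovered-http-methods, the same effect needs an extra constraint with an empty auth-constraint covering the remaining methods, or http-method-omission in the collections.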
