[keycloak-user] Secure RESTful API with keycloak
Sebastien Blanc
sblanc at redhat.com
Wed Jun 20 11:49:50 EDT 2018
Hi !
I must admit that the Servlet Security constraints regarding METHODS are not
easy to grasp. If you add another security constraint that also covers
POST/PUT/DELETE then it should work, something like this (sorry, using old
school properties):
keycloak.security-constraints[0].authRoles[0]=user
keycloak.security-constraints[0].securityCollections[0].patterns[0]=/products/*
keycloak.security-constraints[0].securityCollections[0].methods[0]=GET
keycloak.security-constraints[1].authRoles[0]=super
keycloak.security-constraints[1].securityCollections[0].patterns[0]=/products/*
keycloak.security-constraints[1].securityCollections[0].methods[0]=POST
keycloak.security-constraints[1].securityCollections[0].methods[1]=PUT
keycloak.security-constraints[1].securityCollections[0].methods[2]=DELETE
Also make sure that the user that has full access also has the readonly
role.
Hope this helps.
Sebi
On Wed, Jun 20, 2018 at 3:22 PM, Alvaro Martin <alvaro.martin at bluetab.net>
wrote:
> Hi,
>
> We are evaluating keycloak as an IAM for a future application. We are
> building a prototype with an Angular front app and a spring boot 2 backend.
> The backend app exposes a RESTful API whose access we want to restrict
> down to the HTTP verb level. At least we want to achieve two access levels
> on each endpoint: readonly access (HTTP GET) and full access (GET, POST,
> PUT, DELETE).
>
> We have configured keycloak and built the application but the backend
> doesn't seem to restrict the access. Here is the application.yml. We are
> trying to set up a ROLE_CLIENT_RO (for readonly) and ROLE_CLIENT_FA (for
> full access).
>
> keycloak:
>   auth-server-url: http://localhost:8010/auth
>   bearer-only: true
>   public-client: true
>   realm: blue-energy
>   resource: client-service
>   securityConstraints:
>     - authRoles:
>         - ROLE_CLIENT_RO
>       securityCollections:
>         - name: protected resource
>           patterns:
>             - /clients
>             - /clients/
>           methods:
>             - GET
>   ssl-required: external
>
> The backend app seems to honor the ROLE_CLIENT_RO role but not the HTTP
> verb. If we assign the realm role ROLE_CLIENT_RO to the user that should
> grant just readonly access, he has unrestricted access to the whole endpoint
> (i.e. all the verbs).
>
> We are using keycloak 4.0.0.Final.
>
> Is this configuration supposed to work? We haven't found many references on
> how to set up a scenario like this.
>
> Thanks in advance,
>
>
> *Álvaro Martín García* <http://www.bluetab.net/>
> alvaro.martin at bluetab.net
>
> +34 91 457 16 97
>
> +34 687 398 622
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
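The behaviour Alvaro saw and the fix Sebi proposes both follow from how servlet-style security constraints are matched: a constraint that lists HTTP methods only constrains those methods, so a pattern with a GET-only constraint leaves POST/PUT/DELETE uncovered and they pass straight through. The following Python simulation of those matching rules is an added illustration, not code from this thread, from Keycloak, or from any servlet container. It uses the role names from the question and the `/clients/*` wildcard form from the reply (an assumption; the exact patterns `/clients` and `/clients/` would not match `/clients/42`), and it shows why a full-access user also needs the readonly role once the second constraint is in place. The `deny_uncovered` switch mirrors the Servlet 3.1 `deny-uncovered-http-methods` behaviour for comparison; it is not a Keycloak adapter setting.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Constraint:
    """One entry of keycloak.security-constraints: roles plus a collection."""
    auth_roles: frozenset
    patterns: tuple
    methods: frozenset = frozenset()  # empty set means "every HTTP method"


def pattern_matches(pattern: str, path: str) -> bool:
    """Servlet URL-pattern matching: '/x/*' is a path prefix, anything else is exact."""
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    return path == pattern


def authorize(constraints, method, path, user_roles, deny_uncovered=False):
    """Return (decision, reason) for one request under servlet constraint rules.

    A constraint applies when one of its patterns matches the path and it
    either lists no methods or lists this method. If no constraint applies,
    the method is "uncovered": it is allowed unless deny_uncovered is set
    (the Servlet 3.1 deny-uncovered-http-methods behaviour; assumed here for
    illustration, not an option of the Keycloak adapter).
    """
    method = method.upper()
    applicable = [
        c for c in constraints
        if any(pattern_matches(p, path) for p in c.patterns)
        and (not c.methods or method in c.methods)
    ]
    if not applicable:
        if deny_uncovered:
            return "DENY", "uncovered method, denied by policy"
        return "ALLOW", "uncovered method: no constraint names it for this path"
    # The roles of every applicable constraint are combined; holding any one
    # of them is enough for the caller.
    allowed = frozenset().union(*(c.auth_roles for c in applicable))
    if frozenset(user_roles) & allowed:
        return "ALLOW", "role match"
    return "DENY", "missing role, need one of " + "/".join(sorted(allowed))


# Constructed configurations. AS_POSTED is the question's single GET-only
# constraint; AS_SUGGESTED adds the second constraint from the reply.
READ_ONLY_CONSTRAINT = Constraint(
    frozenset({"ROLE_CLIENT_RO"}), ("/clients/*",), frozenset({"GET"}))
WRITE_CONSTRAINT = Constraint(
    frozenset({"ROLE_CLIENT_FA"}), ("/clients/*",),
    frozenset({"POST", "PUT", "DELETE"}))

AS_POSTED = [READ_ONLY_CONSTRAINT]
AS_SUGGESTED = [READ_ONLY_CONSTRAINT, WRITE_CONSTRAINT]


if __name__ == "__main__":
    cases = [
        (AS_POSTED, "POST", "/clients/1", set()),                 # anonymous write
        (AS_SUGGESTED, "POST", "/clients/1", {"ROLE_CLIENT_RO"}),
        (AS_SUGGESTED, "POST", "/clients/1", {"ROLE_CLIENT_FA"}),
        (AS_SUGGESTED, "GET", "/clients/1", {"ROLE_CLIENT_FA"}),  # FA alone
        (AS_SUGGESTED, "GET", "/clients/1", {"ROLE_CLIENT_FA", "ROLE_CLIENT_RO"}),
    ]
    for constraints, method, path, roles in cases:
        label = "as posted" if constraints is AS_POSTED else "as suggested"
        decision, reason = authorize(constraints, method, path, roles)
        print(f"{label:13} {method:6} {path} roles={sorted(roles) or '-'}: "
              f"{decision} ({reason})")
```

The first case is the observed problem: with only the GET constraint, an unauthenticated POST is allowed because nothing covers it. With both constraints, a readonly user is denied on POST, but a user holding only ROLE_CLIENT_FA is denied on GET, which is why the reply says the full-access user must also carry the readonly role.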