[keycloak-user] Secure RESTful API with keycloak

Alvaro Martin alvaro.martin at bluetab.net
Wed Jun 20 11:54:27 EDT 2018


Hi Sebi,

It has worked!

Thanks a lot for your help,

*Álvaro Martín García* <http://www.bluetab.net/>
alvaro.martin at bluetab.net

+34 91 457 16 97

+34 687 398 622


2018-06-20 17:49 GMT+02:00 Sebastien Blanc <sblanc at redhat.com>:

> Hi !
>
> I must admit that the Servlet Security constraints regarding METHODS are
> not easy to grasp. If you add another security constraint that also covers
> the POST/PUT/DELETE then it should work, something like that (sorry, using
> old school properties):
>
> keycloak.security-constraints[0].authRoles[0]=user
> keycloak.security-constraints[0].securityCollections[0].patterns[0]=/products/*
> keycloak.security-constraints[0].securityCollections[0].methods[0]=GET
>
> keycloak.security-constraints[1].authRoles[0]=super
> keycloak.security-constraints[1].securityCollections[0].patterns[0]=/products/*
> keycloak.security-constraints[1].securityCollections[0].methods[0]=POST
> keycloak.security-constraints[1].securityCollections[0].methods[1]=PUT
> keycloak.security-constraints[1].securityCollections[0].methods[2]=DELETE
>
> Also make sure that the user that has full access also has the readonly
> role.
>
> Hope this helps.
>
> Sebi
>
>
> On Wed, Jun 20, 2018 at 3:22 PM, Alvaro Martin <alvaro.martin at bluetab.net>
> wrote:
>
>> Hi,
>>
>> We are evaluating keycloak as an IAM for a future application. We are
>> building a prototype with an Angular front app and a spring boot 2
>> backend.
>> The backend app exposes a RESTful API whose access we want to restrict
>> down to the HTTP verb level. At least we want to achieve two access levels
>> on each endpoint: readonly access (HTTP GET) and full access (GET, POST,
>> PUT, DELETE).
>>
>> We have configured keycloak and built the application but the backend
>> doesn't seem to restrict the access. Here is the application.yml. We are
>> trying to set up a ROLE_CLIENT_RO (for readonly) and ROLE_CLIENT_FA (for
>> full access).
>>
>> keycloak:
>>     auth-server-url: http://localhost:8010/auth
>>     bearer-only: true
>>     public-client: true
>>     realm: blue-energy
>>     resource: client-service
>>     securityConstraints:
>>     -   authRoles:
>>         - ROLE_CLIENT_RO
>>         securityCollections:
>>         -   name: protected resource
>>             patterns:
>>             - /clients
>>             - /clients/
>>             methods:
>>             - GET
>>     ssl-required: external
>>
>> The backend app seems to honor the ROLE_CLIENT_RO role but not the HTTP
>> verb. If we assign the realm role ROLE_CLIENT_RO to the user that should
>> grant just readonly access, he has unrestricted access to the whole endpoint
>> (i.e. all the verbs).
>>
>> We are using keycloak 4.0.0.Final.
>>
>> Is this configuration supposed to work? We haven't found many references
>> on how to set up a scenario like this.
>>
>> Thanks in advance,
>>
>>
>> *Álvaro Martín García* <http://www.bluetab.net/>
>> alvaro.martin at bluetab.net
>>
>> +34 91 457 16 97
>>
>> +34 687 398 622
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
>

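The behaviour Sebi describes (a constraint that lists only GET leaves the other verbs unrestricted, and a full-access user still needs the readonly role to GET) can be seen in a small model of servlet-style constraint matching. This is an added example, not code from the thread or from the Keycloak adapter; it assumes that a constraint listing methods covers only those methods, that a method no constraint covers for a matching pattern is let through, and that any role from the covering constraints is enough. The `ORIGINAL` and `FIXED` constraint lists are constructed from the thread's role names and paths.

```python
# Added example: a toy model of servlet-style security-constraint matching,
# used to show why a GET-only constraint does not restrict POST/PUT/DELETE.
# Assumptions (not taken from the thread): a constraint that lists methods
# covers only those methods; an "uncovered" method is allowed; when several
# constraints cover the same method, any one of their roles grants access.

def pattern_matches(pattern, path):
    # Servlet-style patterns: an exact path, or "/prefix/*" for a path prefix.
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    return path == pattern

def is_allowed(constraints, method, path, user_roles):
    """Return (allowed, covered): whether the request passes, and whether any
    constraint covered this method at all (False means it slipped through)."""
    allowed_roles = set()
    covered = False
    for c in constraints:
        for coll in c["securityCollections"]:
            if not any(pattern_matches(p, path) for p in coll["patterns"]):
                continue
            methods = coll.get("methods") or []      # empty list = all methods
            if methods and method not in methods:
                continue                             # this verb is not covered here
            covered = True
            allowed_roles.update(c["authRoles"])
    if not covered:
        return True, False                           # uncovered verb: nothing restricts it
    return bool(allowed_roles & set(user_roles)), True

# Constructed: the single GET-only constraint from the question.
ORIGINAL = [
    {"authRoles": ["ROLE_CLIENT_RO"],
     "securityCollections": [{"patterns": ["/clients", "/clients/*"],
                              "methods": ["GET"]}]},
]
# Constructed: the second constraint from the reply, with the thread's role names.
FIXED = ORIGINAL + [
    {"authRoles": ["ROLE_CLIENT_FA"],
     "securityCollections": [{"patterns": ["/clients", "/clients/*"],
                              "methods": ["POST", "PUT", "DELETE"]}]},
]

if __name__ == "__main__":
    ro, fa = ["ROLE_CLIENT_RO"], ["ROLE_CLIENT_FA"]
    print(is_allowed(ORIGINAL, "DELETE", "/clients/7", ro))  # (True, False): uncovered
    print(is_allowed(FIXED, "DELETE", "/clients/7", ro))     # (False, True): now blocked
    print(is_allowed(FIXED, "GET", "/clients/7", fa))        # (False, True): FA alone cannot GET
```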
