[keycloak-user] Java Adapter - Claim body removes content
Felipe Roca
felipe at hopu.eu
Wed Aug 21 04:11:35 EDT 2019
Hi Guys,
I was creating a small PEP for a third party service API using the
keycloak authorization service.
My idea was to check whether an user is allowed to perform certain
operation based on some body parameters, but it turns out that the body
claim left the body content unsusable for the proxy application.
What do you think? Is this a bug or an expected behavior?
For a better understanding, here you can find my configuration file and
controller class. I am using keycloak-spring-boot-starter and
keycloak-authz-client version 6.0.0 maven modules but I tried also with
6.0.1 and same results.
keycloak.realm=spring-boot-quickstart keycloak.auth-server-url=http://example.local/keycloak/auth keycloak.ssl-required=external keycloak.resource=app keycloak.bearer-only=true keycloak.credentials.secret=c23a55c0-0c96-4e28-8922-c47f918c2102
keycloak.securityConstraints[0].authRoles[0]=user keycloak.securityConstraints[0].securityCollections[0].name=protected keycloak.securityConstraints[0].securityCollections[0].patterns[0]=/version keycloak.securityConstraints[0].securityCollections[0].patterns[1]=/admin/* keycloak.securityConstraints[0].securityCollections[0].patterns[2]=/v1/* keycloak.securityConstraints[0].securityCollections[0].patterns[3]=/v2/* keycloak.policy-enforcer-config.enforcement-mode=ENFORCING
keycloak.policy-enforcer-config.claimInformationPointConfig.claims[http.uri]={request.relativePath}
keycloak.policy-enforcer-config.claimInformationPointConfig.claims[http.fiware-service]={request.header['service']}
keycloak.policy-enforcer-config.claimInformationPointConfig.claims[http.fiware-servicepath]={request.header['servicepath']}
keycloak.policy-enforcer-config.claimInformationPointConfig.claims[http.id]={request.body['/id']}
@RestController public class ProxyController {
@Value("${proxy.schema}")
private Stringschema;
@Value("${proxy.host}")
private Stringhost;
@Value("${proxy.port}")
private int port;
private RestTemplaterestTemplate;
@Autowired public ProxyController() {
restTemplate =new RestTemplate();
restTemplate.setRequestFactory(new HttpComponentsClientHttpRequestFactory());
restTemplate.setErrorHandler(new BlankResponseErrorHandler());
}
@RequestMapping(value ="/login", produces ="application/json", method =POST)
public ResponseEntity<Login> login(@RequestBody Login login) {
return ResponseEntity.ok().body(login);
}
@RequestMapping(value ="/**", produces ="application/json", method = {GET,DELETE,HEAD,OPTIONS})
public ResponseEntity<String> proxyRequestWithoutBody(HttpMethod method, HttpServletRequest request)throws URISyntaxException {
return restTemplate.exchange(buildUri(request), method,new HttpEntity<String>(copyHeaders(request)), String.class);
}
@RequestMapping(value ="/**", produces ="application/json", method = {POST,PUT,PATCH})
public ResponseEntity<String> proxyRequest(@RequestBody String body, HttpMethod method, HttpServletRequest request)throws URISyntaxException {
return restTemplate.exchange(buildUri(request), method,new HttpEntity<>(body, copyHeaders(request)), String.class);
}
private URI buildUri(HttpServletRequest request)throws URISyntaxException {
return new URI(schema,null,host,port, request.getRequestURI(), request.getQueryString(),null);
}
private HttpHeaders copyHeaders(HttpServletRequest request) {
HttpHeaders httpHeaders =new HttpHeaders();
for (String headerName : Collections.list(request.getHeaderNames())) {
if (!headerName.equals("host"))
httpHeaders.add(headerName, request.getHeader(headerName));
}
return httpHeaders;
}
}
Thank you in advance,
Best regards,
Felipe
--
Felipe Roca Blaya
Software Engineer
-
HOP Ubiquitous S.L.
www.hopu.eu <http://www.hopu.eu>
C/Luis Buñuel 6
30562, Ceutí, Murcia.
Spain
-
logo_hop <http://www.hopu.eu/>
-
face <https://www.facebook.com/hopubiquitous/> Twitter
<https://twitter.com/HOPUbiquitous> google
<https://plus.google.com/+HOPUbiquitousCeut%C3%AD?hl=es> vimeo
<https://vimeo.com/hopu> linkedin
<https://www.linkedin.com/company-beta/3810080/>
More information about the keycloak-user
mailing list