[keycloak-user] Restrict access to admin console by checking if header exists
Dmitry Telegin
dt at acutus.pro
Tue Feb 5 12:19:30 EST 2019
Hello Mark,
Try this:
<expression-filter module="io.undertow.core" name="restrict-admin-console-access" expression="path-prefix(/auth/admin/master/console) and not exists(%{i,CF-Connecting-IP}) -> response-code(403)" />
First, there should be no space between the comma and the header name. Second, you need to provide a handler (response code in your case).
Cheers,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training
Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro
On Tue, 2019-02-05 at 11:55 +0100, Mark de Jng wrote:
> Hi,
>
> I want to restrict the access to admin console by checking if the `CF-Connecting-IP` does not exist for a specific path.
>
> I’ve checked this documentation: http://undertow.io/undertow-docs/undertow-docs-2.0.0/#predicates-attributes-and-handlers
>
> And I’ve come this far, but undertow complains that my expression is not valid:
>
> <expression-filtermodule="io.undertow.core" name="restrict-admin-console-access" expression="path-prefix(/auth/admin/console) and not exists(%{i, CF-Connecting-IP})" />
>
> Any clue?
>
> Thanks
>
> Mark
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
More information about the keycloak-user
mailing list