[keycloak-user] Keycloak fine grained permissions with Spring Boot / Spring Security

Pedro Igor Silva psilva at redhat.com
Thu May 9 09:31:41 EDT 2019


Hi,

As you noticed we don't have this capability yet. If you create some
interceptor which is bound to some annotation you should be able to perform
the policy enforcement.

I like the idea and if you want to open an RFE, please do it. If you end up
doing something feel free to contribute.

Regards.
Pedro Igor.

On Thu, May 9, 2019 at 4:47 AM David Marsh <dmarsh26 at outlook.com> wrote:

> I would like to use permissions or scopes or similar to allow fine grained
> access to REST resource.
>
> Ideally I would like to do something like:
>
>
> @PreAuthorize("hasPermission('Brands', 'brands:write')")
>
> ResponseEntity<Brand> getBrand(@PathVariable("brandCode") String
> brandCode);
>
> where 'Brands' is a keycloak client authorization resource with scopes
> 'brands:write, brands:read'.
>
> The only annotation that seems to work is @Secured with a role, I do not
> wish to do RBAC.
>
> @Secured({"ROLE_STAFF"})
>
> I have looked at the PolicyEnforcer, it is unclear to me exactly how it is
> supposed to be used.
>
> I can write code of the form:
>
>
> KeycloakSecurityContext keycloakSecurityContext =
> (KeycloakSecurityContext)
> request.getAttribute(KeycloakSecurityContext.class.getName());
> AuthorizationContext authzContext =
> keycloakSecurityContext.getAuthorizationContext();
> if (authzContext.hasScopePermission("brands:write")) {
>
>      // This works....
> }
>
> How can I tie the AuthorizationContext from PolicyEnforcing to the
> standard Spring security annotations?
>
> thanks
> David
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
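The interceptor Pedro suggests can be a Spring Security `PermissionEvaluator` that consults the Keycloak `AuthorizationContext`, so `@PreAuthorize("hasPermission('Brands', 'brands:write')")` resolves against UMA resource and scope names. This is an added example, not code from the thread or from the Keycloak project; it assumes the Keycloak Spring Security adapter is in use (so the `Authentication` is a `KeycloakAuthenticationToken`) and that the adapter's policy enforcer is enabled, since only then is the `AuthorizationContext` populated. Class and bean names are hypothetical.

```java
import java.io.Serializable;
import org.keycloak.AuthorizationContext;
import org.keycloak.KeycloakSecurityContext;
import org.keycloak.adapters.springsecurity.token.KeycloakAuthenticationToken;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.PermissionEvaluator;
import org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler;
import org.springframework.security.access.expression.method.MethodSecurityExpressionHandler;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.method.configuration.GlobalMethodSecurityConfiguration;
import org.springframework.security.core.Authentication;

// Hypothetical bridge: maps Spring's hasPermission(target, permission) onto the
// Keycloak AuthorizationContext filled in by the adapter's PolicyEnforcer.
public class KeycloakPermissionEvaluator implements PermissionEvaluator {

    @Override
    public boolean hasPermission(Authentication authentication, Object resource, Object scope) {
        if (!(authentication instanceof KeycloakAuthenticationToken) || resource == null || scope == null) {
            return false; // deny by default: not a Keycloak principal, or a malformed expression
        }
        KeycloakSecurityContext ksc = ((KeycloakAuthenticationToken) authentication)
                .getAccount().getKeycloakSecurityContext();
        AuthorizationContext authz = ksc.getAuthorizationContext();
        if (authz == null) {
            return false; // no policy enforcer ran for this request, so nothing was granted
        }
        // hasPermission('Brands', 'brands:write') -> resource "Brands", scope "brands:write"
        return authz.hasPermission(resource.toString(), scope.toString());
    }

    @Override
    public boolean hasPermission(Authentication authentication, Serializable targetId,
                                 String targetType, Object scope) {
        // Id-based form: treat targetType as the resource name; the id itself is not used here.
        return hasPermission(authentication, targetType, scope);
    }
}

@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true)
class MethodSecurityConfig extends GlobalMethodSecurityConfiguration {
    @Override
    protected MethodSecurityExpressionHandler createExpressionHandler() {
        DefaultMethodSecurityExpressionHandler handler = new DefaultMethodSecurityExpressionHandler();
        handler.setPermissionEvaluator(new KeycloakPermissionEvaluator());
        return handler;
    }
}
```

With the enforcer in ENFORCING mode, requests lacking the permission are rejected by the adapter before the controller runs; the evaluator still matters for paths the enforcer does not cover, or when it runs in PERMISSIVE mode and only populates the context.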

