0

I've currently got some issue when it comes to configure keycloaks policy enforcement/fine graining. I'm trying to secure a path which has a Wildcard in the middle of the URL. for example: /test/{UUID}/bla It works when I secure a path with a wildcard at the end of it like /test/bla/{uuid} but I can't get it to work when there's some variable in the middle of a path.

The Documentation of keycloak says:

Currently a very basic logic for path matching is supported. Examples of valid paths are:
Wildcards: /*
Suffix: /*.html
Sub-paths: /path/*
Path parameters: /resource/{id}
Exact match: /resource
Patterns: /{version}/resource, /api/{version}/resource, /api/{version}/resource/*

I've tried to put {version}, * or {id} but doesnt seem to change anything. My application.properties:

keycloak.securityConstraints[0].securityCollections[0].patterns[1]=/data/{id}/test1
keycloak.securityConstraints[0].securityCollections[0].patterns[2]=/data/*/test2
keycloak.securityConstraints[0].securityCollections[0].patterns[3]=/data/test3/*

I'm able to secure test3 with an id but not the other endpoints. Actually they are secured I just can't get access/policy enforcement to work on them* On my Keycloak config I've also tried alot of URI varaitions like this.

Would be nice if anyone can help me out :) I've also tried this post: Fetch resource given partial url path or based on a regex pattern using keycloak rest admin apis but the matchingURI didn't seem to work.

Matteo
  • 3
  • 3

1 Answers1

0

This does not answer your question, but:

  • do not use Keycloak libs for Spring, it is deprecated.
  • why use policy enforcer which has at least two major drawbacks compared to JWT decoding and spring-security expressions?
    • far less efficient: it requires a call from resource-server to Keycloak for each and every request when a JWT access-token can be validated and interpreted by resource-server only (a single call to Keycloak is issued at startup to fetch signing key).
    • you can't unit-test security rules: a keycloak instance must be up and reachable for policies to be tested in integration tests.

To secure a Spring resource server without Keycloak libs, define spring-security expressions and unit-test it, refer to this article: https://dzone.com/articles/spring-oauth2-resource-servers

Sample (quite advanced) access control rule: @PreAuthorize("is(#username) or isNice() or onBehalfOf(#username).can('greet')")

In action, this gives:

@RestController
public class GreetingController {
    @GetMapping("/greet/{username}")
    @PreAuthorize("is(#username) or isNice() or onBehalfOf(#username).can('greet')")
    public String getGreetingFor(@PathVariable("username") String username, Authentication auth) {
        return "Hi %s from %s!".formatted(username, auth.getName());
    }
}

And matching unit-tests:

    @Test
    @ProxiesAuth(
            authorities = { "AUTHOR" },
            claims = @OpenIdClaims(preferredUsername = "Tonton Pirate"),
            proxies = { @Proxy(onBehalfOf = "ch4mpy", can = { "greet" }) })
    void whenNotNiceWithProxyThenCanGreetFor() throws Exception {
        mockMvc.perform(get("/greet/ch4mpy"))
            .andExpect(status().isOk())
            .andExpect(content().string("Hi ch4mpy from Tonton Pirate!"));
    }

    @Test
    @ProxiesAuth(
            authorities = { "AUTHOR", "NICE" },
            claims = @OpenIdClaims(preferredUsername = "Tonton Pirate"))
    void whenNiceWithoutProxyThenCanGreetFor() throws Exception {
        mockMvc.perform(get("/greet/ch4mpy"))
            .andExpect(status().isOk())
            .andExpect(content().string("Hi ch4mpy from Tonton Pirate!"));
    }

    @Test
    @ProxiesAuth(
            authorities = { "AUTHOR" },
            claims = @OpenIdClaims(preferredUsername = "Tonton Pirate"),
            proxies = { @Proxy(onBehalfOf = "jwacongne", can = { "greet" }) })
    void whenNotNiceWithoutRequiredProxyThenForbiddenToGreetFor() throws Exception {
        mockMvc.perform(get("/greet/greeted"))
            .andExpect(status().isForbidden());
    }

    @Test
    @ProxiesAuth(
            authorities = { "AUTHOR" },
            claims = @OpenIdClaims(preferredUsername = "Tonton Pirate"))
    void whenHimselfThenCanGreetFor() throws Exception {
        mockMvc.perform(get("/greet/Tonton Pirate"))
            .andExpect(status().isOk())
            .andExpect(content().string("Hi Tonton Pirate from Tonton Pirate!"));
    }
ch4mp
  • 6,622
  • 6
  • 29
  • 49