Zenny

Reputation: 89

GET , POST , PUT , DELETE type based Authentication in keycloak

I have a resource in an API whose URI is /product/{id}, and it performs three operations, VIEW, GET, DELETE, based on the HttpMethod.

How can I manage that one user is allowed only to VIEW, while an admin is allowed to VIEW, GET, DELETE, i.e. all options?

I have seen the Keycloak Adapter Policy Enforcer, but I don't understand how it works. I am not getting a methods option when creating a permission.

Can somebody help me in implementing this or suggest some way to do it?

Upvotes: 7

Views: 3678

Answers (4)

Vadim

Reputation: 186

I guess you installed Keycloak to be able to control not just authentication but also authorization. Then you don't need Spring Security at all. You need to enable authorization for your client and configure resources, policies and permissions using the Keycloak admin console. Here is the documentation.

To control your resources at a more granular level, use policy enforcers and map HTTP methods to scopes as described here: How to add HTTP methods in Keycloak resources for Authorization (Without adapters).

One good example worth looking at is authz-spring-boot. It has a complete authorization flow, but without the method restriction, which can be added manually.

You can also check how your policy works using the "Evaluate" tab in Keycloak. This simulates a client call to the resource and shows the result.

Upvotes: 5
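As an added example (not part of the answer above, and not taken from the Keycloak documentation), this is what the method-to-scope mapping the answer refers to looks like in the policy-enforcer section of a Spring Boot adapter's keycloak.json for the question's /product/{id} resource. The realm name, client id, resource name and the three scope names are assumptions chosen for illustration, and the secret is a placeholder:

```json
{
  "realm": "demo",
  "auth-server-url": "http://localhost:8080/auth",
  "resource": "product-api",
  "credentials": { "secret": "<client-secret-placeholder>" },
  "policy-enforcer": {
    "enforcement-mode": "ENFORCING",
    "paths": [
      {
        "name": "Product",
        "path": "/product/{id}",
        "methods": [
          { "method": "GET",    "scopes": ["product:view"] },
          { "method": "PUT",    "scopes": ["product:update"] },
          { "method": "DELETE", "scopes": ["product:delete"] }
        ]
      }
    ]
  }
}
```

For this to work the client's Authorization settings must contain a resource named Product with the scopes product:view, product:update and product:delete, a role-based policy for the user role granted product:view through a scope-based permission, and a second policy for the admin role granted all three. With enforcement-mode ENFORCING, a request whose token does not carry the scope mapped to its HTTP method is rejected before it reaches the controller, so a user calling DELETE /product/42 gets a 403 while an admin gets through. The Evaluate tab the answer mentions is the quickest way to confirm each role/scope pair before testing against the running API.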

Nirojan Selvanathan

Reputation: 11164

I also had the same problem. The following answer provides the explanation.

Thus, you can define the HTTP methods as scopes and check for permission via the following Keycloak API.

curl -X POST \
  http://${host}:${port}/auth/realms/${realm}/protocol/openid-connect/token \
  -H "Authorization: Bearer ${access_token}" \
  --data "grant_type=urn:ietf:params:oauth:grant-type:uma-ticket" \
  --data "audience={resource_server_client_id}" \
  --data "permission=Resource A#GET"

Upvotes: 0
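As an added illustration, and not code from any of the answers or from Keycloak itself, the block below is a simplified, deny-by-default model of the decision a resource server makes once it knows which scopes an RPT grants for a resource, with each HTTP method mapped to a scope as the answer above describes. The path template, the scope names and the two granted-scope sets are constructed for the example; it needs only a JDK (Java 11 or newer, for Set.of).

```java
// Added example, not from the question or the answers: a deny-by-default model of
// mapping HTTP methods to Keycloak scopes and checking them against the scopes an
// RPT grants. Path, scope and resource names are constructed for illustration.
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.regex.Pattern;

public class MethodScopeEnforcer {

    /** One "paths" entry: a path template plus the scope(s) each HTTP method requires. */
    static final class PathConfig {
        final Pattern pattern;                                   // "/product/{id}" compiled to a regex
        final Map<String, Set<String>> methodScopes = new HashMap<>();

        PathConfig(String template) {
            // Keycloak-style templates use {name} placeholders; each one matches a single path segment.
            String regex = template.replaceAll("\\{[^/]+\\}", "[^/]+");
            this.pattern = Pattern.compile("^" + regex + "$");
        }

        PathConfig method(String httpMethod, String... scopes) {
            methodScopes.put(httpMethod, new HashSet<>(Arrays.asList(scopes)));
            return this;
        }
    }

    private final List<PathConfig> paths = new ArrayList<>();

    MethodScopeEnforcer add(PathConfig p) {
        paths.add(p);
        return this;
    }

    /**
     * Decide whether a request may proceed.
     * grantedScopes: the scopes the RPT lists for the matched resource (the "authorization.permissions"
     * claim), which the adapter has already verified before this check runs.
     * Returns false for a path that is not configured and for a method the path does not list, so an
     * unmapped verb such as PATCH cannot slip through.
     */
    boolean allow(String httpMethod, String requestPath, Set<String> grantedScopes) {
        for (PathConfig p : paths) {
            if (!p.pattern.matcher(requestPath).matches()) {
                continue;
            }
            Set<String> required = p.methodScopes.get(httpMethod);
            if (required == null) {
                return false;                                    // verb not mapped: deny
            }
            return grantedScopes.containsAll(required);          // every required scope must be granted
        }
        return false;                                            // no path entry matched: deny
    }

    public static void main(String[] args) {
        MethodScopeEnforcer enforcer = new MethodScopeEnforcer()
            .add(new PathConfig("/product/{id}")
                .method("GET", "product:view")
                .method("PUT", "product:update")
                .method("DELETE", "product:delete"));

        // Constructed stand-ins for what two RPTs would grant on the "Product" resource.
        Set<String> userScopes = Set.of("product:view");
        Set<String> adminScopes = Set.of("product:view", "product:update", "product:delete");

        System.out.println("user   GET    /product/42 -> " + enforcer.allow("GET", "/product/42", userScopes));
        System.out.println("user   DELETE /product/42 -> " + enforcer.allow("DELETE", "/product/42", userScopes));
        System.out.println("admin  DELETE /product/42 -> " + enforcer.allow("DELETE", "/product/42", adminScopes));
        System.out.println("admin  PATCH  /product/42 -> " + enforcer.allow("PATCH", "/product/42", adminScopes));
        System.out.println("admin  GET    /orders/1   -> " + enforcer.allow("GET", "/orders/1", adminScopes));
    }
}
```

Run it with `java MethodScopeEnforcer.java`. The user's RPT carries only product:view, so only its GET is permitted; the admin's RPT carries all three scopes, so its DELETE passes; PATCH is refused because no scope is mapped to it, and /orders/1 because no path entry covers it. That is the property to look for in any enforcer: anything not explicitly granted is rejected. Keycloak's own policy enforcer has its own documented fallback rules for unmapped methods and paths, so check them for the version you run rather than assuming this model.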

mate00

Reputation: 2945

What you need is Spring Security. You can add it to your project using:

<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-security</artifactId>
</dependency>

You could define your security settings like this (I'm assuming that other configuration is already done):

import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity   // @EnableWebMvcSecurity is deprecated in favour of this annotation
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    // ...

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // HTTP Basic authentication
            .httpBasic()
            .and()
            .authorizeRequests()
            // hasRole("USER") matches only principals holding ROLE_USER; an admin who should
            // also read needs that role too (or use hasAnyRole("USER", "ADMIN"))
            .antMatchers(HttpMethod.GET, "/product/**").hasRole("USER")
            // every writing verb is restricted to ROLE_ADMIN
            .antMatchers(HttpMethod.POST, "/product").hasRole("ADMIN")
            .antMatchers(HttpMethod.PUT, "/product/**").hasRole("ADMIN")
            .antMatchers(HttpMethod.PATCH, "/product/**").hasRole("ADMIN")
            .antMatchers(HttpMethod.DELETE, "/product/**").hasRole("ADMIN")
            .and()
            // CSRF protection disabled: appropriate only for a stateless API
            // that is not authenticated through a browser session cookie
            .csrf().disable()
            .formLogin().disable();
    }
}

Upvotes: 1

Rahul khanvani

Reputation: 401

First of all, the most suitable option is to use an annotation-based policy mechanism, so before each and every REST service you need to write its access policy, for example:

import org.springframework.security.access.annotation.Secured;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;

// @Secured is only honoured when a configuration class carries
// @EnableGlobalMethodSecurity(securedEnabled = true)
@Secured("ROLE_VIEWER")
public String getUsername() {
    SecurityContext securityContext = SecurityContextHolder.getContext();
    return securityContext.getAuthentication().getName();
}

So, as you can see, the getUsername() method will only be allowed for the viewer.

@Secured("ROLE_ADMIN")
public boolean isValidUsername(String username) {
     return userRoleRepository.isValidUsername(username);
}

So, as you see, the above method will only be accessible by an admin; the same annotation can be used for REST services as well. To use this facility you need to integrate Spring Security with your Spring Boot application.

<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-security</artifactId>
</dependency>

For more detail you can check out this article, but I do see this as the best way to control the data security and the service security in a Spring Boot application.

Reference: https://www.baeldung.com/spring-security-method-security

Upvotes: 0
