I try to secure my application with the springboot adapter. After digging inside the source code, i have see something that seems to be a bug inside the implementation.
Inside the KeycloakAdapterPolicyEnforcer class, the method getPermissionTicket that retrieve permissions for a user contains this :
private String getPermissionTicket(PathConfig pathConfig, PolicyEnforcerConfig.MethodConfig methodConfig, AuthzClient authzClient, OIDCHttpFacade httpFacade) {
if (getEnforcerConfig().getUserManagedAccess() != null) {
ProtectionResource protection = authzClient.protection();
PermissionResource permission = protection.permission();
PermissionRequest permissionRequest = new PermissionRequest();
permissionRequest.setResourceId(pathConfig.getId());
permissionRequest.setScopes(new HashSet<>(methodConfig.getScopes()));
Map<String, List<String>> claims = resolveClaims(pathConfig, httpFacade);
if (!claims.isEmpty()) {
permissionRequest.setClaims(claims);
}
return permission.create(permissionRequest).getTicket();
}
return null;
}
getEnforcerConfig().getUserManagedAccess() != null
is always null if you have not defined the keycloak.policy-enforcer-config.user-managed-access property inside the application.properties.
But i can't define it because of the PolicyEnforcerConfig
class that defines the field userManagedAccess as a UserManagedAccessConfig object
@JsonProperty("user-managed-access")
@JsonInclude(JsonInclude.Include.NON_NULL)
private UserManagedAccessConfig userManagedAccess;
but not provides any jackson convertor to passe from String to UserManagedAccessConfig
Without this config property set, the adapter just reject every requests. Any workaround for this issue?
Yeah, I just use a bean instead of property file. Something like this :
@SpringBootApplication(exclude = SecurityAutoConfiguration.class)
@EnableTransactionManagement
public class DemoApplication {
public static void main(String[] args) {
SpringApplication.run(DemoApplication.class, args);
}
@Bean
@Primary
public KeycloakSpringBootProperties properties() {
final KeycloakSpringBootProperties props = new KeycloakSpringBootProperties();
final PolicyEnforcerConfig policyEnforcerConfig = new PolicyEnforcerConfig();
policyEnforcerConfig.setEnforcementMode(EnforcementMode.ENFORCING);
policyEnforcerConfig.setUserManagedAccess(new UserManagedAccessConfig());
props.setPolicyEnforcerConfig(policyEnforcerConfig);
return props;
}
}