问题
I have secured my rest api with Keycloak. After authentication, when I try to access rest API , I get:
403 error. Unable to access rest api. Reason !role.
In configuration I have specified role as *:
ConstraintSecurityHandler securityHandler = new ConstraintSecurityHandler();
context.setSecurityHandler(securityHandler);
securityHandler.addRole("*");
ConstraintMapping constraintMapping = new ConstraintMapping();
constraintMapping.setPathSpec("/*");
Constraint constraint = new Constraint();
constraint.setAuthenticate(true);
constraint.setRoles(new String[]{"*"});
Was my assumption of specifying any role by using '*' wrong or does the error mean something different?
I see following logs in JettyKeycloakAuthentciator logs:
2018-05-24 12:55:52,253 [DEBUG] [ers.PreAuthActionsHandler(handleRequest )] - adminRequest http://localhost:7100/api/v1/design/test 2018-05-24 12:55:52,254 [DEBUG] [TokenRequestAuthenticator(thenticateToken)] - Verifying access_token 2018-05-24 12:55:52,255 [DEBUG] [TokenRequestAuthenticator(thenticateToken)] - successful authorized 2018-05-24 12:55:52,255 [DEBUG] [JettyRequestAuthenticator(rAuthentication)] - Completing bearer authentication. Bearer roles: [uma_authorization] 2018-05-24 12:55:52,255 [DEBUG] [ters.RequestAuthenticator(eAuthentication)] - User '8f9381df-2f7e-4ff8-9ef5-2123b03db3c9' invoking 'http://localhost:7100/api/v1/design/test' on client 'my_server' 2018-05-24 12:55:52,255 [DEBUG] [ters.RequestAuthenticator(authenticate )] - Bearer AUTHENTICATED 2018-05-24 12:55:52,255 [DEBUG] [thenticatedActionsHandler(handledRequest )] - AuthenticatedActionsValve.invoke http://localhost:7100/api/v1/design/test
回答1:
Turns out the correct way to set any role is:
constraint.setRoles(new String[]{"**"});
i.e. double * and not single *
Also, I removed this line:
securityHandler.addRole("*");
来源:https://stackoverflow.com/questions/50503284/role-error-in-keycloak-while-accessing-a-resource