Configure policy-enforcer to avoid intercepting public urls in keycloak and spring boot

torx · August 7, 2024, 9:41pm

We created a client resource server in keycloak and policies, permissions, scopes for resources, which works well, policy enforcer is used but the only problem that intercepts all requests (endpoint) backend including the public url which restricts and prevents access, wWe created a client resource server in keycloak and policies, permissions, scopes for resources, which works well, policy enforcer is used but the only problem that intercepts all requests (endpoint) backend including the public url which restricts and prevents access, we are new to this issue if anyone can help in indicating how to solve the problem thank you in advance.

this is the file policy-enforcer.json:e are new to this issue if anyone can help in indicating how to solve the problem thank you in advance.

this is the file policy-enforcer.json:

{
  "realm": "online",
  "auth-server-url": "http://localhost:8182",
  "resource": "client-b",
  "credentials": {
    "secret": "secret"
  }
}

this is the following code:

@Configuration @EnableWebSecurity public class OAuth2ResourceServerSecurityConfiguration {
@Value("${spring.security.oauth2.resourceserver.jwt.jwk-set-uri}")
String jwkSetUri;

@Bean
public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
    http
            .authorizeHttpRequests((authorize) -> authorize
                             .requestMatchers("/public/*").permitAll()
                    .anyRequest().authenticated()
            )
            .oauth2ResourceServer(OAuth2ResourceServerConfigurer::jwt)
            .addFilterAfter(createPolicyEnforcerFilter(), BearerTokenAuthenticationFilter.class);
    return http.build();
}

private ServletPolicyEnforcerFilter createPolicyEnforcerFilter() {
    PolicyEnforcerConfig config;

    try {
        config = JsonSerialization.readValue(getClass().getResourceAsStream("/policy-enforcer.json"), PolicyEnforcerConfig.class);
    } catch (IOException e) {
        throw new RuntimeException(e);
    }
    return new ServletPolicyEnforcerFilter(new ConfigurationResolver() {
        @Override
        public PolicyEnforcerConfig resolve(HttpRequest request) {
            return config;
        }
    });
}

@Bean
JwtDecoder jwtDecoder() {
    return NimbusJwtDecoder.withJwkSetUri(this.jwkSetUri).build();
}
}

The routes were added manually in the file policy-enforcer.json following the keycloak documentation, it was done so that the keycloak resource server only uses the determined urls excluding the public url but it did not work, it still restricts the public url.

{
  "realm": "online",
  "auth-server-url": "http://localhost:8182",
  "resource": "client-b",
  "credentials": {
    "secret": "secret"
  }
  "enforcement-mode" : "ENFORCING",
  "paths": [
    {
      "path" : "/archive/*",
      "methods" : [
        {
          "method": "GET",
          "scopes" : ["urn:client-b:access"]
        }
      ]
    }
    {
      "path" : "/send/create",
      "methods" : [
        {
          "method": "POST",
          "scopes" : ["urn:client-b:send:create"]
        }
      ]
    }
  ]
}

thomasavio · October 2, 2024, 1:19pm

@torx

You can disable enforcer for paths in PolicyEnforcerConfig
exmaple:

    private ServletPolicyEnforcerFilter createPolicyEnforcerFilter() {
        PolicyEnforcerConfig config;

        try {
            config = JsonSerialization.readValue(getClass().getResourceAsStream("/policy-enforcer.json"), PolicyEnforcerConfig.class);
            addExcludedPaths(config);
        } catch (IOException e) {
            throw new RuntimeException(e);
        }
        return new ServletPolicyEnforcerFilter(new ConfigurationResolver() {
            @Override
            public PolicyEnforcerConfig resolve(HttpRequest request) {
                return config;
            }
        });
    }

        private void addExcludedPaths(PolicyEnforcerConfig config) {
        List<String> excludeUrls = List.of("/api/public/*","/api/some-other-path/*");
        List<PolicyEnforcerConfig.PathConfig> paths = new ArrayList<>();
        for (String url : excludeUrls) {
            PolicyEnforcerConfig.PathConfig excludedPath = new PolicyEnforcerConfig.PathConfig();
            excludedPath.setPath(url);
            excludedPath.setEnforcementMode(PolicyEnforcerConfig.EnforcementMode.DISABLED);
            paths.add(excludedPath);
        }
        config.setPaths(paths);
    }

veeramanins · November 5, 2024, 2:58pm

We have tried this exclude urls it won’t work for us.Still it is checking for the authentication call over the console to get the response for the path.

Topic		Replies	Views
Ignoring policy enforcement for url patterns not specified in Spring Boot configuration Securing applications adapter-java , authentication	4	3993	June 24, 2021
Ignoring policy enforcement for public url patterns in Spring Boot configuration or keycloak console Securing applications authentication	0	350	May 22, 2023
Ignoring the application of policy to public url patterns that are part of default resources in the Spring Boot setup or the Keycloak console Configuring the server admin-console , authentication , identity-brokering , oidc	0	480	June 8, 2023
Setting Up Policy-Enforcer in Keycloak Securing applications	0	1609	May 26, 2020
Is it possible to create policy enforcer resources with same url? Securing applications	0	409	April 4, 2022

Configure policy-enforcer to avoid intercepting public urls in keycloak and spring boot

Related Topics