Comments (8)
No, it shouldn't. Prefixing authorities with `ROLE_` is an implementation choice inside authorities mappers, and `authorities` in test annotations are designed to hold already mapped authorities (mappers can make any kind of transformation).
At some point, both `authorities` and `roles` were exposed in my test annotations, the second adding the `ROLE_` prefix. This was leading to more confusion than help and I removed the less generic one (couldn't make authorities with another prefix or no prefix at all with `roles`).
from spring-addons.
Hmm, I agree that this is an implementation choice inside the mappers, but this choice only needs to be made because Spring Boot made the choice to have `ROLE_` as the default prefix (if not configured otherwise), as can be seen here: ExpressionUrlAuthorizationConfigurer.java#L116.
Maybe it's just my opinion, but as this is a library that enhances SPRING, it'd be absolutely sane to apply the Spring Boot defaults (like `ROLE_`) and let people override them if they want.
Of course one can override the default prefix in Spring Boot using something like below, but again: it does not feel natural to alter working production code in order to make tests work more seamlessly.

```kotlin
// Overrides the role prefix Spring Security uses for hasRole()/hasAnyRole()
@Bean
fun grantedAuthorityDefaults(): GrantedAuthorityDefaults {
    return GrantedAuthorityDefaults("YOUR_PREFIX")
}
```
Maybe I should completely remove the adding of realm and resource access roles to authorities, to avoid confusion.
You need certain authorities with prefix, suffix, case tweaking or whatever in a test? Put it like it needs to be in the `authorities` property. It's made for that.
Any spring-boot application explicitly providing a `GrantedAuthoritiesMapper` bean can do about anything with authorities and the test annotation can hardly figure out what. Most production spring-boot apps I know configure such a bean.
If you take a look into the spring-security-core `org.springframework.security.core.authority.mapping` package you'll see that:
- `SimpleAuthorityMapper` does add the `ROLE_` prefix
- `NullAuthoritiesMapper` doesn't
Maybe you are using `hasRole` or `hasAnyRole` rather than `hasAuthority` or `hasAnyAuthority` to think that the "ROLE_" prefix is a convention?
Anyhow, I'll try to see if I can detect a `GrantedAuthoritiesMapper` `@Bean` in test configuration and use it when extracting Keycloak roles, but not today.
Okay, I do get your point and I also agree (though not wholeheartedly 😄 )
Thanks for looking into it and thank you for the productive discussion and blazingly fast response - this is open source spirit!!
> Maybe you are using `hasRole` or `hasAnyRole` rather than `hasAuthority` or `hasAnyAuthority` to think that the "ROLE_" prefix is a convention?

Yes, I do. My security configuration relies on `hasRole` instead of `hasAuthority`, and the `hasRole` convenience method adds the `ROLE_` prefix. But I understand that there are other "authorities" than roles.
But I can also live with "configure authorities as Spring Boot would, and you are happy in tests". 👍
So looking a little further, the configured `GrantedAuthoritiesMapper` is already injected, and if something other than `NullAuthoritiesMapper` is configured, it should process authorities.
Can you provide me with your Keycloak configuration?
By the way, my very simple Keycloak spring-boot conf does not alter roles.
Okay, I got it now:
- As I am using the `hasRole(...)` function, Spring Boot appends `ROLE_` in the SpEL while assessing the roles
- Therefore I needed to configure the `SimpleAuthorityMapper` in my Keycloak configuration
- Your library expects a `GrantedAuthoritiesMapper` to be injected, however imho it's normally not injected, but rather instantiated in place like so:

```kotlin
@KeycloakConfiguration
@EnableGlobalMethodSecurity(prePostEnabled = true)
class KeycloakSecurityConfiguration : KeycloakWebSecurityConfigurerAdapter() {
    // .. other config

    @Autowired
    fun configureGlobal(auth: AuthenticationManagerBuilder) {
        val keycloakAuthenticationProvider = keycloakAuthenticationProvider()
        // mapper created in place, so no GrantedAuthoritiesMapper bean exists in the context
        keycloakAuthenticationProvider.setGrantedAuthoritiesMapper(SimpleAuthorityMapper())
        auth.authenticationProvider(keycloakAuthenticationProvider)
    }
}
```

- This leads to your library not finding the bean and thus not injecting it

There are two possible solutions now:
- I don't use `hasRole(..)` but rather `hasAuthority(...)` and can rely on the default implementation `NullAuthoritiesMapper`
- I keep on using `hasRole(...)`, but instead of creating the `SimpleAuthorityMapper` in place I expose it as a `@Bean` and your framework picks it up automatically (one drawback: it needs to be registered outside the `KeycloakSecurityConfiguration`, since otherwise it'd be a cyclic dependency)

This can be closed then, as your library offers everything it should from my perspective.
Thanks for your amazing work and support!
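As an added example (not code from the thread above or from spring-addons), the second solution in Kotlin: the `SimpleAuthorityMapper` is exposed as a `@Bean` from a separate configuration class (hypothetical name `AuthoritiesMapperConfiguration`) and injected into the Keycloak provider, followed by a unit test showing what the mapper does to unprefixed and already-prefixed authorities.

```kotlin
import org.junit.jupiter.api.Assertions.assertEquals
import org.junit.jupiter.api.Test
import org.keycloak.adapters.springsecurity.KeycloakConfiguration
import org.keycloak.adapters.springsecurity.config.KeycloakWebSecurityConfigurerAdapter
import org.springframework.beans.factory.annotation.Autowired
import org.springframework.context.annotation.Bean
import org.springframework.context.annotation.Configuration
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity
import org.springframework.security.core.authority.SimpleGrantedAuthority
import org.springframework.security.core.authority.mapping.GrantedAuthoritiesMapper
import org.springframework.security.core.authority.mapping.SimpleAuthorityMapper

// Hypothetical separate configuration class: the mapper bean lives outside the
// Keycloak security configuration, so the two do not depend on each other
// (defining it inside KeycloakSecurityConfiguration would be cyclic).
@Configuration
class AuthoritiesMapperConfiguration {
    @Bean
    fun grantedAuthoritiesMapper(): GrantedAuthoritiesMapper =
        SimpleAuthorityMapper() // adds ROLE_ to any authority that lacks it
}

@KeycloakConfiguration
@EnableGlobalMethodSecurity(prePostEnabled = true)
class KeycloakSecurityConfiguration(
    private val authoritiesMapper: GrantedAuthoritiesMapper // the bean above
) : KeycloakWebSecurityConfigurerAdapter() {

    @Autowired
    fun configureGlobal(auth: AuthenticationManagerBuilder) {
        val provider = keycloakAuthenticationProvider()
        // Same mapper instance the test annotations can find in the context
        provider.setGrantedAuthoritiesMapper(authoritiesMapper)
        auth.authenticationProvider(provider)
    }
}

class SimpleAuthorityMapperTest {
    @Test
    fun `unprefixed roles get ROLE_, prefixed ones are left alone`() {
        // Constructed sample authorities, as Keycloak realm roles might arrive
        val raw = listOf("user", "ROLE_admin").map { SimpleGrantedAuthority(it) }
        val mapped = SimpleAuthorityMapper().mapAuthorities(raw).map { it.authority }.toSet()
        assertEquals(setOf("ROLE_user", "ROLE_admin"), mapped)
    }
}
```

With the bean in place, `hasRole("user")` matches a Keycloak realm role `user`, and a test annotation that declares the already mapped `ROLE_user` in its `authorities` property matches the same rule.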