Paul Biskup created an issue

| Issue Type: | Bug |
|---|---|
| Affects Versions: | 2.17.2 |
| Assignee: | Unassigned |
| Components: | Community modules, Security |
| Created: | 06/Nov/20 1:11 PM |
| Priority: | Low |
| Reporter: | |

This issue refers to this GeoServer-dev mailing list post: http://osgeo-org.1560.x6.nabble.com/Keycloak-plugin-wrong-role-mapping-td5449169.html

I was trying to set up GeoServer using the Keycloak authentication plugin following this documentation: https://docs.geoserver.org/latest/en/user/community/keycloak/index.html

But when I tried to use my own Keycloak roles it wasn't working and I was facing the same problems as the user in this GeoServer-User mailing list post: http://osgeo-org.1560.x6.nabble.com/Keycloak-Roles-td5427804.html

This SimpleAuthorityMapper class is setting the default prefix "ROLE_" in front of every role name coming from Keycloak:

```java
public final class SimpleAuthorityMapper implements GrantedAuthoritiesMapper,
```

This is why it was working for the ADMINISTRATOR and AUTHENTICATED roles, which are system roles in GeoServer (ROLE_ADMINISTRATOR and ROLE_AUTHENTICATED: https://docs.geoserver.org/stable/en/user/security/usergrouprole/roles.html). To get it working you had to add the prefix "ROLE_" to the GeoServer roles.

This is not the expected behaviour. Usually you want to use exactly the same role names in GeoServer and Keycloak.

I have found the place in the GeoServer Keycloak plugin code to fix this:

old code:

```java
{
    this.adapterTokenStoreFactory = new SpringSecurityAdapterTokenStoreFactory();
    this.authenticationMapper = new KeycloakAuthenticationProvider();
    // Mapper is used with its default prefix "ROLE_"
    authenticationMapper.setGrantedAuthoritiesMapper(new SimpleAuthorityMapper());
}
```

new code:

```java
{
    this.adapterTokenStoreFactory = new SpringSecurityAdapterTokenStoreFactory();
    this.authenticationMapper = new KeycloakAuthenticationProvider();
    SimpleAuthorityMapper simpleAuthMapper = new SimpleAuthorityMapper();
    // Empty prefix: role names from Keycloak are passed through unchanged
    simpleAuthMapper.setPrefix("");
    authenticationMapper.setGrantedAuthoritiesMapper(simpleAuthMapper);
}
```

Additionally, the Keycloak documentation should also be updated.

This message was sent by Atlassian Jira (v1001.0.0-SNAPSHOT#100149-sha1:a9f85c2) |
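
The prefix behaviour described in the issue, as an added example that is not part of the original report or the GeoServer plugin code: it runs Spring Security's `SimpleAuthorityMapper` once with its default prefix and once with an empty prefix, then checks which mapped names match GeoServer role names. The role lists and the class name `KeycloakRolePrefixDemo` are constructed for illustration, and `spring-security-core` is assumed to be on the classpath.

```java
import java.util.Collection;
import java.util.List;
import java.util.Set;
import java.util.TreeSet;
import java.util.stream.Collectors;

import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.authority.mapping.SimpleAuthorityMapper;

public class KeycloakRolePrefixDemo {

    // Constructed sample: role names as delivered in a Keycloak token.
    static final List<String> KEYCLOAK_ROLES = List.of("ADMINISTRATOR", "EDITOR", "ROLE_VIEWER");

    // Constructed sample: role names defined in GeoServer (system roles plus custom ones).
    static final Set<String> GEOSERVER_ROLES =
            Set.of("ROLE_ADMINISTRATOR", "ROLE_AUTHENTICATED", "EDITOR", "ROLE_VIEWER");

    // Runs the Keycloak role names through the mapper and returns the mapped authority names.
    static Set<String> mapped(SimpleAuthorityMapper mapper) {
        List<SimpleGrantedAuthority> incoming = KEYCLOAK_ROLES.stream()
                .map(SimpleGrantedAuthority::new)
                .collect(Collectors.toList());
        Collection<? extends GrantedAuthority> out = mapper.mapAuthorities(incoming);
        return out.stream()
                .map(GrantedAuthority::getAuthority)
                .collect(Collectors.toCollection(TreeSet::new));
    }

    // Prints the mapped names and the subset that exists as a GeoServer role.
    static void report(String label, SimpleAuthorityMapper mapper) {
        Set<String> granted = mapped(mapper);
        Set<String> matched = new TreeSet<>(granted);
        matched.retainAll(GEOSERVER_ROLES);
        System.out.println(label + " -> granted " + granted + ", matching GeoServer roles " + matched);
    }

    public static void main(String[] args) {
        // Default mapper: "ROLE_" is added to names that do not already start with it.
        report("default prefix", new SimpleAuthorityMapper());

        // Mapper configured as in the proposed fix: names pass through unchanged.
        SimpleAuthorityMapper noPrefix = new SimpleAuthorityMapper();
        noPrefix.setPrefix("");
        report("empty prefix", noPrefix);
    }
}
```

With the empty prefix the Keycloak role `ADMINISTRATOR` maps to `ADMINISTRATOR`, so matching GeoServer's `ROLE_ADMINISTRATOR` then requires that exact name on the Keycloak side.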