[Geoserver-devel] Keycloak-plugin: wrong role mapping

Hi all,

I was trying to setup GeoServer using the Keycloak-authentication-plugin following this documentation: https://docs.geoserver.org/latest/en/user/community/keycloak/index.html

I was able to connect to my Keycloak and to set it up for the ADMINISTRATOR- and AUTHENTICATED-role, as described in the example.

But when I tried to use own Keycloak-roles it wasn’t working and I was facing the same problems as the user in this GeoServer-User-mailinglist-post: http://osgeo-org.1560.x6.nabble.com/Keycloak-Roles-td5427804.html

Running the GeoServer in debug-mode I found the problem, which is caused by the used authority-mapper-class, that is trying to map the rolenames from Keycloak against the rolenames in GeoServer:

org.springframework.security.core.authority.mapping.SimpleAuthorityMapper

This SimpleAuthorityMapper-class is setting the default prefix „ROLE_“ in front of every rolename coming from Keycloak:

public final class SimpleAuthorityMapper implements GrantedAuthoritiesMapper,

InitializingBean {

private GrantedAuthority defaultAuthority;

private String prefix = “ROLE_”;

This is why it was working for the ADMINISTRATOR- and AUTHENTICATED-roles which which are system-roles in GeoServer (ROLE_ADMINISTRATOR and ROLE_AUTHENTICATED: https://docs.geoserver.org/stable/en/user/security/usergrouprole/roles.html).

To get it working I had to add the prefix „ROLE_“ to the GeoServer-Roles.

Example:

Keycloak-role: „KC_GEOSERVER“

the role in GeoServer had to be named like this: „ROLE_KC_GEOSERVER“

In my opinion this is not the expected behaviour, at least for our use-case. We want to use exactly the same rolenames in GeoServer and Keycloak.

I have found the place in the GeoServer-Keycloak-plugin-code to fix this:

https://github.com/geoserver/geoserver/blob/master/src/community/security/keycloak/src/main/java/org/geoserver/security/keycloak/GeoServerKeycloakFilter.java#L63

old code:

public GeoServerKeycloakFilter() {

this.adapterTokenStoreFactory = new SpringSecurityAdapterTokenStoreFactory();

this.authenticationMapper = new KeycloakAuthenticationProvider();

authenticationMapper.setGrantedAuthoritiesMapper(new SimpleAuthorityMapper());

}

new code:

public GeoServerKeycloakFilter() {

this.adapterTokenStoreFactory = new SpringSecurityAdapterTokenStoreFactory();

this.authenticationMapper = new KeycloakAuthenticationProvider();

SimpleAuthorityMapper simpleAuthMapper = new SimpleAuthorityMapper();

simpleAuthMapper.setPrefix(“”);

authenticationMapper.setGrantedAuthoritiesMapper(simpleAuthMapper);

}

Maybe you can add this fix to the master-branch.

Best regards,

Paul

Dear Paul,
many thanks for your investigation. That actually makes sense to me.

Can I ask to prepare a JIRA ticket and possibly a Pull Request to GeoServer for that? We should include some tests also on the Pull Request.

If you don’t have time or resources to do that, I can try to find some (not sure when though).

Thanks,
Alessio.

···

==

GeoServer Professional Services from the experts! Visit http://goo.gl/it488V for more information.

Ing. Alessio Fabiani

@alfa7691
Founder/Technical Lead

GeoSolutions S.A.S.
Via di Montramito 3/A - 55054 Massarosa (LU) - Italy
phone: +39 0584 962313
fax: +39 0584 1660272
mob: +39 331 6233686

http://www.geo-solutions.it
http://twitter.com/geosolutions_it

Con riferimento alla normativa sul trattamento dei dati personali (Reg. UE 2016/679 - Regolamento generale sulla protezione dei dati “GDPR”), si precisa che ogni circostanza inerente alla presente email (il suo contenuto, gli eventuali allegati, etc.) è un dato la cui conoscenza è riservata al/i solo/i destinatario/i indicati dallo scrivente. Se il messaggio Le è giunto per errore, è tenuta/o a cancellarlo, ogni altra operazione è illecita. Le sarei comunque grato se potesse darmene notizia.

This email is intended only for the person or entity to which it is addressed and may contain information that is privileged, confidential or otherwise protected from disclosure. We remind that - as provided by European Regulation 2016/679 “GDPR” - copying, dissemination or use of this e-mail or the information herein by anyone other than the intended recipient is prohibited. If you have received this email by mistake, please notify us immediately by telephone or e-mail.

Hi Alessio,

thank you for your answer!

I have create a JIRA ticket for this issue:

https://osgeo-org.atlassian.net/browse/GEOS-9788

But unfortunately I have currently no time to create the pull request including tests. So it would be great if you could take care of this part.

I think that additionally also the Keycloak-documentation should be updated:

https://docs.geoserver.org/latest/en/user/community/keycloak/index.html

Best regards,
Paul

···

Dear Paul,

many thanks for your investigation. That actually makes sense to me.

Can I ask to prepare a JIRA ticket and possibly a Pull Request to GeoServer for that? We should include some tests also on the Pull Request.

If you don’t have time or resources to do that, I can try to find some (not sure when though).

Thanks,

Alessio.

Il giorno mer 4 nov 2020 alle ore 14:40 Biskup, Paul <Paul.Biskup@…3654…> ha scritto:

Hi all,

I was trying to setup GeoServer using the Keycloak-authentication-plugin following this documentation: https://docs.geoserver.org/latest/en/user/community/keycloak/index.html

I was able to connect to my Keycloak and to set it up for the ADMINISTRATOR- and AUTHENTICATED-role, as described in the example.

But when I tried to use own Keycloak-roles it wasn’t working and I was facing the same problems as the user in this GeoServer-User-mailinglist-post: http://osgeo-org.1560.x6.nabble.com/Keycloak-Roles-td5427804.html

Running the GeoServer in debug-mode I found the problem, which is caused by the used authority-mapper-class, that is trying to map the rolenames from Keycloak against the rolenames in GeoServer:

org.springframework.security.core.authority.mapping.SimpleAuthorityMapper

This SimpleAuthorityMapper-class is setting the default prefix „ROLE_“ in front of every rolename coming from Keycloak:

public final class SimpleAuthorityMapper implements GrantedAuthoritiesMapper,

InitializingBean {

private GrantedAuthority defaultAuthority;

private String prefix = “ROLE_”;

This is why it was working for the ADMINISTRATOR- and AUTHENTICATED-roles which which are system-roles in GeoServer (ROLE_ADMINISTRATOR and ROLE_AUTHENTICATED: https://docs.geoserver.org/stable/en/user/security/usergrouprole/roles.html).

To get it working I had to add the prefix „ROLE_“ to the GeoServer-Roles.

Example:

Keycloak-role: „KC_GEOSERVER“

the role in GeoServer had to be named like this: „ROLE_KC_GEOSERVER“

In my opinion this is not the expected behaviour, at least for our use-case. We want to use exactly the same rolenames in GeoServer and Keycloak.

I have found the place in the GeoServer-Keycloak-plugin-code to fix this:

https://github.com/geoserver/geoserver/blob/master/src/community/security/keycloak/src/main/java/org/geoserver/security/keycloak/GeoServerKeycloakFilter.java#L63

old code:

public GeoServerKeycloakFilter() {

this.adapterTokenStoreFactory = new SpringSecurityAdapterTokenStoreFactory();

this.authenticationMapper = new KeycloakAuthenticationProvider();

authenticationMapper.setGrantedAuthoritiesMapper(new SimpleAuthorityMapper());

}

new code:

public GeoServerKeycloakFilter() {

this.adapterTokenStoreFactory = new SpringSecurityAdapterTokenStoreFactory();

this.authenticationMapper = new KeycloakAuthenticationProvider();

SimpleAuthorityMapper simpleAuthMapper = new SimpleAuthorityMapper();

simpleAuthMapper.setPrefix(“”);

authenticationMapper.setGrantedAuthoritiesMapper(simpleAuthMapper);

}

Maybe you can add this fix to the master-branch.

Best regards,

Paul


Geoserver-devel mailing list
Geoserver-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-devel

==

GeoServer Professional Services from the experts! Visit http://goo.gl/it488V for more information.

Ing. Alessio Fabiani

@alfa7691
Founder/Technical Lead

GeoSolutions S.A.S.
Via di Montramito 3/A - 55054 Massarosa (LU) - Italy
phone: +39 0584 962313
fax: +39 0584 1660272
mob: +39 331 6233686

http://www.geo-solutions.it
http://twitter.com/geosolutions_it

Con riferimento alla normativa sul trattamento dei dati personali (Reg. UE 2016/679 - Regolamento generale sulla protezione dei dati “GDPR”), si precisa che ogni circostanza inerente alla presente email (il suo contenuto, gli eventuali allegati, etc.) è un dato la cui conoscenza è riservata al/i solo/i destinatario/i indicati dallo scrivente. Se il messaggio Le è giunto per errore, è tenuta/o a cancellarlo, ogni altra operazione è illecita. Le sarei comunque grato se potesse darmene notizia.

This email is intended only for the person or entity to which it is addressed and may contain information that is privileged, confidential or otherwise protected from disclosure. We remind that - as provided by European Regulation 2016/679 “GDPR” - copying, dissemination or use of this e-mail or the information herein by anyone other than the intended recipient is prohibited. If you have received this email by mistake, please notify us immediately by telephone or e-mail.

PR created here

https://github.com/geoserver/geoserver/pull/4563

···

==

GeoServer Professional Services from the experts! Visit http://goo.gl/it488V for more information.

Ing. Alessio Fabiani

@alfa7691
Founder/Technical Lead

GeoSolutions S.A.S.
Via di Montramito 3/A - 55054 Massarosa (LU) - Italy
phone: +39 0584 962313
fax: +39 0584 1660272
mob: +39 331 6233686

http://www.geo-solutions.it
http://twitter.com/geosolutions_it

Con riferimento alla normativa sul trattamento dei dati personali (Reg. UE 2016/679 - Regolamento generale sulla protezione dei dati “GDPR”), si precisa che ogni circostanza inerente alla presente email (il suo contenuto, gli eventuali allegati, etc.) è un dato la cui conoscenza è riservata al/i solo/i destinatario/i indicati dallo scrivente. Se il messaggio Le è giunto per errore, è tenuta/o a cancellarlo, ogni altra operazione è illecita. Le sarei comunque grato se potesse darmene notizia.

This email is intended only for the person or entity to which it is addressed and may contain information that is privileged, confidential or otherwise protected from disclosure. We remind that - as provided by European Regulation 2016/679 “GDPR” - copying, dissemination or use of this e-mail or the information herein by anyone other than the intended recipient is prohibited. If you have received this email by mistake, please notify us immediately by telephone or e-mail.