Dear Paul, many thanks for your investigation. That actually makes sense to me.
Can I ask to prepare a JIRA ticket and possibly a Pull Request to GeoServer for that? We should include some tests also on the Pull Request. If you don't have time or resources to do that, I can try to find some (not sure when though). Thanks, Alessio. Il giorno mer 4 nov 2020 alle ore 14:40 Biskup, Paul < [email protected]> ha scritto: > Hi all, > > > > I was trying to setup GeoServer using the Keycloak-authentication-plugin > following this documentation: > https://docs.geoserver.org/latest/en/user/community/keycloak/index.html > > I was able to connect to my Keycloak and to set it up for the > ADMINISTRATOR- and AUTHENTICATED-role, as described in the example. > > > > But when I tried to use own Keycloak-roles it wasn’t working and I was > facing the same problems as the user in this > GeoServer-User-mailinglist-post: > http://osgeo-org.1560.x6.nabble.com/Keycloak-Roles-td5427804.html > > Running the GeoServer in debug-mode I found the problem, which is caused > by the used authority-mapper-class, that is trying to map the rolenames > from Keycloak against the rolenames in GeoServer: > > > org.springframework.security.core.authority.mapping.SimpleAuthorityMapper > > > > This SimpleAuthorityMapper-class is setting the default prefix „ROLE_“ in > front of every rolename coming from Keycloak: > > *public* *final* *class* SimpleAuthorityMapper *implements* > GrantedAuthoritiesMapper, > > InitializingBean { > > *private* GrantedAuthority defaultAuthority; > > *private* String prefix = "ROLE_"; > > > > This is why it was working for the ADMINISTRATOR- and AUTHENTICATED-roles > which which are system-roles in GeoServer (ROLE_ADMINISTRATOR and > ROLE_AUTHENTICATED: > https://docs.geoserver.org/stable/en/user/security/usergrouprole/roles.html > ). > > > > To get it working I had to add the prefix „ROLE_“ to the GeoServer-Roles. > > Example: > > Keycloak-role: „KC_GEOSERVER“ > > the role in GeoServer had to be named like this: > „ROLE_KC_GEOSERVER“ > > > > In my opinion this is not the expected behaviour, at least for our > use-case. We want to use exactly the same rolenames in GeoServer and > Keycloak. > > > > I have found the place in the GeoServer-Keycloak-plugin-code to fix this: > > > https://github.com/geoserver/geoserver/blob/master/src/community/security/keycloak/src/main/java/org/geoserver/security/keycloak/GeoServerKeycloakFilter.java#L63 > > > > old code: > > public GeoServerKeycloakFilter() { > > this.adapterTokenStoreFactory = new > SpringSecurityAdapterTokenStoreFactory(); > > this.authenticationMapper = new KeycloakAuthenticationProvider(); > > authenticationMapper.setGrantedAuthoritiesMapper(new > SimpleAuthorityMapper()); > > } > > > > new code: > > public GeoServerKeycloakFilter() { > > this.adapterTokenStoreFactory = new > SpringSecurityAdapterTokenStoreFactory(); > > this.authenticationMapper = new KeycloakAuthenticationProvider(); > > SimpleAuthorityMapper simpleAuthMapper = new > SimpleAuthorityMapper(); > > simpleAuthMapper.setPrefix(""); > > authenticationMapper.setGrantedAuthoritiesMapper(simpleAuthMapper > ); > > } > > > > Maybe you can add this fix to the master-branch. > > > > Best regards, > > Paul > _______________________________________________ > Geoserver-devel mailing list > [email protected] > https://lists.sourceforge.net/lists/listinfo/geoserver-devel > -- == GeoServer Professional Services from the experts! Visit http://goo.gl/it488V for more information. == Ing. Alessio Fabiani @alfa7691 Founder/Technical Lead GeoSolutions S.A.S. Via di Montramito 3/A - 55054 Massarosa (LU) - Italy phone: +39 0584 962313 fax: +39 0584 1660272 mob: +39 331 6233686 http://www.geo-solutions.it http://twitter.com/geosolutions_it ------------------------------------------------------- Con riferimento alla normativa sul trattamento dei dati personali (Reg. UE 2016/679 - Regolamento generale sulla protezione dei dati “GDPR”), si precisa che ogni circostanza inerente alla presente email (il suo contenuto, gli eventuali allegati, etc.) è un dato la cui conoscenza è riservata al/i solo/i destinatario/i indicati dallo scrivente. Se il messaggio Le è giunto per errore, è tenuta/o a cancellarlo, ogni altra operazione è illecita. Le sarei comunque grato se potesse darmene notizia. This email is intended only for the person or entity to which it is addressed and may contain information that is privileged, confidential or otherwise protected from disclosure. We remind that - as provided by European Regulation 2016/679 “GDPR” - copying, dissemination or use of this e-mail or the information herein by anyone other than the intended recipient is prohibited. If you have received this email by mistake, please notify us immediately by telephone or e-mail.
_______________________________________________ Geoserver-devel mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/geoserver-devel
