Paul Biskup ( https://osgeo-org.atlassian.net/secure/ViewProfile.jspa?accountId=557058%3A9bf17e12-ea76-46f0-ac1e-5adcaf96292a ) *created* an issue
GeoServer ( https://osgeo-org.atlassian.net/browse/GEOS?atlOrigin=eyJpIjoiNmZjYzc1YzI5MDE3NGYwOWE3YmJkM2ExZDA1OTcyN2EiLCJwIjoiaiJ9 ) / Bug GEOS-9788: Keycloak-plugin wrong role mapping ( https://osgeo-org.atlassian.net/browse/GEOS-9788?atlOrigin=eyJpIjoiNmZjYzc1YzI5MDE3NGYwOWE3YmJkM2ExZDA1OTcyN2EiLCJwIjoiaiJ9 )

Issue Type: Bug
Affects Versions: 2.17.2
Assignee: Unassigned
Components: Community modules, Security
Created: 06/Nov/20 1:11 PM
Priority: Low
Reporter: Paul Biskup ( https://osgeo-org.atlassian.net/secure/ViewProfile.jspa?accountId=557058%3A9bf17e12-ea76-46f0-ac1e-5adcaf96292a )

This issue refers to this GeoServer-dev mailing list post: http://osgeo-org.1560.x6.nabble.com/Keycloak-plugin-wrong-role-mapping-td5449169.html

I was trying to set up GeoServer using the Keycloak authentication plugin following this documentation: https://docs.geoserver.org/latest/en/user/community/keycloak/index.html

I was able to connect to my Keycloak and to set it up for the ADMINISTRATOR and AUTHENTICATED roles, as described in the example.
But when I tried to use my own Keycloak roles it wasn't working and I was facing the same problems as the user in this GeoServer-User mailing list post: http://osgeo-org.1560.x6.nabble.com/Keycloak-Roles-td5427804.html

Running the GeoServer in debug mode I found the problem, which is caused by the authority mapper class used, which tries to map the role names from Keycloak against the role names in GeoServer: *org.springframework.security.core.authority.mapping.SimpleAuthorityMapper*

This SimpleAuthorityMapper class sets the default prefix "ROLE_" in front of every role name coming from Keycloak:

    public final class SimpleAuthorityMapper implements GrantedAuthoritiesMapper, InitializingBean {
        private GrantedAuthority defaultAuthority;
        private String prefix = "ROLE_";

This is why it was working for the ADMINISTRATOR and AUTHENTICATED roles, which are system roles in GeoServer (ROLE_ADMINISTRATOR and ROLE_AUTHENTICATED: https://docs.geoserver.org/stable/en/user/security/usergrouprole/roles.html ).

To get it working you had to add the prefix "ROLE_" to the GeoServer roles. Example: for the Keycloak role "KC_GEOSERVER", the role in GeoServer had to be named like this: "ROLE_KC_GEOSERVER".

This is not the expected behaviour. Usually you want to use exactly the same role names in GeoServer and Keycloak.
I have found the place in the GeoServer Keycloak plugin code to fix this: https://github.com/geoserver/geoserver/blob/master/src/community/security/keycloak/src/main/java/org/geoserver/security/keycloak/GeoServerKeycloakFilter.java#L63

old code:

    public GeoServerKeycloakFilter() {
        this.adapterTokenStoreFactory = new SpringSecurityAdapterTokenStoreFactory();
        this.authenticationMapper = new KeycloakAuthenticationProvider();
        authenticationMapper.setGrantedAuthoritiesMapper(new SimpleAuthorityMapper());
    }

new code:

    public GeoServerKeycloakFilter() {
        this.adapterTokenStoreFactory = new SpringSecurityAdapterTokenStoreFactory();
        this.authenticationMapper = new KeycloakAuthenticationProvider();
        // clear the default "ROLE_" prefix so Keycloak role names are passed through unchanged
        SimpleAuthorityMapper simpleAuthMapper = new SimpleAuthorityMapper();
        simpleAuthMapper.setPrefix("");
        authenticationMapper.setGrantedAuthoritiesMapper(simpleAuthMapper);
    }

Additionally, the Keycloak documentation should also be updated.
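The following is an added example, not code from the GeoServer Keycloak plugin or from the issue above. It runs Spring Security's real SimpleAuthorityMapper over a constructed list of Keycloak role names, once with the default "ROLE_" prefix (the plugin's original constructor) and once with the prefix cleared (the proposed fix), and checks each result against a constructed set of GeoServer role names. The role names, the GEOSERVER_ROLES set and the class name KeycloakRoleMappingDemo are assumptions for illustration; only spring-security-core needs to be on the classpath.

```java
// Added example (not GeoServer or Keycloak-plugin code): demonstrates how
// SimpleAuthorityMapper rewrites incoming role names with and without the
// default "ROLE_" prefix. Assumes spring-security-core on the classpath.
import java.util.Arrays;
import java.util.Collection;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import java.util.stream.Collectors;

import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.authority.mapping.SimpleAuthorityMapper;

public class KeycloakRoleMappingDemo {

    // Constructed: role names as a GeoServer role service would hold them.
    // ROLE_ADMINISTRATOR and ROLE_AUTHENTICATED are GeoServer system roles;
    // KC_GEOSERVER stands in for a custom role named exactly as in Keycloak.
    static final Set<String> GEOSERVER_ROLES = new HashSet<>(
            Arrays.asList("ROLE_ADMINISTRATOR", "ROLE_AUTHENTICATED", "KC_GEOSERVER"));

    // Constructed: role names as they would arrive from the Keycloak token.
    static final List<String> KEYCLOAK_ROLES = Arrays.asList("ADMINISTRATOR", "KC_GEOSERVER");

    // Wraps plain role names as GrantedAuthority objects, as the Keycloak
    // adapter would before handing them to the mapper.
    static Collection<GrantedAuthority> asAuthorities(List<String> names) {
        return names.stream().map(SimpleGrantedAuthority::new).collect(Collectors.toList());
    }

    // Runs the mapper and returns the resulting authority strings.
    static Set<String> mapRoles(SimpleAuthorityMapper mapper, List<String> keycloakRoles) {
        return mapper.mapAuthorities(asAuthorities(keycloakRoles)).stream()
                .map(GrantedAuthority::getAuthority)
                .collect(Collectors.toSet());
    }

    // Prints, for each mapped name, whether GeoServer would recognise it.
    static void report(String label, Set<String> mapped) {
        System.out.println(label);
        for (String role : mapped) {
            boolean known = GEOSERVER_ROLES.contains(role);
            System.out.println("  " + role
                    + (known ? " : matches a GeoServer role" : " : no matching GeoServer role"));
        }
    }

    public static void main(String[] args) {
        // Default mapper, as in the plugin's original constructor: "ROLE_" is
        // prepended to every name that does not already start with it.
        SimpleAuthorityMapper withPrefix = new SimpleAuthorityMapper();
        report("default prefix \"ROLE_\":", mapRoles(withPrefix, KEYCLOAK_ROLES));

        // Mapper with the prefix cleared, as in the proposed fix: names are
        // passed through unchanged.
        SimpleAuthorityMapper noPrefix = new SimpleAuthorityMapper();
        noPrefix.setPrefix("");
        report("empty prefix:", mapRoles(noPrefix, KEYCLOAK_ROLES));
    }
}
```

Running it shows the two sides of the trade-off in the fix: with the default prefix the Keycloak role ADMINISTRATOR becomes ROLE_ADMINISTRATOR and is recognised as the system role, while KC_GEOSERVER becomes ROLE_KC_GEOSERVER and is not recognised unless the GeoServer role is renamed; with the prefix cleared, KC_GEOSERVER matches as-is, but a Keycloak role that is meant to grant GeoServer administration must then be named ROLE_ADMINISTRATOR itself, which is the point on which the documentation would need to change. Either way a mismatch fails closed (the user simply lacks the role), so a mapping error shows up as unexplained authorization denials rather than as extra privilege; logging the mapped authority set at debug level, as the reporter did, is the quickest way to confirm which names are actually being compared.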
_______________________________________________ Geoserver-devel mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/geoserver-devel
