Hi Alessio,

thank you for your answer!
I have created a JIRA ticket for this issue:
https://osgeo-org.atlassian.net/browse/GEOS-9788

But unfortunately I currently have no time to create the pull request including 
tests. So it would be great if you could take care of this part.
I think that the Keycloak documentation should also be updated:
https://docs.geoserver.org/latest/en/user/community/keycloak/index.html
Best regards,
Paul


From: Alessio Fabiani <alessio.fabi...@geo-solutions.it>
Sent: Friday, 6 November 2020 11:59
To: Biskup, Paul <paul.bis...@fit.fichtner.de>
Cc: geoserver-devel@lists.sourceforge.net
Subject: Re: [Geoserver-devel] Keycloak-plugin: wrong role mapping

Dear Paul,
many thanks for your investigation. That actually makes sense to me.

Can I ask to prepare a JIRA ticket and possibly a Pull Request to GeoServer for 
that? We should include some tests also on the Pull Request.

If you don't have time or resources to do that, I can try to find some (not 
sure when though).

Thanks,
Alessio.



On Wed, 4 Nov 2020 at 14:40 Biskup, Paul <paul.bis...@fit.fichtner.de> wrote:
Hi all,

I was trying to set up GeoServer using the Keycloak authentication plugin 
following this documentation: 
https://docs.geoserver.org/latest/en/user/community/keycloak/index.html
I was able to connect to my Keycloak and to set it up for the ADMINISTRATOR 
and AUTHENTICATED roles, as described in the example.

But when I tried to use my own Keycloak roles it wasn't working and I was facing 
the same problems as the user in this GeoServer users mailing list post: 
http://osgeo-org.1560.x6.nabble.com/Keycloak-Roles-td5427804.html
Running GeoServer in debug mode I found the problem, which is caused by the 
authority mapper class used to map the role names from Keycloak against the 
role names in GeoServer:

org.springframework.security.core.authority.mapping.SimpleAuthorityMapper

This SimpleAuthorityMapper class sets the default prefix "ROLE_" in front 
of every role name coming from Keycloak:

public final class SimpleAuthorityMapper implements GrantedAuthoritiesMapper,
        InitializingBean {
    private GrantedAuthority defaultAuthority;
    private String prefix = "ROLE_";

This is why it was working for the ADMINISTRATOR and AUTHENTICATED roles, 
which are system roles in GeoServer (ROLE_ADMINISTRATOR and ROLE_AUTHENTICATED: 
https://docs.geoserver.org/stable/en/user/security/usergrouprole/roles.html).

To get it working I had to add the prefix "ROLE_" to the GeoServer roles.
Example:
    Keycloak role:                                   "KC_GEOSERVER"
    the role in GeoServer had to be named like this: "ROLE_KC_GEOSERVER"

In my opinion this is not the expected behaviour, at least for our use case. We 
want to use exactly the same role names in GeoServer and Keycloak.

I have found the place in the GeoServer Keycloak plugin code to fix this:
https://github.com/geoserver/geoserver/blob/master/src/community/security/keycloak/src/main/java/org/geoserver/security/keycloak/GeoServerKeycloakFilter.java#L63

old code:
    public GeoServerKeycloakFilter() {
        this.adapterTokenStoreFactory = new SpringSecurityAdapterTokenStoreFactory();
        this.authenticationMapper = new KeycloakAuthenticationProvider();
        authenticationMapper.setGrantedAuthoritiesMapper(new SimpleAuthorityMapper());
    }

new code:
    public GeoServerKeycloakFilter() {
        this.adapterTokenStoreFactory = new SpringSecurityAdapterTokenStoreFactory();
        this.authenticationMapper = new KeycloakAuthenticationProvider();
        SimpleAuthorityMapper simpleAuthMapper = new SimpleAuthorityMapper();
        simpleAuthMapper.setPrefix("");
        authenticationMapper.setGrantedAuthoritiesMapper(simpleAuthMapper);
    }

Maybe you can add this fix to the master branch.

Best regards,
Paul
_______________________________________________
Geoserver-devel mailing list
Geoserver-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-devel


--

==

GeoServer Professional Services from the experts! Visit 
http://goo.gl/it488V for more information.
==
Ing. Alessio Fabiani

@alfa7691
Founder/Technical Lead



GeoSolutions S.A.S.
Via di Montramito 3/A - 55054  Massarosa (LU) - Italy
phone: +39 0584 962313
fax:     +39 0584 1660272
mob:   +39 331 6233686

http://www.geo-solutions.it
http://twitter.com/geosolutions_it
-------------------------------------------------------

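The prefixing behaviour discussed in the thread, shown as an added demonstration that is not code from the messages above or from the GeoServer project. It assumes Spring Security's SimpleAuthorityMapper and SimpleGrantedAuthority on the classpath; the Keycloak and GeoServer role names are constructed sample values.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import java.util.stream.Collectors;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.authority.mapping.SimpleAuthorityMapper;

public class KeycloakRolePrefixDemo {

    // Role names as they would arrive from Keycloak (constructed sample values).
    static final List<String> KEYCLOAK_ROLES =
            Arrays.asList("ADMINISTRATOR", "AUTHENTICATED", "KC_GEOSERVER", "ROLE_ADMINISTRATOR");

    // Role names defined on the GeoServer side that the mapped authorities must match.
    static final Set<String> GEOSERVER_ROLES = new HashSet<>(
            Arrays.asList("ROLE_ADMINISTRATOR", "ROLE_AUTHENTICATED", "KC_GEOSERVER"));

    /** Runs the Keycloak role names through a SimpleAuthorityMapper configured with the given prefix. */
    static Set<String> mapRoles(String prefix) {
        SimpleAuthorityMapper mapper = new SimpleAuthorityMapper();
        mapper.setPrefix(prefix); // "ROLE_" is Spring's default; "" is the change proposed in the thread
        List<GrantedAuthority> fromKeycloak = KEYCLOAK_ROLES.stream()
                .<GrantedAuthority>map(SimpleGrantedAuthority::new)
                .collect(Collectors.toList());
        return mapper.mapAuthorities(fromKeycloak).stream()
                .map(GrantedAuthority::getAuthority)
                .collect(Collectors.toSet());
    }

    static void report(String label, Set<String> mapped) {
        System.out.println(label);
        for (String role : mapped) {
            System.out.printf("  %-22s %s%n", role,
                    GEOSERVER_ROLES.contains(role) ? "-> matches a GeoServer role" : "-> no GeoServer role");
        }
    }

    public static void main(String[] args) {
        // Default prefix: "ROLE_" is put in front of every name that does not already start with it,
        // so KC_GEOSERVER becomes ROLE_KC_GEOSERVER and no longer matches the GeoServer role.
        report("prefix \"ROLE_\" (current plugin behaviour):", mapRoles("ROLE_"));
        // Empty prefix: every name passes through unchanged, so KC_GEOSERVER matches as-is, but the
        // documentation's ADMINISTRATOR / AUTHENTICATED roles no longer become ROLE_* system roles.
        report("prefix \"\" (proposed fix):", mapRoles(""));
    }
}
```

The second run shows why the documentation example needs updating alongside the code change: with an empty prefix, the Keycloak roles for GeoServer's system roles must be named ROLE_ADMINISTRATOR and ROLE_AUTHENTICATED in full.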
