
Example 1 with AuthorizationDeniedException

Use of org.keycloak.authorization.client.AuthorizationDeniedException in project keycloak by keycloak.

From class RolePolicyTest, method testUserWithoutExpectedRole. The test covers a role-based policy: the user kolo, who lacks "Role A", is refused an RPT for "Resource A" (the authz client turns the 403 from the token endpoint into AuthorizationDeniedException), is still granted "Resource B", and is granted "Resource A" once the realm role is added to the account through the admin API.

@Test
public void testUserWithoutExpectedRole() {
    AuthzClient authzClient = getAuthzClient();
    // The resource server registers a permission ticket for "Resource A" with its own PAT (protection()).
    PermissionRequest request = new PermissionRequest("Resource A");
    String ticket = authzClient.protection().permission().create(request).getTicket();
    try {
        // kolo exchanges the ticket for an RPT. The role policy on "Resource A" requires "Role A",
        // so the token endpoint answers 403 and the client wraps it in AuthorizationDeniedException.
        authzClient.authorization("kolo", "password").authorize(new AuthorizationRequest(ticket));
        fail("Should fail because user is not granted with expected role");
    } catch (AuthorizationDeniedException ignore) {
        // expected: access denied
    }
    // The same user is allowed on "Resource B", so that ticket is exchanged for an RPT.
    request.setResourceId("Resource B");
    ticket = authzClient.protection().permission().create(request).getTicket();
    assertNotNull(authzClient.authorization("kolo", "password").authorize(new AuthorizationRequest(ticket)));
    // Grant "Role A" at realm level through the admin API and retry "Resource A": now permitted.
    UserRepresentation user = getRealm().users().search("kolo").get(0);
    RoleRepresentation roleA = getRealm().roles().get("Role A").toRepresentation();
    getRealm().users().get(user.getId()).roles().realmLevel().add(Arrays.asList(roleA));
    request.setResourceId("Resource A");
    ticket = authzClient.protection().permission().create(request).getTicket();
    assertNotNull(authzClient.authorization("kolo", "password").authorize(new AuthorizationRequest(ticket)));
}
Also used : RoleRepresentation(org.keycloak.representations.idm.RoleRepresentation) PermissionRequest(org.keycloak.representations.idm.authorization.PermissionRequest) AuthorizationDeniedException(org.keycloak.authorization.client.AuthorizationDeniedException) AuthzClient(org.keycloak.authorization.client.AuthzClient) AuthorizationRequest(org.keycloak.representations.idm.authorization.AuthorizationRequest) UserRepresentation(org.keycloak.representations.idm.UserRepresentation) Test(org.junit.Test)

Example 2 with AuthorizationDeniedException

Use of org.keycloak.authorization.client.AuthorizationDeniedException in project keycloak by keycloak.

From class RolePolicyTest, method testUserWithGroupRole. Here the role arrives through group membership: alice can reach "Resource C" while she belongs to "Group B", loses it as soon as she leaves the group (the very same permission ticket is exchanged again and is now refused), is refused "Resource A", and gains "Resource A" after joining "Group A". The test shows that policies are evaluated when the RPT is requested, so a membership change takes effect on the next token request without any new ticket.

@Test
public void testUserWithGroupRole() throws InterruptedException {
    AuthzClient authzClient = getAuthzClient();
    PermissionRequest request = new PermissionRequest();
    request.setResourceId("Resource C");
    String ticket = authzClient.protection().permission().create(request).getTicket();
    // alice holds the required role through "Group B", so the ticket is exchanged for an RPT.
    assertNotNull(authzClient.authorization("alice", "password").authorize(new AuthorizationRequest(ticket)));
    UserRepresentation user = getRealm().users().search("alice").get(0);
    GroupRepresentation groupB = getRealm().groups().groups().stream().filter(representation -> "Group B".equals(representation.getName())).findFirst().get();
    getRealm().users().get(user.getId()).leaveGroup(groupB.getId());
    try {
        // Same ticket, same credentials: the group-derived role is gone, so the exchange is refused.
        // The decision is made at RPT issuance, not when the ticket was created.
        authzClient.authorization("alice", "password").authorize(new AuthorizationRequest(ticket));
        fail("Should fail because user is not granted with expected role");
    } catch (AuthorizationDeniedException ignore) {
        // expected: access denied
    }
    // "Resource A" requires a role alice does not have yet.
    request.setResourceId("Resource A");
    ticket = authzClient.protection().permission().create(request).getTicket();
    try {
        authzClient.authorization("alice", "password").authorize(new AuthorizationRequest(ticket));
        fail("Should fail because user is not granted with expected role");
    } catch (AuthorizationDeniedException ignore) {
        // expected: access denied
    }
    // Joining "Group A" supplies that role; the ticket for "Resource A" can now be exchanged.
    GroupRepresentation groupA = getRealm().groups().groups().stream().filter(representation -> "Group A".equals(representation.getName())).findFirst().get();
    getRealm().users().get(user.getId()).joinGroup(groupA.getId());
    assertNotNull(authzClient.authorization("alice", "password").authorize(new AuthorizationRequest(ticket)));
}
Also used : PermissionRequest(org.keycloak.representations.idm.authorization.PermissionRequest) AuthorizationDeniedException(org.keycloak.authorization.client.AuthorizationDeniedException) AuthzClient(org.keycloak.authorization.client.AuthzClient) AuthorizationRequest(org.keycloak.representations.idm.authorization.AuthorizationRequest) GroupRepresentation(org.keycloak.representations.idm.GroupRepresentation) UserRepresentation(org.keycloak.representations.idm.UserRepresentation) Test(org.junit.Test)

Example 3 with AuthorizationDeniedException

Use of org.keycloak.authorization.client.AuthorizationDeniedException in project keycloak by keycloak.

From class UmaGrantTypeTest, method testObtainRptWithUpgradeWithUnauthorizedResource. The test first obtains an RPT for "Resource A" with scopes ScopeA and ScopeB, then registers "Resource B" behind a "Deny Policy" and asks for the existing RPT to be upgraded with ScopeC on that resource. The upgrade is refused as a whole: the server does not hand back the old permissions with the new one dropped.

@Test
public void testObtainRptWithUpgradeWithUnauthorizedResource() throws Exception {
    // First RPT: marta is granted "Resource A" with ScopeA and ScopeB. No RPT was supplied to
    // upgrade, so isUpgraded() is false.
    AuthorizationResponse response = authorize("marta", "password", "Resource A", new String[] { "ScopeA", "ScopeB" });
    String rpt = response.getToken();
    AccessToken.Authorization authorization = toAccessToken(rpt).getAuthorization();
    Collection<Permission> permissions = authorization.getPermissions();
    assertFalse(response.isUpgraded());
    assertNotNull(permissions);
    // The test helper assertPermissions removes each entry it matches, so the isEmpty() check
    // that follows asserts that the RPT carries no permission beyond the expected one.
    assertPermissions(permissions, "Resource A", "ScopeA", "ScopeB");
    assertTrue(permissions.isEmpty());
    // Register "Resource B" and bind it to a policy that always denies.
    ResourcePermissionRepresentation permission = new ResourcePermissionRepresentation();
    ResourceRepresentation resourceB = addResource("Resource B", "ScopeA", "ScopeB", "ScopeC");
    permission.setName(resourceB.getName() + " Permission");
    permission.addResource(resourceB.getName());
    permission.addPolicy("Deny Policy");
    getClient(getRealm()).authorization().permissions().resource().create(permission).close();
    try {
        // Upgrade attempt: the existing RPT is sent along with a request for ScopeC on "Resource B".
        // The whole request is refused with 403; nothing is issued.
        authorize("marta", "password", "Resource B", new String[] { "ScopeC" }, rpt);
        fail("Should be denied, resource b not granted");
    } catch (AuthorizationDeniedException ignore) {
        // expected: access denied
    }
}
Also used : AuthorizationDeniedException(org.keycloak.authorization.client.AuthorizationDeniedException) AccessToken(org.keycloak.representations.AccessToken) Permission(org.keycloak.representations.idm.authorization.Permission) AuthorizationResponse(org.keycloak.representations.idm.authorization.AuthorizationResponse) ResourcePermissionRepresentation(org.keycloak.representations.idm.authorization.ResourcePermissionRepresentation) ResourceRepresentation(org.keycloak.representations.idm.authorization.ResourceRepresentation) Test(org.junit.Test)
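The three tests above drive one client-side sequence: the resource server registers a permission ticket for a resource (and optionally scopes) through the Protection API with its PAT, the requesting party exchanges that ticket for an RPT at the token endpoint, and a 403 surfaces in the client as AuthorizationDeniedException. What follows is an added example of how a resource server would wrap that sequence, including the upgrade case of Example 3; it is not code from the Keycloak project or from these tests (the tests' authorize(...) and toAccessToken(...) are test-side helpers and are not reproduced here). It assumes an AuthzClient built from a keycloak.json on the classpath, that the caller already holds the requesting party's access token (so authorization(accessToken) is used instead of a username and password), and it reads the permissions claim back out of the RPT with JWSInput rather than trusting a non-exception return alone. The class RptGate, its Decision type and the method names are illustrative.

```java
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

import org.keycloak.authorization.client.AuthorizationDeniedException;
import org.keycloak.authorization.client.AuthzClient;
import org.keycloak.jose.jws.JWSInput;
import org.keycloak.jose.jws.JWSInputException;
import org.keycloak.representations.AccessToken;
import org.keycloak.representations.idm.authorization.AuthorizationRequest;
import org.keycloak.representations.idm.authorization.AuthorizationResponse;
import org.keycloak.representations.idm.authorization.Permission;
import org.keycloak.representations.idm.authorization.PermissionRequest;

/**
 * Illustrative resource-server gate (added example, not Keycloak project code).
 * Runs the ticket -> RPT exchange the tests perform and treats
 * AuthorizationDeniedException as the ordinary "no" answer instead of an error.
 */
public class RptGate {

    /** Outcome of a check: whether the request is covered and the RPT the caller should keep. */
    public static final class Decision {
        public final boolean granted;
        public final String rpt;
        Decision(boolean granted, String rpt) { this.granted = granted; this.rpt = rpt; }
    }

    // Assumption: keycloak.json with the resource server's client credentials is on the classpath;
    // protection() obtains the PAT from those credentials.
    private final AuthzClient authzClient = AuthzClient.create();

    /**
     * Request an RPT for resource/scopes on behalf of the requesting party whose access token is given.
     * When existingRpt is non-null this is an upgrade (Example 3): Keycloak issues a new RPT that keeps
     * the permissions already held and adds the new ones, or refuses the whole request with a 403.
     */
    public Decision check(String requesterAccessToken, String existingRpt, String resource, String... scopes) {
        // Step 1: the resource server registers the permission ticket with its PAT.
        PermissionRequest permissionRequest = new PermissionRequest(resource, scopes);
        String ticket = authzClient.protection().permission().create(permissionRequest).getTicket();

        // Step 2: the requesting party exchanges the ticket at the token endpoint with its own token.
        AuthorizationRequest authorizationRequest = new AuthorizationRequest(ticket);
        if (existingRpt != null) {
            authorizationRequest.setRpt(existingRpt); // upgrade rather than a fresh RPT
        }
        AuthorizationResponse response;
        try {
            response = authzClient.authorization(requesterAccessToken).authorize(authorizationRequest);
        } catch (AuthorizationDeniedException denied) {
            // 403: the policies evaluated to deny and nothing was issued. The previously held RPT,
            // if any, was neither widened nor revoked, so the caller keeps it.
            return new Decision(false, existingRpt);
        }

        // Step 3: do not rely on "no exception" alone; confirm the permissions claim names this
        // resource with every requested scope. response.isUpgraded() reports whether the new RPT
        // extends the supplied one.
        String rpt = response.getToken();
        boolean covered = covers(permissionsOf(rpt), resource, scopes);
        return new Decision(covered, covered ? rpt : existingRpt);
    }

    /**
     * Decode the permissions claim of an RPT. This only reads the JWS payload; signature and expiry
     * checks belong to the adapter/verifier that accepts the RPT on incoming requests.
     */
    static Collection<Permission> permissionsOf(String rpt) {
        try {
            AccessToken token = new JWSInput(rpt).readJsonContent(AccessToken.class);
            AccessToken.Authorization authorization = token.getAuthorization();
            return authorization == null ? Collections.<Permission>emptyList() : authorization.getPermissions();
        } catch (JWSInputException e) {
            throw new IllegalStateException("RPT is not a readable JWS", e);
        }
    }

    /** True when one entry names the resource (by name or id) and lists every requested scope. */
    static boolean covers(Collection<Permission> permissions, String resource, String... scopes) {
        Set<String> wanted = new HashSet<>(Arrays.asList(scopes));
        for (Permission permission : permissions) {
            boolean sameResource = resource.equals(permission.getResourceName())
                    || resource.equals(permission.getResourceId());
            if (!sameResource) {
                continue;
            }
            Set<String> granted = permission.getScopes() == null
                    ? Collections.<String>emptySet() : permission.getScopes();
            // A request without scopes is satisfied by any entry for the resource; otherwise every
            // requested scope must appear on that entry.
            if (wanted.isEmpty() || granted.containsAll(wanted)) {
                return true;
            }
        }
        return false;
    }
}
```

Mapped onto Example 1: check(koloToken, null, "Resource A") yields granted=false and rpt=null before "Role A" is assigned and granted=true afterwards; mapped onto Example 3: check(martaToken, rptForResourceA, "Resource B", "ScopeC") yields granted=false and hands back rptForResourceA unchanged.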

Example 4 with AuthorizationDeniedException

Use of org.keycloak.authorization.client.AuthorizationDeniedException in project keycloak by keycloak.

From class UserManagedAccessTest, method testOnlyOwnerCanAccessPermissionsToScope. "Resource A" is registered as owner-managed for marta with a scope permission per scope, both bound to an "Only Owner Policy". marta obtains an RPT for both scopes; kolo is refused, but the refused UMA request leaves permission tickets behind; once those tickets are marked granted through the Protection API, kolo's retry succeeds with both scopes, and marta's own access to ScopeB is unaffected.

@Test
public void testOnlyOwnerCanAccessPermissionsToScope() throws Exception {
    // addResource(name, owner, ownerManagedAccess, scopes...): marta owns the resource and UMA is enabled on it.
    resource = addResource("Resource A", "marta", true, "ScopeA", "ScopeB");
    // One scope permission per scope, each bound to the policy that only lets the owner through.
    ScopePermissionRepresentation permission = new ScopePermissionRepresentation();
    permission.setName(resource.getName() + " Scope A Permission");
    permission.addScope("ScopeA");
    permission.addPolicy("Only Owner Policy");
    getClient(getRealm()).authorization().permissions().scope().create(permission).close();
    permission = new ScopePermissionRepresentation();
    permission.setName(resource.getName() + " Scope B Permission");
    permission.addScope("ScopeB");
    permission.addPolicy("Only Owner Policy");
    getClient(getRealm()).authorization().permissions().scope().create(permission).close();
    // The owner gets an RPT carrying exactly the two scopes.
    AuthorizationResponse response = authorize("marta", "password", resource.getName(), new String[] { "ScopeA", "ScopeB" });
    String rpt = response.getToken();
    assertNotNull(rpt);
    assertFalse(response.isUpgraded());
    AccessToken accessToken = toAccessToken(rpt);
    AccessToken.Authorization authorization = accessToken.getAuthorization();
    assertNotNull(authorization);
    Collection<Permission> permissions = authorization.getPermissions();
    assertNotNull(permissions);
    // assertPermissions removes the matched entry, so isEmpty() means no extra permission was issued.
    assertPermissions(permissions, resource.getName(), "ScopeA", "ScopeB");
    assertTrue(permissions.isEmpty());
    try {
        // Another user is refused, but because the resource is owner-managed the refused request
        // records permission tickets for the owner to decide on.
        response = authorize("kolo", "password", resource.getId(), new String[] { "ScopeA", "ScopeB" });
        fail("User should not have access to resource from another user");
    } catch (AuthorizationDeniedException ade) {
        // expected: access denied
    }
    // find(resourceId, scopeId, owner, requester, granted, returnNames, firstResult, maxResult):
    // list every ticket for the resource and mark it granted with the resource server's PAT.
    List<PermissionTicketRepresentation> tickets = getAuthzClient().protection().permission().find(resource.getId(), null, null, null, null, null, null, null);
    for (PermissionTicketRepresentation ticket : tickets) {
        ticket.setGranted(true);
        getAuthzClient().protection().permission().update(ticket);
    }
    try {
        // Retry after approval: kolo now obtains an RPT.
        response = authorize("kolo", "password", resource.getId(), new String[] { "ScopeA", "ScopeB" });
    } catch (AuthorizationDeniedException ade) {
        fail("User should have access to resource from another user");
    }
    rpt = response.getToken();
    accessToken = toAccessToken(rpt);
    authorization = accessToken.getAuthorization();
    permissions = authorization.getPermissions();
    assertPermissions(permissions, resource.getName(), "ScopeA", "ScopeB");
    assertTrue(permissions.isEmpty());
    try {
        // Granting kolo did not disturb the owner's own access.
        response = authorize("marta", "password", resource.getId(), new String[] { "ScopeB" });
    } catch (AuthorizationDeniedException ade) {
        fail("User should have access to his own resources");
    }
    rpt = response.getToken();
    accessToken = toAccessToken(rpt);
    authorization = accessToken.getAuthorization();
    permissions = authorization.getPermissions();
    assertPermissions(permissions, resource.getName(), "ScopeB");
    assertTrue(permissions.isEmpty());
}
Also used : AuthorizationDeniedException(org.keycloak.authorization.client.AuthorizationDeniedException) AccessToken(org.keycloak.representations.AccessToken) Permission(org.keycloak.representations.idm.authorization.Permission) PermissionTicketRepresentation(org.keycloak.representations.idm.authorization.PermissionTicketRepresentation) ScopePermissionRepresentation(org.keycloak.representations.idm.authorization.ScopePermissionRepresentation) AuthorizationResponse(org.keycloak.representations.idm.authorization.AuthorizationResponse) Test(org.junit.Test)

Example 5 with AuthorizationDeniedException

Use of org.keycloak.authorization.client.AuthorizationDeniedException in project keycloak by keycloak.

From class UserManagedAccessTest, method testOnlyOwnerCanAccess. The resource-level variant of the previous test: with a single resource permission bound to the "Only Owner Policy", the owner marta gets an RPT carrying both scopes and any other user (kolo) is refused.

@Test
public void testOnlyOwnerCanAccess() throws Exception {
    ResourcePermissionRepresentation permission = new ResourcePermissionRepresentation();
    // addResource(name, owner, ownerManagedAccess, scopes...): marta owns the resource and UMA is enabled on it.
    resource = addResource("Resource A", "marta", true, "ScopeA", "ScopeB");
    // A single resource-level permission guarded by the owner-only policy.
    permission.setName(resource.getName() + " Permission");
    permission.addResource(resource.getId());
    permission.addPolicy("Only Owner Policy");
    getClient(getRealm()).authorization().permissions().resource().create(permission).close();
    AuthorizationResponse response = authorize("marta", "password", resource.getName(), new String[] { "ScopeA", "ScopeB" });
    String rpt = response.getToken();
    assertNotNull(rpt);
    assertFalse(response.isUpgraded());
    AccessToken accessToken = toAccessToken(rpt);
    AccessToken.Authorization authorization = accessToken.getAuthorization();
    assertNotNull(authorization);
    Collection<Permission> permissions = authorization.getPermissions();
    assertNotNull(permissions);
    // assertPermissions removes the matched entry, so isEmpty() means no extra permission was issued.
    assertPermissions(permissions, resource.getName(), "ScopeA", "ScopeB");
    assertTrue(permissions.isEmpty());
    try {
        // Any user other than the owner is refused.
        response = authorize("kolo", "password", resource.getId(), new String[] { "ScopeA", "ScopeB" });
        fail("User should not have access to resource from another user");
    } catch (AuthorizationDeniedException ade) {
        // expected: access denied
    }
}
Also used : AuthorizationDeniedException(org.keycloak.authorization.client.AuthorizationDeniedException) AccessToken(org.keycloak.representations.AccessToken) Permission(org.keycloak.representations.idm.authorization.Permission) ResourcePermissionRepresentation(org.keycloak.representations.idm.authorization.ResourcePermissionRepresentation) AuthorizationResponse(org.keycloak.representations.idm.authorization.AuthorizationResponse) Test(org.junit.Test)
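Examples 4 and 5 exercise user-managed access: the resource is registered with ownerManagedAccess enabled and owned by marta, an "Only Owner Policy" refuses everyone else, and in Example 4 kolo's refused request leaves permission tickets behind that are then flipped to granted through the Protection API before the retry succeeds. The following is an added example, not code from the Keycloak project or from these tests, that packages that request/approve/retry loop for a resource server. Its assumptions, repeated in the comments: the AuthzClient comes from a keycloak.json on the classpath and its PAT is used for the tickets, as the tests do; the 403 body Keycloak returns from the token endpoint carries error_description "request_submitted" when a ticket was recorded for the owner and "not_authorized" otherwise, detected here with a plain substring match on the HttpResponseException that the client puts in the exception's cause; the requester field of a ticket is matched by Keycloak user id. The class UmaApproval, the Outcome enum and the method names are illustrative.

```java
import java.nio.charset.StandardCharsets;
import java.util.List;

import org.keycloak.authorization.client.AuthorizationDeniedException;
import org.keycloak.authorization.client.AuthzClient;
import org.keycloak.authorization.client.resource.PermissionResource;
import org.keycloak.authorization.client.util.HttpResponseException;
import org.keycloak.representations.idm.authorization.AuthorizationRequest;
import org.keycloak.representations.idm.authorization.AuthorizationResponse;
import org.keycloak.representations.idm.authorization.PermissionRequest;
import org.keycloak.representations.idm.authorization.PermissionTicketRepresentation;

/** Illustrative UMA request/approve/retry loop (added example, not Keycloak project code). */
public class UmaApproval {

    /** How a requesting party's attempt ended. */
    public enum Outcome { GRANTED, TICKET_PENDING, DENIED }

    // Assumption: keycloak.json on the classpath carries the resource server's client credentials;
    // protection() derives the PAT from them, which is what the tests use to manage tickets.
    private final AuthzClient authzClient = AuthzClient.create();
    private String lastRpt;

    /**
     * Requesting party asks for resource/scopes. As in the tests, a permission ticket is registered
     * first and then exchanged: that ticket-based (UMA) path is the one that records an approval
     * request for the owner when the policies say no.
     */
    public Outcome request(String requesterAccessToken, String resource, String... scopes) {
        String ticket = authzClient.protection().permission()
                .create(new PermissionRequest(resource, scopes)).getTicket();
        try {
            AuthorizationResponse response = authzClient.authorization(requesterAccessToken)
                    .authorize(new AuthorizationRequest(ticket));
            lastRpt = response.getToken();
            return Outcome.GRANTED;
        } catch (AuthorizationDeniedException denied) {
            return classify(denied);
        }
    }

    /**
     * Assumption: the exception's cause is the 403 HttpResponseException from the token endpoint, and
     * for an owner-managed resource its JSON body says "request_submitted" when a permission ticket was
     * recorded for the owner, "not_authorized" otherwise. A substring match is enough to tell them apart.
     */
    static Outcome classify(AuthorizationDeniedException denied) {
        Throwable cause = denied.getCause();
        if (cause instanceof HttpResponseException) {
            HttpResponseException http = (HttpResponseException) cause;
            byte[] body = http.getBytes();
            String text = body == null ? "" : new String(body, StandardCharsets.UTF_8);
            if (http.getStatusCode() == 403 && text.contains("request_submitted")) {
                return Outcome.TICKET_PENDING;
            }
        }
        return Outcome.DENIED;
    }

    /**
     * Approval step: flip every still-pending ticket for the resource to granted, as Example 4 does.
     * The tests do this with the resource server's PAT (protection()); a product would let the owner
     * decide from their own session. requesterUserId (assumed to be the Keycloak user id the ticket
     * stores as requester) narrows the search; null grants every pending ticket for the resource,
     * like the test. Returns how many tickets were granted.
     */
    public int grantPending(String resourceId, String requesterUserId) {
        PermissionResource permissions = authzClient.protection().permission();
        // find(resourceId, scopeId, owner, requester, granted, returnNames, firstResult, maxResult)
        List<PermissionTicketRepresentation> tickets =
                permissions.find(resourceId, null, null, requesterUserId, Boolean.FALSE, null, null, null);
        int granted = 0;
        for (PermissionTicketRepresentation ticket : tickets) {
            ticket.setGranted(true);
            permissions.update(ticket);
            granted++;
        }
        return granted;
    }

    /** RPT from the last GRANTED call, for the caller to present on its API requests. */
    public String lastRpt() {
        return lastRpt;
    }
}
```

Run against the setup of Example 4 the sequence is: request(koloToken, resourceId, "ScopeA", "ScopeB") returns TICKET_PENDING, grantPending(resourceId, koloUserId) returns the number of tickets flipped, and a second request(...) returns GRANTED with lastRpt() carrying both scopes. Against Example 5 the first call returns TICKET_PENDING as well, since the resource is owner-managed there too; a resource that is not owner-managed and is refused by policy yields DENIED, and no ticket exists to approve.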

Aggregations

Classes that appear together with AuthorizationDeniedException across its usages in the project, with the number of usages each appears in:

AuthorizationDeniedException (org.keycloak.authorization.client.AuthorizationDeniedException): 17
Test (org.junit.Test): 16
AuthorizationResponse (org.keycloak.representations.idm.authorization.AuthorizationResponse): 13
AccessToken (org.keycloak.representations.AccessToken): 9
AuthorizationRequest (org.keycloak.representations.idm.authorization.AuthorizationRequest): 9
Permission (org.keycloak.representations.idm.authorization.Permission): 9
AuthzClient (org.keycloak.authorization.client.AuthzClient): 7
PermissionRequest (org.keycloak.representations.idm.authorization.PermissionRequest): 7
ResourcePermissionRepresentation (org.keycloak.representations.idm.authorization.ResourcePermissionRepresentation): 7
PermissionTicketRepresentation (org.keycloak.representations.idm.authorization.PermissionTicketRepresentation): 6
PermissionResource (org.keycloak.authorization.client.resource.PermissionResource): 4
UserRepresentation (org.keycloak.representations.idm.UserRepresentation): 3
ResourceRepresentation (org.keycloak.representations.idm.authorization.ResourceRepresentation): 3
RealmResource (org.keycloak.admin.client.resource.RealmResource): 2
GroupRepresentation (org.keycloak.representations.idm.GroupRepresentation): 2
ArrayList (java.util.ArrayList): 1
KeycloakSecurityContext (org.keycloak.KeycloakSecurityContext): 1
KeycloakDeployment (org.keycloak.adapters.KeycloakDeployment): 1
AuthorizationResource (org.keycloak.admin.client.resource.AuthorizationResource): 1
ClientResource (org.keycloak.admin.client.resource.ClientResource): 1