keycloak-scim/authorization_services/topics/resource-server-default-config.adoc

53 lines
3.1 KiB
Text
Raw Normal View History

2016-11-29 15:30:53 +00:00
[[_resource_server_default_config]]
= Default Configuration
2016-06-16 17:08:04 +00:00
2017-08-28 12:50:14 +00:00
When you create a resource server, {project_name} creates a default configuration for your newly created resource server.
2016-06-16 17:08:04 +00:00
The default configuration consists of:
* A default protected resource representing all resources in your application.
* A policy that always grants access to the resources protected by this policy.
2016-06-16 17:08:04 +00:00
* A permission that governs access to all resources based on the default policy.
The default protected resource is referred to as the *default resource* and you can view it if you navigate to the *Resources* tab.
2016-06-16 17:08:04 +00:00
.Default resource
image:{project_images}/resource-server/default-resource.png[alt="Default resource"]
2016-06-16 17:08:04 +00:00
This resource defines a `Type`, namely `urn:my-resource-server:resources:default` and a `URI` `/*`. Here, the `URI` field defines a
2017-08-28 12:50:14 +00:00
wildcard pattern that indicates to {project_name} that this resource represents all the paths in your application. In other words,
when enabling <<_enforcer_overview, policy enforcement>> for your application, all the permissions associated with the resource
will be examined before granting access.
2016-06-16 17:08:04 +00:00
2017-08-28 12:50:14 +00:00
The `Type` mentioned previously defines a value that can be used to create <<_permission_typed_resource, typed resource permissions>> that must be applied
2016-07-26 21:34:49 +00:00
to the default resource or any other resource you create using the same type.
The default policy is referred to as the *only from realm policy* and you can view it if you navigate to the *Policies* tab.
2016-06-16 17:08:04 +00:00
.Default policy
image:{project_images}/resource-server/default-policy.png[alt="Default policy"]
2016-06-16 17:08:04 +00:00
2017-08-28 12:50:14 +00:00
This policy is a <<_policy_js, JavaScript-based policy>> defining a condition that always grants access to the resources protected by this policy. If you click this policy you can see that it defines a rule as follows:
2016-06-16 17:08:04 +00:00
```js
2016-07-26 21:34:49 +00:00
// by default, grants any permission associated with this policy
$evaluation.grant();
2016-06-16 17:08:04 +00:00
```
Lastly, the default permission is referred to as the *default permission* and you can view it if you navigate to the *Permissions* tab.
2016-06-16 17:08:04 +00:00
.Default Permission
2017-08-28 12:50:14 +00:00
image:{project_images}/resource-server/default-permission.png[alt="Default Permission"]
2016-06-16 17:08:04 +00:00
2017-08-28 12:50:14 +00:00
This permission is a <<_permission_create_resource, resource-based permission>>, defining a set of one or more policies that are applied to all resources with a given type.
2016-06-16 17:08:04 +00:00
== Changing the default configuration
2016-06-16 17:08:04 +00:00
2017-03-14 07:15:30 +00:00
You can change the default configuration by removing the default resource, policy, or permission definitions and creating your own.
The default resource is created with an **URI** that maps to any resource or path in your application using a **/*** pattern. Before creating your own resources, permissions and policies, make
sure the default configuration doesn't conflict with your own settings.
2017-03-14 07:15:30 +00:00
[NOTE]
The default configuration defines a resource that maps to all paths in your application. If you are about to write permissions to your own resources, be sure to remove the *Default Resource* or change its ```URIS``` fields to a more specific paths in your application. Otherwise, the policy associated with the default resource (which by default always grants access) will allow {project_name} to grant access to any protected resource.