Merge pull request #22 from pedroigor/master

Minor fixes and updates
This commit is contained in:
Pedro Igor 2016-06-29 19:51:48 -03:00 committed by GitHub
commit 30f4db0bc4
8 changed files with 84 additions and 25 deletions

View file

@ -8,6 +8,7 @@
... link:topics/getting-started/hello-world/create-realm.adoc[Creating a Realm] ... link:topics/getting-started/hello-world/create-realm.adoc[Creating a Realm]
... link:topics/getting-started/hello-world/create-resource-server.adoc[Enabling Authorization Services] ... link:topics/getting-started/hello-world/create-resource-server.adoc[Enabling Authorization Services]
... link:topics/getting-started/hello-world/deploy.adoc[Build, Deploy and Test] ... link:topics/getting-started/hello-world/deploy.adoc[Build, Deploy and Test]
.. link:topics/example/overview.adoc[Examples]
. link:topics/resource-server/overview.adoc[Managing Resource Servers] . link:topics/resource-server/overview.adoc[Managing Resource Servers]
.. link:topics/resource-server/create-client.adoc[Creating a Client Application] .. link:topics/resource-server/create-client.adoc[Creating a Client Application]
.. link:topics/resource-server/enable-authorization.adoc[Enabling Authorization Services] .. link:topics/resource-server/enable-authorization.adoc[Enabling Authorization Services]
@ -47,4 +48,3 @@
... link:topics/enforcer/keycloak-enforcement-bearer.adoc[Protecting a Stateless Service Using a Bearer Token] ... link:topics/enforcer/keycloak-enforcement-bearer.adoc[Protecting a Stateless Service Using a Bearer Token]
... link:topics/enforcer/authorization-context.adoc[Obtaining the Authorization Context] ... link:topics/enforcer/authorization-context.adoc[Obtaining the Authorization Context]
... link:topics/enforcer/js-adapter.adoc[JavaScript Integration] ... link:topics/enforcer/js-adapter.adoc[JavaScript Integration]
. link:topics/example/overview.adoc[Examples]

Binary file not shown.

Before

Width:  |  Height:  |  Size: 113 KiB

After

Width:  |  Height:  |  Size: 101 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 90 KiB

After

Width:  |  Height:  |  Size: 80 KiB

View file

@ -1,5 +1,34 @@
== Examples == Examples
We provide a few examples about how to use the {{book.project.name}} {{book.project.module}}. These examples are very useful to understand the concepts here introduced. The {{book.project.name}} Authorization can also help you to quickly get started with the authorization services and understand how to apply the same concepts to your
own applications.
The examples are located at *examples/authz*. They contain a README.md file with more details about how to build and deploy them. If you are using the {{book.project.name}} Demo Distribution and you have it properly extracted in your filesystem:
* **keycloak-demo-{{book.project.version}}.[zip|tar.gz]**
You can check out the available examples from the following directory:
```bash
cd ${KEYCLOAK_DEMO_SERVER_DIR}/examples/authz
```
Or you can get them from https://github.com/keycloak/keycloak/tree/{{book.project.version}}/examples/authz[GitHub].
For each example is provided a `README` file with instructions about how to build, deploy and test the example.
Here is a brief description of each of them:
.Authorization Examples
|===
|Name |Description
| https://github.com/keycloak/keycloak/tree/{{book.project.version}}/examples/authz/servlet-authz[hello-world-authz-service]
| A single page application which is protected by a policy enforcer that decides whether an user can access that page or not based on the permissions obtained from a Keycloak Server.
| https://github.com/keycloak/keycloak/tree/{{book.project.version}}/examples/authz/servlet-authz[photoz]
| A simple application based on HTML5+AngularJS+JAX-RS that demonstrates how to enable fine-grained permissions to RESTFul based services and HTML5 clients.
| https://github.com/keycloak/keycloak/tree/{{book.project.version}}/examples/authz/servlet-authz[servlet-authz]
| A simple Servlet-based application that demonstrates how to enable fine-grained authorization to a JBoss Servlet Application.
|===

View file

@ -1,7 +1,7 @@
== Drools-Based Policy == Drools-Based Policy
This type of policy allows you to define conditions for your permissions using Drools. It is one of the _Rule-Based_ policy types This type of policy allows you to define conditions for your permissions using Drools. It is one of the _Rule-Based_ policy types
supported by {{book.project.name}}, providing a lot of flexibility to write any policy based on the link::/policy/evaluation-api.adoc[Evaluation API]. supported by {{book.project.name}}, providing a lot of flexibility to write any policy based on the link:evaluation-api.adoc[Evaluation API].
To create a new policy select the option *Drools* in the dropdown located in the right upper corner of the permission listing. To create a new policy select the option *Drools* in the dropdown located in the right upper corner of the permission listing.

View file

@ -1,12 +1,13 @@
== Evaluation API == Evaluation API
When writing rule-based policies such as when you are using Javascript or JBoss Drools, Keycloak provides an *Evaluation API* from where you When writing rule-based policies such as when you are using Javascript or JBoss Drools, {{book.project.name}} provides an *Evaluation API* from where you
can obtain useful information. can obtain useful information in order to decide whether a permission should be granted or not.
This API consists of a few interfaces that provides you access to information such as: This API consists of a few interfaces that provides you access to information such as:
* Information about the identity asking for a permission. Here you can obtain the identity identifier (eg.: username) or any other claim/attribute about it. * The permission being requested
* Information about the runtime environment and any other attribute associated with the execution context. * The identity asking for a permission, from where you can obtain claims/attributes
* Runtime environment and any other attribute associated with the execution context
The main interface is *org.keycloak.authorization.policy.evaluation.Evaluation*, which defines the following contract: The main interface is *org.keycloak.authorization.policy.evaluation.Evaluation*, which defines the following contract:
@ -38,8 +39,14 @@ public interface Evaluation {
void deny(); void deny();
} }
``` ```
[NOTE]
For more details about the Evaluation API refer to http://www.keycloak.org/docs/javadocs/index.html[JavaDocs].
For full instructions on using the Evaluation API refer to JavaDocs. When processing an authorization request, {{book.project.name}} creates an `Evaluation` instance before evaluating any policy. This instance is then passed to each policy in order to obtain
a decision, which would be a *GRANT* or a *DENY*.
Policies take their decisions by invoking the `grant()` or `deny()` methods on an `Evaluation` instance. By default, the state of the `Evaluation` instance is denied, which means that your policies
need to explicitly invoke the `grant()` method if they want to tell the policy evaluation engine that the permission should be granted.
=== The Evaluation Context === The Evaluation Context
@ -66,18 +73,41 @@ public interface EvaluationContext {
From this interface, policies can obtain: From this interface, policies can obtain:
* The authenticated *Identity* * The authenticated `Identity`
* Information about the execution context and runtime environment * Information about the execution context and runtime environment
Before evaluating policies, {{book.project.name}} builds an *EvaluationContext* based on: The `Identity` is built based on the OAuth2 Access Token that was sent along with the authorization request, from where you have access to all claims
extracted from the original token. For instance, if you are using a _Protocol Mapper_ to include a custom claim to a oAuth2 Access Token you can also access this claim
from a policy and use it to build your conditions
* All claims obtained from the OAuth2 Access Token that was sent along with the authorization request The `EvaluationContext` also gives you access to attributes related with both execution and runtime environment. For now, there only a few built-in attributes.
+
In this case, the *Identity* object provides the same claims as define by the access token. For instance, if you are using a _Protocol Mapper_ to include custom claim .Execution and Runtime Attributes
to a oAuth2 Access Token you can also access this claim from a policy and use it to build your conditions |===
+ |Name |Description | Type
* Some built-in environment attributes such as:
+ | kc.time.date_time
** kc.authz.context.time.date_time, holding the current time | Current date and time
** kc.authz.context.client.network.ip_address, holding the IP address of the client requesting permissions | String. Format `MM/dd/yyyy hh:mm:ss`
** kc.authz.context.client.network.host, holding the host name of the client requesting permissions
| kc.client.network.ip_address
| IPv4 address of the client
| String
| kc.client.network.host
| Client's host name
| String
| kc.client.id
| The client id
| String
| kc.client.user_agent
| The value of the 'User-Agent' HTTP header
| String[]
| kc.realm.name
| The name of the realm
| String
|===

View file

@ -1,7 +1,7 @@
== JavaScript-Based Policy == JavaScript-Based Policy
This type of policy allows you to define conditions for your permissions using JavaScript. It is one of the _Rule-Based_ policy types This type of policy allows you to define conditions for your permissions using JavaScript. It is one of the _Rule-Based_ policy types
supported by {{book.project.name}}, providing lot of flexibility to write any policy based on the link::/policy/evaluation-api.adoc[Evaluation API]. supported by {{book.project.name}}, providing lot of flexibility to write any policy based on the link:evaluation-api.adoc[Evaluation API].
To create a new policy select the option *JavaScript* in the dropdown located in the right upper corner of the permission listing. To create a new policy select the option *JavaScript* in the dropdown located in the right upper corner of the permission listing.
@ -36,7 +36,7 @@ obtained from the execution context:
var context = $evaluation.getContext(); var context = $evaluation.getContext();
var contextAttributes = context.getAttributes(); var contextAttributes = context.getAttributes();
if (contextAttributes.containsValue('kc.authz.context.client.network.ip_address', '127.0.0.1')) { if (contextAttributes.containsValue('kc.client.network.ip_address', '127.0.0.1')) {
$evaluation.grant(); $evaluation.grant();
} }
``` ```

View file

@ -31,7 +31,7 @@ var context = $evaluation.getContext();
// using attributes from the evaluation context to obtain the realm // using attributes from the evaluation context to obtain the realm
var contextAttributes = context.getAttributes(); var contextAttributes = context.getAttributes();
var realmName = contextAttributes.getValue('kc.authz.context.authc.realm').asString(0); var realmName = contextAttributes.getValue('kc.realm.name').asString(0);
// using attributes from the identity to obtain the issuer // using attributes from the identity to obtain the issuer
var identity = context.getIdentity(); var identity = context.getIdentity();