diff --git a/testsuite/integration-arquillian/test-apps/servlet-policy-enforcer/servlet-policy-enforcer-authz-realm.json b/testsuite/integration-arquillian/test-apps/servlet-policy-enforcer/servlet-policy-enforcer-authz-realm.json
index cef6f0057b..a5299bf523 100644
--- a/testsuite/integration-arquillian/test-apps/servlet-policy-enforcer/servlet-policy-enforcer-authz-realm.json
+++ b/testsuite/integration-arquillian/test-apps/servlet-policy-enforcer/servlet-policy-enforcer-authz-realm.json
@@ -115,6 +115,11 @@
 {
 "name": "Pattern 11",
 "typedScopes": []
+ },
+ {
+ "name": "Pattern 12",
+ "uri": "/realm_uri",
+ "typedScopes": []
 }
 ],
 "policies": [
@@ -256,6 +261,16 @@
 "resources": "[\"Pattern 11\"]",
 "applyPolicies": "[\"Default Policy\"]"
 }
+ },
+ {
+ "name": "Pattern 12 Permission",
+ "type": "resource",
+ "logic": "POSITIVE",
+ "decisionStrategy": "UNANIMOUS",
+ "config": {
+ "resources": "[\"Pattern 12\"]",
+ "applyPolicies": "[\"Default Policy\"]"
+ }
 }
 ],
 "scopes": []
diff --git a/testsuite/integration-arquillian/test-apps/servlet-policy-enforcer/src/main/webapp/WEB-INF/keycloak.json b/testsuite/integration-arquillian/test-apps/servlet-policy-enforcer/src/main/webapp/WEB-INF/keycloak.json
index d8742d3c4b..1dfcd7beb6 100644
--- a/testsuite/integration-arquillian/test-apps/servlet-policy-enforcer/src/main/webapp/WEB-INF/keycloak.json
+++ b/testsuite/integration-arquillian/test-apps/servlet-policy-enforcer/src/main/webapp/WEB-INF/keycloak.json
@@ -56,6 +56,10 @@
 {
 "name": "Pattern 11",
 "path": "/api/{version}/{resource}"
+ },
+ {
+ "name": "Pattern 12",
+ "path": "/keycloak_json_uri"
 }
 ]
 }
diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/adapter/example/authorization/AbstractServletPolicyEnforcerTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/adapter/example/authorization/AbstractServletPolicyEnforcerTest.java
index aaeee4f566..2661185fa3 100644
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/adapter/example/authorization/AbstractServletPolicyEnforcerTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/adapter/example/authorization/AbstractServletPolicyEnforcerTest.java
@@ -290,12 +290,14 @@ public abstract class AbstractServletPolicyEnforcerTest extends AbstractExampleA
 login("alice", "alice");
 navigateTo("/resource/a/i/b/c/d/e");
+ assertFalse(wasDenied());
 navigateTo("/resource/a/i/b/c/");
 assertFalse(wasDenied());
 updatePermissionPolicies("Pattern 10 Permission", "Deny Policy");
 login("alice", "alice");
 navigateTo("/resource/a/i/b/c/d/e");
+ assertTrue(wasDenied());
 navigateTo("/resource/a/i/b/c/d");
 assertTrue(wasDenied());
@@ -350,6 +352,34 @@ public abstract class AbstractServletPolicyEnforcerTest extends AbstractExampleA
 });
 }
+ @Test
+ public void testPriorityOfURIForResource() {
+ performTests(() -> {
+ login("alice", "alice");
+ navigateTo("/realm_uri");
+ assertTrue(wasDenied());
+ navigateTo("/keycloak_json_uri");
+ assertFalse(wasDenied());
+
+ updatePermissionPolicies("Pattern 12 Permission", "Deny Policy");
+
+ login("alice", "alice");
+ navigateTo("/realm_uri");
+ assertTrue(wasDenied());
+ navigateTo("/keycloak_json_uri");
+ assertTrue(wasDenied());
+
+ updatePermissionPolicies("Pattern 12 Permission", "Default Policy");
+
+ login("alice", "alice");
+ navigateTo("/realm_uri");
+ assertTrue(wasDenied());
+ navigateTo("/keycloak_json_uri");
+ assertFalse(wasDenied());
+ });
+ }
+
+
 private void navigateTo(String path) {
 this.driver.navigate().to(getResourceServerUrl() + path);
 }
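Review bot: In `testPriorityOfURIForResource` the permission is switched to `Deny Policy` and is only switched back by the later `updatePermissionPolicies("Pattern 12 Permission", "Default Policy")` call, so a failed assertion in the middle phase leaves "Pattern 12 Permission" on the deny policy. Whether the realm is re-imported between tests is not visible in this hunk; if it is not, the restore belongs in a `finally` block around the middle phase so later tests start from the expected authorization state. The three `assertTrue(wasDenied())` checks after `navigateTo("/realm_uri")` would also benefit from a comment stating the intent, for example `// the path in keycloak.json takes precedence over the realm "uri", so /realm_uri is unmapped and must stay denied`, because that expectation presumably depends on the adapter's enforcement mode, which is not shown here. The second blank line added before `private void navigateTo` can be dropped.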