51 lines
3.1 KiB
Text
Executable file
51 lines
3.1 KiB
Text
Executable file
[[_resource_server_default_config]]
|
|
=== Default Configuration
|
|
|
|
When you create a resource server, {{book.project.name}} creates a default configuration for your newly created resource server.
|
|
|
|
The default configuration consists of:
|
|
|
|
* A default protected resource representing all resources in your application.
|
|
* A policy that always grants access to the resources protected by this policy.
|
|
* A permission that governs access to all resources based on the default policy.
|
|
|
|
The default protected resource is referred to as the *default resource* and you can view it if you navigate to the *Resources* tab.
|
|
|
|
.Default Resource
|
|
image:../../{{book.images}}/resource-server/default-resource.png[alt="Default Resource"]
|
|
|
|
This resource defines a `Type`, namely `urn:my-resource-server:resources:default` and a `URI` `/*`. Here, the `URI` field defines a
|
|
wildcard pattern that indicates to {{book.project.name}} that this resource represents all the paths in your application. In other words,
|
|
when enabling <<fake/../../enforcer/overview.adoc#_enforcer_overview, policy enforcement>> for your application, all the permissions associated with the resource
|
|
will be examined before granting access.
|
|
|
|
The `Type` mentioned previously defines a value that can be used to create <<fake/../../permission/typed-resource-permission.adoc#_permission_typed_resource, typed resource permissions>> that must be applied
|
|
to the default resource or any other resource you create using the same type.
|
|
|
|
The default policy is referred to as the *only from realm policy* and you can view it if you navigate to the *Policies* tab.
|
|
|
|
.Default Policy
|
|
image:../../{{book.images}}/resource-server/default-policy.png[alt="Default Policy"]
|
|
|
|
This policy is a <<fake/../../policy/js-policy.adoc#_policy_js, JavaScript-based policy>> defining a condition that always grants access to the resources protected by this policy. If you click this policy you can see that it defines a rule as follows:
|
|
|
|
```js
|
|
// by default, grants any permission associated with this policy
|
|
$evaluation.grant();
|
|
```
|
|
|
|
Lastly, the default permission is referred to as the *default permission* and you can view it if you navigate to the *Permissions* tab.
|
|
|
|
.Default Permission
|
|
image:../../{{book.images}}/resource-server/default-permission.png[alt="Default Permission"]
|
|
|
|
This permission is a <<fake/../../permission/create-resource.adoc#_permission_create_resource, resource-based permission>>, defining a set of one or more policies that are applied to all resources with a given type.
|
|
|
|
==== Changing the Default Configuration
|
|
|
|
You can change the default configuration by removing the default resource, policy, or permission definitions and creating your own.
|
|
|
|
[NOTE]
|
|
The default configuration defines a resource that maps to all paths in your application. If you are about to write permissions to your own resources, be sure
|
|
to remove the *Default Resource* or change its ```URI``` field to a more specific path in your application. Otherwise, the policy associated with the default resource (which by default is always granting access)
|
|
will make Keycloak grant access to any protected resource.
|