https://docs.google.com/presentation/d/1FxKu6pZAFMumdpagicyV0JQrscxA2dKqZelibO1Czhw/edit
- Red Hat Single Sign-On 7.2 (rh-sso-7.2.0.zip)
- Red Hat Single Sign-On 7.2.5 Server Patch (rh-sso-7.2.5-patch.zip)
- Red Hat Single Sign-On 7.2.5 Client Adapter for JBoss EAP 7 (rh-sso-7.2.5-eap7-adapter.zip)
- Red Hat JBoss Enterprise Application Platform 7.1.0 (jboss-eap-7.1.0.zip)
unzip rh-sso-7.2.0.zip
1 - Adding admin user:
./rh-sso-7.2/bin/add-user.sh
2 - Applying Patch 7.2.5
./rh-sso-7.2/bin/standalone.sh &
./rh-sso-7.2/bin/jboss-cli.sh --connect
patch apply rh-sso-7.2.5-patch.zip
3 - Installing JBoss EAP 7.1
unzip jboss-eap-7.1.0.zip
4 - Adding admin user:
./jboss-eap-7.1/bin/add-user.sh
5 - Installing RH-SSO Adapter for JBoss EAP 7.1
cd jboss-eap-7.1
unzip rh-sso-7.2.5-eap7-adapter.zip
./bin/standalone.sh &
./bin/jboss-cli.sh --connect --file=./bin/adapter-install.cli
git clone https://github.com/keycloak/keycloak
git -C keycloak checkout tags/3.4.3.Final
mvn clean package -f keycloak/testsuite/integration-arquillian/test-apps/photoz/pom.xml
cp keycloak/testsuite/integration-arquillian/test-apps/photoz/photoz-authz-policy/target/photoz-authz-policy-3.4.3.Final.jar rh-sso-7.2/standalone/deployments
cp keycloak/testsuite/integration-arquillian/test-apps/photoz/photoz-html5-client/target/photoz-html5-client.war jboss-eap-7.1/standalone/deployments
cp keycloak/testsuite/integration-arquillian/test-apps/photoz/photoz-restful-api/target/photoz-restful-api.war jboss-eap-7.1/standalone/deployments
./rh-sso-7.2/bin/standalone.sh -b 0.0.0.0 -bmanagement 0.0.0.0 -bunsecure 0.0.0.0 -Djboss.socket.binding.port-offset=100 -Dkeycloak.profile=preview
(The port offset of 100 moves Red Hat Single Sign-On to port 8180, the address used in the steps below, so it does not clash with JBoss EAP on port 8080.)
1 - Open Red Hat Single Sign-On at http://localhost:8180/auth/admin/ and enter the admin username and password (or create an admin user).
2 - Click on Add Realm and create the realm photoz by importing the file photoz-realm.json
3 - Open the Authorization tab of the client photoz-restful-api and import the file photoz-restful-api-authz-service.json
4 - Start Red Hat JBoss EAP with the deployed applications:
./jboss-eap-7.1/bin/standalone.sh -b 0.0.0.0 -bmanagement 0.0.0.0 -bunsecure 0.0.0.0
Deployed applications:
- photoz-html5-client
- photoz-restful-api
Users (username/password):
- alice/alice
- jdoe/jdoe
- admin/admin
1 - Access Red Hat Single Sign-On at http://localhost:8180/auth/admin
2 - Click on Clients in the photoz realm. Open the photoz-restful-api client configuration, click on the Authorization tab and show the settings in Resources, Authorization Scopes, Policies and Permissions. Explain each one if possible.
3 - Access the photoz-html5-client application at http://localhost:8080/photoz-html5-client
4 - Log in with user alice
5 - Consent to the use of your data from photoz-restful-api by photoz-html5-client
6 - Click on Show Requesting Party Token to see the permissions in the token for the Album URL that you just requested on the main page
7 - Now click on My Profile, then click back on Show Requesting Party Token to check that you received a new profile:view permission in the RPT
8 - Click back in the browser, then create an album alices album. This will be album #1
9 - Click on Sign Out and log in with user jdoe
10 - Click on Yes on the consent screen to authorize photoz-html5-client
11 - Create an album jdoes album. This will be album #2
12 - Log in as admin in Red Hat Single Sign-On, go to Clients -> photoz-restful-api -> Authorization -> Permissions and edit the permission Album Resource Permission. Remove the policy Any User Policy
13 - Refresh the page in photoz-html5-client to check that you don't have access anymore
14 - Change the URL in the browser to photoz-html5-client/#/album/2 to confirm that you don't have access
15 - Now log out and log in again in photoz-html5-client with user admin and access the same URL photoz-html5-client/#/album/2 to confirm that admin can see jdoes album.
16 - Log out and log in again with user jdoe and access the same URL photoz-html5-client/#/album/2 to see that you still cannot see the resource.
17 - Edit the Album Resource Permission again, add the Any User policy back and refresh the jdoes album page.
18 - Now go to RH-SSO and create a time-based policy. Create a negative time policy that denies access to jdoes album for 2 minutes. As in the example below, access will be denied from minute 42 to 43.
19 - Then create a new permission for jdoes album and add the time policy you just created
20 - Refresh the page to confirm that you cannot access the album resource during the minutes you defined.
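As an added example (not part of this runbook or of the photoz application), the following Python script shows what steps 2 and 6 to 20 exercise: it decodes a constructed requesting party token carrying the authorization.permissions claim that Show Requesting Party Token displays, answers whether a resource and scope are granted, and re-implements the permission decision for the Album resource with an Any User policy plus a negative time policy for minutes 42 to 43. The token is HS256-signed with a constructed secret purely so the script runs offline; real RPTs are signed with the realm's RSA key and must be verified against it. The policy semantics are my reading of Keycloak's documented behaviour (an assumption, not code from the project): under the UNANIMOUS decision strategy every policy must grant, NEGATIVE logic inverts a policy's condition, and a permission with no policies grants nothing.

```python
import base64
import hashlib
import hmac
import json
from datetime import datetime

# Constructed secret so the sample runs offline. A real RPT from RH-SSO is
# RS256-signed with the realm key and must be verified against the realm's
# public key instead (assumption: see the lead-in).
DEMO_SECRET = b"constructed-demo-secret"


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_rpt(permissions, secret=DEMO_SECRET) -> str:
    """Build a constructed HS256 JWT with the 'authorization.permissions' claim
    in the shape shown by 'Show Requesting Party Token'."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"preferred_username": "alice",
               "authorization": {"permissions": permissions}}
    signing_input = (b64url_encode(json.dumps(header).encode()) + "."
                     + b64url_encode(json.dumps(payload).encode()))
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def decode_rpt(token: str, secret=DEMO_SECRET) -> dict:
    """Verify the signature before trusting any permission inside the token."""
    head, body, sig = token.split(".")
    expected = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("RPT signature mismatch: token altered or not issued by the realm")
    return json.loads(b64url_decode(body))


def granted_scopes(claims: dict) -> dict:
    """Map resource name -> set of granted scopes from the RPT permissions claim."""
    out = {}
    for perm in claims.get("authorization", {}).get("permissions", []):
        out.setdefault(perm["rsname"], set()).update(perm.get("scopes", []))
    return out


def has_permission(claims: dict, resource: str, scope: str = None) -> bool:
    """True if the RPT grants the resource (and, when given, the scope)."""
    scopes = granted_scopes(claims).get(resource)
    if scopes is None:
        return False
    return scope is None or scope in scopes


# --- Permission evaluation as exercised in steps 12 to 20 (assumed semantics) --

def any_user_policy(_ctx) -> bool:
    """'Any User Policy': the condition always holds."""
    return True


def time_policy(start_minute: int, end_minute: int):
    """Time policy keyed on the minute of the hour: the condition holds inside
    the window, so with NEGATIVE logic the permission is denied inside it."""
    def condition(ctx) -> bool:
        return start_minute <= ctx["now"].minute <= end_minute
    return condition


def evaluate_permission(policies, ctx) -> bool:
    """UNANIMOUS strategy: every policy must vote GRANT; NEGATIVE logic inverts
    the condition; no policies at all means no access (as seen in step 13)."""
    if not policies:
        return False
    for policy in policies:
        condition = policy["condition"](ctx)
        vote = (not condition) if policy["logic"] == "NEGATIVE" else condition
        if not vote:
            return False
    return True


ALBUM_PERMISSION = [
    {"name": "Any User Policy", "logic": "POSITIVE", "condition": any_user_policy},
    {"name": "Deny minutes 42-43", "logic": "NEGATIVE", "condition": time_policy(42, 43)},
]


def decide_at(minute: int, policies=None) -> bool:
    """Evaluate the album permission at a given minute on a constructed clock."""
    if policies is None:
        policies = ALBUM_PERMISSION
    return evaluate_permission(policies, {"now": datetime(2024, 1, 1, 10, minute)})


if __name__ == "__main__":
    # Constructed RPT: Album granted on the main page, Profile after 'My Profile'.
    token = make_rpt([
        {"rsid": "constructed-resource-id-1", "rsname": "Album", "scopes": ["album:view"]},
        {"rsid": "constructed-resource-id-2", "rsname": "Profile", "scopes": ["profile:view"]},
    ])
    claims = decode_rpt(token)
    print("album:view granted:", has_permission(claims, "Album", "album:view"))
    print("album:delete granted:", has_permission(claims, "Album", "album:delete"))
    for minute in (41, 42, 43, 44):
        print(f"minute {minute}: album access granted={decide_at(minute)}")
```

Running the script prints the grants derived from the constructed token and then the decision for minutes 41 to 44, which is denied only at 42 and 43, mirroring what step 20 shows in the browser. The signature check in decode_rpt is the part worth keeping in mind when inspecting a real RPT: the permissions claim is only meaningful once the token has been verified against the realm's key.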
- Delete the photoz realm in RH-SSO and import it again
- Import the permission definitions again in the Authorization tab of photoz-restful-api
- Delete the content of the folders tmp and data in JBoss EAP 7.1 and restart JBoss