keycloak-uncached
Changes
adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/authorization/PathMatcher.java 4(+3 -1)
testsuite/integration-arquillian/test-apps/servlet-policy-enforcer/servlet-policy-enforcer-authz-realm.json 28(+28 -0)
Details
diff --git a/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/authorization/PathMatcher.java b/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/authorization/PathMatcher.java
index 8e83de1..8bec840 100644
--- a/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/authorization/PathMatcher.java
+++ b/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/authorization/PathMatcher.java
@@ -95,7 +95,9 @@ class PathMatcher {
}
if (WILDCARD == expectedUri.charAt(expectedUri.length() - 1)) {
- matchingAnyPath = entry;
+ if (matchingAnyPath == null || matchingAnyPath.getPath().length() < matchingUri.length()) {
+ matchingAnyPath = entry;
+ }
} else {
int suffixIndex = expectedUri.indexOf(WILDCARD + ".");
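Review bot: In the wildcard branch the new guard measures the stored candidate with `matchingAnyPath.getPath().length()` but the incoming one with `matchingUri.length()`, not with the pattern that was just tested (`expectedUri`). The check is therefore only a like-for-like "most specific pattern wins" comparison if `matchingUri` always equals the entry's configured path, and its assignment is outside this hunk, so that needs confirming. If the longest pattern is meant to win, `if (matchingAnyPath == null || matchingAnyPath.getPath().length() < expectedUri.length()) {` says so directly. With the strict `<`, wildcard patterns of equal length that both match (if that can happen, for example with templated segments) still resolve to whichever entry is iterated first. Since this choice decides which resource's permission the enforcer evaluates for a request, a comment such as `// prefer the most specific (longest) wildcard pattern; ties keep the first match` above the guard would document the rule; the enclosing loop and method begin and end outside the hunk.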
diff --git a/testsuite/integration-arquillian/test-apps/servlet-policy-enforcer/servlet-policy-enforcer-authz-realm.json b/testsuite/integration-arquillian/test-apps/servlet-policy-enforcer/servlet-policy-enforcer-authz-realm.json
index 073dd80..bad1b25 100644
--- a/testsuite/integration-arquillian/test-apps/servlet-policy-enforcer/servlet-policy-enforcer-authz-realm.json
+++ b/testsuite/integration-arquillian/test-apps/servlet-policy-enforcer/servlet-policy-enforcer-authz-realm.json
@@ -107,6 +107,14 @@
{
"name": "Pattern 12",
"uri": "/realm_uri"
+ },
+ {
+ "name": "Pattern 13",
+ "uri": "/keycloak-6623/*"
+ },
+ {
+ "name": "Pattern 14",
+ "uri": "/keycloak-6623/sub-resource/*"
}
],
"policies": [
@@ -258,6 +266,26 @@
"resources": "[\"Pattern 12\"]",
"applyPolicies": "[\"Default Policy\"]"
}
+ },
+ {
+ "name": "Pattern 13 Permission",
+ "type": "resource",
+ "logic": "POSITIVE",
+ "decisionStrategy": "UNANIMOUS",
+ "config": {
+ "resources": "[\"Pattern 13\"]",
+ "applyPolicies": "[\"Default Policy\"]"
+ }
+ },
+ {
+ "name": "Pattern 14 Permission",
+ "type": "resource",
+ "logic": "POSITIVE",
+ "decisionStrategy": "UNANIMOUS",
+ "config": {
+ "resources": "[\"Pattern 14\"]",
+ "applyPolicies": "[\"Default Policy\"]"
+ }
}
],
"scopes": []
diff --git a/testsuite/integration-arquillian/test-apps/servlet-policy-enforcer/src/main/webapp/WEB-INF/keycloak.json b/testsuite/integration-arquillian/test-apps/servlet-policy-enforcer/src/main/webapp/WEB-INF/keycloak.json
index 1dfcd7b..0dd6a14 100644
--- a/testsuite/integration-arquillian/test-apps/servlet-policy-enforcer/src/main/webapp/WEB-INF/keycloak.json
+++ b/testsuite/integration-arquillian/test-apps/servlet-policy-enforcer/src/main/webapp/WEB-INF/keycloak.json
@@ -60,6 +60,14 @@
{
"name": "Pattern 12",
"path": "/keycloak_json_uri"
+ },
+ {
+ "name": "Pattern 14",
+ "path": "/keycloak-6623/sub-resource/*"
+ },
+ {
+ "name": "Pattern 13",
+ "path": "/keycloak-6623/*"
}
]
}
diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/adapter/example/authorization/AbstractServletPolicyEnforcerTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/adapter/example/authorization/AbstractServletPolicyEnforcerTest.java
index 2661185..5c6b0eb 100644
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/adapter/example/authorization/AbstractServletPolicyEnforcerTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/adapter/example/authorization/AbstractServletPolicyEnforcerTest.java
@@ -379,6 +379,32 @@ public abstract class AbstractServletPolicyEnforcerTest extends AbstractExampleA
});
}
+ @Test
+ public void testPathOrderWithAllPaths() {
+ performTests(() -> {
+ login("alice", "alice");
+ navigateTo("/keycloak-6623");
+ assertFalse(wasDenied());
+ navigateTo("/keycloak-6623/sub-resource");
+ assertFalse(wasDenied());
+
+ updatePermissionPolicies("Pattern 13 Permission", "Deny Policy");
+
+ login("alice", "alice");
+ navigateTo("/keycloak-6623");
+ assertTrue(wasDenied());
+ navigateTo("/keycloak-6623/sub-resource");
+ assertFalse(wasDenied());
+
+ updatePermissionPolicies("Pattern 14 Permission", "Deny Policy");
+
+ login("alice", "alice");
+ navigateTo("/keycloak-6623");
+ assertTrue(wasDenied());
+ navigateTo("/keycloak-6623/sub-resource/resource");
+ assertTrue(wasDenied());
+ });
+ }
private void navigateTo(String path) {
this.driver.navigate().to(getResourceServerUrl() + path);