This repository has been archived by the owner on Dec 7, 2020. It is now read-only.

default resource /* still activated #381

Closed
sebastienblanc opened this issue Jun 13, 2018 · 3 comments

Comments

@sebastienblanc

I have a config file that should just check on uri /products* but for some reason on master it is checking on /* for authenticated users. I can see it in the logs:

{"level":"info","ts":1528894303.8539765,"msg":"protecting resource","resource":"uri: /*, methods: DELETE,GET,HEAD,OPTIONS,PATCH,POST,PUT,TRACE, required: authentication only"}

My complete config can be found here: https://gist.github.com/sebastienblanc/cc4d4a956a8128549df1843bb0cffed4

That config was working with a previous version of the proxy (cannot tell exactly which one, but something like 2 months ago).

@gambol99
Contributor

gambol99 commented Jun 13, 2018

hi @sebastienblanc .. if I was to guess, it was a change added in https://github.com/gambol99/keycloak-proxy/blob/master/CHANGELOG.md#220 (check the breaking changes) .. #368 .. It was added as someone was exposing a url, having got the resources wrong and not realizing it .. I'd prefer to break the site than expose something they didn't mean to
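To make the behaviour described in this comment concrete, here is a small added model (not keycloak-proxy's own code) of how enable-default-deny appends an implicit `/*` resource requiring authentication only, and what that means for a request to a path nobody declared. The glob matching, first-match ordering and "token must hold every listed role" rule are assumptions about the proxy, not facts taken from this thread.

```python
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import List, Optional

# Method list as it appears in the "protecting resource" log line above.
ALL_METHODS = ["DELETE", "GET", "HEAD", "OPTIONS", "PATCH", "POST", "PUT", "TRACE"]


@dataclass
class Resource:
    uri: str                                        # glob such as /products* or /*
    methods: List[str] = field(default_factory=lambda: list(ALL_METHODS))
    roles: List[str] = field(default_factory=list)  # empty list: authentication only


def effective_resources(declared: List[Resource], enable_default_deny: bool) -> List[Resource]:
    """Model of the 2.2.0 behaviour: with enable-default-deny the proxy appends an
    implicit /* resource requiring authentication only (ordering is an assumption)."""
    resources = list(declared)
    if enable_default_deny:
        resources.append(Resource(uri="/*"))
    return resources


def describe(r: Resource) -> str:
    """Render a resource the way the issue's log line does."""
    required = "roles: " + ",".join(r.roles) if r.roles else "authentication only"
    return f"uri: {r.uri}, methods: {','.join(r.methods)}, required: {required}"


def decide(resources: List[Resource], path: str, method: str,
           token_roles: Optional[List[str]]) -> str:
    """token_roles=None means no token was presented. First matching resource wins;
    a request that matches no resource at all is proxied through unprotected."""
    for r in resources:
        if method in r.methods and fnmatchcase(path, r.uri):
            if token_roles is None:
                return "unauthenticated"          # proxy would redirect to login
            if not set(r.roles) <= set(token_roles):
                return "forbidden"                # authenticated but missing a role
            return "allow"
    return "allow"                                # no rule: passes straight through


if __name__ == "__main__":
    declared = [Resource(uri="/products*", roles=["customer"])]  # constructed config
    for r in effective_resources(declared, True):
        print("protecting resource:", describe(r))
    # /admin is undeclared, yet any authenticated user reaches it with default deny on,
    # and an anonymous client reaches it with default deny off (the #368 failure mode).
    print(decide(effective_resources(declared, True), "/admin", "GET", []))
    print(decide(effective_resources(declared, False), "/admin", "GET", None))
```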

@sebastienblanc
Author

Oh sorry ! You are totally right ! Sorry for the noise !

@narerkrit-dotography

Hi @gambol99 I just need some clarification on this issue.

The config enable-default-deny: true will automatically protect the resource /* with requirement authentication only. Correct?

So, if I want to completely deny all undeclared resources even for authenticated users, I have to declare it myself?

Is there any config for blacklisting a resource, regardless of token credentials? Thank you.
