[keycloak-user] Spring checks Bearer token for permitted requests
Hylton Peimer
hylton.peimer at datos-health.com
Thu May 25 15:50:47 EDT 2017
I have an instance of KeycloakWebSecurityConfigurerAdapter that contains
the following configuration:
protected void configure(HttpSecurity httpSecurity) throws Exception {
    super.configure(httpSecurity);
    httpSecurity
        .antMatcher("/mobile/**")
        .authorizeRequests()
        // public endpoints: no authentication required
        .antMatchers("/mobile/api/login", "/mobile/api/refresh").permitAll()
        // everything else under /mobile/api needs a valid bearer token
        .antMatchers("/mobile/api/**").authenticated()
        ..........
The Client is set up for bearer-only.
It works fine, except when the access token expires.
Some mobile clients send the expired token as a header in the call to
"/mobile/api/refresh".
The problem is that even though "/mobile/api/refresh" is marked as
permitAll, the request is blocked.
It's not possible to fix all the mobile clients. How could I configure
Spring to ignore the bearer token for the "permitAll" calls, or remove the
header?