[keycloak-user] Spring checks Bearer token for permitted requests
Sebastien Blanc
sblanc at redhat.com
Fri May 26 02:15:05 EDT 2017
I haven't tried it but you could try to override the configure(WebSecurity web) method as well:

@Override
public void configure(WebSecurity web) throws Exception {
    web
        .ignoring()
        .antMatchers("/mobile/api/login",
                     "/mobile/api/refresh");
}
On Thu, May 25, 2017 at 9:50 PM, Hylton Peimer <hylton.peimer at datos-health.com> wrote:
> I have an instance of KeycloakWebSecurityConfigurerAdapter that contains
> the following configuration:
>
> protected void configure(HttpSecurity httpSecurity) throws Exception {
>     super.configure(httpSecurity);
>
>     httpSecurity
>         .antMatcher("/mobile/**")
>         .authorizeRequests()
>             .antMatchers("/mobile/api/login",
>                          "/mobile/api/refresh").permitAll()
>             .antMatchers("/mobile/api/**").authenticated()
>
>         ..........
>
> The Client is setup for bearer-only.
>
> It works fine, except when the access token expires.
>
> Some mobile clients send the expired token as a header in the call to
> "/mobile/api/refresh".
>
> The problem is that even though "/mobile/api/refresh" is marked as
> permitAll, the request is blocked.
>
> It's not possible to fix all the mobile clients. How could I configure
> Spring to ignore the bearer token for the "permitAll" calls, or remove the
> header?
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
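As an added example (not code from either message in this thread, nor from the Keycloak project), here is a complete adapter class that combines the HttpSecurity rules from the question with the configure(WebSecurity) override from the reply. The reason permitAll alone does not help: the Keycloak adapter's authentication filter runs before the authorization check, and when a request carries an Authorization: Bearer header it tries to authenticate with that token and rejects the request if the token is expired; permitAll only affects the later authorization decision. web.ignoring() takes the matched requests out of the Spring Security filter chain entirely, so that filter never sees the stale header. The package name, class name, and the restriction to POST are assumptions.

```java
// Added example, not from the original thread or the Keycloak project.
// Package and class name are assumptions; the endpoint paths are the ones
// from the question.
package com.example.mobile.security;

import org.keycloak.adapters.springsecurity.KeycloakSecurityComponents;
import org.keycloak.adapters.springsecurity.config.KeycloakWebSecurityConfigurerAdapter;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.ComponentScan;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.authentication.session.NullAuthenticatedSessionStrategy;
import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy;

@Configuration
@EnableWebSecurity
@ComponentScan(basePackageClasses = KeycloakSecurityComponents.class)
public class MobileSecurityConfig extends KeycloakWebSecurityConfigurerAdapter {

    // Endpoints that must stay reachable even when a client still sends an
    // expired access token in the Authorization header.
    private static final String[] PUBLIC_ENDPOINTS = {
            "/mobile/api/login",
            "/mobile/api/refresh"
    };

    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) {
        // Register the Keycloak provider that validates bearer tokens.
        auth.authenticationProvider(keycloakAuthenticationProvider());
    }

    @Bean
    @Override
    protected SessionAuthenticationStrategy sessionAuthenticationStrategy() {
        // Bearer-only client: no HTTP session is created for the caller.
        return new NullAuthenticatedSessionStrategy();
    }

    @Override
    public void configure(WebSecurity web) throws Exception {
        // Remove these requests from the Spring Security filter chain so the
        // Keycloak bearer filter never inspects the stale Authorization header.
        // Limiting the exclusion to POST is an assumption that keeps it narrow;
        // drop HttpMethod.POST if the clients use a different method.
        web.ignoring().antMatchers(HttpMethod.POST, PUBLIC_ENDPOINTS);
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // super.configure() installs the Keycloak filters for everything that
        // still passes through the chain.
        super.configure(http);
        http.antMatcher("/mobile/**")
            .authorizeRequests()
                // Kept for documentation: permitAll alone does not stop the
                // bearer filter from failing a request with an expired token.
                .antMatchers(PUBLIC_ENDPOINTS).permitAll()
                .antMatchers("/mobile/api/**").authenticated();
    }
}
```

Two things to check before using this. Ignored requests bypass every Spring Security filter, not only the Keycloak one: no security headers, no CSRF handling and no authentication at all, so /mobile/api/refresh has to validate the refresh token it receives on its own (typically by handing it to Keycloak's token endpoint) and must not rely on anything the adapter would otherwise have established. Second, confirm which HTTP method the mobile clients actually use for these calls; the POST restriction is an example, not part of the original configuration.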