[keycloak-user] Spring Boot and Keycloak

Tony Harris Tony.Harris at oneadvanced.com
Mon Nov 11 09:08:09 EST 2019


You have CSRF turned on in your Spring config so it will expect the correct CSRF code to be returned in all PUT, POST and DELETE requests.  Without it Spring, for me anyway, returns 403.  It's not Keycloak that is doing that, well not at this stage anyway.

Your original GET request response should include the CSRF token value you need to send back to your Spring app.

Turn off csrf in your config below and test it again; at least with it off temporarily you can test your Keycloak implementation.


-----Original Message-----
From: John Norris [mailto:johnnorris-10 at outlook.com]
Sent: 11 November 2019 14:04
To: Tony Harris <Tony.Harris at oneadvanced.com>; keycloak-user at lists.jboss.org
Subject: Re[2]: Spring Boot and Keycloak

Hi Tony,
thanks for this.
So the spring code already contained the csrf code. Is that not working properly?

------ Original Message ------
From: "Tony Harris" <Tony.Harris at oneadvanced.com>
To: "John Norris" <johnnorris-10 at outlook.com>; "keycloak-user at lists.jboss.org" <keycloak-user at lists.jboss.org>
Sent: 11/11/2019 12:18:43
Subject: RE: Spring Boot and Keycloak

>I have seen 403 responses when the CSRF token is not sent with the request.
>The Spring security code is
>   protected void configure(HttpSecurity http) throws Exception
>    {
>       super.configure(http);
>       http
>          .authorizeRequests()
>          .antMatchers("/**").hasRole("user")
>          .antMatchers("/", "/login**", "/unpkg.com/**", "/cdn.jsdelivr.net","/error**","/*.js","/*.css")
>          .permitAll()
>          .anyRequest()
>          .authenticated()
>          .and()
>          .csrf()
>          .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse());
>    }
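The cookie/header round trip Tony describes for CookieCsrfTokenRepository.withHttpOnlyFalse() (the GET response sets an XSRF-TOKEN cookie that JavaScript may read, and every PUT/POST/DELETE must echo it back in an X-XSRF-TOKEN header or _csrf parameter, else 403), modelled on both sides as an added example that is not part of this thread or of Spring's own code; the cookie value and the names xsrfTokenFromCookie, buildRequest and csrfFilter are constructed for the illustration.

```javascript
// Added example (not from the thread): a model of Spring's double-submit CSRF
// check for CookieCsrfTokenRepository.withHttpOnlyFalse(). Cookie name
// XSRF-TOKEN, header X-XSRF-TOKEN and parameter _csrf are Spring's defaults.

// Methods Spring's CsrfFilter exempts from the check by default.
const SAFE_METHODS = new Set(["GET", "HEAD", "TRACE", "OPTIONS"]);

// Client side: pull XSRF-TOKEN out of a document.cookie-style string.
function xsrfTokenFromCookie(cookieHeader) {
  for (const part of cookieHeader.split(";")) {
    const [name, ...rest] = part.trim().split("=");
    if (name === "XSRF-TOKEN") return decodeURIComponent(rest.join("="));
  }
  return null;
}

// Client side: build a request, attaching the header only where Spring checks it.
function buildRequest(method, cookieHeader, headers = {}) {
  const req = { method: method.toUpperCase(), cookie: cookieHeader, headers: { ...headers } };
  if (!SAFE_METHODS.has(req.method)) {
    const token = xsrfTokenFromCookie(cookieHeader);
    if (token !== null) req.headers["X-XSRF-TOKEN"] = token;
  }
  return req;
}

// Constant-time comparison so a mismatch does not leak how many bytes matched.
function tokensMatch(a, b) {
  if (a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// Server side: the comparison CsrfFilter makes; returns the status it would send.
function csrfFilter(req) {
  if (SAFE_METHODS.has(req.method)) return 200;
  const expected = xsrfTokenFromCookie(req.cookie || "");
  const actual = req.headers["X-XSRF-TOKEN"] ?? req.params?._csrf ?? null;
  if (expected === null || actual === null) return 403;   // missing token -> 403
  return tokensMatch(expected, actual) ? 200 : 403;        // wrong token  -> 403
}

// Constructed cookie jar as a browser would hold it after the initial GET.
const SESSION_COOKIE = "JSESSIONID=abc123; XSRF-TOKEN=0f3d8c5e-demo-token";
```

A POST built with buildRequest passes the filter, while the same POST without the header, or with a stale value, is the 403 the thread is chasing.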

