keycloak.enable property only works for the Spring Boot Adapter, not for
the Spring Security Adapter. There is already a ticket opened to align the
feature.
On Wed, Nov 29, 2017 at 1:35 PM, Pharande Rahul <rahul.pharande(a)gi-de.com>
wrote:
Hi,
While using “keycloak-spring-boot-starter v3.4.0.Final” with
“spring-boot-starter-security V1.5.8.RELEASE”, I’m getting a
NullPointerException as described below.
Please let me know if anyone has a suggestion on this, or whether this is
really a defect in the Keycloak adapter.
Precondition –
· Application configured to use spring-security with
KeycloakWebSecurityConfigurerAdapter, as shown below in class SecurityConfig
in Example Section A.
· Keycloak disabled in the Spring Boot application properties with
“keycloak.enabled = false”
Expected Result –
· When Keycloak is disabled, spring security should handle
authentication OR should not perform authentication.
Actual Result –
java.lang.NullPointerException: null
    at org.keycloak.adapters.KeycloakDeploymentBuilder.internalBuild(KeycloakDeploymentBuilder.java:55) ~[keycloak-adapter-core-3.4.0.Final.jar!/:3.4.0.Final]
    at org.keycloak.adapters.KeycloakDeploymentBuilder.build(KeycloakDeploymentBuilder.java:164) ~[keycloak-adapter-core-3.4.0.Final.jar!/:3.4.0.Final]
    at org.keycloak.adapters.springboot.KeycloakSpringBootConfigResolver.resolve(KeycloakSpringBootConfigResolver.java:37) ~[keycloak-spring-boot-adapter-3.4.0.Final.jar!/:3.4.0.Final]
    at org.keycloak.adapters.AdapterDeploymentContext.resolveDeployment(AdapterDeploymentContext.java:88) ~[keycloak-adapter-core-3.4.0.Final.jar!/:3.4.0.Final]
    at org.keycloak.adapters.PreAuthActionsHandler.preflightCors(PreAuthActionsHandler.java:107) ~[keycloak-adapter-core-3.4.0.Final.jar!/:3.4.0.Final]
    at org.keycloak.adapters.PreAuthActionsHandler.handleRequest(PreAuthActionsHandler.java:79) ~[keycloak-adapter-core-3.4.0.Final.jar!/:3.4.0.Final]
    at org.keycloak.adapters.springsecurity.filter.KeycloakPreAuthActionsFilter.doFilter(KeycloakPreAuthActionsFilter.java:81) ~[keycloak-spring-security-adapter-3.4.0.Final.jar!/:3.4.
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331) ~[spring-security-web-4.2.3.RELEASE.jar!/:4.2.3.RELEASE]
    at org.springframework.security.web.csrf.CsrfFilter.doFilterInternal(CsrfFilter.java:100) ~[spring-security-web-4.2.3.RELEASE.jar!/:4.2.3.RELEASE]
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) ~[spring-web-4.3.12.RELEASE.jar!/:4.3.12.RELEASE]
What can be done here:
· Ideal Option: Keycloak adapter classes like
“KeycloakWebSecurityConfigurerAdapter” should avoid registering their
filters when the “keycloak.enabled” property is false.
· Temporary Option: we can handle this at the application config level
by defining on the SecurityConfig class
    o @ConditionalOnProperty(name = "keycloak.enabled", havingValue = "true")
Example Section A:
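import org.keycloak.adapters.KeycloakConfigResolver;
import org.keycloak.adapters.springboot.KeycloakSpringBootConfigResolver;
import org.keycloak.adapters.springsecurity.KeycloakConfiguration;
import org.keycloak.adapters.springsecurity.authentication.KeycloakAuthenticationProvider;
import org.keycloak.adapters.springsecurity.config.KeycloakWebSecurityConfigurerAdapter;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.authority.mapping.SimpleAuthorityMapper;
import org.springframework.security.web.authentication.session.NullAuthenticatedSessionStrategy;
import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy;

@KeycloakConfiguration
public class SecurityConfig extends KeycloakWebSecurityConfigurerAdapter {

    // Register the Keycloak provider and map its roles to Spring authorities.
    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        KeycloakAuthenticationProvider keyCloakAuthProvider = keycloakAuthenticationProvider();
        keyCloakAuthProvider.setGrantedAuthoritiesMapper(new SimpleAuthorityMapper());
        auth.authenticationProvider(keyCloakAuthProvider);
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // super.configure() is where the Keycloak filters are added to the chain.
        super.configure(http);
        http
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
            .sessionAuthenticationStrategy(sessionAuthenticationStrategy())
            .and()
            .authorizeRequests()
            .antMatchers("/test*").hasRole("ADMIN")
            .anyRequest().permitAll();
    }

    @Override
    protected SessionAuthenticationStrategy sessionAuthenticationStrategy() {
        return new NullAuthenticatedSessionStrategy();
    }

    // Resolve the adapter configuration from the Spring Boot keycloak.* properties.
    @Bean
    public KeycloakConfigResolver KeyCloakConfigResolver() {
        return new KeycloakSpringBootConfigResolver();
    }
}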
Thanks and Regards.
Rahul Pharande
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
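
Added example, not part of the original thread or of the Keycloak project: a fallback configuration to pair with the "Temporary Option" above, so that turning Keycloak off does not also drop the "/test*" role rule. FallbackSecurityConfig, the "admin" user and the fallback.admin.password property are hypothetical names; the Spring Security 4.2 line from the post is assumed.

```java
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;

// On SecurityConfig from Example Section A, the matching condition would be:
//   @ConditionalOnProperty(name = "keycloak.enabled", havingValue = "true",
//                          matchIfMissing = true)
// matchIfMissing is an addition to the annotation in the post: without it, an
// absent property would load neither configuration class.

// Hypothetical fallback: active only when keycloak.enabled=false, so no
// Keycloak filter is registered while the URL rules stay the same.
@Configuration
@EnableWebSecurity
@ConditionalOnProperty(name = "keycloak.enabled", havingValue = "false")
public class FallbackSecurityConfig extends WebSecurityConfigurerAdapter {

    // Assumption: a local admin password supplied by the deployment under a
    // made-up property name; startup fails if the property is not set.
    @Value("${fallback.admin.password}")
    private String adminPassword;

    // Spring Security 4.2 compares in-memory passwords as plain text.
    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication()
            .withUser("admin").password(adminPassword).roles("ADMIN");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
            .and()
            .authorizeRequests()
                .antMatchers("/test*").hasRole("ADMIN")
                .anyRequest().permitAll()
            .and()
            .httpBasic();
    }
}
```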