I haven't tried it, but you could try to override the configure(WebSecurity web) method as well:

    @Override
    public void configure(WebSecurity web) throws Exception {
        web
            .ignoring()
            .antMatchers("/mobile/api/login",
                         "/mobile/api/refresh");
    }

On Thu, May 25, 2017 at 9:50 PM, Hylton Peimer <hylton.peimer(a)datos-health.com> wrote:

I have an instance of KeycloakWebSecurityConfigurerAdapter that contains the following configuration:

    protected void configure(HttpSecurity httpSecurity) throws Exception {
        super.configure(httpSecurity);
        httpSecurity
            .antMatcher("/mobile/**")
            .authorizeRequests()
            .antMatchers("/mobile/api/login",
                         "/mobile/api/refresh").permitAll()
            .antMatchers("/mobile/api/**").authenticated()
            ..........

The Client is set up for bearer-only.
It works fine, except when the access token expires.
Some mobile clients send the expired token as a header in the call to "/mobile/api/refresh".
The problem is that even though "/mobile/api/refresh" is marked as permitAll, the request is blocked.

It's not possible to fix all the mobile clients. How could I configure Spring to ignore the bearer token for the "permitAll" calls, or remove the header?

_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
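
The question's other option, removing the header, as an added example that is not part of the original thread or of the Keycloak adapter: a plain servlet filter (hypothetical class name IgnoreBearerOnPublicPathsFilter) that hides the Authorization header on the two permitAll paths. It assumes the javax.servlet API and that the filter is registered ahead of Spring Security's filter chain; unlike web.ignoring(), the rest of the security filter chain still runs for these requests.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.Collections;
import java.util.Enumeration;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

// Added example (hypothetical class name): hides the Authorization header on the
// two permitAll endpoints from the question, so a stale bearer token is never evaluated.
public class IgnoreBearerOnPublicPathsFilter implements Filter {
    private static final Set<String> PUBLIC_PATHS = new HashSet<>(
            Arrays.asList("/mobile/api/login", "/mobile/api/refresh"));

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        // Exact match on servletPath + pathInfo, the path Spring's ant matchers use.
        String path = http.getServletPath()
                + (http.getPathInfo() == null ? "" : http.getPathInfo());
        chain.doFilter(PUBLIC_PATHS.contains(path) ? new NoAuthHeader(http) : req, res);
    }

    @Override public void init(FilterConfig cfg) { }
    @Override public void destroy() { }

    // Request view in which "Authorization" does not exist (header names are case-insensitive).
    private static final class NoAuthHeader extends HttpServletRequestWrapper {
        NoAuthHeader(HttpServletRequest request) { super(request); }
        private static boolean hidden(String name) {
            return "Authorization".equalsIgnoreCase(name);
        }
        @Override public String getHeader(String name) {
            return hidden(name) ? null : super.getHeader(name);
        }
        @Override public Enumeration<String> getHeaders(String name) {
            return hidden(name) ? Collections.<String>emptyEnumeration() : super.getHeaders(name);
        }
        @Override public Enumeration<String> getHeaderNames() {
            List<String> names = Collections.list(super.getHeaderNames());
            names.removeIf(NoAuthHeader::hidden);
            return Collections.enumeration(names);
        }
    }
}
```

The path set is matched exactly, so every other /mobile/api/** request still carries its Authorization header to the authenticated() rule.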