Hello,
I have used keycloak to handle authorisation and authentication for a Spring Boot app
which uses REST.
I can get a token and use it for successful GET requests but for POST, PUT, DELETE, I get
a 403 Forbidden error.
I have set up a single realm role - "user" and associated that role with the
users.
The keycloak entries in application.properties are
# keycloak
keycloak.auth-server-url=http://mint191:8080/auth
keycloak.realm=SpringBootKeycloak
keycloak.resource=bikes-app
keycloak.public-client=true
keycloak.principal-attribute=preferred_username
The Spring security code is
    protected void configure(HttpSecurity http) throws Exception
    {
        super.configure(http);
        http
            .authorizeRequests()
                .antMatchers("/**").hasRole("user")
                .antMatchers("/", "/login**", "/unpkg.com/**",
                             "/cdn.jsdelivr.net", "/error**", "/*.js", "/*.css")
                    .permitAll()
                .anyRequest()
                    .authenticated()
            .and()
            .csrf()
                .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse());
    }
When I use curl and a token for POST
    curl -H "Authorization: Bearer $TOKEN" -k -w "\n" -X POST \
         -d '{"fields": "values"}' -H "Content-Type: application/json" \
         https://mint191:8453/api/v1/bicycles
I get a response of
{"timestamp":"2019-11-11T10:39:38.027+0000","status":403,"error":"Forbidden","message":"Forbidden","path":"/api/v1/bicycles"}
Is there more configuration that I have to do with keycloak? Have I got the security code
wrong in Spring?
Regards,
John