Yes, disabling CSRF does allow the non-GET requests to work.
Thank you so much - at least I now know what I have to look at.
------ Original Message ------
From: "Tony Harris" <Tony.Harris(a)oneadvanced.com>
To: "John Norris" <johnnorris-10(a)outlook.com>;
"keycloak-user(a)lists.jboss.org" <keycloak-user(a)lists.jboss.org>
Sent: 11/11/2019 14:08:09
Subject: RE: Re[2]: Spring Boot and Keycloak
John
You have CSRF turned on in your Spring config, so it will expect the correct CSRF token to
be returned in all PUT, POST and DELETE requests. Without it, Spring (for me anyway)
returns 403. It's not Keycloak that is doing that, well not at this stage anyway.
Your original GET request response should include the CSRF token value you need to send
back to your Spring app.
Turn off CSRF in your config below and test it again; with it off temporarily you can at
least test your Keycloak implementation.
Tony
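The round trip Tony describes, as an added example that is not part of the thread and not Spring's or Keycloak's own code: with `CookieCsrfTokenRepository.withHttpOnlyFalse()` Spring sets an `XSRF-TOKEN` cookie on the first response and expects the same value back in an `X-XSRF-TOKEN` header on every non-safe request (those two names are Spring's defaults for that repository). The client-side helper below reads the token out of a `document.cookie`-style string and attaches it only to state-changing methods; the second half is a simplified simulation of Spring's `CsrfFilter` (header check only, the `_csrf` form parameter path is omitted) so the 403 for a missing or mismatched token can be reproduced offline. Cookie and token values are constructed.

```javascript
// Added example, not code from the mailing-list thread.
// Names below are Spring Security's defaults for CookieCsrfTokenRepository.
const CSRF_COOKIE = "XSRF-TOKEN";
const CSRF_HEADER = "X-XSRF-TOKEN";
// Spring's CsrfFilter does not require a token for these methods.
const SAFE_METHODS = new Set(["GET", "HEAD", "TRACE", "OPTIONS"]);

// Pull the CSRF token out of a document.cookie-style string.
// Returns null when the cookie is absent (e.g. no GET was made first).
function csrfTokenFromCookie(cookieString) {
  for (const part of cookieString.split(";")) {
    const idx = part.indexOf("=");
    if (idx === -1) continue;
    const name = part.slice(0, idx).trim();
    if (name === CSRF_COOKIE) {
      return decodeURIComponent(part.slice(idx + 1).trim());
    }
  }
  return null;
}

// Client side: build request headers, adding the token only for
// state-changing methods. This is what the browser code must do before
// calling fetch() with method PUT/POST/DELETE against the Spring app.
function headersForRequest(method, cookieString) {
  const headers = { "Content-Type": "application/json" };
  if (SAFE_METHODS.has(method.toUpperCase())) return headers;
  const token = csrfTokenFromCookie(cookieString);
  if (token !== null) headers[CSRF_HEADER] = token;
  return headers;
}

// Length-independent comparison so the check does not leak token bytes
// through timing (Spring does the equivalent internally).
function tokensMatch(a, b) {
  if (a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// Server side (simplified simulation of CsrfFilter with a cookie repository):
// the header value must equal the token stored in the cookie.
// Returns 200 when the request passes, 403 when the token is missing or wrong.
function simulateCsrfFilter(method, cookieString, headers) {
  if (SAFE_METHODS.has(method.toUpperCase())) return 200;
  const expected = csrfTokenFromCookie(cookieString);
  const actual = headers[CSRF_HEADER] ?? null;
  if (expected === null || actual === null) return 403;
  return tokensMatch(expected, actual) ? 200 : 403;
}

// Constructed example of what the browser holds after the first GET.
const cookieAfterGet = "JSESSIONID=abc123; XSRF-TOKEN=f4d7-constructed-token";
const withToken = headersForRequest("POST", cookieAfterGet);
const withoutToken = { "Content-Type": "application/json" };
console.log("POST with token   ->", simulateCsrfFilter("POST", cookieAfterGet, withToken));    // 200
console.log("POST without token->", simulateCsrfFilter("POST", cookieAfterGet, withoutToken)); // 403
```

Because the cookie is deliberately not HttpOnly, a browser client can read it with `document.cookie`; a same-origin script that only ever sends GET, or that does not copy the cookie value into the header, gets exactly the 403 described above, and that happens before the Keycloak adapter is involved.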
-----Original Message-----
From: John Norris [mailto:johnnorris-10@outlook.com]
Sent: 11 November 2019 14:04
To: Tony Harris <Tony.Harris(a)oneadvanced.com>; keycloak-user(a)lists.jboss.org
Subject: Re[2]: Spring Boot and Keycloak
Hi Tony,
thanks for this.
So the Spring code already contained the CSRF code. Is that not working properly?
------ Original Message ------
From: "Tony Harris" <Tony.Harris(a)oneadvanced.com>
To: "John Norris" <johnnorris-10(a)outlook.com>;
"keycloak-user(a)lists.jboss.org" <keycloak-user(a)lists.jboss.org>
Sent: 11/11/2019 12:18:43
Subject: RE: Spring Boot and Keycloak
>I have seen 403 responses when the CSRF token is not sent with the request.
>
>
>The Spring security code is
>
>    protected void configure(HttpSecurity http) throws Exception
>    {
>        super.configure(http);
>        http
>            .authorizeRequests()
>                // Matchers are evaluated in order and the first match wins, so the
>                // permitAll patterns must come before the catch-all "/**".
>                .antMatchers("/", "/login**", "/unpkg.com/**",
>                             "/cdn.jsdelivr.net", "/error**", "/*.js", "/*.css")
>                .permitAll()
>                .antMatchers("/**").hasRole("user")
>                .anyRequest()
>                .authenticated()
>            .and()
>            .csrf()
>                // Token is issued as an XSRF-TOKEN cookie readable by JavaScript and
>                // must be echoed back in the X-XSRF-TOKEN header on non-GET requests.
>                .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse());
>    }
>