I am trying to use Spring Boot with Keycloak, so I created 2 clients in Keycloak:
1 - "central-front" is public, where my user will get a token
2 - "central-api" is "bearer-only", where my API will validate the token
In my "central-api" I created 2 roles, CLIENTE and CARTORIO, then I created one user with the CLIENTE role and another with CARTORIO.
In my back end I configured it just like this:
package br.com.lumera.centralback.config;

import org.keycloak.adapters.KeycloakConfigResolver;
import org.keycloak.adapters.springboot.KeycloakSpringBootConfigResolver;
import org.keycloak.adapters.springsecurity.authentication.KeycloakAuthenticationProvider;
import org.keycloak.adapters.springsecurity.config.KeycloakWebSecurityConfigurerAdapter;
import org.keycloak.adapters.springsecurity.filter.KeycloakAuthenticatedActionsFilter;
import org.keycloak.adapters.springsecurity.filter.KeycloakAuthenticationProcessingFilter;
import org.keycloak.adapters.springsecurity.filter.KeycloakPreAuthActionsFilter;
import org.keycloak.adapters.springsecurity.filter.KeycloakSecurityContextRequestFilter;
import org.springframework.boot.web.servlet.FilterRegistrationBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.authority.mapping.GrantedAuthoritiesMapper;
import org.springframework.security.core.authority.mapping.SimpleAuthorityMapper;
import org.springframework.security.web.authentication.session.NullAuthenticatedSessionStrategy;
import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy;

@Configuration
@EnableWebSecurity
public class KeycloakSecurityConfigurer extends KeycloakWebSecurityConfigurerAdapter {

    @Bean
    public GrantedAuthoritiesMapper grantedAuthoritiesMapper() {
        // Spring Boot expects every role to start with "ROLE_"; this
        // configuration adds the ROLE_ prefix to the incoming roles
        SimpleAuthorityMapper mapper = new SimpleAuthorityMapper();
        mapper.setConvertToUpperCase(true);
        return mapper;
    }

    @Override
    protected KeycloakAuthenticationProvider keycloakAuthenticationProvider() {
        final KeycloakAuthenticationProvider provider = super.keycloakAuthenticationProvider();
        provider.setGrantedAuthoritiesMapper(grantedAuthoritiesMapper());
        return provider;
    }

    @Override
    protected void configure(final AuthenticationManagerBuilder auth) throws Exception {
        auth.authenticationProvider(keycloakAuthenticationProvider());
    }

    @Override
    protected SessionAuthenticationStrategy sessionAuthenticationStrategy() {
        // bearer-only API: no server-side session is created for the token
        return new NullAuthenticatedSessionStrategy();
    }

    @Override
    protected void configure(final HttpSecurity http) throws Exception {
        super.configure(http);
        http
            .authorizeRequests()
            .antMatchers(HttpMethod.OPTIONS, "/**").permitAll()
            .antMatchers("/estado/*").hasRole("CLIENTE")
            .antMatchers("/natureza/*").hasRole("CLIENTE")
            .antMatchers("/cartorio/*").hasRole("CLIENTE")
            .antMatchers("/mensagem/*").hasRole("CLIENTE")
            .anyRequest().permitAll();
    }

    // The two registrations below keep Spring Boot from registering the
    // Keycloak filters a second time outside the security filter chain
    @Bean
    public FilterRegistrationBean keycloakAuthenticationProcessingFilterRegistrationBean(
            final KeycloakAuthenticationProcessingFilter filter) {
        final FilterRegistrationBean registrationBean = new FilterRegistrationBean(filter);
        registrationBean.setEnabled(false);
        return registrationBean;
    }

    @Bean
    public FilterRegistrationBean keycloakPreAuthActionsFilterRegistrationBean(
            final KeycloakPreAuthActionsFilter filter) {
        final FilterRegistrationBean registrationBean = new FilterRegistrationBean(filter);
        registrationBean.setEnabled(false);
        return registrationBean;
    }
}
and my keycloak.json:
{
"realm" : "Lumera",
"bearer-only" : true,
"auth-server-url" : "http://localhost:9090/auth",
"ssl-required" : "external",
"resource" : "central-api",
"use-resource-role-mappings" : true,
"principal-attribute" : "preferred_username"
}
So when I try to access a GET URI the roles work fine: if I log in as CARTORIO I can't access any of the URLs listed above, and if I log in as CLIENTE I access them normally. But in my URL /mensagem/ I have one POST in /mensagem/, and when I try to POST something I always get a Forbidden. I already tried to put
    .antMatchers(HttpMethod.POST, "/mensagem/**")
and I already tried to remove the
    .antMatchers("/mensagem/*").hasRole("CLIENTE")
with no success either.
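As an added example (not the poster's code and not an answer from the thread), here is a bearer-only resource-server configuration for the same roles and paths, built on the same Keycloak Spring Security adapter classes the post uses. It assumes the 403 on POST comes from Spring Security's default CSRF protection, which the posted configuration never disables; that cause is an assumption, as are the class name and the tightened anyRequest() rule.

```java
import org.keycloak.adapters.springsecurity.authentication.KeycloakAuthenticationProvider;
import org.keycloak.adapters.springsecurity.config.KeycloakWebSecurityConfigurerAdapter;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.authority.mapping.SimpleAuthorityMapper;
import org.springframework.security.web.authentication.session.NullAuthenticatedSessionStrategy;
import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy;

@Configuration
@EnableWebSecurity
public class StatelessApiSecurityConfig extends KeycloakWebSecurityConfigurerAdapter { // hypothetical name

    @Override
    protected void configure(AuthenticationManagerBuilder auth) {
        KeycloakAuthenticationProvider provider = keycloakAuthenticationProvider();
        // hasRole("CLIENTE") checks for the authority "ROLE_CLIENTE"; map Keycloak role names to it
        SimpleAuthorityMapper mapper = new SimpleAuthorityMapper();
        mapper.setConvertToUpperCase(true);
        provider.setGrantedAuthoritiesMapper(mapper);
        auth.authenticationProvider(provider);
    }

    @Override
    protected SessionAuthenticationStrategy sessionAuthenticationStrategy() {
        return new NullAuthenticatedSessionStrategy(); // bearer-only: no server-side session
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        super.configure(http);
        http
            // Assumed cause of the 403: Spring Security's CSRF filter runs before authorization
            // and rejects a POST/PUT/DELETE without a CSRF token, regardless of the bearer token.
            // A bearer-only API has no cookie session to protect, so the check is disabled here.
            .csrf().disable()
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()
            .authorizeRequests()
            .antMatchers(HttpMethod.OPTIONS, "/**").permitAll()
            .antMatchers(HttpMethod.GET, "/estado/**", "/natureza/**", "/cartorio/**").hasRole("CLIENTE")
            // rules are per HTTP method: the POST rule is separate from the GET rule
            .antMatchers(HttpMethod.GET, "/mensagem/**").hasRole("CLIENTE")
            .antMatchers(HttpMethod.POST, "/mensagem/**").hasRole("CLIENTE")
            // deny by default instead of permitAll(): unlisted paths still need a valid token
            .anyRequest().authenticated();
    }
}
```

A quick way to confirm the assumption is to send the POST with a valid bearer token and check whether the response changes from 403 once csrf() is disabled; if it stays 403, the role mapping rather than CSRF is the place to look.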