I have seen 403 responses when the CSRF token is not sent with the request.
-----Original Message-----
From: keycloak-user-bounces(a)lists.jboss.org [mailto:keycloak-user-bounces@lists.jboss.org]
On Behalf Of John Norris
Sent: 11 November 2019 11:24
To: keycloak-user(a)lists.jboss.org
Subject: [keycloak-user] Spring Boot and Keycloak
Hello,
I have used keycloak to handle authorisation and authentication for a Spring Boot app
which uses REST.
I can get a token and use it for successful GET requests but for POST, PUT, DELETE, I get
a 403 Forbidden error.
I have set up a single realm role - "user" and associated that role with the
users.
The keycloak entries in application properties are
# keycloak
keycloak.auth-server-url=http://mint191:8080/auth
keycloak.realm=SpringBootKeycloak
keycloak.resource=bikes-app
keycloak.public-client=true
keycloak.principal-attribute=preferred_username
The Spring security code is
protected void configure(HttpSecurity http) throws Exception
{
    super.configure(http);
    http
        .authorizeRequests()
            .antMatchers("/**").hasRole("user")
            .antMatchers("/", "/login**", "/unpkg.com/**",
                         "/cdn.jsdelivr.net", "/error**", "/*.js", "/*.css")
            .permitAll()
            .anyRequest()
            .authenticated()
        .and()
        .csrf()
            .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse());
}
When I use curl and a token for POST
curl -H "Authorization: Bearer $TOKEN" -k -w "\n" -X POST \
     -d '{"fields": "values"}' \
     -H "Content-Type: application/json" \
     https://mint191:8453/api/v1/bicycles
I get a response of
{"timestamp":"2019-11-11T10:39:38.027+0000","status":403,"error":"Forbidden","message":"Forbidden","path":"/api/v1/bicycles"}
Is there more configuration that I have to do with keycloak? Have I got the security code
wrong in Spring?
Regards,
John
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
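An added configuration example (not code from either message above) showing how the reply's point plays out in a Keycloak Spring Security adapter setup: CSRF protection defends cookie/session-authenticated requests, while a bearer token in the Authorization header is never attached by the browser on its own, so the token-only REST path can be exempted while the cookie-based protection stays on for everything else. It assumes keycloak-spring-security-adapter is on the classpath with the properties John listed; the class name SecurityConfig is an assumption, and the /api/** pattern is taken from the curl URL.

```java
import org.keycloak.adapters.springsecurity.KeycloakConfiguration;
import org.keycloak.adapters.springsecurity.authentication.KeycloakAuthenticationProvider;
import org.keycloak.adapters.springsecurity.config.KeycloakWebSecurityConfigurerAdapter;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.core.authority.mapping.SimpleAuthorityMapper;
import org.springframework.security.web.authentication.session.NullAuthenticatedSessionStrategy;
import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;

// Class name is an assumption for this example.
@KeycloakConfiguration
public class SecurityConfig extends KeycloakWebSecurityConfigurerAdapter {

    // Keycloak realm roles arrive unprefixed ("user"), while hasRole("user")
    // checks for "ROLE_user"; SimpleAuthorityMapper adds the prefix.
    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) {
        KeycloakAuthenticationProvider provider = keycloakAuthenticationProvider();
        provider.setGrantedAuthoritiesMapper(new SimpleAuthorityMapper());
        auth.authenticationProvider(provider);
    }

    // Bearer-only REST clients do not rely on an HTTP session, so no session
    // registration is needed on authentication.
    @Override
    protected SessionAuthenticationStrategy sessionAuthenticationStrategy() {
        return new NullAuthenticatedSessionStrategy();
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        super.configure(http);
        http
            // Matchers are evaluated in order: public paths first, then the
            // role-protected API, then a catch-all for anything else.
            .authorizeRequests()
                .antMatchers("/", "/login**", "/unpkg.com/**", "/cdn.jsdelivr.net",
                             "/error**", "/*.js", "/*.css").permitAll()
                .antMatchers("/api/**").hasRole("user")
                .anyRequest().authenticated()
            .and()
            // Keep the cookie-based CSRF token for browser-driven endpoints, but
            // skip the check for the bearer-token API: without a valid token in
            // the request, POST/PUT/DELETE there would be rejected with 403.
            .csrf()
                .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
                .ignoringAntMatchers("/api/**");
    }
}
```

With this in place, the same curl POST carrying only the Authorization header is accepted on /api/v1/bicycles, while form-based endpoints still require the XSRF-TOKEN cookie value to be echoed back.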