[keycloak-user] Can I omit keycloak.securityConstraints and HttpSecurity configuration?
Gintautas Sulskus
gintautas.sulskus at gmail.com
Wed Jun 13 18:37:53 EDT 2018
Hi,
Is it necessary to manually map Spring app endpoints to Keycloak roles,
e.g. by configuring keycloak.securityConstraints in app.properties or
HttpSecurity in a Java class?
At the moment I configure Keycloak by extending
KeycloakWebSecurityConfigurerAdapter.
The app works only if I override the 'configure(HttpSecurity http)' method
and add endpoint-role mappings manually, e.g.:
http.authorizeRequests().antMatchers("/test").hasRole("someRole").
If I omit this step, the app fails to start and throws the following
exception:
>
> Caused by: org.springframework.beans.BeanInstantiationException: Failed to instantiate [javax.servlet.Filter]: Factory method 'springSecurityFilterChain' threw exception; nested exception is java.lang.IllegalStateException: permitAll only works with HttpSecurity.authorizeRequests()
> at org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiate(SimpleInstantiationStrategy.java:185)
> at org.springframework.beans.factory.support.ConstructorResolver.instantiateUsingFactoryMethod(ConstructorResolver.java:579)
> ... 26 more
> Caused by: java.lang.IllegalStateException: permitAll only works with HttpSecurity.authorizeRequests()
> at org.springframework.security.config.annotation.web.configurers.PermitAllSupport.permitAll(PermitAllSupport.java:49)
> at org.springframework.security.config.annotation.web.configurers.PermitAllSupport.permitAll(PermitAllSupport.java:36)
> at org.springframework.security.config.annotation.web.configurers.LogoutConfigurer.init(LogoutConfigurer.java:275)
> at org.springframework.security.config.annotation.web.configurers.LogoutConfigurer.init(LogoutConfigurer.java:66)
Please find my Keycloak configuration below. Note, I did not set
keycloak.securityConstraints[] in my app.
keycloak:
  realm: master
  auth-server-url: http://localhost/auth
  ssl-required: external
  resource: some-service
  credentials:
    secret: 6f02848a-0fd1-40fc-96cf-50035110240b
  use-resource-role-mappings: true
  confidential-port: 0
  principal-attribute: preferred_username
  policy-enforcer-config:
    enforcement-mode: ENFORCING
Regards,
Gin