[keycloak-user] Spring Boot Multi-tenancy

Jeff Victor jeff at sweetjacket.com
Wed Oct 17 19:36:32 EDT 2018


I'm trying to get multi-tenancy working in a Spring Boot project. I've
built the latest 4.6.0 snapshot and as a result am able to register my own
MultiTenantConfigResolver - as per
https://issues.jboss.org/browse/KEYCLOAK-8444. I have also verified that my
custom resolver is being called.

My application requires security to kick in at /admin/** and /customer/**
which correspond to two realms - admin and customer.

However, anything else should be open. Here is the configuration:

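		http.authorizeRequests()
			// "/admin*" only matches a single path segment such as /admin or /adminX;
			// "/admin/**" also covers everything below it, per the requirement above
			.antMatchers("/admin/**").authenticated()
			.antMatchers("/customer/**").authenticated()
			.anyRequest().permitAll();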

The issue I'm having is that I don't know what KeycloakDeployment to return
if someone accesses an unprotected resource like / or even /sso/login.

In both of those cases my config resolver gets invoked and I return null
which then results in the following exception:

java.lang.NullPointerException: null
	at org.keycloak.adapters.NodesRegistrationManagement.tryRegister(NodesRegistrationManagement.java:43)
	at org.keycloak.adapters.springsecurity.filter.KeycloakPreAuthActionsFilter.doFilter(KeycloakPreAuthActionsFilter.java:81)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:101)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)

I've seen other examples of a multi-tenant config resolver that always
return a KeycloakDeployment, or throw an exception if one can't be
determined, such as here:
https://github.com/keycloak/keycloak/blob/master/examples/multi-tenant/src/main/java/org/keycloak/example/multitenant/control/PathBasedKeycloakConfigResolver.java

As an example, when debugging it seems that if I return the appropriate
KeycloakDeployment for /admin everything goes well but straight away the
resolver gets invoked again as there has been a redirect to /sso/login. In
this case how am I to determine which KeycloakDeployment / realm to use?

Thanks,
Jeff
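
Added example, not part of the original post and not Keycloak project code: one way to write a resolver that never returns null, picking the realm from the path and, for paths that name no realm (/ or /sso/login), from an allow-listed cookie. The class name, the TENANT_REALM cookie (assumed to be set by the application when a realm-scoped page is first requested), the default realm and the <realm>-keycloak.json resource names are hypothetical; getRelativePath() is assumed to return the path inside the application.

```java
import java.io.InputStream;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import org.keycloak.adapters.KeycloakConfigResolver;
import org.keycloak.adapters.KeycloakDeployment;
import org.keycloak.adapters.KeycloakDeploymentBuilder;
import org.keycloak.adapters.spi.HttpFacade;

public class PathOrCookieConfigResolver implements KeycloakConfigResolver {
    // Assumptions: realm names come from the post; the other constants are hypothetical.
    private static final String[] REALMS = {"admin", "customer"};
    private static final String DEFAULT_REALM = "customer";
    private static final String REALM_COOKIE = "TENANT_REALM";
    private final Map<String, KeycloakDeployment> cache = new ConcurrentHashMap<>();

    @Override
    public KeycloakDeployment resolve(HttpFacade.Request request) {
        String realm = realmFromPath(request.getRelativePath());
        if (realm == null) {
            // No realm in the path (/, /sso/login): use the remembered realm.
            // The cookie is client-controlled, so it only selects among known realms.
            HttpFacade.Cookie cookie = request.getCookie(REALM_COOKIE);
            realm = cookie == null ? null : allowListed(cookie.getValue());
        }
        // Never return null: KeycloakPreAuthActionsFilter uses the deployment on every request.
        return cache.computeIfAbsent(realm != null ? realm : DEFAULT_REALM, this::load);
    }

    // Whole-segment match: /admin and /admin/x resolve to "admin", /administrator does not.
    static String realmFromPath(String path) {
        for (String r : REALMS) {
            if (path.equals("/" + r) || path.startsWith("/" + r + "/")) return r;
        }
        return null;
    }

    // Returns the value only if it is one of the configured realms, else null.
    static String allowListed(String value) {
        for (String r : REALMS) if (r.equals(value)) return r;
        return null;
    }

    private KeycloakDeployment load(String realm) {
        InputStream is = getClass().getResourceAsStream("/" + realm + "-keycloak.json");
        if (is == null) throw new IllegalStateException("No adapter config for realm " + realm);
        return KeycloakDeploymentBuilder.build(is);
    }
}
```

Because requests under /admin and /customer are always resolved from the path, the cookie can only influence requests that carry no realm in their URL.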

