[keycloak-user] Forbidden on Post Method

[Fabio Ebner]

I trying to use spring boot with keycloak, so I create 2 clients in keycloak

1 - "central-front" is public where my user will get a token
2 - "central-api" is "bearer-only" where my api will validate the token


in my "centra-api" I create 2 roles CLIENTE and CARTORIO, then I create one
user with CLIENTE ROLE and other with CARTORIO.

in my back I configure just like this:

    package br.com.lumera.centralback.config;

    import org.keycloak.adapters.KeycloakConfigResolver;
    import
org.keycloak.adapters.springboot.KeycloakSpringBootConfigResolver;
    import
org.keycloak.adapters.springsecurity.authentication.KeycloakAuthenticationProvider;
    import
org.keycloak.adapters.springsecurity.config.KeycloakWebSecurityConfigurerAdapter;
    import
org.keycloak.adapters.springsecurity.filter.KeycloakAuthenticatedActionsFilter;
    import
org.keycloak.adapters.springsecurity.filter.KeycloakAuthenticationProcessingFilter;
    import
org.keycloak.adapters.springsecurity.filter.KeycloakPreAuthActionsFilter;
    import
org.keycloak.adapters.springsecurity.filter.KeycloakSecurityContextRequestFilter;
    import org.springframework.boot.web.servlet.FilterRegistrationBean;
    import org.springframework.context.annotation.Bean;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.http.HttpMethod;
    import
org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
    import
org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import
org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
    import
org.springframework.security.core.authority.mapping.GrantedAuthoritiesMapper;
    import
org.springframework.security.core.authority.mapping.SimpleAuthorityMapper;
    import
org.springframework.security.web.authentication.session.NullAuthenticatedSessionStrategy;
    import
org.springframework.security.web.authentication.session.SessionAuthenticationStrategy;

    @Configuration
    @EnableWebSecurity
    public class KeycloakSecurityConfigurer extends
KeycloakWebSecurityConfigurerAdapter {

        @Bean
        public GrantedAuthoritiesMapper grantedAuthoritiesMapper() {
            //o Springboot espera que toda role comeca com "ROLE_" essa
configuracao coloca o ROLE_ nas roles que estao cehgando
            SimpleAuthorityMapper mapper = new SimpleAuthorityMapper();
            mapper.setConvertToUpperCase(true);
            return mapper;
        }

        @Override
        protected KeycloakAuthenticationProvider
keycloakAuthenticationProvider() {
            final KeycloakAuthenticationProvider provider =
super.keycloakAuthenticationProvider();

provider.setGrantedAuthoritiesMapper(grantedAuthoritiesMapper());
            return provider;
        }

        @Override
        protected void configure(final AuthenticationManagerBuilder auth)
throws Exception {
            auth.authenticationProvider(keycloakAuthenticationProvider());
        }

        @Override
        protected SessionAuthenticationStrategy
sessionAuthenticationStrategy() {
            return new NullAuthenticatedSessionStrategy();
        }

        @Override
        protected void configure(final HttpSecurity http) throws Exception {
            super.configure(http);
            http
              .authorizeRequests()
                    .antMatchers(HttpMethod.OPTIONS, "/**").permitAll()
                    .antMatchers("/estado/*").hasRole("CLIENTE")
                    .antMatchers("/natureza/*").hasRole("CLIENTE")
                    .antMatchers("/cartorio/*").hasRole("CLIENTE")
                    .antMatchers("/mensagem/*").hasRole("CLIENTE")
                    .anyRequest().permitAll();
        }

        @Bean
        public FilterRegistrationBean
keycloakAuthenticationProcessingFilterRegistrationBean(
                final KeycloakAuthenticationProcessingFilter filter) {
            final FilterRegistrationBean registrationBean = new
FilterRegistrationBean(filter);
            registrationBean.setEnabled(false);
            return registrationBean;
        }

        @Bean
        public FilterRegistrationBean
keycloakPreAuthActionsFilterRegistrationBean(
                final KeycloakPreAuthActionsFilter filter) {
            final FilterRegistrationBean registrationBean = new
FilterRegistrationBean(filter);
            registrationBean.setEnabled(false);
            return registrationBean;
        }

    }

and my keycloak.json

    {
      "realm" :  "Lumera",
      "bearer-only" :  true,
      "auth-server-url" :  "http://localhost:9090/auth",
      "ssl-required" :  "external",
      "resource" :  "central-api",
      "use-resource-role-mappings" :  true,
      "principal-attribute" :  "preferred_username"
    }

So when I try to accessa GET URI the roles works fine, If I log an CARTORIO
I can't access any of that url listed above, and if I log an CLIENTE I
access normally. but in my url /mensagem/ I have one POST in /mensagem/ and
when I try to POST something I always get ant Forbidden, I already try to
put

    .antMatchers(HttpMethod.POST, "/mensagem/**")


I alredy try to remove the

    .antMatchers("/mensagem/*").hasRole("CLIENTE")


with no success too