[keycloak-user] HttpStatus 200 returned for unauthorized users

Ali Ahmadzadeh Asl ahmadzadehasl at outlook.com
Tue May 14 06:26:34 EDT 2019


Hi Dears

I'm using Keycloak 6.0.0 with Spring Boot. My Java application serves both a web application and web services. The config is like this:

# Realm and client (resource) this application is registered as in Keycloak
keycloak.realm=my-realm
keycloak.resource=my-app
keycloak.ssl-required=external
# Accept HTTP Basic credentials in addition to bearer tokens
keycloak.enable-basic-auth=true
# Send 401 instead of a login redirect to requests the adapter detects as REST/SOAP clients
keycloak.autodetect-bearer-only=true
# Take roles from the client's role mappings rather than the realm's
keycloak.use-resource-role-mappings=true
keycloak.principal-attribute=preferred_username
keycloak.auth-server-url=http://localhost:8080/auth
# Client secret of the confidential client "my-app"
keycloak.credentials.secret=f3776b88-26c7-44fa-83ec-67cb72fa3111
keycloak.policy-enforcer-config.on-deny-redirect-to=/access-denied

# Require the "user" role for every path served by the application
keycloak.securityConstraints[0].authRoles[0] = user
keycloak.securityConstraints[0].securityCollections[0].name = default
keycloak.securityConstraints[0].securityCollections[0].patterns[0] = /*

Assume that '/rest/get-time' is a REST service served by my server for getting the current date and time. When I GET this address with an 'Accept: application/json' header using tools like Postman, the server returns HttpStatus 200 with an empty body. When I send the same request without any header, the server returns HttpStatus 200 and the HTML body of the Keycloak login page.

How can I configure Keycloak to return HttpStatus 401 in response to unauthorized REST or SOAP requests?

Best Regards
Ali Ahmadzadeh Asl
