[keycloak-user] Spring Boot and Keycloak

Tony Harris Tony.Harris at oneadvanced.com
Mon Nov 11 07:18:43 EST 2019 

I have seen 403 responses when the CSRF token is not sent with the request.

-----Original Message-----
From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On Behalf Of John Norris
Sent: 11 November 2019 11:24
To: keycloak-user at lists.jboss.org
Subject: [keycloak-user] Spring Boot and Keycloak

Hello,
I have used keycloak to handle authorisation and authentication for a Spring Boot app which uses REST.
I can get a token and use it for successful GET requests but for POST, PUT, DELETE, I get a 403 Forbidden error.

I have set up a single realm role - "user" and associated that role with the users.

The keycloak enteries in application properties are

# keycloak
keycloak.auth-server-url=http://mint191:8080/auth
keycloak.realm=SpringBootKeycloak
keycloak.resource=bikes-app
keycloak.public-client=true

keycloak.principal-attribute=preferred_username

The Spring security code is

  protected void configure(HttpSecurity http) throws Exception
   {
      super.configure(http);
      http
         .authorizeRequests()
         .antMatchers("/**").hasRole("user")
         .antMatchers("/", "/login**", "/unpkg.com/**", "/cdn.jsdelivr.net","/error**","/*.js","/*.css")
         .permitAll()
         .anyRequest()
         .authenticated()
         .and()
         .csrf()
         .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse());
   }

When I use curl and a token for POST
curl -H "Authorization: Bearer $TOKEN" -k -w "\n" -X POST -d '{"fields": "values"}' -H "Content-Type: application/json" https://mint191:8453/api/v1/bicycles

I get a response of
{"timestamp":"2019-11-11T10:39:38.027+0000","status":403,"error":"Forbidden","message":"Forbidden","path":"/api/v1/bicycles"}


Is there more configuration that I have to do with keycloak? Have I got the security code wrong in Spring?

Regards,
John

_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user

________________________________

Please consider the environment: Think before you print!


This message has been scanned for malware by Websense. www.websense.com

More information about the keycloak-user mailing list