[keycloak-user] Spring Boot and Keycloak
Tony Harris
Tony.Harris at oneadvanced.com
Mon Nov 11 07:18:43 EST 2019
I have seen 403 responses when the CSRF token is not sent with the request.
-----Original Message-----
From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On Behalf Of John Norris
Sent: 11 November 2019 11:24
To: keycloak-user at lists.jboss.org
Subject: [keycloak-user] Spring Boot and Keycloak
Hello,
I have used keycloak to handle authorisation and authentication for a Spring Boot app which uses REST.
I can get a token and use it for successful GET requests but for POST, PUT, DELETE, I get a 403 Forbidden error.
I have set up a single realm role - "user" and associated that role with the users.
The Keycloak entries in application properties are
# keycloak
keycloak.auth-server-url=http://mint191:8080/auth
keycloak.realm=SpringBootKeycloak
keycloak.resource=bikes-app
keycloak.public-client=true
keycloak.principal-attribute=preferred_username
The Spring security code is
protected void configure(HttpSecurity http) throws Exception
{
    super.configure(http);
    http
        .authorizeRequests()
            .antMatchers("/**").hasRole("user")
            .antMatchers("/", "/login**", "/unpkg.com/**", "/cdn.jsdelivr.net", "/error**", "/*.js", "/*.css")
            .permitAll()
            .anyRequest()
            .authenticated()
        .and()
        .csrf()
            .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse());
}
When I use curl and a token for POST
curl -H "Authorization: Bearer $TOKEN" -k -w "\n" -X POST -d '{"fields": "values"}' -H "Content-Type: application/json" https://mint191:8453/api/v1/bicycles
I get a response of
{"timestamp":"2019-11-11T10:39:38.027+0000","status":403,"error":"Forbidden","message":"Forbidden","path":"/api/v1/bicycles"}
Is there more configuration that I have to do with keycloak? Have I got the security code wrong in Spring?
Regards,
John
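An added example (not code from either poster) of a complete Keycloak Spring Security configuration that illustrates the point above: CSRF protection stays on for browser-facing endpoints, while the bearer-token REST paths are exempted, since a browser never adds an Authorization header by itself and the missing X-XSRF-TOKEN header is what turns every POST/PUT/DELETE into a 403. The matcher order is also corrected so that permitAll is reachable. The class name, the /api/** prefix and the authority-mapper setup are assumptions, not taken from the original post.

```java
import org.keycloak.adapters.springsecurity.KeycloakConfiguration;
import org.keycloak.adapters.springsecurity.authentication.KeycloakAuthenticationProvider;
import org.keycloak.adapters.springsecurity.config.KeycloakWebSecurityConfigurerAdapter;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.core.authority.mapping.SimpleAuthorityMapper;
import org.springframework.security.core.session.SessionRegistryImpl;
import org.springframework.security.web.authentication.session.RegisterSessionAuthenticationStrategy;
import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;

// Assumed class name; the Keycloak Spring Security adapter supplies the base class.
@KeycloakConfiguration
public class SecurityConfig extends KeycloakWebSecurityConfigurerAdapter {

    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) {
        KeycloakAuthenticationProvider provider = keycloakAuthenticationProvider();
        // Assumption: prefix realm roles with ROLE_ so hasRole("user") matches the "user" realm role.
        provider.setGrantedAuthoritiesMapper(new SimpleAuthorityMapper());
        auth.authenticationProvider(provider);
    }

    @Override
    protected SessionAuthenticationStrategy sessionAuthenticationStrategy() {
        return new RegisterSessionAuthenticationStrategy(new SessionRegistryImpl());
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        super.configure(http);
        http
            .authorizeRequests()
                // Spring Security uses the first matcher that matches, so the public
                // patterns must come before the catch-all; a leading "/**" rule would
                // shadow everything below it and permitAll would never apply.
                .antMatchers("/", "/login**", "/error**", "/*.js", "/*.css").permitAll()
                .antMatchers("/api/**").hasRole("user")   // assumed REST prefix
                .anyRequest().authenticated()
            .and()
            .csrf()
                // Double-submit cookie for browser sessions: XSRF-TOKEN cookie, X-XSRF-TOKEN header.
                .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
                // Bearer-token API calls carry no ambient browser credential, so the CSRF
                // filter is skipped there; without this, POST/PUT/DELETE get 403 Forbidden.
                .ignoringAntMatchers("/api/**");
    }
}
```

With CSRF left enabled on a path, a client has to first obtain the XSRF-TOKEN cookie from a GET and send its value back in the X-XSRF-TOKEN header on every state-changing request; the curl call in the original post does neither, which matches the 403 it receives.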