[keycloak-user] Spring Boot and Keycloak

John Norris johnnorris-10 at outlook.com
Mon Nov 11 09:03:46 EST 2019


Hi Tony,
thanks for this.
So the Spring code already contained the CSRF code. Is that not working 
properly?

------ Original Message ------
From: "Tony Harris" <Tony.Harris at oneadvanced.com>
To: "John Norris" <johnnorris-10 at outlook.com>; 
"keycloak-user at lists.jboss.org" <keycloak-user at lists.jboss.org>
Sent: 11/11/2019 12:18:43
Subject: RE: Spring Boot and Keycloak

>I have seen 403 responses when the CSRF token is not sent with the request.
>
>
>The Spring security code is
>
>   protected void configure(HttpSecurity http) throws Exception
>    {
>       super.configure(http);
>       http
>          .authorizeRequests()
>          .antMatchers("/**").hasRole("user")
>          .antMatchers("/", "/login**", "/unpkg.com/**", "/cdn.jsdelivr.net","/error**","/*.js","/*.css")
>          .permitAll()
>          .anyRequest()
>          .authenticated()
>          .and()
>          .csrf()
>          .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse());
>    }
>
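
Added example, not part of either message in this thread: `CookieCsrfTokenRepository.withHttpOnlyFalse()` stores the token in a script-readable cookie named `XSRF-TOKEN` and expects it back in an `X-XSRF-TOKEN` header on state-changing requests, so a client that never echoes it receives the 403 mentioned above. The helper names (`readCookie`, `withCsrf`) and the sample cookie string are constructed for illustration.

```javascript
// Cookie and header names are Spring Security's defaults for
// CookieCsrfTokenRepository; the helper names are hypothetical.
const CSRF_COOKIE = "XSRF-TOKEN";
const CSRF_HEADER = "X-XSRF-TOKEN";
// Spring Security's default CSRF matcher does not check these methods.
const SAFE_METHODS = new Set(["GET", "HEAD", "TRACE", "OPTIONS"]);

// Extract one cookie value from a document.cookie-style string.
function readCookie(cookieString, name) {
  for (const part of cookieString.split(";")) {
    const eq = part.indexOf("=");
    if (eq === -1) continue; // skip empty or malformed segments
    if (part.slice(0, eq).trim() === name) {
      return decodeURIComponent(part.slice(eq + 1).trim());
    }
  }
  return null;
}

// Return a copy of a fetch() init object with the CSRF header set for
// state-changing methods. Throws when the cookie is missing, because the
// server would answer such a request with 403.
function withCsrf(init, cookieString) {
  const method = (init.method || "GET").toUpperCase();
  if (SAFE_METHODS.has(method)) return { ...init, method };
  const token = readCookie(cookieString, CSRF_COOKIE);
  if (!token) {
    throw new Error(`${CSRF_COOKIE} cookie is missing`);
  }
  return {
    ...init,
    method,
    credentials: "same-origin", // send the session cookie with the request
    headers: { ...(init.headers || {}), [CSRF_HEADER]: token },
  };
}

// Constructed sample cookie string (in a browser, pass document.cookie).
const sampleCookies = "JSESSIONID=abc123; XSRF-TOKEN=3f1c-constructed-token";
const sampleRequest = withCsrf({ method: "post", body: "{}" }, sampleCookies);
console.log(sampleRequest.headers[CSRF_HEADER]);
```

In a browser the result is passed straight to `fetch(url, withCsrf(init, document.cookie))`.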


