Using spring security annotations with keycloak


Solution 1

You still have to configure Spring Security using Keycloak. Take a look at the adapter documentation for an annotation-based configuration. Once that's set up, your Spring Security annotations will work on authorized calls.

Solution 2

Here is example code:

@EnableWebSecurity
@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true,
                            securedEnabled = true,
                            jsr250Enabled = true)
@ComponentScan(basePackageClasses = KeycloakSecurityComponents.class)
public class WebSecurityConfig extends KeycloakWebSecurityConfigurerAdapter {
}

and

@PreAuthorize("hasRole('ROLE_ADMIN')")

Apart from this code, you need to do the role mapping for realm roles and client (application) roles. The application roles will be put in @PreAuthorize.

Author: Andrey Sarul

Updated on October 09, 2022

Comments

  • Andrey Sarul
    Andrey Sarul about 1 year

    I'm just a beginner in Spring Security, but I would like to know whether it is possible to configure Keycloak in a way that I can use @PreAuthorize, @PostAuthorize, @Secured and other annotations. For example, I've configured the keycloak-spring-security-adapter and Spring Security in my simple Spring REST webapp so that I have access to the Principal object in my controller, like this:

    @RestController
    public class TMSRestController {
    
        @RequestMapping("/greeting")
        public Greeting greeting(Principal principal, @RequestParam(value="name") String name) {
            return new Greeting(String.format(template, name));
        }
    ...
    }
    

    But when I try this (just an example, actually I want to execute a custom EL expression before authorization):

    @RestController
    public class TMSRestController {
    
        @RequestMapping("/greeting")
        @PreAuthorize("hasRole('ADMIN')")
        public Greeting greeting(Principal principal, @RequestParam(value="name") String name) {
            return new Greeting(String.format(template, name));
        }
    ...
    }
    

    I get an exception:

    org.springframework.security.authentication.AuthenticationCredentialsNotFoundException: An Authentication object was not found in the SecurityContext

    In my spring security config I enabled global method security:

    What do I need to make these Spring Security annotations work? Is it possible to use these annotations in this context at all?

  • hesch
    hesch over 6 years
    The answer was a while ago, but I had a similar problem with Spring Security and Keycloak. In my Spring Boot application I configured the adapter but couldn't use @PreAuthorize("hasAuthority('user')"). If a request was sent, the annotation had no effect. I fixed it now by adding @EnableGlobalMethodSecurity(prePostEnabled = true) to my security configuration.
  • Dmitri Algazin
    Dmitri Algazin over 4 years
    Thanks for prePostEnabled=true!
  • Spark Fountain
    Spark Fountain almost 4 years
    As of today (12/18/19), the link to the adapter documentation you provided does not exist anymore (404).