Using spring security annotations with keycloak
Solution 1
You still have to configure Spring Security using Keycloak. Take a look at the adapter documentation for an annotation based configuration. Once that's set up your Spring Security annotations will work on authorized calls.
Solution 2
here is example code:
@EnableWebSecurity
@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true,
securedEnabled = true,
jsr250Enabled = true)
@ComponentScan(basePackageClasses = KeycloakSecurityComponents.class)
public class WebSecurityConfig extends KeycloakWebSecurityConfigurerAdapter {
}
and
@PreAuthorize("hasRole('ROLE_ADMIN')")
Apart from this code. you need to do the role mapping for realm roles and client(application roles). the application roles will be put in @PreAuthorize
Andrey Sarul
Devoted Java Developer. My current target is developing banking systems. Especially interested in R&D activity.
Updated on October 09, 2022Comments
-
Andrey Sarul about 1 year
I'm just a beginner in Spring Security, but I would like to know is it possible to configure keycloak in a way that I can use
@PreAuthorize
,@PostAuthorize
,@Secured
and other annotations. For example, I've configured thekeycloak-spring-security-adapter
and Spring Security in my simple Spring Rest webapp so that I have access to Principal object in my controller, like this:@RestController public class TMSRestController { @RequestMapping("/greeting") public Greeting greeting(Principal principal, @RequestParam(value="name") String name) { return new Greeting(String.format(template, name)); } ... }
But when I try this (just an example, actually I want to execute custom EL expression before authorization):
@RestController public class TMSRestController { @RequestMapping("/greeting") @PreAuthorize("hasRole('ADMIN')") public Greeting greeting(Principal principal, @RequestParam(value="name") String name) { return new Greeting(String.format(template, name)); } ... }
I get exception:
org.springframework.security.authentication.AuthenticationCredentialsNotFoundException: An Authentication object was not found in the SecurityContext
In my spring security config I enabled global method security:
What do I need to make this spring security annotations work? Is it possible to use this annotation in this context at all?
-
hesch over 6 yearsThe answer was a time ago, but I got some similar problem with Spring Security and Keycloak. In my Spring Boot application I configured the adapter but couldn't use
@PreAuthorize("hasAuthority('user')")
. If a request was send, the annotation had no effect. I fixed it now by adding@EnableGlobalMethodSecurity(prePostEnabled = true)
to my security configuration. -
Dmitri Algazin over 4 yearsThanks about prePostEnabled=true !
-
Spark Fountain almost 4 yearsAs of today (12/18/19), the link to the adapter documentation you provided does not exist anymore (404).