Keycloak Security

Spring Boot and Keycloak

Setting up a Keycloak server

./standalone.sh(bat)

http://localhost:8080/auth

  1. Creating a new Realm: Security
    • Themes:
      • Internationalization Enabled
      • Default Locale: zh-CN
  2. Creating the client:
    • Client ID: spring-boot2-keycloak
    • Valid Redirect URIs: http://localhost:18095/*
    • Base URL: http://localhost:18095/
  3. Creating the role: user
  4. Creating the user:
    • Username: tester
    • Locale: zh-CN
    • Credentials -> choose a password -> turn off the “Temporary”
    • Role Mappings -> assign the role “user”

Defining Keycloak’s configuration

keycloak.realm=Security
keycloak.auth-server-url=http://127.0.0.1:8080/auth
keycloak.resource=spring-boot2
keycloak.public-client=true
keycloak.security-constraints[0].authRoles[0]=user
keycloak.security-constraints[0].securityCollections[0].patterns[0]=/keycloak/*

Spring Security support

implementation("org.springframework.boot:spring-boot-starter-security")

Creating a SecurityConfig class

@Configuration
@EnableWebSecurity
public class SecurityConfig extends KeycloakWebSecurityConfigurerAdapter {
    /**
     * Registers the KeycloakAuthenticationProvider with the authentication
     * manager.
     */
    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth)
            throws Exception {
        KeycloakAuthenticationProvider keycloakAuthenticationProvider = keycloakAuthenticationProvider();
        keycloakAuthenticationProvider
                .setGrantedAuthoritiesMapper(new SimpleAuthorityMapper());
        auth.authenticationProvider(keycloakAuthenticationProvider);
    }

    /**
     * Defines the session authentication strategy.
     */
    @Bean
    @Override
    protected SessionAuthenticationStrategy sessionAuthenticationStrategy() {
        return new RegisterSessionAuthenticationStrategy(
                new SessionRegistryImpl());
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        super.configure(http);
        http.authorizeRequests().antMatchers("/keycloak/**").hasRole("user")
                .anyRequest().permitAll();
    }
}
  • configureGlobal: Here we change the Granted Authority Mapper, by default in Spring Security, roles are prefixed with ROLE_, we could change that in our Realm configuration but it could be confusing for other applications that do not know this convention, so here we assign a SimpleAuthorityMapper that will make sure no prefix is added.
  • keycloakConfigResolver: By default, the Keycloak Spring Security Adapter will look up for a file named keycloak.json present on your classpath. But here we want to leverage the Spring Boot properties file support.

map the Principal name with our Keycloak username:

keycloak.principal-attribute=preferred_username