By Marone: April 2020

How to secure Spring boot with
keycloak and using roles

Goal

In the previous article we learn how to secure the api with keycloak. Only authenticated users can access the api.
Now we will go one step further, the user must belong to a specific role.

Used technologies

Keycloak 8.0.1
Java 11
curl 7.65
jq 1.5

Custom the configuration

@KeycloakConfiguration
public class SecurityConfig extends KeycloakWebSecurityConfigurerAdapter {

    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) {
        KeycloakAuthenticationProvider keycloakAuthenticationProvider  = keycloakAuthenticationProvider();
        keycloakAuthenticationProvider.setGrantedAuthoritiesMapper(new SimpleAuthorityMapper()); // prefix = "ROLE_"
        auth.authenticationProvider(keycloakAuthenticationProvider);
    }

    @Override
    protected SessionAuthenticationStrategy sessionAuthenticationStrategy() {
        return new RegisterSessionAuthenticationStrategy(new SessionRegistryImpl());
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        super.configure(http);
        http.authorizeRequests()
                .antMatchers("/").permitAll()
                .antMatchers("/protected").hasRole("USER")
                .antMatchers("/admin").hasRole("ADMIN")
                .anyRequest().denyAll();
    }
}

In line 7 we add SimpleAuthorityMapper, by default in Spring Security roles are prefixed with ROLE_, so we do not need to adapt the role names on Keycloak side
The URL /protected will require the authenticated user to be an USER.
The URL /admin will require the authenticated user to be an ADMIN.

Add roles in Keycloak

keycloak add role
Press Add Role button
In the new window give name in field * Role Name: USER and Save
Repeat the same steps to add role ADMIN

keycloak roles

Assign role USER to johndoe

Click on Users in the left menu bar. in the new page click View all users and pick johndoe keycloak assign role to user Select USER and click Add selected.

keycloak assigned role Under Effective Roles you will see the USER role

Let's test

$ curl http://localhost:8080
Hello World
$ curl http://localhost:8080/protected -H "Authorization: bearer $ATOKEN" --insecure
Hello World, i was protected
marone@littleB ~
$ curl http://localhost:8080/admin -H "Authorization: bearer $ATOKEN" --insecure
{"timestamp":"2020-05-01T06:20:46.637+0000","status":403,"error":"Forbidden","message":"Forbidden","path":"/admin"}

The URL /protected is for user johndoe accessible while hiting /admin causes: "status":403,"error":"Forbidden","message":"Forbidden", because johndoe doesn't have the ADMIN role,

References


The complete code can be found in GitHub