Can you guide in your code how to allow only certain API URLs based on a specific roles. Something like allow getDetails API only if it has Admin role. How to add this in security config ?
Sure, you can add this with @hasAuthority at your Controller-Method (if @EnableMethodSecurity is set) or with .hasRole("ADMIN") in the requestMatchers in SecurityFilterChain. Then you need to add the Role in Keycloak to the user and map the role to ROLE_ADMIN in the KeycloakRoleConverter
well made, not easy to do. How would you add a url that does not need authentication, say for instance you have a contact page, how would you add this? And disabling csrf is also a security concern, how would you tackle this?
Hello Wulf, Thank you :) Allowing specific endpoints for everyone is just a line of code using Spring Security. Either add an request and set it to permitAll() or use the @EnableGlobalMethodSecurity in your configuration and add @PermitAll to the endpoint. r -> r.requestMathers("/public/**", "/api/greeting" ).permitAll().anyRequest().authenticated() this permits the named routes for everyone, so no token is needed. Any other requests needs a valid authentication token. Also as in this example it is only using JWT and the backend is stateless, disabling csrf is not a security concern. If you would have still state and jsession in your application, then you would not to enable csrf and ignore the api routes. For SPA with JWT cors is important.
Hello, as far as it looks it hasn't changed much. Here is a short official example: github.com/keycloak/keycloak-quickstarts/tree/latest/spring/rest-authz-resource-server
Hi , I am receiving org.springframework.security.oauth2.jwt.JwtDecoderInitializationException: Failed to lazily resolve the supplied JwtDecoder instance with Caused by: java.lang.IllegalArgumentException: Unable to resolve the Configuration with the provided Issuer.Can you please help?
Hey, maybe you are on a newer Spring Boot Version and they changed something. When I have time I will try to reproduce the error and post the solution here. Have you tried to work with a lesser version yet?
