keycloak-config
# Keycloak adapter settings for client "spring-boot-app" in realm "spring-quickstart".
keycloak.realm=spring-quickstart
keycloak.resource=spring-boot-app
# NOTE(review): plain http:// — the login redirect and, presumably, the adapter's back-channel calls to
# Keycloak go in cleartext. Use https:// anywhere but local development.
keycloak.auth-server-url=http://keycloak.host/auth
# Per the adapter docs "external" requires SSL only for non-private addresses; "all" is the strict
# setting. Confirm this matches the deployment, especially when TLS is terminated at a reverse proxy.
keycloak.ssl-required=external
# Public client: no client secret is presented, so the realm's redirect-URI allowlist for this client is
# the main guard against authorization-code interception — keep it exact (no wildcard hosts).
keycloak.public-client=true
# Left commented out; the cookie token store is not enabled.
# keycloak.token-store=cookie
# Container-level constraint: every path (/*) requires the role "user".
# NOTE(review): the Spring Security config in this gist checks roles "Member"/"Librarian" instead —
# confirm which layer actually enforces, and that the role names agree (they are case-sensitive).
keycloak.securityConstraints[0].authRoles[0]=user
keycloak.securityConstraints[0].securityCollections[0].name=resources
keycloak.securityConstraints[0].securityCollections[0].patterns[0]=/*
import org.keycloak.adapters.springboot.KeycloakSpringBootConfigResolver;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
@Configuration
public class KeycloakConfig {

    /**
     * Exposes a {@link KeycloakSpringBootConfigResolver} bean so the Keycloak adapter resolves its
     * configuration from the Spring Boot {@code keycloak.*} properties (presumably instead of a
     * keycloak.json on the classpath — confirm against the adapter version in use).
     *
     * @return a resolver backed by the application properties
     */
    @Bean
    public KeycloakSpringBootConfigResolver keycloakConfigResolver() {
        KeycloakSpringBootConfigResolver resolver = new KeycloakSpringBootConfigResolver();
        return resolver;
    }
}
import org.keycloak.adapters.springsecurity.KeycloakConfiguration;
import org.keycloak.adapters.springsecurity.authentication.KeycloakAuthenticationProvider;
import org.keycloak.adapters.springsecurity.config.KeycloakWebSecurityConfigurerAdapter;
import org.keycloak.adapters.springsecurity.management.HttpSessionManager;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
import org.springframework.context.annotation.Bean;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.core.authority.mapping.SimpleAuthorityMapper;
import org.springframework.security.core.session.SessionRegistryImpl;
import org.springframework.security.web.authentication.session.RegisterSessionAuthenticationStrategy;
import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy;
@KeycloakConfiguration
public class SecurityConfig extends KeycloakWebSecurityConfigurerAdapter {

    /** Spring Security's conventional authority prefix: {@code Librarian} becomes {@code ROLE_Librarian}. */
    private static final String ROLE_PREFIX = "ROLE_";
    private static final String ROLE_MEMBER = "Member";
    private static final String ROLE_LIBRARIAN = "Librarian";

    /**
     * Registers the {@link KeycloakAuthenticationProvider} with the global authentication manager.
     *
     * <p>Keycloak role names are turned into Spring authorities by prefixing them with
     * {@value #ROLE_PREFIX} ({@code Librarian -> ROLE_Librarian}). Case is preserved, so the realm
     * roles must match {@link #ROLE_MEMBER} / {@link #ROLE_LIBRARIAN} exactly. Call
     * {@code mapper.setConvertToUpperCase(true)} on the mapper if upper-cased authorities
     * ({@code ROLE_LIBRARIAN}) are preferred.
     *
     * @param auth builder for the global authentication manager
     */
    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) {
        KeycloakAuthenticationProvider provider = keycloakAuthenticationProvider();
        provider.setGrantedAuthoritiesMapper(rolePrefixMapper());
        auth.authenticationProvider(provider);
    }

    /** Builds the mapper that prepends {@value #ROLE_PREFIX} to every Keycloak role name. */
    private static SimpleAuthorityMapper rolePrefixMapper() {
        SimpleAuthorityMapper mapper = new SimpleAuthorityMapper();
        mapper.setPrefix(ROLE_PREFIX);
        return mapper;
    }

    /**
     * Session strategy for a public (browser-facing) client: each authenticated session is
     * recorded in a {@link SessionRegistryImpl}.
     *
     * @return the registering session strategy
     */
    @Bean
    @Override
    protected SessionAuthenticationStrategy sessionAuthenticationStrategy() {
        SessionRegistryImpl registry = new SessionRegistryImpl();
        return new RegisterSessionAuthenticationStrategy(registry);
    }

    /**
     * Provides the adapter's {@link HttpSessionManager} unless another bean of that type already
     * exists. Guarded with {@code @ConditionalOnMissingBean} because Spring Boot 2.1+ disables
     * {@code spring.main.allow-bean-definition-overriding} by default.
     *
     * @return a new session manager
     */
    @Bean
    @Override
    @ConditionalOnMissingBean(HttpSessionManager.class)
    protected HttpSessionManager httpSessionManager() {
        return new HttpSessionManager();
    }

    /**
     * URL authorization rules, layered on the Keycloak filter chain that
     * {@code super.configure(http)} installs.
     *
     * <p>NOTE(review): the catch-all is {@code permitAll()}, so any path not listed here is reachable
     * without authentication. Unless the application deliberately serves public pages, prefer
     * {@code .anyRequest().authenticated()} so new endpoints are protected by default.
     *
     * @param http the security builder to customize
     * @throws Exception propagated from the builder
     */
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        super.configure(http);
        // "/manager" and "/books" are distinct exact patterns, so their relative order is irrelevant;
        // anyRequest() must stay last.
        http.authorizeRequests()
                .antMatchers("/manager").hasRole(ROLE_LIBRARIAN)
                .antMatchers("/books").hasAnyRole(ROLE_MEMBER, ROLE_LIBRARIAN)
                .anyRequest().permitAll();
    }
}