keycloak-config
# Keycloak realm and client (resource) this application authenticates against.
keycloak.realm=spring-quickstart
keycloak.resource=spring-boot-app
# Base URL of the Keycloak server. It is plain http://, so the authorization-code and
# token exchange with this host is unencrypted unless TLS is terminated in front of it;
# outside local development this should be an https:// URL.
keycloak.auth-server-url=http://keycloak.host/auth
# "external" = Keycloak enforces HTTPS only for requests that do not come from private
# network addresses (other values: "all", "none"). "all" is the production setting.
keycloak.ssl-required=external
# Public client: no client secret is configured, so the adapter does not authenticate
# itself to Keycloak; access control rests entirely on the roles carried in the token.
keycloak.public-client=true
# keycloak.token-store=cookie
# Adapter-level constraint: every path (/*) requires the "user" role. This is a separate
# layer from the Spring Security rules in SecurityConfig (which default to permitAll);
# the two must be kept consistent or one will silently override the intent of the other.
keycloak.securityConstraints[0].authRoles[0]=user
keycloak.securityConstraints[0].securityCollections[0].name=resources
keycloak.securityConstraints[0].securityCollections[0].patterns[0]=/*
import org.keycloak.adapters.springboot.KeycloakSpringBootConfigResolver; | |
import org.springframework.context.annotation.Bean; | |
import org.springframework.context.annotation.Configuration; | |
/**
 * Spring configuration that tells the Keycloak adapter where its settings come from.
 *
 * <p>Exposing a {@link KeycloakSpringBootConfigResolver} bean makes the adapter read the
 * {@code keycloak.*} entries from the Spring Boot environment (application.properties)
 * instead of looking for a {@code keycloak.json} on the classpath.
 */
@Configuration
public class KeycloakConfig {

    /**
     * Supplies the property-backed adapter configuration resolver.
     *
     * @return a new {@link KeycloakSpringBootConfigResolver}; Spring manages it as a singleton bean
     */
    @Bean
    public KeycloakSpringBootConfigResolver keycloakConfigResolver() {
        KeycloakSpringBootConfigResolver resolver = new KeycloakSpringBootConfigResolver();
        return resolver;
    }
}
import org.keycloak.adapters.springsecurity.KeycloakConfiguration; | |
import org.keycloak.adapters.springsecurity.authentication.KeycloakAuthenticationProvider; | |
import org.keycloak.adapters.springsecurity.config.KeycloakWebSecurityConfigurerAdapter; | |
import org.keycloak.adapters.springsecurity.management.HttpSessionManager; | |
import org.springframework.beans.factory.annotation.Autowired; | |
import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean; | |
import org.springframework.context.annotation.Bean; | |
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder; | |
import org.springframework.security.config.annotation.web.builders.HttpSecurity; | |
import org.springframework.security.core.authority.mapping.SimpleAuthorityMapper; | |
import org.springframework.security.core.session.SessionRegistryImpl; | |
import org.springframework.security.web.authentication.session.RegisterSessionAuthenticationStrategy; | |
import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy; | |
@KeycloakConfiguration
public class SecurityConfig extends KeycloakWebSecurityConfigurerAdapter {

    /**
     * Wires the Keycloak authentication provider into Spring Security's authentication manager.
     *
     * <p>Roles issued by Keycloak arrive without the {@code ROLE_} prefix that Spring Security's
     * {@code hasRole}/{@code hasAnyRole} expressions expect, so a {@link SimpleAuthorityMapper}
     * adds it (Librarian -> ROLE_Librarian). Case is left untouched, which means the role names
     * used in {@link #configure(HttpSecurity)} must match the Keycloak role names exactly.
     * Calling {@code setConvertToUpperCase(true)} on the mapper would produce
     * ROLE_LIBRARIAN instead.
     *
     * @param auth the builder the Keycloak provider is registered with
     */
    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) {
        KeycloakAuthenticationProvider provider = keycloakAuthenticationProvider();
        SimpleAuthorityMapper roleMapper = new SimpleAuthorityMapper();
        roleMapper.setPrefix("ROLE_");
        provider.setGrantedAuthoritiesMapper(roleMapper);
        auth.authenticationProvider(provider);
    }

    /**
     * Chooses how authenticated sessions are tracked.
     *
     * <p>A {@link RegisterSessionAuthenticationStrategy} backed by a {@link SessionRegistryImpl}
     * records each authenticated session in the registry; this is the strategy used because the
     * application is a public client from Keycloak's point of view
     * ({@code keycloak.public-client=true}).
     *
     * @return the session authentication strategy, also exposed as a bean
     */
    @Bean
    @Override
    protected SessionAuthenticationStrategy sessionAuthenticationStrategy() {
        SessionRegistryImpl registry = new SessionRegistryImpl();
        return new RegisterSessionAuthenticationStrategy(registry);
    }

    /**
     * Provides the {@link HttpSessionManager} bean unless one is already defined.
     *
     * <p>The {@code @ConditionalOnMissingBean} guard is needed because Spring Boot 2.1.0 turned
     * off {@code spring.main.allow-bean-definition-overriding} by default, so an unconditional
     * duplicate definition would fail at startup.
     *
     * @return a new {@link HttpSessionManager}
     */
    @Bean
    @Override
    @ConditionalOnMissingBean(HttpSessionManager.class)
    protected HttpSessionManager httpSessionManager() {
        return new HttpSessionManager();
    }

    /**
     * Declares the URL-to-role access rules on top of the Keycloak filter chain that the
     * superclass installs.
     *
     * <p>Only {@code /books} (Member or Librarian) and {@code /manager} (Librarian) require a
     * role. The trailing {@code anyRequest().permitAll()} leaves every other path, including
     * endpoints added later, reachable without authentication; new protected resources must be
     * listed here explicitly, or the default changed to {@code authenticated()}.
     *
     * @param http the security builder to configure
     * @throws Exception propagated from the Spring Security builder API
     */
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Installs the Keycloak authentication/authorization filters before our URL rules.
        super.configure(http);
        http.authorizeRequests()
                .antMatchers("/books").hasAnyRole("Member", "Librarian")
                .antMatchers("/manager").hasRole("Librarian")
                .anyRequest().permitAll();
    }
}