11

I'm just a beginner in Spring Security, but I would like to know is it possible to configure keycloak in a way that I can use @PreAuthorize, @PostAuthorize, @Secured and other annotations. For example, I've configured the keycloak-spring-security-adapter and Spring Security in my simple Spring Rest webapp so that I have access to Principal object in my controller, like this:

@RestController
public class TMSRestController {

     @RequestMapping("/greeting")
     public Greeting greeting(Principal principal, @RequestParam(value="name") String name) {
        return new Greeting(String.format(template, name));
     }
...
}

But when I try this (just an example, actually I want to execute custom EL expression before authorization):

@RestController
public class TMSRestController {

    @RequestMapping("/greeting")
    @PreAuthorize("hasRole('ADMIN')")
    public Greeting greeting(Principal principal, @RequestParam(value="name") String name) {
        return new Greeting(String.format(template, name));
    }
...
}

I get exception:

org.springframework.security.authentication.AuthenticationCredentialsNotFoundException: An Authentication object was not found in the SecurityContext

In my spring security config I enabled global method security:

What do I need to make this spring security annotations work? Is it possible to use this annotation in this context at all?

zero298
  • 25,467
  • 10
  • 75
  • 100
Andrey Sarul
  • 1,382
  • 2
  • 16
  • 20

2 Answers2

5

here is example code:

@EnableWebSecurity
@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true,
                        securedEnabled = true,
                        jsr250Enabled = true)
@ComponentScan(basePackageClasses = KeycloakSecurityComponents.class)
public class WebSecurityConfig extends KeycloakWebSecurityConfigurerAdapter {
 }

and 

@PreAuthorize("hasRole('ROLE_ADMIN')")

Apart from this code. you need to do the role mapping for realm roles and client(application roles). the application roles will be put in @PreAuthorize

Rahul Baghaniya
  • 291
  • 4
  • 5
4

You still have to configure Spring Security using Keycloak. Take a look at the adapter documentation for an annotation based configuration. Once that's set up your Spring Security annotations will work on authorized calls.

Scott
  • 1,518
  • 14
  • 14
  • 3
    The answer was a time ago, but I got some similar problem with Spring Security and Keycloak. In my Spring Boot application I configured the adapter but couldn't use `@PreAuthorize("hasAuthority('user')")`. If a request was send, the annotation had no effect. I fixed it now by adding `@EnableGlobalMethodSecurity(prePostEnabled = true)` to my security configuration. – hesch Jul 21 '17 at 21:03
  • Thanks about prePostEnabled=true ! – Dmitri Algazin Jun 11 '19 at 17:04
  • 7
    As of today (12/18/19), the link to the adapter documentation you provided does not exist anymore (404). – SparkFountain Dec 18 '19 at 15:00
  • This should be the latest version : https://www.keycloak.org/docs/latest/securing_apps/#_spring_security_adapter – Omar Feb 24 '23 at 20:21