
I have a Spring Boot application (MVC) which is secured with Keycloak (using spring-boot-starter-security and keycloak-spring-boot-starter).

I configured KeycloakWebSecurityConfigurerAdapter like this:

    @Override
    protected SessionAuthenticationStrategy sessionAuthenticationStrategy() {
        return new RegisterSessionAuthenticationStrategy(new SessionRegistryImpl());
    }

    @Override
    protected KeycloakAuthenticationProvider keycloakAuthenticationProvider() {
        return this.tybsKimlikSaglayici;
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        super.configure(http);

        http.cors().and().authorizeRequests().antMatchers("/",
                "/home").permitAll().antMatchers("/admin").permitAll()
                .anyRequest().authenticated().and()
                .logout()
                .logoutRequestMatcher(new AntPathRequestMatcher("/sso/logout")).permitAll();

        // accessDeniedPage() requires a path that begins with '/'
        http.exceptionHandling().accessDeniedPage("/accessDeniedPage");
    }

    @Bean
    public CorsConfigurationSource corsConfigurationSource() {
        final CorsConfiguration configuration = new CorsConfiguration();
        // Note: a "*" origin combined with allowCredentials(true) is rejected
        // by Spring Framework 5.3+ (use setAllowedOriginPatterns there)
        configuration.setAllowedOrigins(ImmutableList.of("*"));
        configuration.setAllowedMethods(ImmutableList.of("HEAD",
                "GET", "POST", "PUT", "DELETE", "PATCH"));

        configuration.setAllowCredentials(true);

        configuration.setAllowedHeaders(ImmutableList.of("Authorization", "Cache-Control", "Content-Type"));
        final UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        source.registerCorsConfiguration("/**", configuration);
        return source;
    }

A request to a controller method which returns an HTML view works fine (Keycloak authenticates the request),

but a form action to a controller method or an Ajax request to a REST controller method is not working (POST, PUT, DELETE... requests).

I added @CrossOrigin(origins = "*") to my controller.

Here is my Ajax request:

    $.ajax({
        type : "method_here",
        contentType : "application/json; charset=utf-8",
        url : "url_here",
        data : JSON.stringify(data),
        timeout : 30000,
        success : function(response) {

        },
        error : function(error) {

        }
    });

Here is the Keycloak client:

[screenshot of the Keycloak client configuration]

Here is the keycloak.json (I also tried the application.properties file):

    {
      "realm": "demo-realm",
      "auth-server-url": "url_of_sso_app",
      "ssl-required": "external",
      "resource": "kie-remote",
      "principal-attribute": "preferred_username",
      "credentials": {
         "secret": "secret_of_realm_client"
      }
    }

I also tried adding these CORS settings to it:

    "enable-cors": true,
    "cors-max-age": 10000,
    "cors-allowed-methods": "GET, POST, PUT, HEAD, OPTIONS",
    "cors-allowed-headers": "Origin, Accept, X-Requested-With, Content-Type, Access-Control-Request-Method, Access-Control-Request-Headers"

How can I fix this issue? How can I authenticate an Ajax request with Keycloak?

Batuhan
  • Can you please be more detailed about what is not working. What's the outcome of AJAX requests? – Boomer Nov 06 '17 at 06:13
  • In the Eclipse console a "403 not mapping" message was shown, but the Ajax error response shows 404 Not Found. Thanks for your attention, I solved the problem. I added it to the answers – Batuhan Nov 06 '17 at 07:01

1 Answer

I found what I was missing.

    @Override
    public void configure(WebSecurity web) throws Exception {
        // bypasses the security filter chain entirely for these methods
        web.ignoring()
                .antMatchers(HttpMethod.POST, "/**")
                .antMatchers(HttpMethod.PUT, "/**")
                .antMatchers(HttpMethod.DELETE, "/**");
    }

This method must be overridden in the web security config, and it should be changed to something like .antMatchers(HttpMethod.POST, "/allowed_method_path").

Edit:

This code skips the authentication process for these HTTP method types. The right solution does not use the web.ignoring() method. The issue is related to CSRF (the default Spring Security setting for CSRF is enabled): Spring blocks PUT, DELETE and POST HTTP methods to protect the server from CSRF attacks. If the service is not consumed in a browser, CSRF can be disabled, but since the service is producing a browser page, the solution is to configure CSRF. Please check How to obtain csrf token in a velocity macro when using spring security

Thanks

Batuhan
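The client-side half of the CSRF fix described in the answer, as an added example that is not code from the question or the answer: a jQuery beforeSend hook that copies Spring Security's CSRF token into the request header, so the POST/PUT/DELETE Ajax calls pass the CSRF filter instead of being ignored by it. It assumes the server is configured with http.csrf().csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse()), so the token is exposed in the XSRF-TOKEN cookie and expected back in the X-XSRF-TOKEN header (Spring's default names); the function names are my own.

```javascript
// Assumed server config: CookieCsrfTokenRepository.withHttpOnlyFalse(), which
// writes the token to a readable XSRF-TOKEN cookie and checks X-XSRF-TOKEN.
var CSRF_COOKIE = "XSRF-TOKEN";
var CSRF_HEADER = "X-XSRF-TOKEN";
// Spring Security only enforces CSRF on methods that can change state.
var SAFE_METHODS = ["GET", "HEAD", "OPTIONS", "TRACE"];

// Pull one cookie's value out of a document.cookie string; null if absent.
function readCookie(cookieString, name) {
  var parts = (cookieString || "").split(";");
  for (var i = 0; i < parts.length; i++) {
    var pair = parts[i].trim();
    var eq = pair.indexOf("=");
    if (eq > 0 && pair.slice(0, eq) === name) {
      return decodeURIComponent(pair.slice(eq + 1));
    }
  }
  return null;
}

function needsCsrfToken(method) {
  return SAFE_METHODS.indexOf(String(method || "GET").toUpperCase()) === -1;
}

// Extra headers for one request. Returns {} when nothing is needed (safe
// method, or no token cookie yet), so callers can merge it blindly.
function csrfHeaders(method, cookieString) {
  if (!needsCsrfToken(method)) return {};
  var token = readCookie(cookieString, CSRF_COOKIE);
  if (token === null) return {};
  var headers = {};
  headers[CSRF_HEADER] = token;
  return headers;
}

// Hook every jQuery Ajax call once instead of editing each $.ajax({...}).
// The cookie is read per request, so a rotated token is picked up.
function installCsrfHook(jq, getCookieString) {
  jq.ajaxSetup({
    beforeSend: function (xhr, settings) {
      var extra = csrfHeaders(settings.type, getCookieString());
      for (var h in extra) xhr.setRequestHeader(h, extra[h]);
    }
  });
}

// In the page: installCsrfHook($, function () { return document.cookie; });
```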