I have a problem with my Keycloak and Spring Boot configuration. When I try to execute a request for a resource which does not exist, I receive a 401 HTTP status. Is it a default Keycloak configuration? Is it possible to override it to have a 404 Not Found status when the URL does not exist (some filter order?), or is it proper behavior? Thanks for any clue. Below is my Keycloak configuration:

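import org.keycloak.adapters.springboot.KeycloakSpringBootConfigResolver;
import org.keycloak.adapters.springsecurity.KeycloakConfiguration;
import org.keycloak.adapters.springsecurity.config.KeycloakWebSecurityConfigurerAdapter;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.core.session.SessionRegistryImpl;
import org.springframework.security.web.authentication.session.RegisterSessionAuthenticationStrategy;
import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy;

@KeycloakConfiguration
public class SecurityConfiguration extends KeycloakWebSecurityConfigurerAdapter {

    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) {
        auth.authenticationProvider(keycloakAuthenticationProvider());
    }

    @Bean
    public KeycloakSpringBootConfigResolver keycloakSpringBootConfigResolver() {
        return new KeycloakSpringBootConfigResolver();
    }

    @Override
    protected SessionAuthenticationStrategy sessionAuthenticationStrategy() {
        return new RegisterSessionAuthenticationStrategy(new SessionRegistryImpl());
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        super.configure(http);
        http.authorizeRequests()
                // /api/users is public.
                .antMatchers("/api/users")
                .permitAll()
                // Every other request, including URLs with no handler, requires full authentication.
                .anyRequest()
                .fullyAuthenticated();
    }
}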
ketrab321
  • You should return 404 when the resource isn't found. https://stackoverflow.com/questions/4038981/is-it-ok-to-return-a-http-401-for-a-non-existent-resource-instead-of-404-to-prev – Katy Jul 11 '20 at 20:25

1 Answer

You can define your "deny list" URLs and use .antMatchers(${Your_Deny_List}).fullyAuthenticated() instead of

.anyRequest()
        .fullyAuthenticated();

When you do this, Spring Security only secures your "deny list", and if a URL does not exist you receive a 404.
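
The answer's approach written out as a complete replacement for the question's configuration class, as an added example that is not part of the original answer. The class name and the `/admin/**` prefix in `PROTECTED_PATHS` are assumptions; the rest mirrors the question's code.

```java
import org.keycloak.adapters.springboot.KeycloakSpringBootConfigResolver;
import org.keycloak.adapters.springsecurity.KeycloakConfiguration;
import org.keycloak.adapters.springsecurity.config.KeycloakWebSecurityConfigurerAdapter;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.core.session.SessionRegistryImpl;
import org.springframework.security.web.authentication.session.RegisterSessionAuthenticationStrategy;
import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy;

@KeycloakConfiguration
public class ExplicitPathSecurityConfiguration extends KeycloakWebSecurityConfigurerAdapter {

    // Assumed for this example: every protected endpoint lives under these prefixes.
    private static final String[] PROTECTED_PATHS = { "/api/**", "/admin/**" };

    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) {
        auth.authenticationProvider(keycloakAuthenticationProvider());
    }

    @Bean
    public KeycloakSpringBootConfigResolver keycloakSpringBootConfigResolver() {
        return new KeycloakSpringBootConfigResolver();
    }

    @Override
    protected SessionAuthenticationStrategy sessionAuthenticationStrategy() {
        return new RegisterSessionAuthenticationStrategy(new SessionRegistryImpl());
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        super.configure(http);
        http.authorizeRequests()
                // Rules are checked in order and the first match wins, so the
                // public endpoint must come before the broader protected pattern.
                .antMatchers("/api/users").permitAll()
                // Anonymous requests under these prefixes are still rejected
                // before dispatch, whether or not a controller maps the URL.
                .antMatchers(PROTECTED_PATHS).fullyAuthenticated()
                // Everything else reaches Spring MVC, so an unmapped URL gets
                // 404. Endpoints added outside PROTECTED_PATHS are served
                // without authentication until they are listed above.
                .anyRequest().permitAll();
    }
}
```

With this layout the authorization rules fail open: a new controller mounted outside the listed prefixes is public by default, so the prefix list needs review whenever routes are added.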