I have a Spring Boot app which delegates authentication and access management to Keycloak. The linking parameters are defined in application.properties as follows:

    ## keycloak configuration:
    keycloak.realm = Demo-Realm
    keycloak.auth-server-url = http://localhost:8080/auth
    keycloak.ssl-required = external
    keycloak.resource = springboot-microservice
    keycloak.credentials.secret = xxxx-xxxx-xxxx-xxx-xxxxxxxxxxx
    keycloak.use-resource-role-mappings = true
    keycloak.bearer-only = true
    ## Port
    server.port=9090

When I start the app and try to access an API using the access token for an authorized user provided by Keycloak, I get the expected response with a 200 code; but when I restart the app and omit the Authorization header, the API sends a 403 error and keeps sending the same error even after providing a valid access token again! So I have to restart the app to get it to work again.

Here is my configuration class:
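
    import org.keycloak.adapters.springsecurity.KeycloakConfiguration;
    import org.keycloak.adapters.springsecurity.authentication.KeycloakAuthenticationProvider;
    import org.keycloak.adapters.springsecurity.config.KeycloakWebSecurityConfigurerAdapter;
    import org.springframework.context.annotation.Bean;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
    import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.core.authority.mapping.SimpleAuthorityMapper;
    import org.springframework.security.core.session.SessionRegistryImpl;
    import org.springframework.security.web.authentication.session.RegisterSessionAuthenticationStrategy;
    import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy;

    @Configuration
    @KeycloakConfiguration
    @EnableGlobalMethodSecurity(jsr250Enabled = true)
    public class ResourceServiceConfig extends KeycloakWebSecurityConfigurerAdapter {

        // Registers authenticated sessions in an in-memory session registry.
        @Bean
        @Override
        protected SessionAuthenticationStrategy sessionAuthenticationStrategy() {
            return new RegisterSessionAuthenticationStrategy(new SessionRegistryImpl());
        }

        // Uses the Keycloak provider and maps token roles to Spring authorities.
        @Override
        protected void configure(AuthenticationManagerBuilder auth) throws Exception {
            KeycloakAuthenticationProvider keycloakAuthenticationProvider = keycloakAuthenticationProvider();
            keycloakAuthenticationProvider.setGrantedAuthoritiesMapper(new SimpleAuthorityMapper());
            auth.authenticationProvider(keycloakAuthenticationProvider);
        }

        // No URL-level restrictions; access control is left to method annotations.
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.authorizeRequests()
                .anyRequest().permitAll();
            http.csrf().disable();
        }
    }
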
My controller:
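
    import java.util.List;
    import javax.annotation.security.RolesAllowed;
    import org.springframework.beans.factory.annotation.Autowired;
    import org.springframework.web.bind.annotation.DeleteMapping;
    import org.springframework.web.bind.annotation.GetMapping;
    import org.springframework.web.bind.annotation.PathVariable;
    import org.springframework.web.bind.annotation.PostMapping;
    import org.springframework.web.bind.annotation.RequestBody;
    import org.springframework.web.bind.annotation.RequestMapping;
    import org.springframework.web.bind.annotation.RestController;

    @RestController
    @RequestMapping("/workout")
    public class WorkoutController {

        @Autowired
        private WorkoutService workoutService;

        // No role annotation on this endpoint.
        @PostMapping("/add")
        public void addNewRecord(@RequestBody Workout newWorkout) {
            workoutService.saveWorkout(newWorkout);
        }

        // Restricted to the "admin" role via JSR-250 method security.
        @RolesAllowed("admin")
        @GetMapping("/find/all")
        public List<Workout> findAllUserRecords() {
            return workoutService.findWorkouts();
        }

        // No role annotation on this endpoint.
        @DeleteMapping("/{id}")
        public void deleteRecordById(@PathVariable Long id) {
            workoutService.deleteWorkout(id);
        }
    }
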
I'm new to Keycloak. Could anyone help?