Issue
I am using Spring Boot 2.6.2, Actuator and Keycloak 16.1.0. The Spring Boot pom is:
```xml
<dependencies>
    <dependency>
        <groupId>org.keycloak</groupId>
        <artifactId>keycloak-spring-boot-starter</artifactId>
        <version>16.1.0</version>
    </dependency>
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-actuator</artifactId>
    </dependency>
</dependencies>
<dependencyManagement>
    <dependencies>
        <dependency>
            <groupId>org.keycloak.bom</groupId>
            <artifactId>keycloak-adapter-bom</artifactId>
            <version>16.1.0</version>
            <type>pom</type>
            <scope>import</scope>
        </dependency>
    </dependencies>
</dependencyManagement>
```
The application.properties for the Keycloak config is:
```properties
keycloak.realm=mt-developer
keycloak.resource=test
keycloak.auth-server-url=http://local.host:8080/auth/
keycloak.credentials.secret=ZMRQ0OPiXZFONCpdNO0G7zLnq5IDIcvM
keycloak.ssl-required=external
keycloak.use-resource-role-mappings=false
keycloak.bearer-only=false
keycloak.autodetect-bearer-only=true
keycloak.security-constraints[0].authRoles[0]=user
keycloak.security-constraints[0].securityCollections[0].name=all
keycloak.security-constraints[0].securityCollections[0].patterns[0]=/*
keycloak.security-constraints[1].securityCollections[0].patterns[0]=/actuator
keycloak.security-constraints[1].securityCollections[0].patterns[1]=/actuator/*
keycloak.enabled=true
keycloak.cors=true
management.endpoints.web.exposure.include=*
logging.level.root=DEBUG
```
This config can expose /actuator and /actuator/*. Then I want to control the authorization on the Keycloak platform, so I add

```properties
keycloak.policy-enforcer-config.lazy-load-paths=true
```

to the properties to activate the policy enforcer. Then I can configure the authorization on the platform, but this setting makes the security-constraints config stop working: when I request the /actuator path, it returns a 403 code. Can I expose the path by configuring the settings on the platform?
Solution
First, don't use Keycloak adapters for Spring; they are deprecated.
Read these tutorials for alternatives.
Second, why use policies, which are far less efficient than role-based access control with JWT access tokens?
Just declare a "confidential" client in Keycloak with a role named something like SYSTEM_MONITOR, or whatever you like, and configure spring-security with `http.authorizeExchange().pathMatchers("/actuator/**").hasAuthority("SYSTEM_MONITOR")`.
Answered By - ch4mp
Answer Checked By - Pedro (JavaFixing Volunteer)
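The answer's approach written out for the servlet stack the question actually runs on (Spring Boot 2.6 / Spring Security 5.6), as an added example that is not from the answer or from the Keycloak project. It assumes spring-boot-starter-oauth2-resource-server is on the classpath and spring.security.oauth2.resourceserver.jwt.issuer-uri points at the Keycloak realm, swaps the answer's reactive authorizeExchange()/pathMatchers for the servlet authorizeHttpRequests()/antMatchers, and maps Keycloak's realm and client roles to authorities, since Spring's default converter only reads the "scope" claim and hasAuthority("SYSTEM_MONITOR") would otherwise never match.

```java
import java.util.Collection;
import java.util.Map;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationToken;
import org.springframework.security.web.SecurityFilterChain;

// Added example, not the answer's code. Assumes spring-boot-starter-oauth2-resource-server
// is on the classpath and spring.security.oauth2.resourceserver.jwt.issuer-uri names the realm.
@Configuration
public class ActuatorSecurityConfig {

    // Keycloak puts realm roles in realm_access.roles and client roles in
    // resource_access.<client-id>.roles. Spring's default converter reads only the
    // "scope" claim, so without this mapping hasAuthority("SYSTEM_MONITOR") never matches.
    static Collection<GrantedAuthority> keycloakAuthorities(Jwt jwt, String clientId) {
        Map<String, Object> resourceAccess = jwt.getClaimAsMap("resource_access");
        Object clientAccess = resourceAccess == null ? null : resourceAccess.get(clientId);
        return Stream.concat(roles(jwt.getClaimAsMap("realm_access")), roles(clientAccess))
                .<GrantedAuthority>map(SimpleGrantedAuthority::new)
                .collect(Collectors.toList());
    }

    @SuppressWarnings("unchecked")
    private static Stream<String> roles(Object access) {
        Object roles = access instanceof Map ? ((Map<?, ?>) access).get("roles") : null;
        // claim absent or malformed: the token simply grants no roles from it
        return roles instanceof Collection ? ((Collection<String>) roles).stream() : Stream.empty();
    }

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http.authorizeHttpRequests(authz -> authz
                        // monitoring endpoints: only tokens holding the dedicated role
                        .antMatchers("/actuator/**").hasAuthority("SYSTEM_MONITOR")
                        // everything else: the "user" role, as security-constraints[0] required
                        .anyRequest().hasAuthority("user"))
                // "test" is the client id from the question's keycloak.resource property
                .oauth2ResourceServer(oauth2 -> oauth2.jwt(jwt -> jwt.jwtAuthenticationConverter(
                        token -> new JwtAuthenticationToken(token, keycloakAuthorities(token, "test")))));
        return http.build();
    }
}
```

With this in place the keycloak.* properties and the adapter starter are no longer needed; a token without SYSTEM_MONITOR in realm_access or resource_access.test gets 403 on /actuator/** while the rest of the application still works for holders of the user role.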