I'm just a beginner in Spring Security, but I would like to know whether it is possible to configure Keycloak in a way that I can use @PreAuthorize, @PostAuthorize, @Secured and other annotations.
For example, I've configured the keycloak-spring-security-adapter and Spring Security in my simple Spring REST webapp so that I have access to the Principal object in my controller, like this:
    @RestController
    public class TMSRestController {
        @RequestMapping("/greeting")
        public Greeting greeting(Principal principal, @RequestParam(value="name") String name) {
            return new Greeting(String.format(template, name));
        }
        ...
    }
But when I try this (just an example, actually I want to execute a custom EL expression before authorization):
    @RestController
    public class TMSRestController {
        @RequestMapping("/greeting")
        @PreAuthorize("hasRole('ADMIN')")
        public Greeting greeting(Principal principal, @RequestParam(value="name") String name) {
            return new Greeting(String.format(template, name));
        }
        ...
    }
I get an exception:
org.springframework.security.authentication.AuthenticationCredentialsNotFoundException: An Authentication object was not found in the SecurityContext
In my spring security config I enabled global method security:
What do I need to make these Spring Security annotations work? Is it possible to use this annotation in this context at all?
You still have to configure Spring Security using Keycloak. Take a look at the adapter documentation for an annotation-based configuration. Once that's set up, your Spring Security annotations will work on authorized calls.