I have been playing with spring boot and been successful in using Keycloak and Vaadin separately in different projects. Now, I wanted to combine both to avoid having to implement my own security using Vaadin. The result I have so far can be found here: github project.
I started from the shared security example given by vaadin4spring. I then added the Keycloak configuration as given by the keycloak-spring-security-adapter and the keycloak-spring-boot-adapter.
I have now hit a wall in getting both to work together. When everything is up and running and I navigate to localhost:8080, I get the following error:
{"timestamp":...,"status":401,"error":"Unauthorized","message":"Unauthorized","path":"/"}
No redirect is triggered to authenticate with Keycloak. However, if I navigate to any other url not managed by Vaadin, e.g. localhost:8080/login, the redirect is triggered.
After logging in successfully, I can navigate to localhost:8080 without an error. However, any operation remains restricted and the secured views remain hidden.
Any ideas how to fix my configuration? I am thinking it is due to Vaadin handling CORS.
Apparently, in my setup, upon startup the system would register the user as being anonymous instead of trying to actually authenticate.
http.anonymous().disable();
Adding the above snippet to the security configuration prevents this from happening and the system correctly redirects the user to KC login.
Once I got this working, I noticed my views were also broken. This was due to method security proxy settings affecting all beans. Vaadin requires actual run-time classes instead of proxies to e.g. find views.
@EnableGlobalMethodSecurity(securedEnabled = true, prePostEnabled = true, proxyTargetClass = true)
Changing proxyTargetClass to true ensures subclass proxies are created, avoiding any conflict with Vaadin.
I pushed all changes to the github project.