I got stuck when trying to implement OAuth2 usage in my Java Spring microservice. Almost EVERY article (regarding examples) I've found was about Spring Boot and OAuth2. But I have a simple Java CXF/JAX-RS microservice with a springSecurity.xml. For a better understanding of what I want to achieve: I have a Java microservice which might communicate with other microservices. It doesn't have any frontend, it's just a backend service. It includes OpenAPI/Swagger for documentation purposes and uses swagger-ui (included via Maven plugin) to test the endpoints. I know that configuring swagger-ui is another step I have to take later on. First of all I would like to secure my microservice with OAuth2.
All I found which at least looked a little bit like what I'm looking for was this: https://github.com/tfeng/play-oauth2/blob/master/conf/spring/security-context.xml
My previous security-context.xml looked like this:
<sec:http pattern="/rest/**">
    <sec:csrf disabled="true" />
    <sec:intercept-url access="isAuthenticated()" pattern="/**" />
    <sec:http-basic />
</sec:http>
<sec:http>
    <sec:csrf disabled="true" />
    <sec:intercept-url access="isAuthenticated()" pattern="/**" />
    <sec:http-basic />
    <sec:logout />
</sec:http>
<sec:authentication-manager>
    <sec:authentication-provider>
        <sec:user-service>
            <sec:user authorities="" name="myApiUser" password="my4p1Secr3t" />
        </sec:user-service>
    </sec:authentication-provider>
</sec:authentication-manager>
In the best case I can configure my microservice and swagger-ui to use Keycloak for authentication/authorization.
I would be glad if someone could help me out and point me in the right direction, maybe with some steps or an explanation for more clarification.
Since you are using Spring XML configuration, and as I understood, you want to manually define the configs that Spring Boot's auto-configs and scans do.
First of all, you'll need to component-scan the Keycloak package org.keycloak.adapters.springsecurity, assuming you have the dependency defined in your pom.xml:
<dependency>
    <groupId>org.keycloak</groupId>
    <artifactId>keycloak-spring-security-adapter</artifactId>
    <version>14.0.0</version>
</dependency>
To secure an application with Spring Security you have to provide some extra beans in your Spring Security configuration file and add the Keycloak security filter to your pipeline:
A ServletListenerRegistrationBean<HttpSessionEventPublisher> object, or in your web.xml file for a pure Spring Security environment:
<listener>
    <listener-class>org.springframework.security.web.session.HttpSessionEventPublisher</listener-class>
</listener>
<security:authentication-manager alias="authenticationManager">
    <security:authentication-provider ref="keycloakAuthenticationProvider" />
</security:authentication-manager>
<bean id="keycloakAuthenticationProvider" class="org.keycloak.adapters.springsecurity.authentication.KeycloakAuthenticationProvider" />
The adapterDeploymentContext bean; it specifies how the client should communicate with the auth-server:
<bean id="adapterDeploymentContext" class="org.keycloak.adapters.springsecurity.AdapterDeploymentContextFactoryBean">
    <constructor-arg value="/WEB-INF/keycloak.json" />
</bean>
Here is an example of that JSON file, for a project called plantarium:
{
    "realm" : "plantarium",
    "resource" : "plantarium-plants",
    "use-resource-role-mappings" : true,
    "auth-server-url" : "${env.AUTH_SERVER_URL:http://0.0.0.0:8080/auth}",
    "ssl-required" : "external",
    "enable-cors" : true,
    "cors-max-age" : 1000,
    "cors-allowed-methods" : "POST, PUT, DELETE, GET",
    "cors-exposed-headers" : "WWW-Authenticate, My-custom-exposed-Header",
    "bearer-only" : false,
    "expose-token" : true,
    "principal-attribute": "preferred_username",
    "verify-token-audience" : false,
    "connection-pool-size" : 20,
    "disable-trust-manager": true,
    "allow-any-hostname" : false,
    "token-minimum-time-to-live" : 10,
    "min-time-between-jwks-requests" : 10,
    "public-key-cache-ttl": 86400,
    "confidential-port": 0
}
This is what I'm able to give you to replace the Spring Boot annotation configs for now; this and the following should help you use Keycloak with a plain old Spring XML based client.
The rest of the XML can be found here: https://www.keycloak.org/docs/latest/securing_apps/#_spring_secUrity_adapter, which is basically defining filters and endpoints, which I believe is going to be specific to your needs. After this you should be able to run your client without any auto-config annotations or Spring Boot starters.
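As an added example (not code from the answer or from the Keycloak project), a small Python audit of the keycloak.json above against what a backend service that only accepts bearer tokens should set; the meaning of each key follows the Keycloak adapter documentation, and the embedded JSON is the page's sample trimmed to the audited keys.

```python
import json

# keycloak.json from the answer above, embedded as a constructed input (only audited keys kept).
PAGE_KEYCLOAK_JSON = """{
  "realm" : "plantarium",
  "resource" : "plantarium-plants",
  "auth-server-url" : "${env.AUTH_SERVER_URL:http://0.0.0.0:8080/auth}",
  "ssl-required" : "external",
  "bearer-only" : false,
  "verify-token-audience" : false,
  "disable-trust-manager": true,
  "allow-any-hostname" : false
}"""

def load_config(text):
    return json.loads(text)

def resolve_placeholder(value):
    """Default part of a ${env.NAME:default} placeholder, otherwise the value itself."""
    if value.startswith("${") and value.endswith("}") and ":" in value:
        return value[value.index(":") + 1:-1]
    return value

def audit_keycloak_config(cfg):
    """Hardening findings for a backend service that should only validate bearer tokens."""
    findings = []
    if cfg.get("disable-trust-manager", False):
        findings.append("disable-trust-manager: TLS certificate checks toward the auth server are off (development only)")
    if cfg.get("allow-any-hostname", False):
        findings.append("allow-any-hostname: certificate hostname verification is off")
    if cfg.get("ssl-required", "external") != "all":
        findings.append("ssl-required: only 'all' forces HTTPS for every request, not just external ones")
    if not cfg.get("bearer-only", False):
        findings.append("bearer-only: a backend API should only validate bearer tokens, never start a browser login")
    if not cfg.get("verify-token-audience", False):
        findings.append("verify-token-audience: tokens issued for other clients would be accepted here")
    if resolve_placeholder(cfg.get("auth-server-url", "")).startswith("http://"):
        findings.append("auth-server-url: plain HTTP to the auth server exposes tokens in transit")
    return findings

def harden(cfg):
    """Copy of cfg with the adapter flags a backend-only service should use (URL left to the operator)."""
    fixed = dict(cfg)
    fixed.update({"disable-trust-manager": False, "ssl-required": "all",
                  "bearer-only": True, "verify-token-audience": True})
    return fixed

if __name__ == "__main__":
    print("\n".join(audit_keycloak_config(load_config(PAGE_KEYCLOAK_JSON))))
```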