I have a Spring Cloud Gateway which is protected using Keycloak. Behind the gateway are a few microservices and an Angular frontend which is served by an NGINX container. The gateway acts as a Keycloak client. The security configuration of the gateway looks like this:
    @Bean
    SecurityWebFilterChain springSecurityFilterChain(
            ServerHttpSecurity http,
            ReactiveClientRegistrationRepository clientRegistrationRepository
    ) {
        return http
                .authorizeExchange(exchange -> exchange
                        // the SPA shell and its static assets are public
                        .pathMatchers("/", "/*.css", "/*.js", "/favicon.ico").permitAll()
                        // everything else requires an authenticated session
                        .anyExchange().authenticated())
                // unauthenticated requests get a 401 instead of a redirect
                .exceptionHandling(exceptionHandling ->
                        exceptionHandling.authenticationEntryPoint(
                                new HttpStatusServerEntryPoint(HttpStatus.UNAUTHORIZED)))
                .oauth2Login(Customizer.withDefaults())
                // RP-initiated logout through Keycloak
                .logout(logout -> logout.logoutSuccessHandler(
                        oidcLogoutSuccessHandler(clientRegistrationRepository)))
                .csrf().disable()
                .build();
    }
The problem occurs when I make a request to the gateway on localhost:9000/: I get redirected to the Keycloak login page. When I log in, Keycloak redirects me to the Angular application. This should not happen, because the "/" route shouldn't be protected. What am I doing wrong?
Solved the problem by annotating my config class with @Configuration instead of @EnableWebFlux, since I am using Spring Boot 3.
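The fix above, as a complete configuration class (an added example, not code from the question or answer). The class name, the explicit @EnableWebFluxSecurity, and the body of the oidcLogoutSuccessHandler helper (which the question references but does not show) are assumptions; the filter chain itself mirrors the one in the question. With @EnableWebFlux on a configuration class, Spring Boot's WebFlux auto-configuration backs off, which is why the answer replaces it with plain @Configuration.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpStatus;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.oauth2.client.oidc.web.server.logout.OidcClientInitiatedServerLogoutSuccessHandler;
import org.springframework.security.oauth2.client.registration.ReactiveClientRegistrationRepository;
import org.springframework.security.web.server.SecurityWebFilterChain;
import org.springframework.security.web.server.authentication.HttpStatusServerEntryPoint;
import org.springframework.security.web.server.authentication.logout.ServerLogoutSuccessHandler;

// @Configuration, not @EnableWebFlux: @EnableWebFlux tells Spring Boot you take
// full control of WebFlux, so its WebFlux auto-configuration is switched off.
@Configuration
@EnableWebFluxSecurity // assumed; Boot would also enable this automatically
public class GatewaySecurityConfig { // class name is an assumption

    @Bean
    SecurityWebFilterChain springSecurityFilterChain(
            ServerHttpSecurity http,
            ReactiveClientRegistrationRepository clientRegistrationRepository) {
        return http
                .authorizeExchange(exchange -> exchange
                        // Public: only the SPA shell and its static assets.
                        .pathMatchers("/", "/*.css", "/*.js", "/favicon.ico").permitAll()
                        // Everything else (the proxied microservices) needs a session.
                        .anyExchange().authenticated())
                // Unauthenticated calls to protected routes get a 401 rather than a
                // redirect to Keycloak, so the Angular app can react to it itself.
                .exceptionHandling(e -> e.authenticationEntryPoint(
                        new HttpStatusServerEntryPoint(HttpStatus.UNAUTHORIZED)))
                .oauth2Login(Customizer.withDefaults())
                .logout(logout -> logout.logoutSuccessHandler(
                        oidcLogoutSuccessHandler(clientRegistrationRepository)))
                .csrf(ServerHttpSecurity.CsrfSpec::disable) // lambda form, Spring Security 6
                .build();
    }

    // Assumed implementation of the helper referenced in the question:
    // RP-initiated logout, so the Keycloak session ends together with the gateway's.
    private ServerLogoutSuccessHandler oidcLogoutSuccessHandler(
            ReactiveClientRegistrationRepository clientRegistrationRepository) {
        var handler = new OidcClientInitiatedServerLogoutSuccessHandler(clientRegistrationRepository);
        handler.setPostLogoutRedirectUri("{baseUrl}/");
        return handler;
    }
}
```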