Spring Cloud Gateway — Resource Server with Keycloak RBAC

Introduction

The post assumes a custom Keycloak realm role has already been created and assigned to the user; the resource server below checks for a role named product_read.

Creating a Resource Server

Create a Spring Boot project with the following dependencies:

  • OAuth2 resource server
  • Spring Web
import java.security.Principal;
import javax.annotation.security.RolesAllowed;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class Controller {

    @GetMapping("/product")
    @RolesAllowed({"product_read"}) // Keycloak role product_read, mapped to authority ROLE_product_read by RealmRoleConverter
    public String getProduct(Principal principal) {
        // with JwtAuthenticationConverter the principal name is the token's "sub" claim
        return "Response from Product Service, User Id:" + principal.getName();
    }
}
spring:
  security:
    oauth2:
      resourceserver:
        jwt:
          jwk-set-uri: http://localhost:8080/auth/realms/My-Realm/protocol/openid-connect/certs

server:
  port: 9191

With jwk-set-uri, Spring only verifies the token's signature against the realm's published keys and its exp/nbf timestamps; it does not check the iss claim. Configuring spring.security.oauth2.resourceserver.jwt.issuer-uri (http://localhost:8080/auth/realms/My-Realm) instead makes Spring discover the JWKS from the realm's OpenID metadata at startup and additionally reject tokens whose issuer differs.
import org.springframework.context.annotation.Configuration;
import org.springframework.core.convert.converter.Converter;
import org.springframework.security.authentication.AbstractAuthenticationToken;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationConverter;

@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(jsr250Enabled = true) // enables @RolesAllowed; without it the controller annotation is silently ignored
public class ResourceServerConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .anyRequest().authenticated()
                .and()
            .oauth2ResourceServer()
                .jwt(jwt -> jwt.jwtAuthenticationConverter(jwtAuthenticationConverter()));
    }

    // Replace the default scope-based authority mapping with one that reads Keycloak realm roles
    private Converter<Jwt, ? extends AbstractAuthenticationToken> jwtAuthenticationConverter() {
        JwtAuthenticationConverter jwtConverter = new JwtAuthenticationConverter();
        jwtConverter.setJwtGrantedAuthoritiesConverter(new RealmRoleConverter());
        return jwtConverter;
    }
}
import java.util.Collection;
import java.util.List;
import java.util.Map;
import java.util.stream.Collectors;
import org.springframework.core.convert.converter.Converter;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.oauth2.jwt.Jwt;

public class RealmRoleConverter implements Converter<Jwt, Collection<GrantedAuthority>> {
    @Override
    public Collection<GrantedAuthority> convert(Jwt jwt) {
        Map<String, Object> realmAccess = jwt.getClaimAsMap("realm_access"); // absent for users without realm roles
        if (realmAccess == null || !(realmAccess.get("roles") instanceof Collection)) {
            return List.of();
        }
        return ((Collection<?>) realmAccess.get("roles")).stream()
            .map(roleName -> new SimpleGrantedAuthority("ROLE_" + roleName)) // ROLE_ prefix is what @RolesAllowed expects
            .collect(Collectors.toList());
    }
}
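Keycloak also issues client roles, which land under resource_access.<client-id>.roles rather than realm_access.roles. The following added example, which is not part of the original post, extends the converter to read both locations, tolerates either claim being absent, and includes a main method that runs the mapping over constructed claims so the result can be checked without a running Keycloak. The client id product-service is an assumption.

```java
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
import java.util.Map;

import org.springframework.core.convert.converter.Converter;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.oauth2.jwt.Jwt;

/**
 * Maps Keycloak realm roles (realm_access.roles) and the roles of one client
 * (resource_access.<client-id>.roles) to Spring authorities with the ROLE_ prefix.
 */
public class KeycloakRoleConverter implements Converter<Jwt, Collection<GrantedAuthority>> {

    private final String clientId; // assumption: the Keycloak client whose client roles should count

    public KeycloakRoleConverter(String clientId) {
        this.clientId = clientId;
    }

    @Override
    @SuppressWarnings("unchecked")
    public Collection<GrantedAuthority> convert(Jwt jwt) {
        List<GrantedAuthority> authorities = new ArrayList<>();

        // Realm roles: {"realm_access": {"roles": [...]}}
        addRoles(authorities, jwt.getClaimAsMap("realm_access"));

        // Client roles: {"resource_access": {"<client-id>": {"roles": [...]}}}
        Map<String, Object> resourceAccess = jwt.getClaimAsMap("resource_access");
        if (resourceAccess != null && resourceAccess.get(clientId) instanceof Map) {
            addRoles(authorities, (Map<String, Object>) resourceAccess.get(clientId));
        }
        return authorities;
    }

    private static void addRoles(List<GrantedAuthority> target, Map<String, Object> access) {
        // A user with no roles simply gets no authorities; a missing claim must not throw
        if (access == null || !(access.get("roles") instanceof Collection)) {
            return;
        }
        for (Object role : (Collection<?>) access.get("roles")) {
            target.add(new SimpleGrantedAuthority("ROLE_" + role));
        }
    }

    public static void main(String[] args) {
        // Constructed claims shaped like a Keycloak access token; this is not a real, signed token.
        Jwt withRoles = Jwt.withTokenValue("constructed")
            .header("alg", "RS256")
            .claim("sub", "user-1")
            .claim("realm_access", Map.of("roles", List.of("product_read")))
            .claim("resource_access", Map.of("product-service", Map.of("roles", List.of("product_admin"))))
            .build();

        // Constructed token with neither claim, as issued for a user without any roles.
        Jwt withoutRoles = Jwt.withTokenValue("constructed")
            .header("alg", "RS256")
            .claim("sub", "user-2")
            .build();

        KeycloakRoleConverter converter = new KeycloakRoleConverter("product-service");
        System.out.println("user-1: " + converter.convert(withRoles));
        System.out.println("user-2: " + converter.convert(withoutRoles));
    }
}
```

To use it, pass an instance to setJwtGrantedAuthoritiesConverter in place of RealmRoleConverter. Because roles from both scopes share the ROLE_ namespace, a realm role and a client role with the same name become the same authority; give client roles distinct names if that matters for your authorisation model.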

Connecting Resource Server to API Gateway

spring:
  cloud:
    gateway:
      default-filters:
        - TokenRelay
      routes:
        - id: product-resource-service
          uri: http://localhost:9191
          predicates:
            - Path=/product/**

TokenRelay requires the gateway itself to be configured as an OAuth2 client (login) against the same realm. It copies the access token obtained at login into an Authorization: Bearer header on the proxied request, so the resource server validates the same Keycloak token it would receive from a direct call on port 9191.

Running the Applications

Build both projects and start them:

java -jar target/spring-cloud-gateway-keycloak-oauth2-0.0.1-SNAPSHOT.jar
java -jar target/product-service-0.0.1-SNAPSHOT.jar

Conclusion

Amrut Prabhu

Software Craftsman, Tech Enthusiast. I run https://refactorfirst.com to post all my articles