
REST endpoint of Spring Boot application as WAR on Tomcat with Keycloak is no longer secure

I have a Spring Boot application with embedded Tomcat, and I configured my application with keycloak-spring-boot-adapter according to the link below

Spring boot adapter

I packaged my application as a Jar and everything works perfectly. My context root was

localhost:8080/service/api/*

and there was no problem; all endpoints were secure. Without authentication no one could access the API. Here are the properties

server.contextPath=/service

keycloak.realm = demo
keycloak.resource = client-apps
keycloak.auth-server-url = http://localhost:8180/auth
keycloak.ssl-required = external
# was written as "keycloak-bearer-only"; the key must be dotted or the adapter ignores it
keycloak.bearer-only = true
keycloak.credentials.secret = client-apps
keycloak.public-client = true
keycloak.enabled = true
keycloak.use-resource-role-mappings = true
keycloak.securityConstraints[0].authRoles[0] = admin
keycloak.securityConstraints[0].securityCollections[0].name = Secure Mappings
keycloak.securityConstraints[0].securityCollections[0].patterns[0] = /api/*
keycloak.securityConstraints[0].securityCollections[0].patterns[1] = /service/api/*
# was a second patterns[1], which silently overwrote the entry above
keycloak.securityConstraints[0].securityCollections[0].patterns[2] = /*/api/*

Now the requirements have changed and we need to deploy the application as a War on Tomcat instead of a Jar. Here is the POM

<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>

    <groupId>group</groupId>
    <artifactId>service</artifactId>
    <version>0.0.1-SNAPSHOT</version>
    <packaging>${packaging.type}</packaging>
    <name>Loan Service</name>

    <properties>
        <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
        <java.version>1.8</java.version>
        <junit.version>4.12</junit.version>
    </properties>

    <parent>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-parent</artifactId>
        <version>1.5.10.RELEASE</version>
    </parent>

    <dependencies>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-web</artifactId>
            <exclusions>
                <exclusion>
                    <groupId>org.springframework.boot</groupId>
                    <artifactId>spring-boot-starter-tomcat</artifactId>
                </exclusion>
            </exclusions>
        </dependency>
        <dependency>
            <groupId>org.keycloak</groupId>
            <artifactId>keycloak-spring-boot-starter</artifactId>
        </dependency>

        <!-- <dependency> <groupId>io.github.benas</groupId> <artifactId>random-beans</artifactId> 
            <version>3.7.0</version> </dependency> -->
        <dependency>
            <groupId>org.jsondoc</groupId>
            <artifactId>jsondoc-core</artifactId>
            <version>1.2.19</version>
        </dependency>
    </dependencies>

    <dependencyManagement>
        <dependencies>
            <dependency>
                <groupId>org.keycloak.bom</groupId>
                <artifactId>keycloak-adapter-bom</artifactId>
                <version>3.4.3.Final</version>
                <type>pom</type>
                <scope>import</scope>
            </dependency>
        </dependencies>
    </dependencyManagement>



    <profiles>
        <profile>
            <id>jar</id>
            <properties>
                <packaging.type>jar</packaging.type>
            </properties>
            <dependencies>
                <dependency>
                    <groupId>org.springframework.boot</groupId>
                    <artifactId>spring-boot-starter-tomcat</artifactId>
                </dependency>
            </dependencies>
            <build>
                <plugins>
                    <plugin>
                        <groupId>org.springframework.boot</groupId>
                        <artifactId>spring-boot-maven-plugin</artifactId>
                    </plugin>
                </plugins>
            </build>
        </profile>
        <profile>
            <id>war</id>
            <activation>
                <activeByDefault>true</activeByDefault>
            </activation>
            <properties>
                <packaging.type>war</packaging.type>
            </properties>
            <dependencies>
                <dependency>
                    <groupId>org.springframework.boot</groupId>
                    <artifactId>spring-boot-starter-tomcat</artifactId>
                    <scope>provided</scope>
                </dependency>
            </dependencies>
            <build>
                <plugins>
                    <plugin>
                        <groupId>org.springframework.boot</groupId>
                        <artifactId>spring-boot-maven-plugin</artifactId>

                        <!-- <configuration>
                            <webResources>
                                <resource>
                                    <directory>src/main/resources</directory>
                                    <includes>
                                        <include>**/*</include>
                                    </includes>
                                    <targetPath>WEB-INF/classes</targetPath>
                                </resource>
                            </webResources>
                        </configuration> -->
                    </plugin>
                </plugins>
            </build>
        </profile>
    </profiles>
</project>

The War is built successfully, but after deploying it to the Tomcat webapps directory my REST endpoints are no longer secure. The root context path is the same as before

localhost:8080/service/api/*

As you can see in the properties file, the paths that need to be secured are declared there. I have tried, but I can't figure out the root cause of this.

Can anybody with expertise in Keycloak and Spring Boot help me find what I am missing or where I am going wrong?

Project Structure:

[image: project structure]

Spring Boot Config:

import javax.servlet.http.HttpServletRequest;

import org.keycloak.KeycloakPrincipal;
import org.keycloak.representations.AccessToken;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.boot.builder.SpringApplicationBuilder;
import org.springframework.boot.web.support.SpringBootServletInitializer; // Spring Boot 1.5.x package
import org.springframework.context.MessageSource;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Scope;
import org.springframework.context.annotation.ScopedProxyMode;
import org.springframework.validation.beanvalidation.LocalValidatorFactoryBean;
import org.springframework.web.context.WebApplicationContext;
import org.springframework.web.context.request.RequestContextHolder;
import org.springframework.web.context.request.ServletRequestAttributes;

@SpringBootApplication
public class Application extends SpringBootServletInitializer {

    @Autowired
    private MessageSource messageSource;

    // Entry point for the Jar packaging (embedded Tomcat)
    public static void main(String[] args) {
        new SpringApplicationBuilder(Application.class)
        .properties("spring.config.name=application,master-data")
        .run(args);
    }

    // Entry point for the War packaging (external Tomcat calls this via SpringBootServletInitializer)
    @Override
    protected SpringApplicationBuilder configure(SpringApplicationBuilder application) {
        return application.sources(Application.class).properties("spring.config.name=application,master-data");
    }

    // Request-scoped access to the Keycloak token; the cast assumes the request
    // has already been authenticated by the adapter, otherwise getUserPrincipal() is null
    @Bean
    @Scope(scopeName = WebApplicationContext.SCOPE_REQUEST, proxyMode = ScopedProxyMode.TARGET_CLASS)
    public AccessToken getAccessToken() {
        HttpServletRequest request = ((ServletRequestAttributes) RequestContextHolder.currentRequestAttributes())
                .getRequest();
        return ((KeycloakPrincipal<?>) request.getUserPrincipal()).getKeycloakSecurityContext().getToken();
    }

    @Bean
    public LocalValidatorFactoryBean validator() {
        LocalValidatorFactoryBean bean = new LocalValidatorFactoryBean();
        bean.setValidationMessageSource(messageSource);
        return bean;
    }

}

The problem is that your new root context host:port/service/api/* doesn't match up with your REST endpoints being in /api/. Does that make sense? You have that extra path [port] in your context. That's what's throwing it off.

My suggestion is to switch to the Spring Security Adapter instead. With this adapter, you can do everything the Spring Boot Adapter does (and much more), in a more flexible way. You only need to write some configuration code.

Related to your question, here you've got one thread that discusses a problem similar to yours, which was brought to a JIRA issue (I can't find the link, though). It is a couple of years old, but the KC team member states they haven't even tried that scenario (Spring Boot Adapter + War deployment).
