spring boot actuator endpoints with Keycloak security

spring-boot keycloak spring-security spring-boot-actuator actuator

Solution 1:

When you extend KeycloakWebSecurityConfigurerAdapter, the adapter register a Bean of type KeycloakAuthenticationProcessingFilter. This filter is registered in the Spring Security's SecurityFilterChain, and because it's a Bean, it is also automatically registered by Spring Boot in the original chain, therefore even if Spring Security doesn't apply it, it will be applied later on in original the filter chain.

Try disabling this filter from being registered by Spring Boot, like so:

@Bean
public FilterRegistrationBean registration(KeycloakAuthenticationProcessingFilter filter) {
    FilterRegistrationBean registration = new FilterRegistrationBean(filter);
    registration.setEnabled(false);
    return registration;
}

In addition, if you are using OAuth 2, you may consider using spring-security-oauth2-resource-server and simplifying your Resource Server's configuration. Take a look at the documentation. This way you don't need to extend the custom adapter, just rely on the out-of-the-box configuration from Spring Security.

Related

SonarQube Regex vulnerability issue in JavaScript
Less unhealthy vs. healthier
Difference between "rule" and "law" in scientific context
Term for the depressions left by a pen tip on an underlying paper sheet
"Once in a while" OR "Once in awhile"? [duplicate]
Name for this pattern in woven fabric
Ending a sentence with "however" [closed]
Is there a hypernym for or construct for "get current or next"
Is it "en route to" or just "en route"?
Difference between facetious, frivolous and flippant?
"no younger than I am" or "no more young than I am"?
Macbeth or MacBeth (and other Scottish surnames)? [closed]