Error 403 Forbidden when retrieving data from secured backend API

Hello,

I’ve got a JEE-Wildfly project configured with Keycloak. The client has access type ‘confidential’, I’ve created two roles (user-admin) and created a user mapped with both roles.
So my goal is to protect my project endpoints (that retrieve data from a database).
I am able to get the access token through the endpoint:
http://localhost:8180/auth/realms/auth-proto-realm/protocol/openid-connect/token

I then use the access token for my GET in the endpoint, so I simply put the access token as a bearer token in the authentication header, but what I get is a 403 Forbidden error.

I’ve got a frontend in Angular configured with access type public, but for now I’m making these requests via Postman.

This is the error I get

My rest endpoint:

    @GET
    @Produces({MediaType.APPLICATION_JSON})
    @Consumes({MediaType.APPLICATION_JSON})
    public Response getAll() {
        // Return every user as JSON, or 204 No Content when the list is empty.
        List<UserDto> dtos = userController.getAll();
        if (dtos.size() != 0) {
            return Response.status(Response.Status.OK)
                    .entity(dtos)
                    .build();
        } else if (dtos.size() == 0) {
            return Response.status(Response.Status.NO_CONTENT).build();
        } else {
            // Unreachable: the two branches above cover every list size.
            return Response.status(Response.Status.BAD_REQUEST).build();
        }
    }

My web.xml:

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>auth_prototype</web-resource-name>
            <url-pattern>/api/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>user</role-name>
        </auth-constraint>
        <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>

    <login-config>
        <auth-method>KEYCLOAK</auth-method>
        <realm-name>auth-proto-realm</realm-name>
    </login-config>
    <security-role>
        <role-name>admin</role-name>
    </security-role>
    <security-role>
        <role-name>user</role-name>
    </security-role>

keycloak.json:


{
  "realm": "auth-proto-realm",
  "auth-server-url": "http://localhost:8180/auth/",
  "ssl-required": "none",
  "resource": "auth-proto-client",
  "verify-token-audience": true,
  "credentials": {
    "secret": "client-secret"
  },
  "confidential-port": 0,
  "policy-enforcer": {},
  "enable-cors": true,
  "cors-allowed-methods" : "POST, PUT, DELETE, GET",
  "use-resource-role-mappings": true
}

My client settings:

Could anyone tell me what I’m doing wrong?

Thanks a lot
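
An added diagnostic example, not part of the original post: with `verify-token-audience` set to true the adapter requires the client name (`resource`) in the token's `aud` claim, and with `use-resource-role-mappings` set to true it reads roles from `resource_access.<resource>.roles` rather than `realm_access.roles`. The script below decodes an access token's claims and reports where they do not match the settings posted above; the function names and the sample token are constructed for illustration, and the signature is not verified.

```python
import base64
import json

# Values copied from the keycloak.json and web.xml in the post.
ADAPTER = {"resource": "auth-proto-client", "verify-token-audience": True,
           "use-resource-role-mappings": True}
REQUIRED_ROLE = "user"


def jwt_claims(token):
    """Decode the payload segment of a JWT (inspection only, no signature check)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def adapter_findings(claims, adapter=ADAPTER, required_role=REQUIRED_ROLE):
    """List the ways the claims fail the adapter settings and role constraint."""
    findings = []
    client = adapter["resource"]
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else aud  # aud may be a string or a list
    if adapter.get("verify-token-audience") and client not in aud:
        findings.append(f"aud {aud} does not contain '{client}'")
    if adapter.get("use-resource-role-mappings"):
        roles = claims.get("resource_access", {}).get(client, {}).get("roles", [])
        where = f"resource_access.{client}.roles"
    else:
        roles = claims.get("realm_access", {}).get("roles", [])
        where = "realm_access.roles"
    if required_role not in roles:
        findings.append(f"role '{required_role}' not in {where} {roles}")
    return findings


def make_sample_token(claims):
    """Build an unsigned, constructed token for the demo (not a real Keycloak token)."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.sig"


# Constructed sample: roles granted at realm level only, audience is "account".
SAMPLE = make_sample_token({"aud": "account",
                            "realm_access": {"roles": ["user", "admin"]}})

if __name__ == "__main__":
    for finding in adapter_findings(jwt_claims(SAMPLE)):
        print("mismatch:", finding)
```

To inspect a real token, pass the `access_token` value returned by the token endpoint to `jwt_claims` in place of `SAMPLE`.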