Ignoring policy enforcement for url patterns not specified in Spring Boot configuration

I am having some trouble understanding the policy enforcement configuration needed in Keycloak and my Spring Boot application in order to have endpoints that are not specified in the application.properties file not be evaluated by the policy enforcer.

Basic case for this is that there are certain resources that are protected and others that are not and could be accessed by anyone.

application.properties
keycloak.enabled=true

keycloak.ssl-required=external
keycloak.use-resource-role-mappings=false
keycloak.bearer-only=true
keycloak.cors=true

keycloak.security-constraints[0].auth-roles[0]=*
keycloak.security-constraints[0].security-collections[0].patterns[0]=/resource/a/*
keycloak.security-constraints[0].security-collections[0].patterns[1]=/resource/b/*
keycloak.policy-enforcer-config.paths[0].name=a-resources
keycloak.policy-enforcer-config.paths[0].methods[0].method=*
keycloak.policy-enforcer-config.paths[1].name=b-resources
keycloak.policy-enforcer-config.paths[1].methods[0].method=*
keycloak.policy-enforcer-config.enforcement-mode=ENFORCING
keycloak.policy-enforcer-config.lazy-load-paths=true

keycloak config
{
  "allowRemoteResourceManagement": true,
  "policyEnforcementMode": "ENFORCING",
  "resources": [
    {
      "name": "a-resources",
      "ownerManagedAccess": false,
      "displayName": "A Resources",
      "attributes": {},
      "_id": "60bd3b7e-bd1f-4fb5-b996-ee6e58760411",
      "uris": [
        "/resource/a/*"
      ]
    },
    {
      "name": "default-resource",
      "ownerManagedAccess": false,
      "displayName": "Default Resource",
      "attributes": {},
      "_id": "1fba832e-a601-4b04-9d98-294627cfb154",
      "uris": [
        "/*"
      ]
    },
    {
      "name": "b-resources",
      "ownerManagedAccess": false,
      "displayName": "B Resources",
      "attributes": {},
      "_id": "7fc421fb-8e33-4222-9841-0546a606d57e",
      "uris": [
        "/vsa/b/*"
      ]
    }
  ],
  "policies": [
    {
      "id": "9aff6e2c-1750-4636-b232-9a142cdf3324",
      "name": "Must be in User group",
      "type": "group",
      "logic": "POSITIVE",
      "decisionStrategy": "UNANIMOUS",
      "config": {
        "groups": "[{\"path\":\"/User\",\"extendChildren\":true}]"
      }
    },
    {
      "id": "fea3d7a5-4024-43d5-aea1-5eec1bc24a33",
      "name": "A Permissions",
      "type": "resource",
      "logic": "POSITIVE",
      "decisionStrategy": "UNANIMOUS",
      "config": {
        "resources": "[\"a-resources\"]",
        "applyPolicies": "[\"Must be in User group\"]"
      }
    },
    {
      "id": "1202d14d-1ba1-4554-a9af-1a05cc0a8d4a",
      "name": "B Permissions",
      "type": "resource",
      "logic": "POSITIVE",
      "decisionStrategy": "UNANIMOUS",
      "config": {
        "resources": "[\"b-resources\"]",
        "applyPolicies": "[\"Must be in User group\"]"
      }
    }
  ],
  "scopes": [],
  "decisionStrategy": "UNANIMOUS"
}

Bumping, I still need a solution or understanding to this.

Bumping this too as we do have the same needs and can’t figure out how to do it

Frankly I am surprised to still not have found a solution to this. Does anyone have any input on this?

You basically need to ignore those paths in the Spring Security filter using the code below.

@Override
public void configure(WebSecurity web) {
    // Paths listed here are removed from the Spring Security filter chain,
    // so the Keycloak adapter (and its policy enforcer) never sees them.
    String[] paths = {"/insecure/api"};
    web.ignoring().antMatchers(paths);
}

Or you can add the properties below to application.properties for the URLs that you don't want to be evaluated

keycloak.policy-enforcer-config.paths[1].path=/actuator
keycloak.policy-enforcer-config.paths[1].enforcementMode=DISABLED
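The first option from the answer above, shown as a complete Spring Security configuration class. This is an added example, not code from the thread or from the Keycloak project; it assumes Spring Boot 2.x with the Keycloak Spring Security adapter (keycloak-spring-boot-starter / keycloak-spring-security-adapter), which is what the configure(WebSecurity) override in the answer implies, and the package name, class name and the public path list are hypothetical values chosen for the example. The protected trees match the patterns in the question's application.properties.

```java
package com.example.security; // hypothetical package name

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.authority.mapping.SimpleAuthorityMapper;
import org.springframework.security.web.authentication.session.NullAuthenticatedSessionStrategy;
import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy;
import org.keycloak.adapters.KeycloakConfigResolver;
import org.keycloak.adapters.springboot.KeycloakSpringBootConfigResolver;
import org.keycloak.adapters.springsecurity.KeycloakConfiguration;
import org.keycloak.adapters.springsecurity.authentication.KeycloakAuthenticationProvider;
import org.keycloak.adapters.springsecurity.config.KeycloakWebSecurityConfigurerAdapter;

@KeycloakConfiguration
public class SecurityConfig extends KeycloakWebSecurityConfigurerAdapter {

    // Paths that must never reach the Keycloak filters: no token check and
    // no policy enforcement. Hypothetical values chosen for this example.
    private static final String[] PUBLIC_PATHS = {
        "/public/**",
        "/actuator/health",
        "/actuator/info"
    };

    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) {
        KeycloakAuthenticationProvider provider = keycloakAuthenticationProvider();
        // Map Keycloak realm/client roles to ROLE_* authorities so hasRole() works.
        provider.setGrantedAuthoritiesMapper(new SimpleAuthorityMapper());
        auth.authenticationProvider(provider);
    }

    @Bean
    public KeycloakConfigResolver keycloakConfigResolver() {
        // Read the keycloak.* settings from application.properties instead of keycloak.json.
        return new KeycloakSpringBootConfigResolver();
    }

    @Bean
    @Override
    protected SessionAuthenticationStrategy sessionAuthenticationStrategy() {
        // bearer-only API: nothing is kept in an HTTP session.
        return new NullAuthenticatedSessionStrategy();
    }

    @Override
    public void configure(WebSecurity web) {
        // Removes the listed paths from the whole Spring Security filter chain,
        // so neither the Keycloak authentication filters nor the policy enforcer
        // run for them.
        web.ignoring().antMatchers(PUBLIC_PATHS);
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Installs the Keycloak authentication filters from the adapter.
        super.configure(http);
        http.csrf().disable()
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
            .and()
            .authorizeRequests()
                // Only these trees require a valid bearer token; the policy
                // enforcer then decides per Keycloak resource (a-resources, b-resources).
                .antMatchers("/resource/a/**", "/resource/b/**").authenticated()
                // Everything else is reachable without a token.
                .anyRequest().permitAll();
    }
}
```

The two options in the answer are not equivalent. web.ignoring() takes the paths out of the filter chain entirely, so they get no Spring Security processing at all (no Keycloak filters, but also no security headers or CSRF handling), which is appropriate for genuinely public endpoints such as health checks. A policy-enforcer path with enforcementMode=DISABLED only skips the authorization decision for that path; whatever authentication you configured still applies. Also note that the Keycloak policy enforcer matches the request URI against the URIs of the client's resources, so a resource mapped to /* (the default resource in the exported configuration above) covers every request that reaches the enforcer; if the goal is that unlisted paths are not evaluated, that resource has to be removed or narrowed as well.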