I have a Spring Boot / Thymeleaf app using the Keycloak and Spring Security starters. If I navigate to my app at a non-root URL, e.g. http://localhost:8080/events, then I’m redirected to the Keycloak server and can register / login / logout etc.; all works fine. If I navigate in a new private browser window to http://localhost:8080, it doesn’t seem to see that as a protected URL and my app throws a 500 error. However, if I’m already logged in, then going to http://localhost:8080 works fine. My Spring Security config is as follows (extra Keycloak beans aside):
```java
@Override
protected void configure(HttpSecurity http) throws Exception {
    super.configure(http);
    http
        .csrf().and()
        .authorizeRequests()
            .antMatchers(HttpMethod.GET, "/css/**", "/js/**", "/favicon.ico", "/matcss", "/bulmacss").permitAll()
            .anyRequest().authenticated();
}
```
Can’t believe this is a bug; it must be some misconfiguration on my part. I’ve set up all the URLs as Valid redirect URLs in the Keycloak client, but the root one isn’t being redirected to the Keycloak server.
Any ideas?