Spring Boot service secured with Keycloak and deployed as war in Tomcat

Hi guys,

I am trying to deploy a Spring Boot service secured with Keycloak (v 9.0) as a WAR on Tomcat (v 9). My frontend is Angular-based, where Keycloak authentication (login) is done, and then REST API calls are made to the Spring service from the logged-in user, sending valid JWT tokens in the request header.

I have implemented role-based security on the service, where I followed the instructions exactly as they are from the official docs of Keycloak -> https://www.keycloak.org/docs/9.0/securing_apps/#_tomcat_adapter.

However, it isn't working for me, as the service calls from the frontend are getting processed even from users who are not assigned any roles in Keycloak, hence giving access to every user.

I tried to diagnose the problem, and it seems like the roles mentioned in the security constraints inside the web.xml file of the Java service are not getting recognised, because when I changed them to random role names, the flow was the same. Also, the keycloak.json I provided was of NO use, because when I made changes to it, or rather removed it, the flow was still as before.
I tried to remote debug the service deployed on local Tomcat from the Eclipse IDE. But no request seems to get intercepted, and all users with or without valid roles are able to access all the endpoints.

I have been trying to solve this for a lot of weeks.

ANY HELP would be greatly appreciated.