I am referring to the app-authz-spring-security quickstart to integrate a Spring application with Keycloak for authentication & authorisation. For authorisation, we prefer to maintain resources, policies & permissions entirely in Keycloak. However, we noticed that we are also forced to maintain the secured URLs, along with the desired role, on the application side, like below.
Is there a reason why we have to do this and cannot manage resource permissions entirely in Keycloak? This puts some restrictions on us: for example, in Keycloak at runtime I cannot allow admins to access account pages; for that, I will have to change this code.
```java
@Override
protected void configure(HttpSecurity http) throws Exception {
    super.configure(http);
    http.logout().logoutSuccessUrl("/home")
        .and()
        .authorizeRequests()
        // URL-to-role mapping maintained in the application, not in Keycloak
        .antMatchers("/account/**").hasAuthority("user")
        .antMatchers("/company/**").hasAuthority("admin");
}
```