Jack

Reputation: 109

Vaadin 8 (without Spring Boot/Security) and Keycloak not working

I have a 'legacy' application built with Vaadin 8 that I need to secure with Keycloak. Unfortunately, the redirect to Keycloak is not even triggered.

As a test, I created a Spring Boot application and tried to secure it with Keycloak without any problems, but it fails to work with Vaadin 8.

My configuration files for the Spring Boot application are:

application.properties

keycloak.realm=myrealm
keycloak.resource=test-app
keycloak.auth-server-url=http://localhost:8080/auth
keycloak.ssl-required=external
keycloak.public-client=true

keycloak.securityConstraints[0].authRoles[0]=Patient
keycloak.securityConstraints[0].authRoles[1]=Admin
keycloak.securityConstraints[0].securityCollections[0].name=boeken
keycloak.securityConstraints[0].securityCollections[0].patterns[0]=/books

keycloak.securityConstraints[1].authRoles[0]=Admin
keycloak.securityConstraints[1].securityCollections[0].name=backend
keycloak.securityConstraints[1].securityCollections[0].patterns[0]=/manager

server.port=8090

KeycloakConfig class

import org.keycloak.adapters.springboot.KeycloakSpringBootConfigResolver;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

@Configuration
public class KeycloakConfig {

    // Lets the Keycloak adapter read its settings from application.properties
    // instead of looking for a keycloak.json file.
    @Bean
    public KeycloakSpringBootConfigResolver keycloakConfigResolver() {
        return new KeycloakSpringBootConfigResolver();
    }
}

Just by adding this, the Keycloak redirect is triggered and I can log in. Easy.

What should I change/add when I'm trying to secure the Vaadin 8 application? It's not a Spring/Spring Boot application (not started by SpringApplication.run()); I don't think it's mandatory to have a Spring/Spring Boot app in order to secure it with Keycloak (correct me if I'm wrong). The problem seems to be that the application.properties file is ignored (although it is on the class path), as I can navigate to the URLs that should be secured.

Does anyone see what's missing/wrong?

Upvotes: 0

Views: 584
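The securityConstraints properties above are turned by the Keycloak Spring Boot adapter into servlet security constraints on the embedded container, so which paths actually require a login follows servlet URL-pattern matching. The following is an added example, not code from the question or the answer: it parses that property format and resolves the roles required for a request path, assuming servlet-spec matching (exact match beats longest `/*` prefix beats the `/` default). It shows that an exact pattern such as `/books` covers only that path, not `/books/42`.

```python
# Added example (not from the question or answer): resolve which roles the
# keycloak.securityConstraints[...] properties require for a given request path.
import re

# Constructed copy of the Keycloak constraints from the question's application.properties.
PROPERTIES = """\
keycloak.securityConstraints[0].authRoles[0]=Patient
keycloak.securityConstraints[0].authRoles[1]=Admin
keycloak.securityConstraints[0].securityCollections[0].name=boeken
keycloak.securityConstraints[0].securityCollections[0].patterns[0]=/books
keycloak.securityConstraints[1].authRoles[0]=Admin
keycloak.securityConstraints[1].securityCollections[0].name=backend
keycloak.securityConstraints[1].securityCollections[0].patterns[0]=/manager
"""
KEY_RE = re.compile(r"keycloak\.securityConstraints\[(\d+)\]\.(authRoles|securityCollections\[\d+\]\.patterns)\[\d+\]")

def parse_constraints(text):
    """{index: {"roles": set, "patterns": set}}; securityCollections[n].name is ignored."""
    out = {}
    for line in text.splitlines():
        key, _, value = line.strip().partition("=")
        m = KEY_RE.fullmatch(key)
        if m:
            c = out.setdefault(int(m.group(1)), {"roles": set(), "patterns": set()})
            c["roles" if m.group(2) == "authRoles" else "patterns"].add(value.strip())
    return out

def match_rank(pattern, path):
    """Servlet-spec URL matching: sortable rank (exact > longest prefix > default) or None."""
    if pattern == path:
        return (3, 0)                       # exact match wins over everything
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        if path == prefix or path.startswith(prefix + "/"):
            return (2, len(prefix))         # longest matching prefix wins
    elif pattern == "/":
        return (0, 0)                       # default pattern, lowest precedence
    return None

def required_roles(constraints, path):
    """Roles allowed on `path` (union over the best-ranked matching constraints);
    None means no constraint covers the path, so it is served without a login."""
    best = roles = None
    for c in constraints.values():
        ranks = [r for r in (match_rank(p, path) for p in c["patterns"]) if r is not None]
        if not ranks:
            continue
        if best is None or max(ranks) > best:
            best, roles = max(ranks), set(c["roles"])
        elif max(ranks) == best:
            roles |= c["roles"]
    return roles
```

With the question's properties, `required_roles(parse_constraints(PROPERTIES), "/books/42")` returns None, which is worth checking before concluding that the adapter ignores the file.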

Answers (1)

chvndb

Reputation: 745

In case you would consider using Spring boot, I created a working example of integration between Vaadin 8, Spring Boot and Keycloak.

It makes use of vaadin-spring-boot, keycloak-spring-boot-adapter and keycloak-spring-security-adapter plugins to get jump started and your application.properties will get picked up correctly. In essence, this setup tells Vaadin to let Spring Security handle all security, and in turn Keycloak is hooked up as the security handler.

The only configuration needed is to have a custom SecurityConfiguration to define your specific security needs.

But the bulk comes down to:

import org.keycloak.adapters.springsecurity.config.KeycloakWebSecurityConfigurerAdapter;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.authentication.logout.LogoutFilter;
import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;
import org.vaadin.spring.security.annotation.EnableVaadinSharedSecurity;

@Configuration
@EnableWebSecurity
@EnableVaadinSharedSecurity
@EnableGlobalMethodSecurity(securedEnabled = true, prePostEnabled = true, proxyTargetClass = true)
public class SecurityConfiguration extends KeycloakWebSecurityConfigurerAdapter {
...
  @Override
  protected void configure(HttpSecurity http) throws Exception {
    // Keycloak does the login via redirect, so the built-in login mechanisms are off
    http.httpBasic().disable();
    http.formLogin().disable();
    // disable spring security csrf as Vaadin already provides this
    // also possible to disable this in Vaadin and leave this enabled
    http.csrf().disable();
    // Vaadin's UIDL and heartbeat requests are left open; every other request needs a login
    http
        .authorizeRequests()
        .antMatchers("/vaadinServlet/UIDL/**").permitAll()
        .antMatchers("/vaadinServlet/HEARTBEAT/**").permitAll()
        .anyRequest().authenticated();
    http
        .logout()
        .addLogoutHandler(keycloakLogoutHandler())
        .logoutUrl("/sso/logout").permitAll()
        .logoutSuccessUrl("/");
    // the Keycloak filters (inherited from KeycloakWebSecurityConfigurerAdapter) do the OIDC work
    http
        .addFilterBefore(keycloakPreAuthActionsFilter(), LogoutFilter.class)
        .addFilterBefore(keycloakAuthenticationProcessingFilter(), BasicAuthenticationFilter.class);
    http
        .exceptionHandling()
        .authenticationEntryPoint(authenticationEntryPoint());
    http
        .sessionManagement()
        .sessionAuthenticationStrategy(sessionAuthenticationStrategy());
  }
...
}

Upvotes: 1
