diff --git a/adapters/oidc/spring-boot-adapter-core/src/main/java/org/keycloak/adapters/springboot/KeycloakBaseSpringBootConfiguration.java b/adapters/oidc/spring-boot-adapter-core/src/main/java/org/keycloak/adapters/springboot/KeycloakBaseSpringBootConfiguration.java
index 358a6321d8..e0b2e70273 100755
--- a/adapters/oidc/spring-boot-adapter-core/src/main/java/org/keycloak/adapters/springboot/KeycloakBaseSpringBootConfiguration.java
+++ b/adapters/oidc/spring-boot-adapter-core/src/main/java/org/keycloak/adapters/springboot/KeycloakBaseSpringBootConfiguration.java
@@ -18,8 +18,10 @@ package org.keycloak.adapters.springboot;
 import io.undertow.servlet.api.DeploymentInfo;
+import io.undertow.servlet.api.SecurityInfo.EmptyRoleSemantic;
 import io.undertow.servlet.api.WebResourceCollection;
 import org.apache.catalina.Context;
+import org.apache.log4j.Logger;
 import org.apache.tomcat.util.descriptor.web.LoginConfig;
 import org.apache.tomcat.util.descriptor.web.SecurityCollection;
 import org.apache.tomcat.util.descriptor.web.SecurityConstraint;
@@ -32,6 +34,7 @@ import org.eclipse.jetty.server.handler.HandlerList;
 import org.eclipse.jetty.server.handler.HandlerWrapper;
 import org.eclipse.jetty.util.security.Constraint;
 import org.eclipse.jetty.webapp.WebAppContext;
+import org.keycloak.adapters.KeycloakDeploymentBuilder;
 import org.keycloak.adapters.jetty.KeycloakJettyAuthenticator;
 import org.keycloak.adapters.undertow.KeycloakServletExtension;
 import org.springframework.beans.factory.annotation.Autowired;
@@ -39,6 +42,7 @@ import org.springframework.context.ApplicationContext;
 import java.util.ArrayList;
 import java.util.HashSet;
+import java.util.Iterator;
 import java.util.List;
 import java.util.Set;
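Review bot: `org.apache.log4j.Logger` and `org.keycloak.adapters.KeycloakDeploymentBuilder` are added to the imports here, but nothing in the visible hunks uses either; if no other part of the file does, drop them, since an unused log4j import ties the adapter core to a logging dependency for no benefit. `java.util.Iterator` is only needed by the explicit iterator loop in the later hunk and becomes unnecessary if that loop is written as an enhanced for over `getSecurityConstraints()`.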
@@ -46,7 +50,7 @@ import java.util.Set;
 * Keycloak authentication base integration for Spring Boot - base to be extended for particular boot versions.
 */
 public class KeycloakBaseSpringBootConfiguration {
-
+
 protected KeycloakSpringBootProperties keycloakProperties;
 @Autowired
@@ -76,8 +80,31 @@ public class KeycloakBaseSpringBootConfiguration {
 deploymentInfo.setLoginConfig(loginConfig);
 deploymentInfo.addInitParameter("keycloak.config.resolver", KeycloakSpringBootConfigResolverWrapper.class.getName());
- deploymentInfo.addSecurityConstraints(getSecurityConstraints());
-
+
+
+ /* Support for '*' as all roles allowed
+ * We clear out the role in the SecurityConstraints
+ * and set the EmptyRoleSemantic to Authenticate
+ * But we will set EmptyRoleSemantic to DENY (default)
+ * if roles are non existing or left empty
+ */
+ Iterator it = this.getSecurityConstraints().iterator();
+ while (it.hasNext()) {
+ io.undertow.servlet.api.SecurityConstraint securityConstraint = it.next();
+ Set rolesAllowed = securityConstraint.getRolesAllowed();
+
+ if (rolesAllowed.contains("*") || rolesAllowed.contains("**") ) {
+ io.undertow.servlet.api.SecurityConstraint allRolesAllowed = new io.undertow.servlet.api.SecurityConstraint();
+ allRolesAllowed.setEmptyRoleSemantic(EmptyRoleSemantic.AUTHENTICATE);
+ allRolesAllowed.setTransportGuaranteeType(securityConstraint.getTransportGuaranteeType());
+ for (WebResourceCollection wr : securityConstraint.getWebResourceCollections()) {
+ allRolesAllowed.addWebResourceCollection(wr);
+ }
+ deploymentInfo.addSecurityConstraint(allRolesAllowed);
+ } else // left empty will fall back on default EmptyRoleSemantic.DENY
+ deploymentInfo.addSecurityConstraint(securityConstraint);
+
+ }
 deploymentInfo.addServletExtension(new KeycloakServletExtension());
 }
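Review bot: Treating `*` the same as `**` in the new `if (rolesAllowed.contains("*") || rolesAllowed.contains("**") )` branch lets any authenticated user through a constraint that, under the Servlet 3.1 role semantics, should be limited to the roles declared for the application (`**` is the "any authenticated user" token; `*` means "all declared roles"), so a constraint written with `*` is widened beyond what the deployer asked for. If only the any-authenticated-user case is meant, narrow the check to `if (rolesAllowed.contains("**")) {` and say so in the block comment; if `*` must be supported, it should expand to the declared roles rather than drop the role check entirely. The `Iterator` and `Set` declarations appear without type arguments, which may be a rendering artefact, but if they really are raw then `it.next()` does not assign to `io.undertow.servlet.api.SecurityConstraint` without a cast; `for (io.undertow.servlet.api.SecurityConstraint securityConstraint : getSecurityConstraints()) {` avoids both the raw type and the new `Iterator` import. The braceless `else` carrying a trailing comment on the same line is easy to misread and should be braced like the `if` branch. The enclosing method begins before this hunk.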