
Secure Spring Rest API using OpenId Connect And KeyCloak - Part 2


In Part 1 of this tutorial, we covered KeyCloak and the registration of our StudentService REST API as an OAuth 2 client. We now delve into the source code of StudentService. We'll use the Spring Security 5 OAuth 2 functionality to secure the service. Any call to the service will be intercepted by Spring and sent to KeyCloak for token verification before being allowed access to the API. We'll test this using a popular API client called Postman. Since the API is secured, every call to the API from Postman will return a 401 Unauthorized error.

Download the source code

All the source code for this tutorial can be cloned from the GitHub repository available here

The StudentService Overview

The StudentService Spring Reference Implementation is a simple CRUD API for creating and deleting students. An H2 database is used for persistence for the sake of simplicity. We'll not be discussing how the service creates and deletes students. We'll instead focus on how we can secure the create/update and delete operations using KeyCloak and OpenId Connect.

The Oauth2WebSecurityConfigurerAdapter class

The Oauth2WebSecurityConfigurerAdapter class configures Spring Security at the web request level.

In lines 21-27, we first allow public access to all Swagger UI endpoints. This allows interested users to view the API documentation without the need to authenticate with the service.

Next, in lines 35-42, we add OAuth 2 resource-server support to the API endpoints.
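The two steps above, written out as an added example (this is not the project's own Oauth2WebSecurityConfigurerAdapter, whose listing is not reproduced here). It assumes Spring Security 5.x with the `WebSecurityConfigurerAdapter` API, that the Swagger UI is served under the paths listed in `SWAGGER_PATHS` (a hypothetical list), and that the KeyCloak URIs are supplied through the `spring.security.oauth2.resourceserver.jwt.*` properties:

```java
package com.example.studentservice.config;

import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;

@Configuration
@EnableWebSecurity
// Without prePostEnabled the @PreAuthorize annotations on the controller are silently ignored
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class Oauth2WebSecurityConfigurerAdapter extends WebSecurityConfigurerAdapter {

    // Documentation paths that anyone may read without a token (hypothetical list;
    // adjust to where springdoc/springfox actually serves the UI in your build)
    private static final String[] SWAGGER_PATHS = {
        "/swagger-ui/**",
        "/swagger-ui.html",
        "/v3/api-docs/**",
        "/swagger-resources/**",
        "/webjars/**"
    };

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // A bearer-token API keeps no HTTP session: every request must carry its own token
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
            .and()
            .authorizeRequests()
                // 1. Public, read-only access to the API documentation
                .antMatchers(HttpMethod.GET, SWAGGER_PATHS).permitAll()
                // 2. Every other request needs a validated token; which scope each
                //    operation needs is decided per method in StudentController
                .anyRequest().authenticated()
            .and()
            // 3. Act as an OAuth 2 resource server: incoming JWTs are checked for a valid
            //    signature (against KeyCloak's published keys), expiry and issuer before
            //    the request reaches the controller. A missing or invalid token yields 401.
            .oauth2ResourceServer().jwt();
    }
}
```

With this configuration a request without a token is rejected with 401 at the filter level, while a request with a valid token that lacks the required scope is rejected with 403 by the method-level check.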

The StudentController class

In the StudentController class we specify the access rights to each of the operations in our service. This is security at the method level. A user might be authorized to use only certain operations in the service depending on their role. We use the @PreAuthorize annotation to specify the scope (or role) each method requires.

For the read operations, we have specified that users with the read and write scopes have access, again using the @PreAuthorize annotation.

For the create, modify and delete operations, we specify that only authenticated users with the StudentService-write scope are authorized, using @PreAuthorize("hasAuthority('SCOPE_StudentService-write')").

If you remember, in Part 1 of this tutorial, the ClientScope of StudentService-write was created in KeyCloak. This scope is assigned to an authorized user when they authenticate themselves in KeyCloak. We'll cover this in Part 3 of this tutorial.
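The method-level rules above as an added example controller (not the project's own StudentController). The in-memory map stands in for the H2-backed persistence the page does not discuss, the `Student` class and the `/students` paths are hypothetical, and the read scope is assumed to be named `StudentService-read` (only `StudentService-write` is named on this page). The `SCOPE_` prefix is not invented here: Spring Security's default `JwtAuthenticationConverter` turns every value of the token's `scope` claim into an authority named `SCOPE_<value>`, which is what `hasAuthority` compares against.

```java
package com.example.studentservice.controller;

import java.util.Collection;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.atomic.AtomicLong;

import org.springframework.http.HttpStatus;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.web.bind.annotation.DeleteMapping;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.PutMapping;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.ResponseStatus;
import org.springframework.web.bind.annotation.RestController;
import org.springframework.web.server.ResponseStatusException;

@RestController
@RequestMapping("/students")
public class StudentController {

    // Hypothetical payload; Jackson maps the public fields to/from JSON
    public static class Student {
        public Long id;
        public String name;
    }

    // Stand-in for the H2 repository (constructed for this example)
    private final Map<Long, Student> students = new ConcurrentHashMap<>();
    private final AtomicLong ids = new AtomicLong();

    // Read operations: either scope is enough. A caller whose token carries neither
    // gets an AccessDeniedException, which Spring reports to the client as 403.
    @GetMapping
    @PreAuthorize("hasAnyAuthority('SCOPE_StudentService-read', 'SCOPE_StudentService-write')")
    public Collection<Student> getAllStudents() {
        return students.values();
    }

    @GetMapping("/{id}")
    @PreAuthorize("hasAnyAuthority('SCOPE_StudentService-read', 'SCOPE_StudentService-write')")
    public Student getStudent(@PathVariable long id) {
        Student s = students.get(id);
        if (s == null) {
            throw new ResponseStatusException(HttpStatus.NOT_FOUND);
        }
        return s;
    }

    // Write operations: only the StudentService-write client scope created in Part 1
    @PostMapping
    @ResponseStatus(HttpStatus.CREATED)
    @PreAuthorize("hasAuthority('SCOPE_StudentService-write')")
    public Student addStudent(@RequestBody Student student) {
        student.id = ids.incrementAndGet();
        students.put(student.id, student);
        return student;
    }

    @PutMapping("/{id}")
    @PreAuthorize("hasAuthority('SCOPE_StudentService-write')")
    public Student updateStudent(@PathVariable long id, @RequestBody Student student) {
        student.id = id;
        if (students.replace(id, student) == null) {
            throw new ResponseStatusException(HttpStatus.NOT_FOUND);
        }
        return student;
    }

    @DeleteMapping("/{id}")
    @ResponseStatus(HttpStatus.NO_CONTENT)
    @PreAuthorize("hasAuthority('SCOPE_StudentService-write')")
    public void deleteStudent(@PathVariable long id) {
        students.remove(id);
    }
}
```

Keeping the scope check on the method rather than on the URL pattern means a new endpoint added to this controller without an annotation is still protected by the `anyRequest().authenticated()` rule, but would be open to any authenticated caller; reviewing that every handler carries a `@PreAuthorize` is the check to make when the controller changes.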

The file

The file contains our KeyCloak server details. See lines 16 and 17 below. Spring Security uses this information to connect to KeyCloak and verify the credentials of each user attempting to access the StudentService API. The URIs have the standard formats:

http://localhost:$port/auth/realms/$realm
http://localhost:$port/auth/realms/$realm/protocol/openid-connect/certs

where:

  1. realm: the name of the realm configured in Part 1 of this tutorial. We had named it MicroServices.

  2. port: the port the Keycloak server is running on. If you used the docker-compose.yml from Part 1 of this tutorial, the value should be 9080.
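To make concrete what Spring does with those two URIs, here is an added example of an explicit `JwtDecoder` bean (not the project's own code; Spring Boot would normally auto-configure an equivalent decoder from the properties alone). It assumes the two values are exposed as the standard Spring Boot properties `spring.security.oauth2.resourceserver.jwt.issuer-uri` (the realm URL) and `spring.security.oauth2.resourceserver.jwt.jwk-set-uri` (the certs URL); the extra `hasScope` validator is a hypothetical addition:

```java
package com.example.studentservice.config;

import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2Error;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2TokenValidatorResult;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtValidators;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;

@Configuration
public class JwtDecoderConfig {

    @Bean
    public JwtDecoder jwtDecoder(
            // e.g. http://localhost:9080/auth/realms/MicroServices
            @Value("${spring.security.oauth2.resourceserver.jwt.issuer-uri}") String issuerUri,
            // e.g. http://localhost:9080/auth/realms/MicroServices/protocol/openid-connect/certs
            @Value("${spring.security.oauth2.resourceserver.jwt.jwk-set-uri}") String jwkSetUri) {

        // The certs endpoint publishes the realm's public signing keys (a JWK Set).
        // The decoder fetches and caches them and verifies each token's signature
        // locally, so KeyCloak is not called on every request.
        NimbusJwtDecoder decoder = NimbusJwtDecoder.withJwkSetUri(jwkSetUri).build();

        // Default checks (exp / nbf with a small clock skew) plus an "iss" claim check
        // against the realm URL, so a token minted by a different realm or server
        // is rejected even when its signature verifies.
        OAuth2TokenValidator<Jwt> issuerAndTimestamps =
                JwtValidators.createDefaultWithIssuer(issuerUri);

        // Hypothetical extra check: every StudentService operation is scope-gated,
        // so a token with no "scope" claim at all can be refused up front.
        OAuth2TokenValidator<Jwt> hasScope = jwt ->
                jwt.getClaims().containsKey("scope")
                        ? OAuth2TokenValidatorResult.success()
                        : OAuth2TokenValidatorResult.failure(
                                new OAuth2Error("invalid_token", "token carries no scope claim", null));

        decoder.setJwtValidator(new DelegatingOAuth2TokenValidator<>(issuerAndTimestamps, hasScope));
        return decoder;
    }
}
```

If the realm name or port in the properties does not match the running KeyCloak instance, the `iss` check fails for every token and all calls return 401 even with a freshly issued token; that is the first thing to compare when Postman is rejected in Part 3.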

Build and run the application

We'll be using Apache Maven 3.x to build the application. Maven is available as a free download from Apache here

The application can be built by running the command :

mvn clean package -DskipTests=true

This command needs to be run in a command prompt, in the same folder that contains the pom.xml file. Once the application has been built successfully, we can run it using the command

mvn spring-boot:run

We should now have the StudentService REST API application running on port 8080.

The Swagger UI should be accessible at http://localhost:8080/swagger-ui/#/

Download and install Postman

Postman is a collaboration platform for API development and testing. It is used extensively for testing APIs to confirm that they work as per REST API standards. Postman can be downloaded and installed from here.

Once installed, we'll import the StudentService's OpenAPI 3.0 specification file. Click on the "Import" button in the upper dark menu bar.

Select OpenAPI. This should open a file chooser dialog. Navigate to the source code's folder. Under the sub-folder named reference, choose the Student-API.v1.yml file.

Postman will now import the StudentService API specification file. This file has sample requests for each of the API's operations, which makes it easier to test the API in Postman. You should now be able to invoke the Student API operations from Postman.

Select the Get All Students operation and click on Send. You should see a 401 Unauthorized error.

Now select Add New Student and click on Send. You should now get a 403 Forbidden error.

This is the anticipated behavior since we should only allow authenticated users with the correct roles to access our API. In the next post, we'll configure Keycloak to grant Postman and any other authorized OAuth 2 client access to our API.

Stay tuned for Part 3 of this tutorial


  1. Secure Spring Rest API using OpenId Connect And KeyCloak - Part 1

  2. Spring Method Security with PreAuthorize

  3. Getting Started with Postman

  4. Open API Specification For REST APIs
