JAVA-45845: Changes made for POM Properties Cleanup

Bipinkumar27 · Bipinkumar27 · commit f2d8c1382ae4 · 2025-05-24T17:43:24.000+05:30
diff --git a/spring-boot-modules/spring-boot-keycloak-2/src/main/java/com/baeldung/keycloak/keycloaksoap/KeycloakRoleConverter.java b/spring-boot-modules/spring-boot-keycloak-2/src/main/java/com/baeldung/keycloak/keycloaksoap/KeycloakRoleConverter.java
@@ -0,0 +1,45 @@
+package com.baeldung.keycloak.keycloaksoap;
+
+import org.springframework.core.convert.converter.Converter;
+import org.springframework.security.core.GrantedAuthority;
+import org.springframework.security.core.authority.SimpleGrantedAuthority;
+import org.springframework.security.oauth2.jwt.Jwt;
+
+import java.util.*;
+import java.util.stream.Collectors;
+
+public class KeycloakRoleConverter implements Converter<Jwt, Collection<GrantedAuthority>> {
+
+    @Override
+    public Collection<GrantedAuthority> convert(Jwt jwt) {
+        Collection<GrantedAuthority> authorities = new ArrayList<>();
+        // Extract client roles with ROLE_ prefix
+        authorities.addAll(extractClientRoles(jwt));
+
+        return authorities;
+    }
+
+
+
+    private Collection<GrantedAuthority> extractClientRoles(Jwt jwt) {
+        Map<String, Object> resourceAccess = jwt.getClaim("resource_access");
+        if (resourceAccess == null || resourceAccess.isEmpty()) {
+            return Collections.emptyList();
+        }
+        // Replace this with your actual client ID from Keycloak
+        String clientId = "baeldung-soap-services";
+
+        Map<String, Object> client = (Map<String, Object>) resourceAccess.get(clientId);
+        if (client == null || client.isEmpty()) {
+            return Collections.emptyList();
+        }
+        @SuppressWarnings("unchecked")
+        List<String> roles = (List<String>) client.get("roles");
+        if (roles == null) {
+            return Collections.emptyList();
+        }
+        return roles.stream()
+            .map(role -> new SimpleGrantedAuthority("ROLE_" + role)) // Add ROLE_ prefix here
+            .collect(Collectors.toList());
+    }
+}
diff --git a/spring-boot-modules/spring-boot-keycloak-2/src/main/java/com/baeldung/keycloak/keycloaksoap/KeycloakSecurityConfig.java b/spring-boot-modules/spring-boot-keycloak-2/src/main/java/com/baeldung/keycloak/keycloaksoap/KeycloakSecurityConfig.java
@@ -8,21 +8,31 @@
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
+import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationConverter;
+import org.springframework.security.oauth2.server.resource.web.authentication.BearerTokenAuthenticationFilter;
 import org.springframework.security.web.SecurityFilterChain;
+import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
 
 @Configuration
 @EnableWebSecurity
 @ConditionalOnProperty(name = "keycloak.enabled", havingValue = "true")
 @EnableMethodSecurity(jsr250Enabled = true)
 public class KeycloakSecurityConfig {
-
     @Bean
     public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
         http.csrf(AbstractHttpConfigurer::disable)
             .authorizeHttpRequests(auth -> auth.anyRequest()
                 .authenticated())
             .oauth2ResourceServer(oauth2 -> oauth2
-                .jwt(Customizer.withDefaults()));
+                .jwt(jwt -> jwt.jwtAuthenticationConverter(jwtAuthenticationConverter()))
+            );
         return http.build();
     }
+
+    @Bean
+    public JwtAuthenticationConverter jwtAuthenticationConverter() {
+        JwtAuthenticationConverter converter = new JwtAuthenticationConverter();
+        converter.setJwtGrantedAuthoritiesConverter(new KeycloakRoleConverter());
+        return converter;
+    }
 }
