I have been playing with Spring Boot and been successful in using Keycloak and Vaadin separately in different projects. Now, I wanted to combine both to avoid having to implement my own security using Vaadin. The result I have so far can be found here: github project.
I started from the shared security example given by vaadin4spring. I then added the Keycloak configuration as given by the keycloak-spring-security-adapter and the keycloak-spring-boot-adapter.
I have now hit a wall in getting both to work together. When everything is up and running and I navigate to localhost:8080, I get the following error:
{"timestamp":...,"status":401,"error":"Unauthorized","message":"Unauthorized","path":"/"}
No redirect is triggered to authenticate with Keycloak. However, if I navigate to any other URL not managed by Vaadin, e.g. localhost:8080/login, the redirect is triggered.
After logging in successfully, I can navigate to localhost:8080 without an error. However, any operation remains restricted and the secured views remain hidden.
Any ideas how to fix my configuration? I am thinking it is due to Vaadin handling CORS.
Apparently, in my setup, upon startup the system would register the user as being anonymous instead of trying to actually authenticate.
Adding the above snippet to the security configuration prevents this from happening and the system correctly redirects the user to KC login.
Once I got this working, I noticed my views were also broken. This was due to method security proxy settings affecting all beans. Vaadin requires actual run-time classes instead of proxies to e.g. find views.
Changing proxyTargetClass to true ensures subclass proxies are created, avoiding any conflict with Vaadin.
I pushed all changes to the github project.