I have a basic RBAC endpoint and a filter for incoming requests:
import javax.annotation.security.RolesAllowed;
import org.springframework.web.bind.annotation.GetMapping;

@RolesAllowed(USER) // USER is a String constant holding the role name
@GetMapping("/test")
public String test() {
    return "ok";
}
import java.io.IOException;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.web.filter.OncePerRequestFilter;

public class AuthFilter extends OncePerRequestFilter {
    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws ServletException, IOException {
        // wraps the request so it carries a valid `Authorization: Bearer ...` header built from a custom cookie
        AuthenticationRequestWrapper authRequest = new AuthenticationRequestWrapper(request);
        AuthenticationResponseWrapper authResponse = new AuthenticationResponseWrapper(response);
        filterChain.doFilter(authRequest, authResponse);
    }
}
My request wrapper builds an Authorization header with a Bearer token based on a custom cookie value. I’m able to hit the protected endpoint, but the problem is that when I remove the Authorization header I’m still able to hit the protected endpoint, and I don’t know why.
What’s going on? Does it have to do with the JSESSIONID and Oauth2_token_request_state cookies? I’m not sure what’s going on behind the scenes to authenticate but I can’t seem to get rid of these cookies either to verify.
I’m using a Backend for Frontend pattern and ideally I’d be able to control the authentication flow on my own. I have standard flow enabled and a confidential access type. Using postman with just the Authorization header is sufficient, so I’d like to disable whatever Keycloak is doing here and use my own Authorization header.
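An added example (not the poster's code) of a cookie-to-bearer request wrapper next to the setting worth checking first: with Spring Security's default session handling, which the Keycloak adapter relies on in standard-flow mode, the authenticated SecurityContext is saved in the HTTP session, so a later request can authenticate by its JSESSIONID cookie alone whatever the Authorization header says. Assumed names are CookieToBearerRequestWrapper, StatelessSecurityConfig and the cookie name access_token; the config is a plain WebSecurityConfigurerAdapter and would be adapted to the Keycloak configurer if that is what is in use.

```java
import java.util.*;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;

// Hypothetical wrapper: copies the token from a cookie (name assumed) into an
// Authorization header so the bearer-token filter further down can validate it.
public class CookieToBearerRequestWrapper extends HttpServletRequestWrapper {
    static final String COOKIE_NAME = "access_token"; // assumed cookie name
    private final String bearer; // null when the cookie is absent or empty

    public CookieToBearerRequestWrapper(HttpServletRequest request) {
        super(request);
        String token = null;
        Cookie[] cookies = request.getCookies();
        if (cookies != null) {
            for (Cookie c : cookies) {
                if (COOKIE_NAME.equals(c.getName())) token = c.getValue();
            }
        }
        bearer = (token == null || token.isEmpty()) ? null : "Bearer " + token;
    }

    private boolean injects(String name) { return bearer != null && "Authorization".equalsIgnoreCase(name); }
    @Override
    public String getHeader(String name) { return injects(name) ? bearer : super.getHeader(name); }
    @Override
    public Enumeration<String> getHeaders(String name) {
        return injects(name) ? Collections.enumeration(List.of(bearer)) : super.getHeaders(name);
    }

    @Override
    public Enumeration<String> getHeaderNames() {
        List<String> names = Collections.list(super.getHeaderNames());
        if (bearer != null && !names.contains("Authorization")) names.add("Authorization");
        return Collections.enumeration(names);
    }
}

// Stateless chain: no SecurityContext is kept in the HTTP session, so a request
// without a valid token is rejected even if it still carries a JSESSIONID cookie.
class StatelessSecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
            .and().authorizeRequests().anyRequest().authenticated();
    }
}
```

A quick check after the change: a request that carries only the JSESSIONID cookie and no token must now get a 401, while one with the cookie the wrapper reads (or a raw Authorization header, as from Postman) still reaches /test.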