I'd like to hide Keycloak behind spring cloud gateway but still use it as OIDC provider. I've managed to permit /auth (keycloak's) endpoint for that but now I'm fighting with http basic auth which IDK how to disable. Everytime I try to hit any other endpoint which should be protected by keycloak I get browser form login. With following config

@Bean
@Order(1)
SecurityWebFilterChain publicEndpoints(final ServerHttpSecurity http) {
    return http.authorizeExchange(auth ->
                    auth.pathMatchers("/auth", "/auth/**").permitAll())
            .csrf(ServerHttpSecurity.CsrfSpec::disable)
            .cors(ServerHttpSecurity.CorsSpec::disable)
            .formLogin(ServerHttpSecurity.FormLoginSpec::disable)
            .headers(c -> c.frameOptions(ServerHttpSecurity.HeaderSpec.FrameOptionsSpec::disable))
            .httpBasic(basic ->
                    basic.authenticationEntryPoint(new HttpStatusServerEntryPoint(HttpStatus.UNAUTHORIZED)))
            .build();
}

@Bean
@Order(2)
SecurityWebFilterChain springSecurityFilterChain(final ServerHttpSecurity http) {
    return http.authorizeExchange(auth -> auth.anyExchange().authenticated())
            .oauth2Login(withDefaults())
            .oauth2ResourceServer((oauth2) -> oauth2.jwt(withDefaults()))
            .csrf(ServerHttpSecurity.CsrfSpec::disable)
            .cors(ServerHttpSecurity.CorsSpec::disable)
            .formLogin(ServerHttpSecurity.FormLoginSpec::disable)
            .headers(c -> c.frameOptions(ServerHttpSecurity.HeaderSpec.FrameOptionsSpec::disable))
            //.httpBasic(ServerHttpSecurity.HttpBasicSpec::disable)
            .build();

}

I get error on application startup:

Caused by: .springframework.beans.BeanInstantiationException: Failed to instantiate [.springframework.security.web.server.SecurityWebFilterChain]: Factory method 'publicEndpoints' threw exception with message: authenticationManager cannot be null
2025-03-06T15:35:01.907890843Z  at .springframework.beans.factory.support.SimpleInstantiationStrategy.lambda$instantiate$0(SimpleInstantiationStrategy.java:199) ~[spring-beans-6.2.3.jar:6.2.3]
2025-03-06T15:35:01.907892426Z  at .springframework.beans.factory.support.SimpleInstantiationStrategy.instantiateWithFactoryMethod(SimpleInstantiationStrategy.java:88) ~[spring-beans-6.2.3.jar:6.2.3]
2025-03-06T15:35:01.907893385Z  at .springframework.beans.factory.support.SimpleInstantiationStrategy.instantiate(SimpleInstantiationStrategy.java:168) ~[spring-beans-6.2.3.jar:6.2.3]
2025-03-06T15:35:01.907894343Z  at .springframework.beans.factory.support.ConstructorResolver.instantiate(ConstructorResolver.java:653) ~[spring-beans-6.2.3.jar:6.2.3]
2025-03-06T15:35:01.907895260Z  ... 39 common frames omitted

since I don't want to use any auth manager for publicEndpoints I don't understand how to configure it to disable form login and use oauth

I'd like to hide Keycloak behind spring cloud gateway but still use it as OIDC provider. I've managed to permit /auth (keycloak's) endpoint for that but now I'm fighting with http basic auth which IDK how to disable. Everytime I try to hit any other endpoint which should be protected by keycloak I get browser form login. With following config

@Bean
@Order(1)
SecurityWebFilterChain publicEndpoints(final ServerHttpSecurity http) {
    return http.authorizeExchange(auth ->
                    auth.pathMatchers("/auth", "/auth/**").permitAll())
            .csrf(ServerHttpSecurity.CsrfSpec::disable)
            .cors(ServerHttpSecurity.CorsSpec::disable)
            .formLogin(ServerHttpSecurity.FormLoginSpec::disable)
            .headers(c -> c.frameOptions(ServerHttpSecurity.HeaderSpec.FrameOptionsSpec::disable))
            .httpBasic(basic ->
                    basic.authenticationEntryPoint(new HttpStatusServerEntryPoint(HttpStatus.UNAUTHORIZED)))
            .build();
}

@Bean
@Order(2)
SecurityWebFilterChain springSecurityFilterChain(final ServerHttpSecurity http) {
    return http.authorizeExchange(auth -> auth.anyExchange().authenticated())
            .oauth2Login(withDefaults())
            .oauth2ResourceServer((oauth2) -> oauth2.jwt(withDefaults()))
            .csrf(ServerHttpSecurity.CsrfSpec::disable)
            .cors(ServerHttpSecurity.CorsSpec::disable)
            .formLogin(ServerHttpSecurity.FormLoginSpec::disable)
            .headers(c -> c.frameOptions(ServerHttpSecurity.HeaderSpec.FrameOptionsSpec::disable))
            //.httpBasic(ServerHttpSecurity.HttpBasicSpec::disable)
            .build();

}

I get error on application startup:

Caused by: .springframework.beans.BeanInstantiationException: Failed to instantiate [.springframework.security.web.server.SecurityWebFilterChain]: Factory method 'publicEndpoints' threw exception with message: authenticationManager cannot be null
2025-03-06T15:35:01.907890843Z  at .springframework.beans.factory.support.SimpleInstantiationStrategy.lambda$instantiate$0(SimpleInstantiationStrategy.java:199) ~[spring-beans-6.2.3.jar:6.2.3]
2025-03-06T15:35:01.907892426Z  at .springframework.beans.factory.support.SimpleInstantiationStrategy.instantiateWithFactoryMethod(SimpleInstantiationStrategy.java:88) ~[spring-beans-6.2.3.jar:6.2.3]
2025-03-06T15:35:01.907893385Z  at .springframework.beans.factory.support.SimpleInstantiationStrategy.instantiate(SimpleInstantiationStrategy.java:168) ~[spring-beans-6.2.3.jar:6.2.3]
2025-03-06T15:35:01.907894343Z  at .springframework.beans.factory.support.ConstructorResolver.instantiate(ConstructorResolver.java:653) ~[spring-beans-6.2.3.jar:6.2.3]
2025-03-06T15:35:01.907895260Z  ... 39 common frames omitted

since I don't want to use any auth manager for publicEndpoints I don't understand how to configure it to disable form login and use oauth

• spring-boot
• spring-security
• keycloak

Share Improve this question Follow edited Mar 6 at 20:51 dur 17.1k2626 gold badges9090 silver badges144144 bronze badges asked Mar 6 at 15:45 bilakbilak 4,99655 gold badges4646 silver badges8686 bronze badges 1

• seems like adding this to publicEndpoints fixed the problem .securityMatcher(ServerWebExchangeMatchers.pathMatchers("/auth", "/auth/**")) – bilak Commented Mar 6 at 16:17

Add a comment  | 

1 Answer 1

Sorted by: Reset to default 0

When using more than one filter chain, all but the last one in @Order must contain a securityMatcher definition to limit the requests it is applied to, or the next in @Order are never tried. So, in your case, add .securityMatcher(...) to your 1st filter chain.

As a side note, there are 2 issues with your second filter chain:

• you should not mix stateful (session-based like oauth2Login & formLogin are) and stateless (no session like oauth2ResourceServer & basic) request authorization in the same filter chain
• you should not disable CSRF protection in a stateful filter chain (your second filter chain is stateful because of oauth2Login)