ch4mpy / spring-addons

Ease spring OAuth2 resource-servers configuration and testing
Apache License 2.0

Found WebSecurityConfigurerAdapter as well as SecurityFilterChain. Please select just one. #54

Closed: Mario-Eis closed 2 years ago

Mario-Eis commented 2 years ago

Keycloak makes use of the WebSecurityConfigurerAdapter. Since the helper now provides a SecurityFilterChain, all my tests are failing with the message "Found WebSecurityConfigurerAdapter as well as SecurityFilterChain. Please select just one.". How can this library be used together with the Keycloak Webmvc Adapter after https://github.com/ch4mpy/spring-addons/issues/47?

Last working version was 4.1.10

ch4mpy commented 2 years ago

Hi @Mario-Eis

Which sample did you follow to set up your test? Did you have a quick look at the readme at all?

Would you share your unit-test code (and conf)?

Maybe you used @AutoConfigureSecurityAddons (which sets up spring-boot 2.7+ web-security) when the sample for KeycloakAuthenticationToken clearly doesn't.

If that's the case

With the second option, you'll be spring-boot 3 ready, can choose between a webmvc or webflux app, and can switch your authorization-server from Keycloak to something else with minimum fuss.

Mario-Eis commented 2 years ago

I used the configuration from the official Keycloak documentation in my web service: https://www.keycloak.org/docs/latest/securing_apps/#_spring_security_adapter And behind the KeycloakWebSecurityConfigurerAdapter there is a WebSecurityConfigurerAdapter.

For my tests I use spring-addons-keycloak to mock the authentication. So when I run the tests, spring-addons-keycloak is on the classpath. And it seems as if it registers a SecurityFilterChain.

The security-oauth2-... are pulled automatically. Should they be ignored?

ch4mpy commented 2 years ago

@Mario-Eis I know the Keycloak spring adapter is still depending on WebSecurityConfigurerAdapter (the reason for me writing that you should use something else to be spring-boot 3 ready). This does not prevent spring-addons-keycloak from working. If you don't believe me, follow the first paragraph of the main readme:

git clone https://github.com/ch4mpy/spring-addons.git
cd spring-addons
mvn test

You'll see a module named webmvc-keycloakauthenticationtoken with passing unit-tests. If you open your IDE and browse to spring-addons/samples/webmvc-keycloakauthenticationtoken, you'll see that it's just an ordinary spring-boot app with Keycloak dependencies and properties (and various flavors of unit tests).

Also, you answered none of my questions. So unless you provide me with your pom (or gradle), web-security conf and unit-test, there is nothing I can do for you.

ch4mpy commented 2 years ago

> The security-oauth2-... are pulled automatically. Should they be ignored?

Good catch, this transient dependency on spring-security-oauth2-webmvc-addons is useless and should be removed. You can exclude it until the next release (but I don't believe it will solve your problem by itself).

Mario-Eis commented 2 years ago

> ...but I don't believe it will solve your problem by itself

Well, actually it (4.4.8) did solve my problem 😀 All tests are green again!! Thank you very much for the support! Good job! Your library helps a lot with testing my Keycloak service.

Update: I use spring boot, but with a partly manual webmvc configuration (it's complicated ;) ). The keycloak addons are used for mocking the auth while doing integration tests. I guess what happened was: as soon as a test started, spring boot picked up the ServletSecurityBeans (on the classpath while testing) in addition to the KeycloakWebSecurityConfigurerAdapter from the Keycloak library manual config. And boom.

ch4mpy commented 2 years ago

> Well, actually it (4.4.8) did solve my problem

Good to read.

You should really consider dropping Keycloak libs. Give this a try instead

Mario-Eis commented 2 years ago

> You should really consider dropping Keycloak libs. Give this a try instead

I will consider it! Thanks!

ch4mpy commented 2 years ago

> I use spring boot, but with a partly manual webmvc configuration (it's complicated ;) )

Then, you could have JwtAuthenticationToken instances in the runtime security-context. If so, @WithMockJwtAuth from spring-security-oauth2-test-webmvc-addons might be a better fit than @WithMockKeycloakAuth.

Plus, you can already bump to spring-boot 2.7 (you need to have a look at the spring-boot doc to stop extending WebSecurityConfigurerAdapter).

In any case, you should really have a look at that tutorial, it should greatly simplify your conf.