From 65159d313a803b59d0ed5d9f661b34fb5ea9b0cc Mon Sep 17 00:00:00 2001
From: anuragkumawat
Date: Thu, 17 Aug 2023 17:58:22 +0530
Subject: [PATCH] JAVA-19354 Potential issue in A Quick Guide to Using Keycloak With Spring Boot article (#14537)
---
 .../com/baeldung/keycloak/SecurityConfig.java | 21 +++++++++++++++----
 1 file changed, 17 insertions(+), 4 deletions(-)
diff --git a/spring-boot-modules/spring-boot-keycloak/src/main/java/com/baeldung/keycloak/SecurityConfig.java b/spring-boot-modules/spring-boot-keycloak/src/main/java/com/baeldung/keycloak/SecurityConfig.java
index 1ad22d9397..3423f8eb2b 100644
--- a/spring-boot-modules/spring-boot-keycloak/src/main/java/com/baeldung/keycloak/SecurityConfig.java
+++ b/spring-boot-modules/spring-boot-keycloak/src/main/java/com/baeldung/keycloak/SecurityConfig.java
@@ -2,6 +2,7 @@ package com.baeldung.keycloak;
 
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
+import org.springframework.core.annotation.Order;
 import org.springframework.security.authentication.AuthenticationManager;
 import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
@@ -27,18 +28,30 @@ class SecurityConfig {
 return new RegisterSessionAuthenticationStrategy(new SessionRegistryImpl());
 }
 
+ @Order(1)
 @Bean
- public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
+ public SecurityFilterChain clientFilterChain(HttpSecurity http) throws Exception {
 http.authorizeRequests()
- .antMatchers("/customers*")
- .hasRole("USER")
+ .antMatchers("/")
+ .permitAll()
 .anyRequest()
- .permitAll();
+ .authenticated();
 http.oauth2Login()
 .and()
 .logout()
 .addLogoutHandler(keycloakLogoutHandler)
 .logoutSuccessUrl("/");
+ return http.build();
+ }
+
+ @Order(2)
+ @Bean
+ public SecurityFilterChain resourceServerFilterChain(HttpSecurity http) throws Exception {
+ http.authorizeRequests()
+ .antMatchers("/customers*")
+ .hasRole("USER")
+ .anyRequest()
+ .authenticated();
 http.oauth2ResourceServer(OAuth2ResourceServerConfigurer::jwt);
 return http.build();
 }
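Review bot: Neither `clientFilterChain` nor `resourceServerFilterChain` narrows the requests it applies to, so both chains match every request and, under Spring Security's first-match chain selection, the `@Order(1)` chain handles all of them. That would leave `resourceServerFilterChain` unreachable: the `/customers*` `hasRole("USER")` rule and the JWT bearer-token processing never run, and `/customers` is gated only by `.anyRequest().authenticated()` in the client chain, a weaker check than the single chain applied before this commit. Scope the chain that should own the path and order it first, for example `http.antMatcher("/customers*")` at the top of `resourceServerFilterChain` with `@Order(1)` and `clientFilterChain` moved to `@Order(2)`; if browser sessions are meant to reach `/customers` as well, keep `.antMatchers("/customers*").hasRole("USER")` ahead of `.anyRequest()` in `clientFilterChain` instead. A test asserting that an authenticated user without the USER role receives 403 on `/customers` would pin the intended behaviour. The `SecurityConfig` class body starts and ends outside the hunk.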