I have created a Spring Boot + Thymeleaf application with Spring Security for securing the requests. The application should also be providing a REST API to communicate with other applications (other front-end framework, mobile app). For this I chose to go with OAuth2 for securing the REST API and I stumbled across Keycloak, which I think suits my interest.
As of now the security configuration class extends WebSecurityConfigurerAdapter and not KeycloakWebSecurityConfigurerAdapter, and hence I am using the following security constraints in my application.properties:
I am thinking of using Spring Security to secure the normal requests and using Keycloak for the REST API. I want each of them to work independently of the other. That is, even if I do not have the Keycloak server running I need my web app to serve the web pages (secured by Spring Security), and the REST API will only work when Keycloak is running (secured by Keycloak). Currently, the Keycloak client is set up with access type: public, and a redirect will be made to the Keycloak authentication page when I try to access any request with the pattern /hello/* (these are not REST APIs as of now). I will be changing the access type to bearer-only for the REST APIs. I have permitted the request to /hello/ without any authentication in the configure method in the Spring Security settings:
Is this the right way to deal with my requirement? Should I use microservices to accomplish the same? I am more concerned about whether it is the right way to do things, regardless of whether the way I am doing it would work or not. Any suggestions and/or improvements are welcome. Thanks.
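The split described in the question (form-login pages served by Spring Security alone, bearer-only REST endpoints validated against Keycloak) can be expressed as two independent filter chains. This is an added example, not code from the question, and it assumes Spring Security 6 / Spring Boot 3, an API under a hypothetical `/api/**` prefix, and a placeholder Keycloak realm URL; it uses Spring Security's own resource-server support instead of the Keycloak adapter.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtValidators;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class SecurityConfig {
    // Chain 1 (evaluated first): REST API only. A Keycloak-issued bearer JWT is required and
    // a missing/invalid token yields 401, never a redirect to a login page ("bearer-only").
    @Bean @Order(1)
    SecurityFilterChain apiChain(HttpSecurity http) throws Exception {
        http.securityMatcher("/api/**")
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            .csrf(csrf -> csrf.disable()) // token clients send no session cookie, so CSRF does not apply
            .oauth2ResourceServer(oauth2 -> oauth2.jwt(Customizer.withDefaults()));
        return http.build();
    }

    // Chain 2: everything else (the Thymeleaf pages) uses plain form login and never contacts Keycloak.
    @Bean @Order(2)
    SecurityFilterChain webChain(HttpSecurity http) throws Exception {
        http.authorizeHttpRequests(auth -> auth
                .requestMatchers("/", "/css/**", "/js/**").permitAll() // assumed public resources
                .anyRequest().authenticated())
            .formLogin(Customizer.withDefaults());
        return http.build();
    }

    // JWKs are fetched lazily on the first token validation, so the app still starts and serves
    // pages when Keycloak is down; only /api/** calls fail until Keycloak is reachable again.
    @Bean
    JwtDecoder jwtDecoder() {
        String issuer = "http://localhost:8180/realms/myrealm"; // placeholder realm URL
        NimbusJwtDecoder decoder = NimbusJwtDecoder
            .withJwkSetUri(issuer + "/protocol/openid-connect/certs").build();
        // Default validation checks only expiry; also pin the issuer so tokens from another realm are rejected.
        decoder.setJwtValidator(JwtValidators.createDefaultWithIssuer(issuer));
        return decoder;
    }
}
```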