New version 0.4, which uses Keycloak 19 and updates some libraries

README.md

@@ -39,11 +39,17 @@ Just add it as maven dependency:
 <dependency>
   <groupId>it.maconsultingitalia.keycloak</groupId>
   <artifactId>keycloak-resource-autoconf</artifactId>
-  <version>0.3.0</version>
+  <version>0.4.0</version>
 </dependency>
 ```
 
 ## Features
+| Library Version | Keycloak version  |
+|-----------------|:-----------------:|
+| 0.3.0           |     <=16.0.0      |
+| 0.4.0           |     <=19.0.3      |
+
+
 From Version 0.3.0 this library adds 2 different features:
 
   * Runtime Configuration
@@ -203,9 +209,18 @@ By default, the controller is available under `/mac/configuration/export` but it
 ```
 kcautoconf.export-path=/my/custom/export/path
 ```
+
 This endpoint will be available to all the authenticated user. For security reasons, it's strongly recommended to disable
 the Json Configuration export in production. 
 
+From version 0.4.0 on, 2 new configuration parameters have been added:
+
+* kcautoconf.protect-export-path (`boolean`, default to `false`)
+* kcautoconf.export-path-access-scope (`String`, default to `configuration:expport`, only meaningful when `protect-export-path` is ste to `true`)
+
+By setting these values, the autoconfigurator assigns the `export-path-access-scope` to the configuration endpoint, and enables the policy enforcement.
+
+
 ## Known limitations
 At the moment, the endpoints are added only if the methods are mapped with `@GetMapping`, `@PostMapping`, `@PutMapping` etc.
 If the method is annotated via `@RequestMapping`, then the http verb is not inferred thus the endpoint is not added. 

pom.xml

@@ -5,7 +5,7 @@
 
     <groupId>it.maconsultingitalia.keycloak</groupId>
     <artifactId>keycloak-resource-autoconf</artifactId>
-    <version>0.3.2</version>
+    <version>0.4.0</version>
 
     <name>Keycloak Resource Autoconfigurator</name>
     <description>Automatic configuration annotation to enable autodiscovery of Keycloak policy enforcement
@@ -38,23 +38,23 @@
     <properties>
         <maven.compiler.target>11</maven.compiler.target>
         <maven.compiler.source>11</maven.compiler.source>
-        <keycloak.version>16.1.1</keycloak.version>
-        <spring.version>5.3.25</spring.version>
-        <slf4j.version>1.7.32</slf4j.version>
-        <logback.version>1.2.10</logback.version>
-        <swagger-annotations.version>1.6.4</swagger-annotations.version>
-        <swagger3-annotations.version>2.1.12</swagger3-annotations.version>
+        <keycloak.version>19.0.3</keycloak.version>
+        <spring.version>5.3.30</spring.version>
+        <slf4j.version>1.7.36</slf4j.version>
+        <logback.version>1.2.12</logback.version>
+        <swagger-annotations.version>1.6.12</swagger-annotations.version>
+        <swagger3-annotations.version>2.2.18</swagger3-annotations.version>
         <junit.version>5.8.2</junit.version>
-        <spring-test.version>2.6.1</spring-test.version>
-        <spring-boot.version>2.6.1</spring-boot.version>
-        <thymeleaf.version>3.1.1.RELEASE</thymeleaf.version>
+        <spring-test.version>2.6.15</spring-test.version>
+        <spring-boot.version>2.6.15</spring-boot.version>
+        <thymeleaf.version>3.1.2.RELEASE</thymeleaf.version>
         <gson.version>2.10.1</gson.version>
         <lombok.version>1.18.26</lombok.version>
         <jackson-databind.version>2.14.2</jackson-databind.version>
-        <bcprov-jdk15on.version>1.70</bcprov-jdk15on.version>
+        <bcprov-jdk15on.version>1.76</bcprov-jdk15on.version>
         <mockito.version>4.2.0</mockito.version>
         <maven-compiler-plugin.version>3.11.0</maven-compiler-plugin.version>
-        <maven-gpg-plugin.version>3.0.1</maven-gpg-plugin.version>
+        <maven-gpg-plugin.version>3.1.0</maven-gpg-plugin.version>
         <maven-surefire-plugin.version>3.0.0</maven-surefire-plugin.version>
         <maven-source-plugin.version>3.3.0</maven-source-plugin.version>
         <maven-resources-plugin.version>3.3.1</maven-resources-plugin.version>
@@ -86,17 +86,25 @@
             <scope>provided</scope>
         </dependency>
 
+        <!-- https://mvnrepository.com/artifact/org.bouncycastle/bcprov-jdk18on -->
         <dependency>
             <groupId>org.bouncycastle</groupId>
-            <artifactId>bcprov-jdk15on</artifactId>
+            <artifactId>bcprov-jdk18on</artifactId>
             <version>${bcprov-jdk15on.version}</version>
         </dependency>
 
+
         <dependency>
             <groupId>org.keycloak</groupId>
             <artifactId>keycloak-spring-boot-adapter-core</artifactId>
             <version>${keycloak.version}</version>
             <scope>provided</scope>
+            <exclusions>
+                <exclusion>
+                    <groupId>org.bouncycastle</groupId>
+                    <artifactId>bcprov-jdk15on</artifactId>
+                </exclusion>
+            </exclusions>
         </dependency>
 
         <dependency>

src/main/java/it/maconsulting/kcautoconf/services/AutoconfigurationService.java

@@ -34,6 +34,12 @@ public class AutoconfigurationService {
     @Value("${kcautoconf.export-path:/mac/configuration/export}")
     private String exportPath;
 
+    @Value("${kcautoconf.protect-export-path:true}")
+    private boolean protectExportPath;
+
+    @Value("${kcautoconf.export-path-access-scope:configuration:export}")
+    private String exportPathAccessScope;
+
     @Autowired
     public AutoconfigurationService(ApplicationContext context, KeycloakSpringBootProperties keycloakSpringBootProperties, List<SwaggerOperationService> swaggerOperationServices) {
         this.context = context;
@@ -136,8 +142,15 @@ private String addLeadingSlash(String path) {
     public void enableConfigurationPage() {
         PolicyEnforcerConfig.PathConfig configurationPath = new PolicyEnforcerConfig.PathConfig();
         configurationPath.setPath(exportPath);
-        configurationPath.setEnforcementMode(PolicyEnforcerConfig.EnforcementMode.DISABLED);
+        if (protectExportPath) {
+            log.debug("ENFORCING protection over export path");
+            configurationPath.setEnforcementMode(PolicyEnforcerConfig.EnforcementMode.ENFORCING);
+            configurationPath.setScopes(List.of(exportPathAccessScope));
+        } else {
+            configurationPath.setEnforcementMode(PolicyEnforcerConfig.EnforcementMode.DISABLED);
+        }
         getKeycloakSpringBootProperties().getPolicyEnforcerConfig().getPaths().add(configurationPath);
+        log.info("Configuration page enabled and available @ {}", exportPath);
 
     }
 }

src/main/java/it/maconsulting/kcautoconf/services/JsonKeycloakConfigurationGenerator.java

@@ -18,11 +18,11 @@
 @Service
 public class JsonKeycloakConfigurationGenerator implements KeycloakConfigurationGeneratorService {
 
-    private final KeycloakSpringBootProperties kcProperties;
+    private final KeycloakSpringBootProperties keycloakSpringBootProperties;
 
     @Autowired
-    public JsonKeycloakConfigurationGenerator(KeycloakSpringBootProperties kcProperties) {
-        this.kcProperties = kcProperties;
+    public JsonKeycloakConfigurationGenerator(KeycloakSpringBootProperties keycloakSpringBootProperties) {
+        this.keycloakSpringBootProperties = keycloakSpringBootProperties;
     }
 
     @Override
@@ -32,7 +32,7 @@ public AuthorizationSettingsDTO generateConfigurationAsJson() {
         settings.setDecisionStrategy("AFFIRMATIVE");
         settings.setPolicyEnforcementMode("ENFORCING");
 
-        List<PolicyEnforcerConfig.PathConfig> paths = kcProperties.getPolicyEnforcerConfig().getPaths();
+        List<PolicyEnforcerConfig.PathConfig> paths = keycloakSpringBootProperties.getPolicyEnforcerConfig().getPaths();
         List<AuthorizedResourceDTO> resourceDTOS = new ArrayList<>();
         paths.forEach(pathConfig -> {
             if(!PolicyEnforcerConfig.EnforcementMode.DISABLED.equals(pathConfig.getEnforcementMode()) &&