Keycloak use of securityCollections

Somewhere I see peoples put this configuration to their Spring app:



You can see that securityCollections index is always zero. My questions are:

  1. What is securityCollections and what does it use for?
  2. When do we have securityCollections[1], securityCollections[2], …?


Keycloak’s securityCollections configuration is like the Java EE web-resource-collection configuration, see Easily secure your Spring Boot applications with Keycloak:

Defining Keycloak’s configuration

Then we need to define some Security constraints as you will do with a Java EE app in your web.xml:[0].authRoles[0]=user[0].securityCollections[0].patterns[0]=/products/*

Here, we simply define that every request to /products/* should be done with an authenticated user and that this user should have the role “user”.

and Securing Applications and Services Guide

2.1.6. Spring Boot Adapter

You also need to specify the Java EE security config that would normally go in the web.xml. The Spring Boot Adapter will set the login-method to KEYCLOAK and configure the security-constraints at startup time. Here’s an example configuration:

keycloak.securityConstraints[0].authRoles[0] = admin
keycloak.securityConstraints[0].authRoles[1] = user
keycloak.securityConstraints[0].securityCollections[0].name = insecure stuff
keycloak.securityConstraints[0].securityCollections[0].patterns[0] = /insecure

keycloak.securityConstraints[1].authRoles[0] = admin
keycloak.securityConstraints[1].securityCollections[0].name = admin stuff
keycloak.securityConstraints[1].securityCollections[0].patterns[0] = /admin

For more informations about web-resource-collection, see Java Platform, Enterprise Edition: The Java EE Tutorial.