Keycloak use of securityCollections

Somewhere I see peoples put this configuration to their Spring app:

keycloak.securityConstraints[0].authRoles[0]=user
keycloak.securityConstraints[0].securityCollections[0].patterns[0]=/testUser

keycloak.securityConstraints[1].authRoles[0]=offline_access
keycloak.securityConstraints[1].securityCollections[0].patterns[0]=/testAdmin

You can see that securityCollections index is always zero. My questions are:

  1. What is securityCollections and what does it use for?
  2. When do we have securityCollections[1], securityCollections[2], …?

Answer

Keycloak’s securityCollections configuration is like the Java EE web-resource-collection configuration, see Easily secure your Spring Boot applications with Keycloak:

Defining Keycloak’s configuration

[…]
Then we need to define some Security constraints as you will do with a Java EE app in your web.xml:

keycloak.security-constraints[0].authRoles[0]=user
keycloak.security-constraints[0].securityCollections[0].patterns[0]=/products/*

Here, we simply define that every request to /products/* should be done with an authenticated user and that this user should have the role “user”.

and Securing Applications and Services Guide

2.1.6. Spring Boot Adapter

[…]
You also need to specify the Java EE security config that would normally go in the web.xml. The Spring Boot Adapter will set the login-method to KEYCLOAK and configure the security-constraints at startup time. Here’s an example configuration:

keycloak.securityConstraints[0].authRoles[0] = admin
keycloak.securityConstraints[0].authRoles[1] = user
keycloak.securityConstraints[0].securityCollections[0].name = insecure stuff
keycloak.securityConstraints[0].securityCollections[0].patterns[0] = /insecure

keycloak.securityConstraints[1].authRoles[0] = admin
keycloak.securityConstraints[1].securityCollections[0].name = admin stuff
keycloak.securityConstraints[1].securityCollections[0].patterns[0] = /admin

For more informations about web-resource-collection, see Java Platform, Enterprise Edition: The Java EE Tutorial.