Securing a Spring Boot application with Keycloak using @RolesAllowed

Time: 2018-06-05 09:23:43

Tags: java spring-boot keycloak

I want to create a microservice with Spring Boot 2 and secure it with Keycloak. I am using the new keycloak-spring-boot-2-starter:4.0.0.Beta3 dependency.

My KeycloakConfig:

import org.keycloak.adapters.KeycloakConfigResolver;
import org.keycloak.adapters.springboot.KeycloakSpringBootConfigResolver;
import org.keycloak.adapters.springsecurity.KeycloakConfiguration;
import org.keycloak.adapters.springsecurity.authentication.KeycloakAuthenticationProvider;
import org.keycloak.adapters.springsecurity.config.KeycloakWebSecurityConfigurerAdapter;
import org.keycloak.adapters.springsecurity.filter.KeycloakAuthenticationProcessingFilter;
import org.keycloak.adapters.springsecurity.filter.KeycloakPreAuthActionsFilter;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.web.servlet.FilterRegistrationBean;
import org.springframework.context.annotation.Bean;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.authority.mapping.SimpleAuthorityMapper;
import org.springframework.security.web.authentication.session.NullAuthenticatedSessionStrategy;
import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy;

@KeycloakConfiguration
@EnableGlobalMethodSecurity(jsr250Enabled = true, securedEnabled = true)
public class KeycloakConfig extends KeycloakWebSecurityConfigurerAdapter {

    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) {
        KeycloakAuthenticationProvider keyCloakAuthProvider = keycloakAuthenticationProvider();
        // Maps Keycloak roles to Spring authorities with the "ROLE_" prefix
        keyCloakAuthProvider.setGrantedAuthoritiesMapper(new SimpleAuthorityMapper());

        auth.authenticationProvider(keyCloakAuthProvider);
    }

    @Bean
    public KeycloakConfigResolver KeyCloakConfigResolver() {
        // Read the adapter configuration from application.properties/yml instead of keycloak.json
        return new KeycloakSpringBootConfigResolver();
    }

    @Bean
    @Override
    protected SessionAuthenticationStrategy sessionAuthenticationStrategy() {
        // Bearer-only service: no HTTP session is created for authenticated requests
        return new NullAuthenticatedSessionStrategy();
    }

    @Bean
    public FilterRegistrationBean keycloakAuthenticationProcessingFilterRegistrationBean(KeycloakAuthenticationProcessingFilter filter) {
        // Prevent Spring Boot from registering the filter a second time outside the security chain
        //noinspection unchecked
        FilterRegistrationBean registrationBean = new FilterRegistrationBean(filter);
        registrationBean.setEnabled(false);
        return registrationBean;
    }

    @Bean
    public FilterRegistrationBean keycloakPreAuthActionsFilterRegistrationBean(KeycloakPreAuthActionsFilter filter) {
        //noinspection unchecked
        FilterRegistrationBean registrationBean = new FilterRegistrationBean(filter);
        registrationBean.setEnabled(false);
        return registrationBean;
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        super.configure(http);
        http
                .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                .sessionAuthenticationStrategy(sessionAuthenticationStrategy())
                .and()
                .authorizeRequests()
                .anyRequest().denyAll();
    }
}

If I replace my configure method with the following for my bearer-only client, everything works fine:

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        super.configure(http);
        http
                .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                .sessionAuthenticationStrategy(sessionAuthenticationStrategy())
                .and()
                .authorizeRequests().antMatchers("/service/example/ping*").hasRole("user")
                .anyRequest().denyAll();
    }

But what I want to do is annotate my web services with @RolesAllowed("myRole") to control access. All other services should be denied by default. When I try to do that, it does not work. Does anyone know why, and how to achieve this?

Greetings from Germany!
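The following is an added example, not code from the question, showing how deny-by-default can be expressed at the method level with JSR-250 while the filter chain only requires authentication. It assumes Keycloak realm roles named "user" and "admin", illustrative request paths, and that the remaining beans of the KeycloakConfig above stay unchanged; the reason the asker's variant never reaches the annotations is that `.anyRequest().denyAll()` rejects every request in the filter chain before the controller proxy, where method security runs, is ever invoked.

```java
package com.example.demo; // hypothetical package, not from the question

import javax.annotation.security.DenyAll;
import javax.annotation.security.RolesAllowed;
import org.keycloak.adapters.springsecurity.config.KeycloakWebSecurityConfigurerAdapter;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

// Class-level @DenyAll is the JSR-250 fallback: any handler that carries no
// annotation of its own is rejected, which gives "deny all other services by default".
@RestController
@DenyAll
public class ExampleController {

    // Jsr250 metadata adds the "ROLE_" prefix, so "user" is checked against
    // ROLE_user, exactly what SimpleAuthorityMapper produces from the Keycloak role "user".
    @GetMapping("/service/example/ping")
    @RolesAllowed("user")
    public String ping() {
        return "pong";
    }

    @GetMapping("/service/example/admin")
    @RolesAllowed("admin") // assumed realm role
    public String adminOnly() {
        return "admin";
    }

    // No method-level annotation: class-level @DenyAll applies, 403 for everyone.
    @GetMapping("/service/example/unannotated")
    public String unannotated() {
        return "unreachable";
    }
}

// Only the configure method differs from the question's KeycloakConfig; the
// other beans (config resolver, session strategy, filter registrations) are unchanged.
class MethodSecurityConfig extends KeycloakWebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        super.configure(http);
        http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
            .sessionAuthenticationStrategy(sessionAuthenticationStrategy())
            .and()
            // Require a valid bearer token here; role decisions are left to @RolesAllowed/@DenyAll.
            .authorizeRequests().anyRequest().authenticated();
    }
}
```

Requests without a valid token are still rejected in the filter chain; requests with a token reach the controller proxy, where the annotations decide per handler.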

0 Answers:

No answers