У меня есть REST API, защищённый экземпляром Keycloak. REST API хорошо работает для HTTP-методов, таких как GET и POST, однако метод DELETE, похоже, блокируется Keycloak.
Вот как это выглядит в моем application.properties.
keycloak.auth-server-url=https://domain.de/auth
keycloak.realm=kiwi
keycloak.resource=kiwi
keycloak.public-client=true
keycloak.principal-attribute=preferred_username
keycloak.securityConstraints[0].authRoles[0] = user
keycloak.securityConstraints[0].securityCollections[0].name = protected
keycloak.securityConstraints[0].securityCollections[0].patterns[0] = /*
И вот как я настраиваю безопасность сервера
package de.longnguyen.security;
import de.longnguyen.controller.KeycloakController;
import org.keycloak.adapters.springboot.KeycloakSpringBootConfigResolver;
import org.keycloak.adapters.springsecurity.KeycloakSecurityComponents;
import org.keycloak.adapters.springsecurity.authentication.KeycloakAuthenticationProvider;
import org.keycloak.adapters.springsecurity.config.KeycloakWebSecurityConfigurerAdapter;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.ComponentScan;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.authority.mapping.SimpleAuthorityMapper;
import org.springframework.security.core.session.SessionRegistryImpl;
import org.springframework.security.web.authentication.session.RegisterSessionAuthenticationStrategy;
import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy;
import org.springframework.security.web.session.SessionManagementFilter;
@Configuration
@EnableWebSecurity
@ComponentScan(basePackageClasses = KeycloakSecurityComponents.class)
public class SecurityConfig extends KeycloakWebSecurityConfigurerAdapter {

    /**
     * Ant patterns that are reachable without authentication: the landing page,
     * static assets and the Swagger / OpenAPI documentation.
     */
    private static final String[] PUBLIC_PATHS = {
        "/",
        "/static/**",
        "/v2/api-docs",
        "/swagger*/**",
        "/webjars/**"
    };

    /**
     * Registers the Keycloak authentication provider with the global
     * {@link AuthenticationManagerBuilder}.
     *
     * <p>The granted-authority mapper is a {@link SimpleAuthorityMapper} so that
     * roles coming from the Keycloak token can be used as Spring Security roles.
     *
     * @param auth the global authentication manager builder supplied by Spring
     */
    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) {
        KeycloakAuthenticationProvider provider = keycloakAuthenticationProvider();
        provider.setGrantedAuthoritiesMapper(new SimpleAuthorityMapper());
        auth.authenticationProvider(provider);
    }

    /**
     * Resolves the Keycloak adapter configuration from the Spring Boot
     * properties ({@code keycloak.*} in application.properties) instead of a
     * separate keycloak.json file.
     *
     * @return the Spring Boot based Keycloak config resolver
     */
    @Bean
    public KeycloakSpringBootConfigResolver KeycloakConfigResolver() {
        return new KeycloakSpringBootConfigResolver();
    }

    /**
     * Session strategy required by the Keycloak adapter base class.
     *
     * @return a strategy that registers authenticated sessions in an in-memory registry
     */
    @Bean
    @Override
    protected SessionAuthenticationStrategy sessionAuthenticationStrategy() {
        SessionRegistryImpl registry = new SessionRegistryImpl();
        return new RegisterSessionAuthenticationStrategy(registry);
    }

    /**
     * Excludes the public paths and the login endpoint from the Spring Security
     * filter chain altogether. Requests to these paths therefore bypass every
     * security filter, including the custom CORS filter added below.
     *
     * @param web the web security builder
     * @throws Exception propagated from the adapter base configuration
     */
    @Override
    public void configure(WebSecurity web) throws Exception {
        super.configure(web);
        WebSecurity.IgnoredRequestConfigurer ignored = web.ignoring();
        ignored.antMatchers(PUBLIC_PATHS);
        ignored.antMatchers(KeycloakController.LOGIN_METHOD, KeycloakController.LOGIN_PATH);
    }

    /**
     * Configures the HTTP security rules for the API.
     *
     * <p>Everything not listed as public requires an authenticated (bearer)
     * request. No HTTP session is created; each request is authenticated on its
     * own, which is also why CSRF protection and form login are switched off.
     *
     * @param http the HTTP security builder
     * @throws Exception propagated from the adapter base configuration
     */
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        super.configure(http);

        // Stateless bearer-token API: no session cookie to protect, so CSRF is off.
        http.csrf().disable();
        http.cors();
        http.formLogin().disable();

        // NOTE(review): the public paths and the login endpoint are already removed
        // from the filter chain in configure(WebSecurity); these permitAll rules
        // never see a request for them. Keeping both is harmless but redundant.
        http.authorizeRequests()
            .antMatchers(PUBLIC_PATHS).permitAll()
            .antMatchers(KeycloakController.LOGIN_METHOD, KeycloakController.LOGIN_PATH).permitAll()
            .anyRequest().authenticated();

        // CustomCorsFilter is defined elsewhere in the project (not in this listing).
        http.addFilterBefore(new CustomCorsFilter(), SessionManagementFilter.class);
        http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
    }
}
REST API работает нормально, но каждый раз, когда я отправляю запрос DELETE, я получаю 403, и метод REST API даже не вызывается. Так выглядит журнал на сервере (после нескольких попыток удаления):
2020-03-26 18:28:39.904 DEBUG 1 --- [nio-8080-exec-4] o.k.adapters.RequestAuthenticator : Bearer AUTHENTICATED
2020-03-26 18:28:39.904 DEBUG 1 --- [nio-8080-exec-4] o.k.a.tomcat.AuthenticatedActionsValve : AuthenticatedActionsValve.invoke /api/v1/bank/1
2020-03-26 18:28:39.904 DEBUG 1 --- [nio-8080-exec-4] o.k.a.AuthenticatedActionsHandler : AuthenticatedActionsValve.invoke http://domain.de/api/v1/bank/1
2020-03-26 18:28:39.904 DEBUG 1 --- [nio-8080-exec-4] o.k.a.AuthenticatedActionsHandler : Policy enforcement is disabled.
2020-03-26 18:28:40.446 DEBUG 1 --- [nio-8080-exec-5] o.k.adapters.PreAuthActionsHandler : adminRequest http://domain.de/api/v1/bank/1
2020-03-26 18:28:40.454 DEBUG 1 --- [nio-8080-exec-5] o.k.adapters.RequestAuthenticator : User 'long' invoking 'http://domain.de/api/v1/bank/1' on client 'kiwi'
2020-03-26 18:28:40.457 DEBUG 1 --- [nio-8080-exec-5] o.k.adapters.RequestAuthenticator : Bearer AUTHENTICATED
2020-03-26 18:28:40.457 DEBUG 1 --- [nio-8080-exec-5] o.k.a.tomcat.AuthenticatedActionsValve : AuthenticatedActionsValve.invoke /api/v1/bank/1
2020-03-26 18:28:40.458 DEBUG 1 --- [nio-8080-exec-5] o.k.a.AuthenticatedActionsHandler : AuthenticatedActionsValve.invoke http://domain.de/api/v1/bank/1
2020-03-26 18:28:40.458 DEBUG 1 --- [nio-8080-exec-5] o.k.a.AuthenticatedActionsHandler : Policy enforcement is disabled.