HaV*_*nTe 5 spring-security keycloak
我设置了一个Keycloak服务器.配置领域和客户端等.我成功地编写了一个带有"org.keycloak:keycloak-spring-boot-starter"的Spring Boot服务并保护了我的RestController.奇迹般有效.
但是当我尝试使用Spring Security(没有keycloak特定的依赖项)时,我陷入困境.
这是我的傻瓜:
dependencies {
compile('org.springframework.boot:spring-boot-starter-security')
compile('org.springframework.security.oauth:spring-security-oauth2')
compile('org.springframework.boot:spring-boot-starter-web')
compileOnly('org.projectlombok:lombok')
testCompile('org.springframework.boot:spring-boot-starter-test')
testCompile('org.springframework.security:spring-security-test')
}
这是我的SecurityConfig:
@Configuration
@EnableResourceServer
public class ResourceServerConfiguration extends
ResourceServerConfigurerAdapter {
@Override
public void configure(HttpSecurity http) throws Exception {
http.authorizeRequests()
.antMatchers("/person/**").hasRole("DEMO_SPRING_SECURITY")
.anyRequest().authenticated()
.and().formLogin().disable();
}
@Override
public void configure(ResourceServerSecurityConfigurer resources) throws Exception {
resources.resourceId("demo-client");
RemoteTokenServices tokenServices = new RemoteTokenServices();
tokenServices.setCheckTokenEndpointUrl(
"http://localhost:8280/auth/realms/demo-realm/protocol/openid-connect/token/introspect");
tokenServices.setClientId("demo-client");
tokenServices.setClientSecret("80e19056-7770-4a4a-a3c4-06d8ac8792ef");
resources.tokenServices(tokenServices);
}
}
现在我尝试访问服务器:
Run Code Online (Sandbox Code Playgroud){ "jti": "78c00562-d80a-4f5a-ab08-61ed10cb575c", "exp": 1509603570, "nbf": 0, "iat": 1509603270, "iss": "http://localhost:8280/auth/realms/demo-realm", "aud": "demo-client", "sub": "6ee90ba4-2854-49c1-9776-9aa95b6ae598", "typ": "Bearer", "azp": "demo-client", "auth_time": 0, "session_state": "68ce12fb-3b3f-429d-9390-0662f0503bbb", "acr": "1", "client_session": "ec0113e1-022a-482a-a26b-e5701e5edec1", "allowed-origins": [], "realm_access": { "roles": [ "demo_user_role", "uma_authorization" ] }, "resource_access": { "account": { "roles": [ "manage-account", "manage-account-links", "view-profile" ] } }, "name": "Jim Panse", "preferred_username": "demo-user", "given_name": "Jim", "family_name": "Panse", "email": "user@dmoain.com" }
但我得到一个AccessDeniedException.
Run Code Online (Sandbox Code Playgroud)2017-11-02 07:18:05.344 DEBUG 17637 --- [nio-8080-exec-1] o.s.s.w.a.i.FilterSecurityInterceptor : Previously Authenticated:org.springframework.security.oauth2.provider.OAuth2Authentication@1f3ee7e1:校长:demo-client; 证书:[保护]; 认证:真实; 详细信息:remoteAddress = 127.0.0.1,tokenType = BearertokenValue =; 未授予任何权限2017-11-02 07:18:05.348 DEBUG 17637 --- [nio-8080-exec-1] ossaccess.vote.AffirmativeBased:Voter:org.springframework.security.web.access.expression.WebExpressionVoter @ 14032696,返回:-1 2017-11-02 07:18:05.353 DEBUG 17637 --- [nio-8080-exec-1] osswaExceptionTranslationFilter:访问被拒绝(用户不是匿名的); 委托给AccessDeniedHandler
org.springframework.security.access.AccessDeniedException:访问被拒绝
我对RemoteTokenService进行了调试,发现Keycloak以完全相同的accessstoken响应.哪个好.但是DefaultAccessTokenConverter尝试authorities从不存在的字段中读取用户角色.并且OAuth2WebSecurityExpressionHandler评估用户doenst具有任何角色. - >访问被拒绝
所以我的问题:
什么是使Spring Security与Keycloak访问令牌一起工作的必要条件?
在这里提出这个问题后,我自己找到了一个解决方案。有时尝试表达问题会有所帮助。
解决办法是重写DefaultAccessTokenConverter,教他如何读取“realm_access”字段。它丑陋但有效:
@Override
public void configure(ResourceServerSecurityConfigurer resources) throws Exception {
resources.resourceId("demo-client");
RemoteTokenServices tokenServices = new RemoteTokenServices();
tokenServices.setCheckTokenEndpointUrl(
"http://localhost:8280/auth/realms/demo-realm/protocol/openid-connect/token/introspect");
tokenServices.setClientId("demo-client");
tokenServices.setClientSecret("80e19056-7770-4a4a-a3c4-06d8ac8792ef");
tokenServices.setAccessTokenConverter(new KeycloakAccessTokenConverter());
resources.tokenServices(tokenServices);
}
private class KeycloakAccessTokenConverter extends DefaultAccessTokenConverter {
@Override
public OAuth2Authentication extractAuthentication(Map<String, ?> map) {
OAuth2Authentication oAuth2Authentication = super.extractAuthentication(map);
Collection<GrantedAuthority> authorities = (Collection<GrantedAuthority>) oAuth2Authentication.getOAuth2Request().getAuthorities();
if (map.containsKey("realm_access")) {
Map<String, Object> realm_access = (Map<String, Object>) map.get("realm_access");
if(realm_access.containsKey("roles")) {
((Collection<String>) realm_access.get("roles")).forEach(r -> authorities.add(new SimpleGrantedAuthority(r)));
}
}
return new OAuth2Authentication(oAuth2Authentication.getOAuth2Request(),oAuth2Authentication.getUserAuthentication());
}
}
通过keycloak管理控制台,您可以为客户“ demo-client” 创建具有用户名“ authorities”的User Realm Role类型的令牌映射器。然后,访问令牌在此属性中包含角色名称,并且不需要自定义DefaultAccessTokenConverter。
| 归档时间: |
|
| 查看次数: |
1911 次 |
| 最近记录: |