sul*_*man 0 java spring spring-boot keycloak
I am using Keycloak to authenticate my Spring Boot application.
I have created a new realm (CommonServices) with a client (chatting system).
I have this configuration:
```yaml
keycloak:
  auth-server-url: http://localhost:8083/auth
  realm: CommonServices
  resource: chatting-system
  public-client: true
  principal-attribute: preferred_username
  use-resource-role-mappings: true
  security-constraints[0].authRoles[0]: user
  ssl-required: external
spring:
  data:
    mongodb:
      host: localhost
      port: 27017
      database: Chat
      username: saga
      password: password
  security:
    oauth2:
      resourceserver:
        jwt:
          jwk-set-uri: http://localhost:8083/auth/realms/CommonServices/protocol/openid-connect/certs
          issuer-uri: http://localhost:8083/auth/realms/CommonServices
```
I have configured security as follows:
```java
import org.keycloak.adapters.springsecurity.KeycloakConfiguration;
import org.keycloak.adapters.springsecurity.authentication.KeycloakAuthenticationProvider;
import org.keycloak.adapters.springsecurity.config.KeycloakWebSecurityConfigurerAdapter;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.core.session.SessionRegistryImpl;
import org.springframework.security.web.authentication.session.RegisterSessionAuthenticationStrategy;
import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy;

@KeycloakConfiguration
class SecurityConfig extends KeycloakWebSecurityConfigurerAdapter {

    // Register the Keycloak authentication provider with Spring Security
    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        KeycloakAuthenticationProvider keycloakAuthenticationProvider = keycloakAuthenticationProvider();
        auth.authenticationProvider(keycloakAuthenticationProvider);
    }

    @Bean
    @Override
    protected SessionAuthenticationStrategy sessionAuthenticationStrategy() {
        return new RegisterSessionAuthenticationStrategy(new SessionRegistryImpl());
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        super.configure(http);
        http.authorizeRequests()
            .antMatchers("/**")
            .hasRole("user")
            .anyRequest()
            .authenticated();
    }
}
```

```java
import org.keycloak.adapters.springboot.KeycloakSpringBootConfigResolver;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

@Configuration
public class KeycloakConfig {

    // Read the Keycloak adapter settings from application.yml instead of keycloak.json
    @Bean
    public KeycloakSpringBootConfigResolver keycloakConfigResolver() {
        return new KeycloakSpringBootConfigResolver();
    }
}
```
Problem
When I access a GET API everything works fine, but
if I access a POST REST API, I get 403 Forbidden.
I guess this is a problem with the CSRF protection that Spring Security enables by default. Try disabling it in your SecurityConfig to confirm that this is really the case.
```java
@Override
protected void configure(HttpSecurity http) throws Exception {
    super.configure(http);
    http
        .csrf().disable() // <- THIS LINE
        .authorizeRequests()
        .antMatchers("/**")
        .hasRole("user")
        .anyRequest()
        .authenticated();
}
```
If this is the cause, I would suggest setting up proper CSRF protection, because disabling it saves development time but is generally not a good idea for a deployment to production.
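As an added example (not code from the question or the answer above), this is one way to keep CSRF protection enabled rather than calling `csrf().disable()`: the token is issued in an `XSRF-TOKEN` cookie that front-end JavaScript can read and echo back in the `X-XSRF-TOKEN` header, which is what Spring Security's `CookieCsrfTokenRepository` expects. The class and role names are reused from the question; the cookie-based repository is my assumption about how the browser client will present the token.

```java
import org.keycloak.adapters.springsecurity.KeycloakConfiguration;
import org.keycloak.adapters.springsecurity.config.KeycloakWebSecurityConfigurerAdapter;
import org.springframework.context.annotation.Bean;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.core.session.SessionRegistryImpl;
import org.springframework.security.web.authentication.session.RegisterSessionAuthenticationStrategy;
import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;

// Added example: CSRF stays on; only the token transport changes.
@KeycloakConfiguration
class SecurityConfig extends KeycloakWebSecurityConfigurerAdapter {

    @Bean
    @Override
    protected SessionAuthenticationStrategy sessionAuthenticationStrategy() {
        return new RegisterSessionAuthenticationStrategy(new SessionRegistryImpl());
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        super.configure(http);
        http
            // Issue the CSRF token as an XSRF-TOKEN cookie. HttpOnly=false is needed so
            // the browser client can read it and copy it into the X-XSRF-TOKEN header.
            // GET/HEAD/OPTIONS/TRACE are never checked; POST/PUT/DELETE without a
            // matching header still get 403, which is the behaviour the question describes.
            .csrf().csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
            .and()
            .authorizeRequests()
                .antMatchers("/**").hasRole("user")
                .anyRequest().authenticated();
    }
}
```

The client must read the `XSRF-TOKEN` cookie and send its value in an `X-XSRF-TOKEN` header on every state-changing request. If the API is only ever called with a bearer token and never relies on a session cookie, CSRF does not apply and disabling it is defensible; the question's use of a session registry suggests sessions are in play, so keeping it on is the safer default.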