I have extracted the user's groups from Keycloak's OIDC endpoint, but they do not come with the group ATTRIBUTES I defined (see the "Attributes" tab in the group form, next to "Settings"). Is there a claim I should add to my request?
I am accessing Keycloak's admin API with a RESTeasy client (which turned out much better than using the provided admin client):
import static javax.ws.rs.core.HttpHeaders.AUTHORIZATION;

import java.util.List;
import javax.ws.rs.Consumes;
import javax.ws.rs.GET;
import javax.ws.rs.HeaderParam;
import javax.ws.rs.Path;
import javax.ws.rs.PathParam;
import javax.ws.rs.Produces;
import javax.ws.rs.core.MediaType;
import org.keycloak.representations.idm.GroupRepresentation;

@Path("/admin/realms/{realm}")
public interface KeycloakAdminService {

    @GET
    @Path("/users/{id}/groups")
    @Consumes(MediaType.APPLICATION_JSON)
    @Produces(MediaType.APPLICATION_JSON)
    List<GroupRepresentation> getUserGroups(@PathParam("realm") String realm, @PathParam("id") String userId,
            @HeaderParam(AUTHORIZATION) String accessToken);
    // DEBUG: the access token must always be prefixed by "Bearer "
}
So I can fetch the user's groups:
private void fetchUserGroups(UserInfoOIDC infos, String userId) {
    log.info("Fetching user groups from {}...", getRealm());
    try {
        KeycloakAdminService proxy = kcTarget.proxy(KeycloakAdminService.class);
        AccessTokenResponse response = authzClient.obtainAccessToken(getAdminUsername(), getAdminPassword());
        List<GroupRepresentation> groups = proxy.getUserGroups(getRealm(), userId,
                "Bearer " + response.getToken());
        infos.importUserGroups(groups); // DEBUG …

Since I migrated from 1.x to Spring Boot 2.0.5, without intending to disable security, I cannot get the test roles to work in my mock MVC tests:
@RunWith(SpringRunner.class)
@SpringBootTest
@AutoConfigureMockMvc
public class ApplicationsControllerShould {
    ...
    @Autowired
    private MockMvc mockMvc;
    private ObjectMapper mapper = new ObjectMapper();

    @Test
    @WithMockUser(roles = "ADMIN")
    public void handle_CRUD_for_applications() throws Exception {
        Application app = Application.builder()
                .code(APP_CODE).name(APP_NAME)
                .build();
        mockMvc.perform(post("/applications")
                .accept(MediaType.APPLICATION_JSON_UTF8)
                .contentType(MediaType.APPLICATION_JSON_UTF8)
                .content(mapper.writeValueAsString(app)))
                .andExpect(authenticated())
                .andExpect(status().isOk()); // failure 403!
        ...
My controller endpoint is not even protected!
@RestController
@RequestMapping("/applications")
public class ApplicationsController {
    ...
    @PostMapping
    public Application addApplication(@RequestBody Application application) {
        Assert.isTrue(!applicationsDao.existsById(application.getCode()),
                "Application code already exists: " + application.getCode());
        return applicationsDao.save(application);
    }
}
So I do have a session in the test (when @WithMockUser …
I have just set up a Spring Cloud Gateway server (Greenwich.SR2) with the Boot Actuator starter dependency, but I cannot reach any /actuator/gateway or /gateway API.
I tried activating and exposing the endpoints, without success:
management.endpoint.gateway.enabled=true
management.endpoints.web.exposure.include=health,gateway
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>
    <parent>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-parent</artifactId>
        <version>2.1.6.RELEASE</version>
    </parent>
    <groupId>com.example</groupId>
    <artifactId>gateway</artifactId>
    <version>0.0.1-SNAPSHOT</version>
    <description>Gateway demo project for Spring Boot</description>

    <properties>
        <java.version>11</java.version>
        <spring-cloud.version>Greenwich.SR2</spring-cloud.version>
    </properties>

    <dependencies>
        <dependency>
            <groupId>org.springframework.cloud</groupId>
            <artifactId>spring-cloud-starter-gateway</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-actuator</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.cloud</groupId>
            <artifactId>spring-cloud-starter-netflix-eureka-client</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.cloud</groupId>
            <artifactId>spring-cloud-starter-netflix-hystrix</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-devtools</artifactId>
        </dependency>
    </dependencies>

    <dependencyManagement>
        <dependencies>
            <dependency>
                <groupId>org.springframework.cloud</groupId>
                <artifactId>spring-cloud-dependencies</artifactId>
                <version>${spring-cloud.version}</version>
                <type>pom</type>
                <scope>import</scope>
            </dependency>
        </dependencies>
    </dependencyManagement>

    <build>
        <plugins>
            <plugin>
                <groupId>org.springframework.boot</groupId>
                <artifactId>spring-boot-maven-plugin</artifactId>
            </plugin>
        </plugins>
    </build>
</project>
I admit this is a WebFlux+Netty server, but from what I have read that should make no difference. Still, I must have missed something.
Any experience to share, anyone?
I do not understand the behaviour of the distributed lock obtained from JdbcLockRegistry.
@Bean
public LockRepository lockRepository(DataSource datasource) {
    return new DefaultLockRepository(datasource);
}

@Bean
public LockRegistry lockRegistry(LockRepository repository) {
    return new JdbcLockRegistry(repository);
}
My project runs on PostgreSQL and the Spring Boot version is 2.2.2. Here is the demo use case:
@GetMapping("/isolate")
public String isolate() throws InterruptedException {
    Lock lock = registry.obtain("the-lock");
    if (lock.tryLock(10, TimeUnit.SECONDS)) { // close
        try {
            Thread.sleep(30 * 1000L);
        } finally {
            lock.unlock(); // open
        }
    } else {
        return "rejected";
    }
    return "acquired";
}
Note: this use case works when using a Hazelcast distributed lock.
The observed behaviour is that, by calling the API on the first instance, the first lock is properly registered in the database. Then, within the 30 seconds, a second call is made on another instance (other port), and it updates the existing row of the int_lock table (the client_id changes) instead of failing. As a result, the first endpoint delivers after 30 seconds (no unlock failure), and the second endpoint in its own …
Using only keycloak-authz-client (6.0.1) (no Spring Security), I need to read user info and user groups from the service provider.
Once I have obtained a proper access token, thanks to AuthzClient, I am able to reach the user info API:
UriBuilder target = UriBuilder.fromUri(kcURL);
target.path("realms/{realm}/protocol/openid-connect/userinfo")
        .resolveTemplate("realm", this.realm);
UserInfoOIDC info = new UserInfoOIDC();
try {
    UserInfo response = this.buildBearerInvocation(target, accessToken).get(UserInfo.class);
    info.setName(response.getName());
    info.setUsername(response.getPreferredUsername());
    info.setCompleted(true);
    log.info("User info successfully retrieved from {}", this.realm);
} catch (WebApplicationException e) {
    log.error("User info failure on {}: {}", this.realm, e.getMessage());
}
...
private Invocation.Builder buildBearerInvocation(UriBuilder target, String accessToken) {
    WebTarget webTarget = restClient.target(target);
    Invocation.Builder builder = webTarget.request(APPLICATION_JSON)
            .header(AUTHORIZATION, "Bearer " + accessToken);
    return builder;
}
But I cannot reach the "admin API":
UriBuilder target = …