我使用 Docker 设置了 Keycloak 服务器。配置领域和客户端等。我成功地为一些 RestController 编写了 Spring Boot 服务。工作依此类推。
但是当我尝试将 Spring Security 与 Keycloak Adapter 一起使用时,我陷入了困境。
这是我的安全配置:
@KeycloakConfiguration
class SecurityConfig : KeycloakWebSecurityConfigurerAdapter() {
@Autowired
lateinit var keycloakClientRequestFactory: KeycloakClientRequestFactory
@Bean
fun keycloakConfigResolver(): KeycloakSpringBootConfigResolver = KeycloakSpringBootConfigResolver()
@Bean
override fun sessionAuthenticationStrategy(): SessionAuthenticationStrategy =
NullAuthenticatedSessionStrategy()
@Autowired
@Throws(Exception::class)
fun configureGlobal(auth: AuthenticationManagerBuilder) {
val keycloakAuthProvider: KeycloakAuthenticationProvider = keycloakAuthenticationProvider()
keycloakAuthProvider.setGrantedAuthoritiesMapper(SimpleAuthorityMapper())
auth.authenticationProvider(keycloakAuthProvider)
}
@Throws(Exception::class)
override fun configure(http: HttpSecurity) {
super.configure(http)
http.cors().disable()
.csrf().disable()
.exceptionHandling().and()
.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
.sessionAuthenticationStrategy(sessionAuthenticationStrategy()).and()
.formLogin().disable()
.authorizeRequests()
.antMatchers("/apps/manual-data-collection/**").hasRole("user")
.anyRequest().permitAll()
}
/**
* https://www.keycloak.org/docs/latest/securing_apps/index.html#avoid-double-bean-registration
*/
@Bean
@ConditionalOnMissingBean(HttpSessionManager::class)
override fun httpSessionManager(): HttpSessionManager = HttpSessionManager()
}
现在我尝试访问服务器,但收到 403 禁止错误。以下是 spring 的日志:
2020-01-08 14:08:01.817 DEBUG 12396 --- [nio-8080-exec-5] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/apps/manual-data-collection/document-templates'; against '/apps/manual-data-collection/**'
2020-01-08 14:08:01.817 DEBUG 12396 --- [nio-8080-exec-5] o.s.s.w.a.i.FilterSecurityInterceptor : Secure object: FilterInvocation: URL: /apps/manual-data-collection/document-templates; Attributes: [hasRole('ROLE_user')]
2020-01-08 14:08:01.817 DEBUG 12396 --- [nio-8080-exec-5] o.s.s.w.a.i.FilterSecurityInterceptor : Previously Authenticated: org.keycloak.adapters.springsecurity.token.KeycloakAuthenticationToken@bc432bbc: Principal: willy; Credentials: [PROTECTED]; Authenticated: true; Details: org.keycloak.adapters.springsecurity.account.SimpleKeycloakAccount@42db7613; Not granted any authorities
2020-01-08 14:08:01.818 DEBUG 12396 --- [nio-8080-exec-5] o.s.s.access.vote.AffirmativeBased : Voter: org.springframework.security.web.access.expression.WebExpressionVoter@3d0602a7, returned: -1
2020-01-08 14:08:01.818 DEBUG 12396 --- [nio-8080-exec-5] o.s.s.w.a.ExceptionTranslationFilter : Access is denied (user is not anonymous); delegating to AccessDeniedHandler
org.springframework.security.access.AccessDeniedException: Access is denied
令我困惑的是,它说:未授予任何权限。如果我省略该部分,一切都会正常。必要的角色(在本例中为“用户”)存储在领域中。 JWT token 也提供这些。我不知道为什么它不起作用。
编辑:
我应该提到这一点。 Spring Boot 服务器只能用作 Angular 应用程序的 REST 服务器,因此是STATELESS。
最佳答案
好吧,我发现我的错误了。我在 application.yml 中激活了以下内容:
keycloak.use-resource-role-mappings=true
但它必须是假。 Keycloak documentation说如下:
use-resource-role-mappings - If set to true, the adapter will look inside the token for application level role mappings for the user. If false, it will look at the realm level for user role mappings. This is OPTIONAL. The default value is false.
关于java - 为什么 Spring Security 和 Keycloak 收到 "Access is denied"错误?,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/59646942/