我正在尝试将 Keycloak 与 Spring Boot 结合使用,并为 Keycloak 配置了两个用户:user1 的角色为“user”,user2 的角色为“not-user”。
我希望当我使用 user1 调用端点时一切正常,而当我使用 user2 调用端点时访问被拒绝......但它不会发生!!!
即使使用 user2,我也可以调用电话!
这是我与 user2 进行一次调用时的日志:
2020-05-21 10:32:22.483 DEBUG 30380 --- [nio-7771-exec-5] o.k.adapters.PreAuthActionsHandler : adminRequest http://localhost:7771/contexts/LOCAL/files/upload
2020-05-21 10:32:22.485 DEBUG 30380 --- [nio-7771-exec-5] .k.a.t.AbstractAuthenticatedActionsValve : AuthenticatedActionsValve.invoke /contexts/LOCAL/files/upload
2020-05-21 10:32:22.485 DEBUG 30380 --- [nio-7771-exec-5] o.k.a.AuthenticatedActionsHandler : AuthenticatedActionsValve.invoke http://localhost:7771/contexts/LOCAL/files/upload
2020-05-21 10:32:22.486 DEBUG 30380 --- [nio-7771-exec-5] o.k.a.AuthenticatedActionsHandler : Policy enforcement is disabled.
2020-05-21 10:32:22.486 DEBUG 30380 --- [nio-7771-exec-5] o.k.adapters.PreAuthActionsHandler : adminRequest http://localhost:7771/contexts/LOCAL/files/upload
2020-05-21 10:32:22.487 DEBUG 30380 --- [nio-7771-exec-5] f.KeycloakAuthenticationProcessingFilter : Request is to process authentication
2020-05-21 10:32:22.487 DEBUG 30380 --- [nio-7771-exec-5] f.KeycloakAuthenticationProcessingFilter : Attempting Keycloak authentication
2020-05-21 10:32:22.487 DEBUG 30380 --- [nio-7771-exec-5] o.k.a.BearerTokenRequestAuthenticator : Found [1] values in authorization header, selecting the first value for Bearer.
2020-05-21 10:32:22.488 DEBUG 30380 --- [nio-7771-exec-5] o.k.a.BearerTokenRequestAuthenticator : Verifying access_token
2020-05-21 10:32:22.493 DEBUG 30380 --- [nio-7771-exec-5] o.k.a.BearerTokenRequestAuthenticator : successful authorized
2020-05-21 10:32:22.493 DEBUG 30380 --- [nio-7771-exec-5] a.s.a.SpringSecurityRequestAuthenticator : Completing bearer authentication. Bearer roles: [not-user]
2020-05-21 10:32:22.493 DEBUG 30380 --- [nio-7771-exec-5] o.k.adapters.RequestAuthenticator : User 'user2' invoking 'http://localhost:7771/contexts/LOCAL/files/upload' on client 'fs-app'
2020-05-21 10:32:22.494 DEBUG 30380 --- [nio-7771-exec-5] o.k.adapters.RequestAuthenticator : Bearer AUTHENTICATED
2020-05-21 10:32:22.494 DEBUG 30380 --- [nio-7771-exec-5] f.KeycloakAuthenticationProcessingFilter : Auth outcome: AUTHENTICATED
2020-05-21 10:32:22.494 DEBUG 30380 --- [nio-7771-exec-5] f.KeycloakAuthenticationProcessingFilter : Authentication success using bearer token/basic authentication. Updating SecurityContextHolder to contain: org.keycloak.adapters.springsecurity.token.KeycloakAuthenticationToken@8e43f478: Principal: user2; Credentials: [PROTECTED]; Authenticated: true; Details: org.keycloak.adapters.springsecurity.account.SimpleKeycloakAccount@6489f7f5; Granted Authorities: ROLE_not-user
2020-05-21 10:32:22.494 DEBUG 30380 --- [nio-7771-exec-5] o.k.a.AuthenticatedActionsHandler : AuthenticatedActionsValve.invoke http://localhost:7771/contexts/LOCAL/files/upload
2020-05-21 10:32:22.494 DEBUG 30380 --- [nio-7771-exec-5] o.k.a.AuthenticatedActionsHandler : Policy enforcement is disabled.
2020-05-21 10:32:22.495 DEBUG 30380 --- [nio-7771-exec-5] f.KeycloakAuthenticationProcessingFilter : Request is to process authentication
2020-05-21 10:32:22.495 DEBUG 30380 --- [nio-7771-exec-5] f.KeycloakAuthenticationProcessingFilter : Attempting Keycloak authentication
2020-05-21 10:32:22.496 DEBUG 30380 --- [nio-7771-exec-5] o.k.a.BearerTokenRequestAuthenticator : Found [1] values in authorization header, selecting the first value for Bearer.
2020-05-21 10:32:22.496 DEBUG 30380 --- [nio-7771-exec-5] o.k.a.BearerTokenRequestAuthenticator : Verifying access_token
2020-05-21 10:32:22.500 DEBUG 30380 --- [nio-7771-exec-5] o.k.a.BearerTokenRequestAuthenticator : successful authorized
2020-05-21 10:32:22.501 DEBUG 30380 --- [nio-7771-exec-5] a.s.a.SpringSecurityRequestAuthenticator : Completing bearer authentication. Bearer roles: [not-user]
2020-05-21 10:32:22.501 DEBUG 30380 --- [nio-7771-exec-5] o.k.adapters.RequestAuthenticator : User 'user2' invoking 'http://localhost:7771/contexts/LOCAL/files/upload' on client 'fs-app'
2020-05-21 10:32:22.501 DEBUG 30380 --- [nio-7771-exec-5] o.k.adapters.RequestAuthenticator : Bearer AUTHENTICATED
2020-05-21 10:32:22.501 DEBUG 30380 --- [nio-7771-exec-5] f.KeycloakAuthenticationProcessingFilter : Auth outcome: AUTHENTICATED
2020-05-21 10:32:22.502 DEBUG 30380 --- [nio-7771-exec-5] f.KeycloakAuthenticationProcessingFilter : Authentication success using bearer token/basic authentication. Updating SecurityContextHolder to contain: org.keycloak.adapters.springsecurity.token.KeycloakAuthenticationToken@c999a381: Principal: user2; Credentials: [PROTECTED]; Authenticated: true; Details: org.keycloak.adapters.springsecurity.account.SimpleKeycloakAccount@55a7758e; Granted Authorities: ROLE_not-user
2020-05-21 10:32:22.502 DEBUG 30380 --- [nio-7771-exec-5] o.k.adapters.PreAuthActionsHandler : adminRequest http://localhost:7771/contexts/LOCAL/files/upload
2020-05-21 10:32:22.533 INFO 30380 --- [nio-7771-exec-5] c.s.s.f.c.FileStorageController : POST request on /contexts/{context}/files/upload
在我的 build.gradle 中,我包含了依赖项:
compile group: 'org.keycloak', name: 'keycloak-spring-boot-starter', version: '10.0.1'
compile group: 'org.keycloak', name: 'keycloak-spring-security-adapter', version: '10.0.1'
implementation 'org.springframework.boot:spring-boot-starter-security'
implementation 'org.springframework.security:spring-security-test'
Keycloak 的属性是:
keycloak.auth-server-url=http://localhost:8180/auth
keycloak.realm=SpringBootKeycloak
keycloak.resource=fs-app
#keycloak.use-resource-role-mappings=true
keycloak.public-client=true
keycloak.principal-attribute=preferred_username
Keycloak配置类是:
@Configuration
@EnableWebSecurity
@ComponentScan(basePackageClasses = KeycloakSecurityComponents.class)
class SecurityConfig extends KeycloakWebSecurityConfigurerAdapter {
@Autowired
public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
KeycloakAuthenticationProvider keycloakAuthenticationProvider = keycloakAuthenticationProvider();
keycloakAuthenticationProvider.setGrantedAuthoritiesMapper(new SimpleAuthorityMapper());
auth.authenticationProvider(keycloakAuthenticationProvider);
}
@Bean
public KeycloakSpringBootConfigResolver KeycloakConfigResolver() {
return new KeycloakSpringBootConfigResolver();
}
@Bean
@Override
protected SessionAuthenticationStrategy sessionAuthenticationStrategy() {
return new RegisterSessionAuthenticationStrategy(
new SessionRegistryImpl());
}
@Override
protected void configure(HttpSecurity http) throws Exception {
super.configure(http);
http
.csrf().disable()
.authorizeRequests()
.antMatchers("/*")
.hasRole("user")
.anyRequest()
.permitAll();
}
}
我错过了什么? Keycloak 有什么特殊的配置吗?
编辑:
This是一个类似的问题,但就我而言,我的 SecurityConfig 类不会被忽略!
最佳答案
您正在使用Spring Boot adapter这不是保护您的网络内容的方法。您应该使用 Spring Boot 配置来完成此操作:
keycloak.securityConstraints[1].authRoles[0] = user
keycloak.securityConstraints[1].securityCollections[0].patterns[0] = /*
如果您想使用提供更多灵活性的 Spring Security,请使用 Spring Security adapter相反(是的,您可以使用它 even with Spring Boot altogether )。
关于java - 为什么 Spring Boot 中的 Keycloak 允许(预期未经授权的)用户?,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/61918103/