spring-security - spring security oauth2 客户端提供程序颁发​​者-uri 上的自签名证书

标签 spring-security keycloak self-signed-certificate

我正在尝试创建一个可以访问 Keycloak 安全休息服务的 Spring Boot 客户端应用程序示例。

正如几乎所有教程中所描述的,应该定义 spring.security.oauth2.client 。 这是我的:

  security:
    oauth2:
      client:
        registration:
          keycloak:
            client-id: my-id
            client-secret: my-secret
            authorization-grant-type: client_credentials
        provider:
          keycloak:
            issuer-uri: https://myhost/auth/realms/master

但是我在 myhost Keycloak 测试服务器下有自签名证书,所以当应用程序启动时我得到这个:

Caused by: java.lang.IllegalArgumentException: Unable to resolve Configuration with the provided Issuer of "https://myhost/auth/realms/master"
    at org.springframework.security.oauth2.client.registration.ClientRegistrations.getConfiguration(ClientRegistrations.java:177)
    at org.springframework.security.oauth2.client.registration.ClientRegistrations.fromIssuerLocation(ClientRegistrations.java:140)
    at org.springframework.boot.autoconfigure.security.oauth2.client.OAuth2ClientPropertiesRegistrationAdapter.getBuilderFromIssuerIfPossible(OAuth2ClientPropertiesRegistrationAdapter.java:83)
    at org.springframework.boot.autoconfigure.security.oauth2.client.OAuth2ClientPropertiesRegistrationAdapter.getClientRegistration(OAuth2ClientPropertiesRegistrationAdapter.java:59)
    at org.springframework.boot.autoconfigure.security.oauth2.client.OAuth2ClientPropertiesRegistrationAdapter.lambda$getClientRegistrations$0(OAuth2ClientPropertiesRegistrationAdapter.java:53)
    at java.util.HashMap.forEach(HashMap.java:1289)
    at org.springframework.boot.autoconfigure.security.oauth2.client.OAuth2ClientPropertiesRegistrationAdapter.getClientRegistrations(OAuth2ClientPropertiesRegistrationAdapter.java:52)
    at org.springframework.boot.autoconfigure.security.oauth2.client.servlet.OAuth2ClientRegistrationRepositoryConfiguration.clientRegistrationRepository(OAuth2ClientRegistrationRepositoryConfiguration.java:49)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiate(SimpleInstantiationStrategy.java:154)
    ... 74 common frames omitted
Caused by: org.springframework.web.client.ResourceAccessException: I/O error on GET request for "https://myhost/auth/realms/master/.well-known/openid-configuration": sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target; nested exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at org.springframework.web.client.RestTemplate.doExecute(RestTemplate.java:751)
    at org.springframework.web.client.RestTemplate.exchange(RestTemplate.java:654)
    at org.springframework.security.oauth2.client.registration.ClientRegistrations.getConfiguration(ClientRegistrations.java:170)
    ... 86 common frames omitted
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

如何在应用程序启动时禁用证书验证?

最佳答案

当尝试从restapi客户端或任何Web应用程序连接keycloak时,请查看是否遇到如下错误

Caused by: org.springframework.web.client.ResourceAccessException: I/O error on GET request for "https://myhost/auth/realms/master/.well-known/openid-configuration": sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target; nested exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

它试图告诉您证书未添加到 java keystore 中或添加到 keystore 中的证书错误。

由于您在终点中给出了 https,因此必须在 Java keystore 中导入/添加证书。

您必须将证书导入客户端计算机

在客户端计算机中导入证书

 keytool -import -noprompt -trustcacerts -alias "initcert" -file keycloak.cer -keystore "C:\Program Files\Java\jdk1.8.0_152\jre\lib\security\cacerts"

默认情况下 Java keystore 的密码 changeit

关于spring-security - spring security oauth2 客户端提供程序颁发​​者-uri 上的自签名证书,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/60362419/

上一篇:laravel-从下拉菜单中删除重复项

下一篇:vbscript - 在wix中,使用vbscript,如何写入日志文件?

相关文章:

docker - docker中的Grails应用程序,安装spring-security插件?

Grails Spring 安全 : how to undo s2-quickstart

Keycloak CLI : Creating an Identity Provider Mapper

kubernetes - 自签名证书可以用于 kubernetes 验证 webhook 吗?

android - 如何在Android手机中导入带有私钥的自签名certificate.ca?

android - 在 Android 中使用 websocat 连接到 WSS

java - 无法阻止用户使用带有自定义 UserDetail 和 AuthenticationProvider 的 spring security 多次登录

grails - 本地 401 工作,临时服务器得到 302

java - 在 Keycloak 中创建新用户期间未分配客户端角色

openid-connect - Keycloak:在 JSON 中获取授权码?

©2024 IT工具网  联系我们