I am using Keycloak in the WebSecurityConfigurerAdapter below. If the URL does not match a specific path, Keycloak should be bypassed; in my case everything except "/payment/**" should bypass it, and only "/payment/**" should use Keycloak.
```java
@Bean
@Override
@Primary
public KeycloakAuthenticationProcessingFilter keycloakAuthenticationProcessingFilter() throws Exception {
    // AntPathRequestMatcher already implements RequestMatcher; RequestMatcher is an
    // interface and cannot be instantiated, so it is passed directly.
    KeycloakAuthenticationProcessingFilter filter = new KeycloakAuthenticationProcessingFilter(
            authenticationManagerBean(),
            new AntPathRequestMatcher("/payment/**"));
    filter.setSessionAuthenticationStrategy(sessionAuthenticationStrategy());
    return filter;
}

@Override
protected void configure(HttpSecurity http) throws Exception {
    super.configure(http);
    http.csrf().disable().cors().and().sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
    // Specific matchers must be declared before anyRequest(); Spring Security rejects
    // antMatchers() placed after anyRequest().
    http.authorizeRequests()
            .antMatchers("/payment/**").authenticated()
            .anyRequest().permitAll();
    http.headers().addHeaderWriter(new StaticHeadersWriter("X-Content-Security-Policy", "script-src 'self'"));
}
```
Actual behaviour: if I hit a @GET request on /public/** with a bearer token (only when a bearer token is present, because I have other requests that carry a bearer token), it gives me the following error:

ERROR o.k.a.rotation.AdapterTokenVerifier : Didn't find publicKey for kid: RVH0bfDX6ZPkFkVBvCl5zV2BVPGMtvbhenA6dh9IDxs

Expected: Keycloak should not be invoked at all unless the request is for /payment/**.

Tried: every possible way of negating (/payment/**) or of accepting only (/payment/**) in the request filter. Still, whenever it sees an Authorization header it goes to Keycloak for any request or path.

Stack trace:
```text
2021-03-30 15:56:37.298 DEBUG 67688 --- [ XNIO-1 task-1] o.k.adapters.PreAuthActionsHandler : adminRequest http://localhost:9090/api/public/orders/94
2021-03-30 15:56:37.299 DEBUG 67688 --- [ XNIO-1 task-1] o.k.adapters.PreAuthActionsHandler : adminRequest http://localhost:9090/api/public/orders/94
2021-03-30 15:56:37.309 DEBUG 67688 --- [ XNIO-1 task-1] o.k.a.BearerTokenRequestAuthenticator : Found [1] values in authorization header, selecting the first value for Bearer.
2021-03-30 15:56:37.309 DEBUG 67688 --- [ XNIO-1 task-1] o.k.a.BearerTokenRequestAuthenticator : Verifying access_token
2021-03-30 15:56:37.318 DEBUG 67688 --- [ XNIO-1 task-1] o.keycloak.adapters.KeycloakDeployment : Resolving URLs from https://keycloak-dev.deviceapi.com/auth/realms/admin/.well-known/openid-configuration
2021-03-30 15:56:38.018 INFO 67688 --- [ XNIO-1 task-1] o.keycloak.adapters.KeycloakDeployment : Loaded URLs from https://keycloak-dev.deviceapi.com/auth/realms/admin/.well-known/openid-configuration
2021-03-30 15:56:38.128 DEBUG 67688 --- [ XNIO-1 task-1] o.k.a.rotation.JWKPublicKeyLocator : Realm public keys successfully retrieved for client DEVICE-PROJECT-EVENT. New kids: [yUDSD-1WHU4B07pkSQZTfA7_XPGu4jeUdAZKPTBJT98]
2021-03-30 15:56:38.128 ERROR 67688 --- [ XNIO-1 task-1] o.k.a.rotation.AdapterTokenVerifier : Didn't find publicKey for kid: RVH0bfDX6ZPkFkVBvCl5zV2BVPGMtvbhenA6dh9IDxs
2021-03-30 15:56:38.128 DEBUG 67688 --- [ XNIO-1 task-1] o.k.a.BearerTokenRequestAuthenticator : Failed to verify token
2021-03-30 15:56:38.130 DEBUG 67688 --- [ XNIO-1 task-1] o.k.adapters.RequestAuthenticator : Bearer FAILED
```
Why does Keycloak take the value from the Authorization header, when the request should be bypassed because it is not /payment/**?

"Found [1] values in authorization header, selecting the first value for Bearer."

Findings: the request fails in org.keycloak.adapters.BearerTokenRequestAuthenticator.authenticate(...) although it should not, because the request is for /public/** (with an Authorization header) and not /payment/**.

Is there a way to configure Keycloak so that it only accepts (/payment/**) requests with an authorization token and ignores the rest?
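Added example (not the poster's code) of the configuration described in the question as one compiling Spring Boot class: it restricts the Keycloak adapter's processing filter to /payment/**, orders the antMatchers rule before anyRequest() as Spring Security requires, and disables Spring Boot's automatic servlet registration of the filter @Bean, which would otherwise run the filter for every URL outside the security chain and its matcher. The class name, the use of keycloak-spring-boot-starter with KeycloakWebSecurityConfigurerAdapter, and the stateless session strategy are assumptions.

```java
import org.keycloak.adapters.springsecurity.KeycloakConfiguration;
import org.keycloak.adapters.springsecurity.config.KeycloakWebSecurityConfigurerAdapter;
import org.keycloak.adapters.springsecurity.filter.KeycloakAuthenticationProcessingFilter;
import org.springframework.boot.web.servlet.FilterRegistrationBean;
import org.springframework.context.annotation.Bean;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.authentication.session.NullAuthenticatedSessionStrategy;
import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;

@KeycloakConfiguration
public class PaymentOnlyKeycloakConfig extends KeycloakWebSecurityConfigurerAdapter { // hypothetical class name
    // Only requests under /payment/** reach the Keycloak bearer-token filter.
    private static final AntPathRequestMatcher PAYMENT = new AntPathRequestMatcher("/payment/**");

    @Override
    protected SessionAuthenticationStrategy sessionAuthenticationStrategy() {
        // Bearer-only API (assumption): never create a server-side session for the token.
        return new NullAuthenticatedSessionStrategy();
    }

    @Bean
    @Override
    protected KeycloakAuthenticationProcessingFilter keycloakAuthenticationProcessingFilter() throws Exception {
        // Replaces the adapter's default matcher, which fires on ANY request carrying an Authorization header.
        KeycloakAuthenticationProcessingFilter filter =
                new KeycloakAuthenticationProcessingFilter(authenticationManagerBean(), PAYMENT);
        filter.setSessionAuthenticationStrategy(sessionAuthenticationStrategy());
        return filter;
    }

    @Bean
    public FilterRegistrationBean<KeycloakAuthenticationProcessingFilter> keycloakFilterRegistration(
            KeycloakAuthenticationProcessingFilter filter) {
        // Spring Boot registers every Filter @Bean as a servlet filter for all URLs, outside the
        // security chain and its matcher; disabling that keeps the filter on /payment/** only.
        FilterRegistrationBean<KeycloakAuthenticationProcessingFilter> reg = new FilterRegistrationBean<>(filter);
        reg.setEnabled(false);
        return reg;
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        super.configure(http); // installs the Keycloak filters built by the overridden factory methods above
        http.csrf().disable()
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()
            .authorizeRequests()
                .antMatchers("/payment/**").authenticated() // specific rules must precede anyRequest()
                .anyRequest().permitAll();
    }
}
```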