spring-security: how to add another authorization filter to a URL that is already protected by Keycloak

djmepvbi  posted on 2022-11-11  in  Spring
Follow(0)|Answers(1)|Views(160)

I have a Spring Boot application secured with KeycloakWebSecurityConfigurerAdapter. Now I want to add another (custom) way of authenticating for certain endpoints. So I created a class extending AbstractAuthenticationProcessingFilter and an AuthenticationProvider with their custom logic. Now I want to add the custom filter to the HttpSecurity object in my security configuration with the following call:

http.addFilterBefore(new VendorSessionAuthorizationFilter(), KeycloakAuthenticationProcessingFilter.class);

My understanding is that my custom filter runs first and, depending on its result, the security filter chain continues on to the Keycloak filter. When I test by calling an endpoint, the attemptAuthentication method I implemented in the filter is never reached. I have the feeling that whatever I do in the call to http.addFilterBefore(..., the Keycloak filter is always executed, so there is no way for me to have another authentication method.
Here is the security configuration:

import org.keycloak.adapters.KeycloakConfigResolver;
import org.keycloak.adapters.springboot.KeycloakSpringBootConfigResolver;
import org.keycloak.adapters.springsecurity.authentication.KeycloakAuthenticationProvider;
import org.keycloak.adapters.springsecurity.config.KeycloakWebSecurityConfigurerAdapter;
import org.keycloak.adapters.springsecurity.filter.KeycloakAuthenticatedActionsFilter;
import org.keycloak.adapters.springsecurity.filter.KeycloakAuthenticationProcessingFilter;
import org.keycloak.adapters.springsecurity.filter.KeycloakPreAuthActionsFilter;
import org.keycloak.adapters.springsecurity.filter.KeycloakSecurityContextRequestFilter;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.web.servlet.FilterRegistrationBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.authority.mapping.SimpleAuthorityMapper;
import org.springframework.security.web.authentication.session.NullAuthenticatedSessionStrategy;
import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy;

@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(jsr250Enabled = true, prePostEnabled = true)
public class KeycloakSecurityConfiguration extends KeycloakWebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        super.configure(http);

        // Custom filter placed in front of the Keycloak processing filter
        http.addFilterBefore(new VendorSessionAuthorizationFilter(), KeycloakAuthenticationProcessingFilter.class);
        http.authenticationProvider(new VendorSessionAuthenticationProvider());

        http
                .cors().and()
                .csrf().disable()
                .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                .sessionAuthenticationStrategy(sessionAuthenticationStrategy())
                .and().formLogin().disable()
                .httpBasic().disable()
                .logout().disable()

                .authorizeRequests()
                .anyRequest().authenticated();
    }

    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        KeycloakAuthenticationProvider keycloakAuthenticationProvider = keycloakAuthenticationProvider();
        keycloakAuthenticationProvider.setGrantedAuthoritiesMapper(new SimpleAuthorityMapper());
        auth.authenticationProvider(keycloakAuthenticationProvider);
    }

    @Override
    protected SessionAuthenticationStrategy sessionAuthenticationStrategy() {
        return new NullAuthenticatedSessionStrategy();
    }

    @Bean
    public KeycloakConfigResolver KeycloakConfigResolver() {
        return new KeycloakSpringBootConfigResolver();
    }

    // The Keycloak filters are registered by Spring Security's chain; these beans
    // stop the servlet container from registering them a second time.
    @Bean
    public FilterRegistrationBean keycloakAuthenticationProcessingFilterRegistrationBean(
            KeycloakAuthenticationProcessingFilter filter) {
        FilterRegistrationBean registrationBean = new FilterRegistrationBean(filter);
        registrationBean.setEnabled(false);
        return registrationBean;
    }

    @Bean
    public FilterRegistrationBean keycloakPreAuthActionsFilterRegistrationBean(
            KeycloakPreAuthActionsFilter filter) {
        FilterRegistrationBean registrationBean = new FilterRegistrationBean(filter);
        registrationBean.setEnabled(false);
        return registrationBean;
    }

    @Bean
    public FilterRegistrationBean keycloakAuthenticatedActionsFilterBean(
            KeycloakAuthenticatedActionsFilter filter) {
        FilterRegistrationBean registrationBean = new FilterRegistrationBean(filter);
        registrationBean.setEnabled(false);
        return registrationBean;
    }

    @Bean
    public FilterRegistrationBean keycloakSecurityContextRequestFilterBean(
            KeycloakSecurityContextRequestFilter filter) {
        FilterRegistrationBean registrationBean = new FilterRegistrationBean(filter);
        registrationBean.setEnabled(false);
        return registrationBean;
    }
}
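The question does not show the filter itself, and an AbstractAuthenticationProcessingFilter only calls attemptAuthentication for requests that match the RequestMatcher handed to its constructor, and only delegates usefully when it has been given an AuthenticationManager. The following is an added example, not the asker's code, of what a hypothetical VendorSessionAuthorizationFilter, its token and its AuthenticationProvider can look like when wired so that attemptAuthentication is actually reached. Assumptions: vendor endpoints live under /vendor/**, the session id arrives in an X-Vendor-Session header, and an in-memory map stands in for the real session store.

```java
import java.io.IOException;
import java.util.List;
import java.util.Map;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.authentication.AbstractAuthenticationToken;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;

// Hypothetical filter (added example, not the asker's class).
// Assumption: vendor endpoints live under /vendor/** and carry an X-Vendor-Session header.
public class VendorSessionAuthorizationFilter extends AbstractAuthenticationProcessingFilter {
    static final String SESSION_HEADER = "X-Vendor-Session";

    public VendorSessionAuthorizationFilter(AuthenticationManager authenticationManager) {
        // This matcher decides whether attemptAuthentication runs at all;
        // a non-matching request is handed straight to the next filter.
        super(new AntPathRequestMatcher("/vendor/**"));
        // Without a manager there is nothing for attemptAuthentication to delegate to.
        setAuthenticationManager(authenticationManager);
    }

    @Override
    public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response)
            throws AuthenticationException {
        String sessionId = request.getHeader(SESSION_HEADER);
        if (sessionId == null || sessionId.isBlank()) {
            throw new BadCredentialsException("missing " + SESSION_HEADER + " header");
        }
        // Hand an unauthenticated token to the manager; the provider below validates it.
        return getAuthenticationManager().authenticate(new VendorSessionToken(sessionId));
    }

    @Override
    protected void successfulAuthentication(HttpServletRequest request, HttpServletResponse response,
            FilterChain chain, Authentication authResult) throws IOException, ServletException {
        // Stateless API: publish the result for this request and continue the chain
        // instead of the default redirect to a saved request.
        SecurityContextHolder.getContext().setAuthentication(authResult);
        chain.doFilter(request, response);
    }
}

// Token holding the raw session id (unauthenticated) or the resolved vendor (authenticated).
class VendorSessionToken extends AbstractAuthenticationToken {
    private final String sessionId;
    private final String vendor;

    VendorSessionToken(String sessionId) {
        super(null);
        this.sessionId = sessionId;
        this.vendor = null;
        setAuthenticated(false);
    }

    VendorSessionToken(String vendor, List<GrantedAuthority> authorities) {
        super(authorities);
        this.sessionId = null;
        this.vendor = vendor;
        setAuthenticated(true);
    }

    @Override public Object getCredentials() { return sessionId; }
    @Override public Object getPrincipal() { return vendor; }
}

// Provider validating the session id; the constructed map stands in for the real session store.
class VendorSessionAuthenticationProvider implements AuthenticationProvider {
    private final Map<String, String> sessionToVendor;

    VendorSessionAuthenticationProvider(Map<String, String> sessionToVendor) {
        this.sessionToVendor = sessionToVendor;
    }

    @Override
    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
        String vendor = sessionToVendor.get((String) authentication.getCredentials());
        if (vendor == null) {
            throw new BadCredentialsException("unknown or expired vendor session");
        }
        return new VendorSessionToken(vendor, List.of(new SimpleGrantedAuthority("ROLE_VENDOR")));
    }

    @Override
    public boolean supports(Class<?> authentication) {
        // Only our token type, so the Keycloak provider is never asked about it and vice versa.
        return VendorSessionToken.class.isAssignableFrom(authentication);
    }
}
```

To use this from the adapter shown in the question, the provider would be registered the same way the Keycloak provider already is (auth.authenticationProvider(...) in configureGlobal), and the filter constructed with the adapter's authenticationManagerBean() before being passed to http.addFilterBefore(...). A request to a path outside /vendor/** never enters attemptAuthentication, which is one ordinary reason for the behaviour described above.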
r1zhe5dt 1#

If you want to use an alternative authentication method for certain endpoints, one way is as follows.
In the adapter's configure section you can add an antMatcher and reference a bean's function:

.antMatchers("/your-api-here")
.access("@keycloakSecurityConfiguration.checkSomething()")

Your overall configuration would then look like this (adjust as appropriate):

public class KeycloakSecurityConfiguration extends KeycloakWebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        super.configure(http);

        http.addFilterBefore(new VendorSessionAuthorizationFilter(), KeycloakAuthenticationProcessingFilter.class);
        http.authenticationProvider(new VendorSessionAuthenticationProvider());

        http
                .cors().and()
                .csrf().disable()
                // antMatchers() is a method of the authorizeRequests() registry, not of HttpSecurity
                .authorizeRequests()
                .antMatchers("/your-api-here")
                .access("@keycloakSecurityConfiguration.checkSomething()")

                .....
    }

    // Referenced from the access expression by the configuration class's bean name
    public boolean checkSomething() {

        // your code here
    }
}

Note that this overrides the default Keycloak authentication for that API rather than adding an extra authentication step on top of it.
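A worked version of the bean-reference approach from this answer, as an added example that is not the answerer's code: a hypothetical vendorSessionChecker bean validates a request header, and the access() expression calls it with the request object that Spring Security's web expression root exposes to access() expressions. Assumptions: the paths are /vendor/**, the header is X-Vendor-Session, and the constructed set of session ids stands in for a real store.

```java
import java.util.Set;
import javax.servlet.http.HttpServletRequest;
import org.keycloak.adapters.springsecurity.config.KeycloakWebSecurityConfigurerAdapter;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.stereotype.Component;

// Hypothetical bean (added example). The name in @Component is what the SpEL
// expression "@vendorSessionChecker..." resolves against.
@Component("vendorSessionChecker")
public class VendorSessionChecker {
    static final String SESSION_HEADER = "X-Vendor-Session";

    // Constructed stand-in for a session store; a real one would be injected.
    private final Set<String> validSessions = Set.of("constructed-session-id-1");

    // "request" inside access("...") is the current HttpServletRequest, so the bean
    // can decide on headers alone; the current Authentication may still be anonymous.
    public boolean hasValidSession(HttpServletRequest request) {
        String sessionId = request.getHeader(SESSION_HEADER);
        return sessionId != null && validSessions.contains(sessionId);
    }
}

// The configure() override that uses the bean; all other rules stay as in the question.
class VendorAwareSecurityConfiguration extends KeycloakWebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        super.configure(http);
        http
                .csrf().disable()
                .authorizeRequests()
                // Vendor paths are decided by the bean, not by the Keycloak token
                .antMatchers("/vendor/**").access("@vendorSessionChecker.hasValidSession(request)")
                // Everything else still requires a Keycloak-authenticated caller
                .anyRequest().authenticated();
    }
}
```

Because the expression is evaluated for every caller of /vendor/**, including unauthenticated ones, the bean is the sole gate for those paths, which is exactly the replacement behaviour the note above describes; an invalid or missing header simply yields false and the request is denied.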
