spring-security Sping Boot 上的客户端未切换到Keylock进行授权

yh2wf1be  于 2022-11-11  发布在  Spring
关注(0)|答案(1)|浏览(196)

我试图重现一个使用Keylock的例子。我使用一个适配器连接到Keycloak。
下面是应用程序代码

@KeycloakConfiguration
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class WebSecurityConfig extends KeycloakWebSecurityConfigurerAdapter {

    @Override
    protected SessionAuthenticationStrategy sessionAuthenticationStrategy() {
        return new NullAuthenticatedSessionStrategy();
    }

    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder authManagerBuilder) {
        KeycloakAuthenticationProvider keycloakAuthenticationProvider = keycloakAuthenticationProvider();
        keycloakAuthenticationProvider.setGrantedAuthoritiesMapper(new SimpleAuthorityMapper());
        authManagerBuilder.authenticationProvider(keycloakAuthenticationProvider);
    }

    @Bean
    public KeycloakConfigResolver keycloakConfigResolver() {
        return new KeycloakSpringBootConfigResolver();
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        super.configure(http);
        http
                .authorizeRequests()
                .antMatchers("/api/anonymous/**").permitAll()
                .anyRequest().fullyAuthenticated();
    }
}

控制器

@RestController
@RequestMapping("/api")
public class SampleController {

    @GetMapping("/user")
    @PreAuthorize("hasRole('USER')")
    public String getUserInfo() {
        return "user info";
    }

    @GetMapping("/admin")
    @PreAuthorize("hasRole('ADMIN')")
    public String getAdminInfo() {
        return "admin info";
    }
}

这些是Spring设置

server:
  port: ${SERVER_PORT:11002}
spring: 
  application.name: ${APPLICATION_NAME:spring-security-keycloak}
keycloak:
  auth-server-url: http://10.15.68.8:8484/auth
  realm: first-test
  resource: first-login
  public-client: true

pom.xml

<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>
    <parent>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-parent</artifactId>
        <version>2.3.9.RELEASE</version>
        <relativePath /> <!-- lookup parent from repository -->
    </parent>
    <groupId>org.akazakov.keycloak</groupId>
    <artifactId>demo-keycloak-adapter</artifactId>
    <version>0.0.1-SNAPSHOT</version>
    <name>Demo Keycloak Adapter</name>
    <description>Demo project for Spring Boot and Keycloak</description>
    <properties>
        <java.version>11</java.version>
    </properties>
    <dependencyManagement>
        <dependencies>
            <dependency>
                <groupId>org.keycloak.bom</groupId>
                <artifactId>keycloak-adapter-bom</artifactId>
                <version>12.0.3</version>
                <type>pom</type>
                <scope>import</scope>
            </dependency>
        </dependencies>
    </dependencyManagement>
    <dependencies>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-security</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-web</artifactId>
        </dependency>
        <dependency>
            <groupId>org.keycloak</groupId>
            <artifactId>keycloak-spring-boot-starter</artifactId>
        </dependency>

        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-test</artifactId>
            <scope>test</scope>
        </dependency>
        <dependency>
            <groupId>org.springframework.security</groupId>
            <artifactId>spring-security-test</artifactId>
            <scope>test</scope>
        </dependency>

    </dependencies>
</project>

Keycloak本身在Docker中启动,地址为http://10.15.68.8:8484
在浏览器中打开页面

http://localhost:11002/api/admin

而不是

http://10.15.68.8:8484/auth

我上车

http://localhost:11002/sso/login

而且,结果是循环的,即,存在到该地址的恒定转变。
而在Spring应用程序中,每次这样的转换都会导致错误崩溃

2022-09-28 16:09:53.661 ERROR 74584 --- [io-11002-exec-7] o.a.c.c.C.[Tomcat].[localhost]           : Exception Processing /sso/login

java.lang.NoClassDefFoundError: java/security/acl/Group
    at org.keycloak.adapters.tomcat.KeycloakAuthenticatorValve.createPrincipalFactory(KeycloakAuthenticatorValve.java:96) ~[spring-boot-container-bundle-12.0.3.jar:12.0.3]
    at org.keycloak.adapters.tomcat.AbstractKeycloakAuthenticatorValve.createSessionTokenStore(AbstractKeycloakAuthenticatorValve.java:262) ~[spring-boot-container-bundle-12.0.3.jar:12.0.3]
    at org.keycloak.adapters.tomcat.AbstractKeycloakAuthenticatorValve.getTokenStore(AbstractKeycloakAuthenticatorValve.java:251) ~[spring-boot-container-bundle-12.0.3.jar:12.0.3]
    at org.keycloak.adapters.tomcat.KeycloakAuthenticatorValve.getTokenStore(KeycloakAuthenticatorValve.java:106) ~[spring-boot-container-bundle-12.0.3.jar:12.0.3]
    at org.keycloak.adapters.tomcat.AbstractKeycloakAuthenticatorValve.checkKeycloakSession(AbstractKeycloakAuthenticatorValve.java:228) ~[spring-boot-container-bundle-12.0.3.jar:12.0.3]
    at org.keycloak.adapters.tomcat.AbstractKeycloakAuthenticatorValve.invoke(AbstractKeycloakAuthenticatorValve.java:180) ~[spring-boot-container-bundle-12.0.3.jar:12.0.3]
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:143) ~[tomcat-embed-core-9.0.43.jar:9.0.43]
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92) ~[tomcat-embed-core-9.0.43.jar:9.0.43]
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:78) ~[tomcat-embed-core-9.0.43.jar:9.0.43]
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:346) ~[tomcat-embed-core-9.0.43.jar:9.0.43]
    at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:374) ~[tomcat-embed-core-9.0.43.jar:9.0.43]
    at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65) ~[tomcat-embed-core-9.0.43.jar:9.0.43]
    at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:887) ~[tomcat-embed-core-9.0.43.jar:9.0.43]
    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1684) ~[tomcat-embed-core-9.0.43.jar:9.0.43]
    at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49) ~[tomcat-embed-core-9.0.43.jar:9.0.43]
    at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1130) ~[na:na]
    at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:630) ~[na:na]
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) ~[tomcat-embed-core-9.0.43.jar:9.0.43]
    at java.base/java.lang.Thread.run(Thread.java:832) ~[na:na]
Caused by: java.lang.ClassNotFoundException: java.security.acl.Group
    at java.base/jdk.internal.loader.BuiltinClassLoader.loadClass(BuiltinClassLoader.java:602) ~[na:na]
    at java.base/jdk.internal.loader.ClassLoaders$AppClassLoader.loadClass(ClassLoaders.java:178) ~[na:na]
    at java.base/java.lang.ClassLoader.loadClass(ClassLoader.java:522) ~[na:na]
    ... 19 common frames omitted
w80xi6nr

w80xi6nr1#

不要使用Spring的Keycloak配接器. It is (very) deprecated。请改用spring-boot-starter-oauth2-resource-serverSee here how

您的@RestControllers表单资源服务器。从OAuth2资源服务器的观点来看,当要求具有Bearer Authorization信头时,即表示要求已获得受权。但这并不重要:

  • 哪个已接受的授权服务器颁发了该令牌(在多租户情况下)
  • 令牌是如何获得的:
  • 使用授权代码流(可能涉及多因素身份验证)对用户进行授权
  • 使用客户端凭据流对程序进行身份验证
  • 甚至可以用设备流对设备进行授权。

在客户端中放置登录、注销、访问令牌获取和刷新等。为您的客户端框架选择一个OpenID库来完成这些操作(或者使用Postman进行测试,Postman集成了用于获取OAuth2访问令牌的工具)。

相关问题