I am trying to reproduce an example that uses Keycloak. I use an adapter to connect to Keycloak.
Below is the application code:
    import org.keycloak.adapters.KeycloakConfigResolver;
    import org.keycloak.adapters.springboot.KeycloakSpringBootConfigResolver;
    import org.keycloak.adapters.springsecurity.KeycloakConfiguration;
    import org.keycloak.adapters.springsecurity.authentication.KeycloakAuthenticationProvider;
    import org.keycloak.adapters.springsecurity.config.KeycloakWebSecurityConfigurerAdapter;
    import org.springframework.beans.factory.annotation.Autowired;
    import org.springframework.context.annotation.Bean;
    import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
    import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.core.authority.mapping.SimpleAuthorityMapper;
    import org.springframework.security.web.authentication.session.NullAuthenticatedSessionStrategy;
    import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy;

    @KeycloakConfiguration
    @EnableGlobalMethodSecurity(prePostEnabled = true)
    public class WebSecurityConfig extends KeycloakWebSecurityConfigurerAdapter {

        // Stateless: do not register authenticated Keycloak sessions
        @Override
        protected SessionAuthenticationStrategy sessionAuthenticationStrategy() {
            return new NullAuthenticatedSessionStrategy();
        }

        // Map Keycloak roles to Spring authorities with the ROLE_ prefix so hasRole('X') matches
        @Autowired
        public void configureGlobal(AuthenticationManagerBuilder authManagerBuilder) {
            KeycloakAuthenticationProvider keycloakAuthenticationProvider = keycloakAuthenticationProvider();
            keycloakAuthenticationProvider.setGrantedAuthoritiesMapper(new SimpleAuthorityMapper());
            authManagerBuilder.authenticationProvider(keycloakAuthenticationProvider);
        }

        // Read the adapter configuration from application.yml instead of keycloak.json
        @Bean
        public KeycloakConfigResolver keycloakConfigResolver() {
            return new KeycloakSpringBootConfigResolver();
        }

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            super.configure(http);
            http
                .authorizeRequests()
                .antMatchers("/api/anonymous/**").permitAll()
                .anyRequest().fullyAuthenticated();
        }
    }
Controller:
    import org.springframework.security.access.prepost.PreAuthorize;
    import org.springframework.web.bind.annotation.GetMapping;
    import org.springframework.web.bind.annotation.RequestMapping;
    import org.springframework.web.bind.annotation.RestController;

    @RestController
    @RequestMapping("/api")
    public class SampleController {

        // Requires the USER role (authority ROLE_USER after mapping)
        @GetMapping("/user")
        @PreAuthorize("hasRole('USER')")
        public String getUserInfo() {
            return "user info";
        }

        // Requires the ADMIN role (authority ROLE_ADMIN after mapping)
        @GetMapping("/admin")
        @PreAuthorize("hasRole('ADMIN')")
        public String getAdminInfo() {
            return "admin info";
        }
    }
These are the Spring settings (application.yml):
    server:
      port: ${SERVER_PORT:11002}
    spring:
      application.name: ${APPLICATION_NAME:spring-security-keycloak}
    keycloak:
      auth-server-url: http://10.15.68.8:8484/auth
      realm: first-test
      resource: first-login
      public-client: true
pom.xml:
    <?xml version="1.0" encoding="UTF-8"?>
    <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
        <modelVersion>4.0.0</modelVersion>
        <parent>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-parent</artifactId>
            <version>2.3.9.RELEASE</version>
            <relativePath /> <!-- lookup parent from repository -->
        </parent>
        <groupId>org.akazakov.keycloak</groupId>
        <artifactId>demo-keycloak-adapter</artifactId>
        <version>0.0.1-SNAPSHOT</version>
        <name>Demo Keycloak Adapter</name>
        <description>Demo project for Spring Boot and Keycloak</description>
        <properties>
            <java.version>11</java.version>
        </properties>
        <dependencyManagement>
            <dependencies>
                <dependency>
                    <groupId>org.keycloak.bom</groupId>
                    <artifactId>keycloak-adapter-bom</artifactId>
                    <version>12.0.3</version>
                    <type>pom</type>
                    <scope>import</scope>
                </dependency>
            </dependencies>
        </dependencyManagement>
        <dependencies>
            <dependency>
                <groupId>org.springframework.boot</groupId>
                <artifactId>spring-boot-starter-security</artifactId>
            </dependency>
            <dependency>
                <groupId>org.springframework.boot</groupId>
                <artifactId>spring-boot-starter-web</artifactId>
            </dependency>
            <dependency>
                <groupId>org.keycloak</groupId>
                <artifactId>keycloak-spring-boot-starter</artifactId>
            </dependency>
            <dependency>
                <groupId>org.springframework.boot</groupId>
                <artifactId>spring-boot-starter-test</artifactId>
                <scope>test</scope>
            </dependency>
            <dependency>
                <groupId>org.springframework.security</groupId>
                <artifactId>spring-security-test</artifactId>
                <scope>test</scope>
            </dependency>
        </dependencies>
    </project>
Keycloak itself is started in Docker at http://10.15.68.8:8484
When I open the page
http://localhost:11002/api/admin
in the browser, instead of
http://10.15.68.8:8484/auth
I land on
http://localhost:11002/sso/login
and the result is a loop, i.e. there is a constant redirect to that address.
And in the Spring application, each such redirect causes an error/crash:
2022-09-28 16:09:53.661 ERROR 74584 --- [io-11002-exec-7] o.a.c.c.C.[Tomcat].[localhost] : Exception Processing /sso/login
java.lang.NoClassDefFoundError: java/security/acl/Group
at org.keycloak.adapters.tomcat.KeycloakAuthenticatorValve.createPrincipalFactory(KeycloakAuthenticatorValve.java:96) ~[spring-boot-container-bundle-12.0.3.jar:12.0.3]
at org.keycloak.adapters.tomcat.AbstractKeycloakAuthenticatorValve.createSessionTokenStore(AbstractKeycloakAuthenticatorValve.java:262) ~[spring-boot-container-bundle-12.0.3.jar:12.0.3]
at org.keycloak.adapters.tomcat.AbstractKeycloakAuthenticatorValve.getTokenStore(AbstractKeycloakAuthenticatorValve.java:251) ~[spring-boot-container-bundle-12.0.3.jar:12.0.3]
at org.keycloak.adapters.tomcat.KeycloakAuthenticatorValve.getTokenStore(KeycloakAuthenticatorValve.java:106) ~[spring-boot-container-bundle-12.0.3.jar:12.0.3]
at org.keycloak.adapters.tomcat.AbstractKeycloakAuthenticatorValve.checkKeycloakSession(AbstractKeycloakAuthenticatorValve.java:228) ~[spring-boot-container-bundle-12.0.3.jar:12.0.3]
at org.keycloak.adapters.tomcat.AbstractKeycloakAuthenticatorValve.invoke(AbstractKeycloakAuthenticatorValve.java:180) ~[spring-boot-container-bundle-12.0.3.jar:12.0.3]
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:143) ~[tomcat-embed-core-9.0.43.jar:9.0.43]
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92) ~[tomcat-embed-core-9.0.43.jar:9.0.43]
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:78) ~[tomcat-embed-core-9.0.43.jar:9.0.43]
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:346) ~[tomcat-embed-core-9.0.43.jar:9.0.43]
at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:374) ~[tomcat-embed-core-9.0.43.jar:9.0.43]
at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65) ~[tomcat-embed-core-9.0.43.jar:9.0.43]
at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:887) ~[tomcat-embed-core-9.0.43.jar:9.0.43]
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1684) ~[tomcat-embed-core-9.0.43.jar:9.0.43]
at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49) ~[tomcat-embed-core-9.0.43.jar:9.0.43]
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1130) ~[na:na]
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:630) ~[na:na]
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) ~[tomcat-embed-core-9.0.43.jar:9.0.43]
at java.base/java.lang.Thread.run(Thread.java:832) ~[na:na]
Caused by: java.lang.ClassNotFoundException: java.security.acl.Group
at java.base/jdk.internal.loader.BuiltinClassLoader.loadClass(BuiltinClassLoader.java:602) ~[na:na]
at java.base/jdk.internal.loader.ClassLoaders$AppClassLoader.loadClass(ClassLoaders.java:178) ~[na:na]
at java.base/java.lang.ClassLoader.loadClass(ClassLoader.java:522) ~[na:na]
... 19 common frames omitted
1 answer
Don't use Spring's Keycloak adapter. It is (very) deprecated. Use spring-boot-starter-oauth2-resource-server instead. See here how. Your @RestControllers form a resource server. From the OAuth2 resource server's point of view, a request that carries a Bearer Authorization header is a request that has been authorized. But that's not important: put login, logout, access-token acquisition and refresh, etc. in the client. Pick an OpenID library for your client framework to do that (or use Postman for testing; Postman has built-in tooling for obtaining OAuth2 access tokens).
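A worked version of what the answer recommends, added here as an example and not part of the question or the answer. Two facts worth knowing first: the class in the stack trace, java.security.acl.Group, was removed from the JDK in Java 14, so the Keycloak 12 adapter cannot work on a runtime newer than that regardless of the pom's java.version of 11; and the answer's point is that a bearer-token API should not have a login redirect at all, which is what makes the /sso/login loop disappear. The example assumes Spring Boot 2.7 (Spring Security 5.7) with spring-boot-starter-oauth2-resource-server replacing keycloak-spring-boot-starter in the pom; it keeps the question's /api/anonymous/** rule and the controller's hasRole('USER') / hasRole('ADMIN') checks, and the realm_access.roles claim layout is Keycloak's default for realm roles. The realm issuer URL is derived from the auth-server-url and realm in the question; plain HTTP to the issuer is acceptable only in a lab.

```java
import java.util.Collection;
import java.util.List;
import java.util.Map;
import java.util.stream.Collectors;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationConverter;
import org.springframework.security.web.SecurityFilterChain;

// Example resource-server configuration (assumed Spring Boot 2.7 / Spring Security 5.7).
// application.yml needs only the realm issuer; Spring discovers the JWKS from it and
// validates signature, issuer and expiry of every incoming access token:
//
//   spring:
//     security:
//       oauth2:
//         resourceserver:
//           jwt:
//             issuer-uri: http://10.15.68.8:8484/auth/realms/first-test
//
// The keycloak.* block and the KeycloakWebSecurityConfigurerAdapter class from the
// question are removed entirely; this class replaces them.
@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true) // keeps the controller's @PreAuthorize working
public class ResourceServerConfig {

    @Bean
    SecurityFilterChain apiFilterChain(HttpSecurity http) throws Exception {
        // Turn the token's realm roles into ROLE_* authorities (see realmRoles below)
        JwtAuthenticationConverter converter = new JwtAuthenticationConverter();
        converter.setJwtGrantedAuthoritiesConverter(ResourceServerConfig::realmRoles);

        http
            // No HTTP session: each request authenticates with its own bearer token,
            // so there is no login page and nothing to redirect to.
            .sessionManagement(s -> s.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            // CSRF protection guards cookie-based sessions; with no session cookie it
            // only gets in the way of non-browser clients.
            .csrf(csrf -> csrf.disable())
            .authorizeRequests(auth -> auth
                .antMatchers("/api/anonymous/**").permitAll()
                .anyRequest().authenticated())
            // Missing/invalid token -> 401 with a WWW-Authenticate: Bearer header;
            // valid token but missing role -> 403 from @PreAuthorize.
            .oauth2ResourceServer(oauth2 -> oauth2.jwt(jwt -> jwt.jwtAuthenticationConverter(converter)));
        return http.build();
    }

    // Keycloak places realm roles under the "realm_access": {"roles": [...]} claim.
    // Prefixing with ROLE_ makes hasRole('ADMIN') match the Keycloak role "ADMIN".
    // Tokens without the claim simply carry no authorities instead of failing.
    static Collection<GrantedAuthority> realmRoles(Jwt jwt) {
        Map<String, Object> realmAccess = jwt.getClaimAsMap("realm_access");
        if (realmAccess == null) {
            return List.of();
        }
        Object roles = realmAccess.get("roles");
        if (!(roles instanceof Collection)) {
            return List.of();
        }
        return ((Collection<?>) roles).stream()
            .map(r -> (GrantedAuthority) new SimpleGrantedAuthority("ROLE_" + r))
            .collect(Collectors.toList());
    }
}
```

To check the result, obtain an access token for a user that has the ADMIN realm role (Postman's OAuth2 helper or any OpenID client library, as the answer says) and call http://localhost:11002/api/admin with Authorization: Bearer <token>; the same call without a token should return 401 rather than a redirect, and a token for a user with only the USER role should return 403. Note that with this design the Keycloak client "first-login" in the question is no longer configured in the Spring application at all; it belongs to the front-end client that performs the login.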