Keycloak策略实施器不与示例Sprint Boot 应用程序一起工作。
我正在使用Keycloak版本6.0.1,并尝试集成一个示例Sprint Boot 应用程序(Sprint启动版本2.1.3)。我的目标是在Keycloak中设置策略和权限,并在示例Spring启动应用程序中使用Keycloak策略实施器,以便使用Keycloak中定义的适当权限自动实施所有授权决策,并且在示例应用程序中不需要任何代码。
我的示例spring Boot 应用程序只打印内存中List的用户列表:
public class JPAUserResource {
@Autowired
private UserRepository userRepo;
@GetMapping(path = "/jpausers")
public List<JPAUser> retrieveAllUsers() {
return userRepo.findAll();
}
}我的application.properties文件包含以下内容:
server.port=38080
spring.jpa.show-sql=true
spring.h2.console.enabled=true
logging.level.org.springframework.security=DEBUG
logging.level.org.keycloak.adapters.authorization=DEBUG
#Keycloak Configuration
keycloak.auth-server-url=http://192.168.154.190:18180/auth
keycloak.realm=master
keycloak.resource=login-app
keycloak.principal-attribute=preferred_username
keycloak.credentials.secret=195925d6-b258-407d-a65d-f1fd12d7a876
keycloak.policy-enforcer-config.enforcement-mode=enforcing
keycloak.realm-key=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAjyYRe6LxBxO9hVtr4ScsMCBp3aPE9qbJLptPIMQCZR6JhVhOxA1kxhRmVYHXR5pdwiQWU8MriRhAY1JGniG6GNS1+BL+JaUiaGxov4rpD2SIMdrs8YjjSoD3Z8wvsMAopzWG48i9T/ppNaqKTkDZHbHAXOYJn+lymQ4EqpQrJ1Uh+SUA8XcLvWUQ12ty9BieujudWhnAgQ4zxyJY3I8sZwjaRIxndzSlyPJo45lWzXkpqcl92eU/Max7LRM4WKqsUvu86DgqlXbJcz8T+GUeF30ONQDSLX9rwNIT4ZiCVMT7x6YfKXZW6jxC0UiXxZuT23xk8A9iCP4rC9xo1NfGTwIDAQAB
keycloak.policy-enforcer-config.paths[0].path=/jpausers
keycloak.policy-enforcer-config.paths[0].methods[0].method=GET我的Keycloak授权设置如下:
{
"allowRemoteResourceManagement": true,
"policyEnforcementMode": "ENFORCING",
"resources": [
{
"name": "Default Resource",
"type": "urn:login-app:resources:default",
"ownerManagedAccess": false,
"attributes": {},
"_id": "501febc8-f3e1-411f-aecf-376b4786c24e",
"uris": [
"/*"
]
},
{
"name": "jpausers",
"ownerManagedAccess": false,
"displayName": "jpausers",
"attributes": {},
"_id": "a8f691db-39ef-4b2c-80fb-37224e270f1e",
"uris": [
"/jpausers"
],
"scopes": [
{
"name": "GET"
},
{
"name": "POST"
}
]
}
],
"policies": [
{
"id": "94518189-3794-451c-9996-eec22543d802",
"name": "Default Policy",
"description": "A policy that grants access only for users within this realm",
"type": "js",
"logic": "POSITIVE",
"decisionStrategy": "AFFIRMATIVE",
"config": {
"code": "// by default, grants any permission associated with this policy\n$evaluation.grant();\n"
}
},
{
"id": "0242cf72-365d-49ae-8d5b-4ced24736f24",
"name": "test_jpa",
"type": "role",
"logic": "POSITIVE",
"decisionStrategy": "UNANIMOUS",
"config": {
"roles": "[{\"id\":\"jpa\",\"required\":false}]"
}
},
{
"id": "5c34e2b4-a56a-45f9-a1cc-94788bcb41b0",
"name": "test_perm1",
"type": "resource",
"logic": "POSITIVE",
"decisionStrategy": "UNANIMOUS",
"config": {
"resources": "[\"jpausers\"]",
"applyPolicies": "[\"test_jpa\"]"
}
}
],
"scopes": [
{
"id": "4ee351e6-7095-453a-a4f4-badbc9ec1ba0",
"name": "GET",
"displayName": "GET"
},
{
"id": "9119aab2-75a0-49d1-a076-8d9210c3e457",
"name": "POST",
"displayName": "POST"
}
]
}当我向Rest API“/jpausers”发送请求时,请求失败,控制台上显示以下消息:
*19:17:52.044 [http-nio-38080-exec-1] INFO o.k.a.authorization.PolicyEnforcer - Paths provided in configuration.
19:17:52.045 [http-nio-38080-exec-1] DEBUG o.k.a.authorization.PolicyEnforcer - Trying to find resource with uri [/jpausers] for path [/jpausers].
19:17:52.151 [http-nio-38080-exec-1] DEBUG o.k.a.authorization.PolicyEnforcer - Initialization complete. Path configurations:
19:17:52.151 [http-nio-38080-exec-1] DEBUG o.k.a.authorization.PolicyEnforcer - PathConfig{name='null', type='null', path='/jpausers', scopes=[], id='a8f691db-39ef-4b2c-80fb-37224e270f1e', enforcerMode='ENFORCING'}
19:17:52.154 [http-nio-38080-exec-1] DEBUG o.k.a.authorization.PolicyEnforcer - Policy enforcement is enabled. Enforcing policy decisions for path [http://192.168.109.97:38080/jpausers].
19:17:52.156 [http-nio-38080-exec-1] DEBUG o.k.a.a.KeycloakAdapterPolicyEnforcer - Sending challenge
19:17:52.157 [http-nio-38080-exec-1] DEBUG o.k.a.authorization.PolicyEnforcer - Policy enforcement result for path [http://192.168.109.97:38080/jpausers] is : DENIED
19:17:52.157 [http-nio-38080-exec-1] DEBUG o.k.a.authorization.PolicyEnforcer - Returning authorization context with permissions:*UMA授权已禁用。我首先使用具有密码凭据授予类型的Openid Connect令牌API检索访问令牌,然后我尝试使用访问令牌访问我的Rest API“/jpausers”。
有人能帮助解决这个问题吗?我如何解决这个问题?我必须启用UMA才能使策略实施器工作吗?
4条答案
按热度按时间xt0899hw1#
通过快速浏览,我可以看到您在
application.properties中的Map并不完整,您还没有将HTTP方法Map到您在keycloak中配置的作用域。dffbzjpn2#
我认为您缺少密钥罩。安全约束[0]。安全集合[0]。名称= jpausers
0wi1tuuw3#
我有同样的问题,我能够解决它与类似的设置在我的应用程序属性yaml文件,如下所示:
bxgwgixi4#
它在Keycloak 19.0.1上对我有效