Spring Boot 如何将Keycloak Policy Enforcer与Sping Boot 应用程序配合使用

1u4esq0p  于 2023-02-08  发布在  Spring
关注(0)|答案(4)|浏览(141)

Keycloak策略实施器不与示例Sprint Boot 应用程序一起工作。
我正在使用Keycloak版本6.0.1,并尝试集成一个示例Sprint Boot 应用程序(Sprint启动版本2.1.3)。我的目标是在Keycloak中设置策略和权限,并在示例Spring启动应用程序中使用Keycloak策略实施器,以便使用Keycloak中定义的适当权限自动实施所有授权决策,并且在示例应用程序中不需要任何代码。
我的示例spring Boot 应用程序只打印内存中List的用户列表:

public class JPAUserResource {

    @Autowired
    private UserRepository userRepo;

    @GetMapping(path = "/jpausers")
    public List<JPAUser> retrieveAllUsers() {
        return userRepo.findAll();
    }
}

我的application.properties文件包含以下内容:

server.port=38080
spring.jpa.show-sql=true
spring.h2.console.enabled=true
logging.level.org.springframework.security=DEBUG
logging.level.org.keycloak.adapters.authorization=DEBUG
#Keycloak Configuration
keycloak.auth-server-url=http://192.168.154.190:18180/auth
keycloak.realm=master
keycloak.resource=login-app
keycloak.principal-attribute=preferred_username
keycloak.credentials.secret=195925d6-b258-407d-a65d-f1fd12d7a876
keycloak.policy-enforcer-config.enforcement-mode=enforcing
keycloak.realm-key=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAjyYRe6LxBxO9hVtr4ScsMCBp3aPE9qbJLptPIMQCZR6JhVhOxA1kxhRmVYHXR5pdwiQWU8MriRhAY1JGniG6GNS1+BL+JaUiaGxov4rpD2SIMdrs8YjjSoD3Z8wvsMAopzWG48i9T/ppNaqKTkDZHbHAXOYJn+lymQ4EqpQrJ1Uh+SUA8XcLvWUQ12ty9BieujudWhnAgQ4zxyJY3I8sZwjaRIxndzSlyPJo45lWzXkpqcl92eU/Max7LRM4WKqsUvu86DgqlXbJcz8T+GUeF30ONQDSLX9rwNIT4ZiCVMT7x6YfKXZW6jxC0UiXxZuT23xk8A9iCP4rC9xo1NfGTwIDAQAB
keycloak.policy-enforcer-config.paths[0].path=/jpausers
keycloak.policy-enforcer-config.paths[0].methods[0].method=GET

我的Keycloak授权设置如下:

{
  "allowRemoteResourceManagement": true,
  "policyEnforcementMode": "ENFORCING",
  "resources": [
    {
      "name": "Default Resource",
      "type": "urn:login-app:resources:default",
      "ownerManagedAccess": false,
      "attributes": {},
      "_id": "501febc8-f3e1-411f-aecf-376b4786c24e",
      "uris": [
        "/*"
      ]
    },
    {
      "name": "jpausers",
      "ownerManagedAccess": false,
      "displayName": "jpausers",
      "attributes": {},
      "_id": "a8f691db-39ef-4b2c-80fb-37224e270f1e",
      "uris": [
        "/jpausers"
      ],
      "scopes": [
        {
          "name": "GET"
        },
        {
          "name": "POST"
        }
      ]
    }
  ],
  "policies": [
    {
      "id": "94518189-3794-451c-9996-eec22543d802",
      "name": "Default Policy",
      "description": "A policy that grants access only for users within this realm",
      "type": "js",
      "logic": "POSITIVE",
      "decisionStrategy": "AFFIRMATIVE",
      "config": {
        "code": "// by default, grants any permission associated with this policy\n$evaluation.grant();\n"
      }
    },
    {
      "id": "0242cf72-365d-49ae-8d5b-4ced24736f24",
      "name": "test_jpa",
      "type": "role",
      "logic": "POSITIVE",
      "decisionStrategy": "UNANIMOUS",
      "config": {
        "roles": "[{\"id\":\"jpa\",\"required\":false}]"
      }
    },
    {
      "id": "5c34e2b4-a56a-45f9-a1cc-94788bcb41b0",
      "name": "test_perm1",
      "type": "resource",
      "logic": "POSITIVE",
      "decisionStrategy": "UNANIMOUS",
      "config": {
        "resources": "[\"jpausers\"]",
        "applyPolicies": "[\"test_jpa\"]"
      }
    }
  ],
  "scopes": [
    {
      "id": "4ee351e6-7095-453a-a4f4-badbc9ec1ba0",
      "name": "GET",
      "displayName": "GET"
    },
    {
      "id": "9119aab2-75a0-49d1-a076-8d9210c3e457",
      "name": "POST",
      "displayName": "POST"
    }
  ]
}

当我向Rest API“/jpausers”发送请求时,请求失败,控制台上显示以下消息:

*19:17:52.044 [http-nio-38080-exec-1] INFO  o.k.a.authorization.PolicyEnforcer - Paths provided in configuration.
19:17:52.045 [http-nio-38080-exec-1] DEBUG o.k.a.authorization.PolicyEnforcer - Trying to find resource with uri [/jpausers] for path [/jpausers].
19:17:52.151 [http-nio-38080-exec-1] DEBUG o.k.a.authorization.PolicyEnforcer - Initialization complete. Path configurations:
19:17:52.151 [http-nio-38080-exec-1] DEBUG o.k.a.authorization.PolicyEnforcer - PathConfig{name='null', type='null', path='/jpausers', scopes=[], id='a8f691db-39ef-4b2c-80fb-37224e270f1e', enforcerMode='ENFORCING'}
19:17:52.154 [http-nio-38080-exec-1] DEBUG o.k.a.authorization.PolicyEnforcer - Policy enforcement is enabled. Enforcing policy decisions for path [http://192.168.109.97:38080/jpausers].
19:17:52.156 [http-nio-38080-exec-1] DEBUG o.k.a.a.KeycloakAdapterPolicyEnforcer - Sending challenge
19:17:52.157 [http-nio-38080-exec-1] DEBUG o.k.a.authorization.PolicyEnforcer - Policy enforcement result for path [http://192.168.109.97:38080/jpausers] is : DENIED
19:17:52.157 [http-nio-38080-exec-1] DEBUG o.k.a.authorization.PolicyEnforcer - Returning authorization context with permissions:*

UMA授权已禁用。我首先使用具有密码凭据授予类型的Openid Connect令牌API检索访问令牌,然后我尝试使用访问令牌访问我的Rest API“/jpausers”。
有人能帮助解决这个问题吗?我如何解决这个问题?我必须启用UMA才能使策略实施器工作吗?

xt0899hw

xt0899hw1#

通过快速浏览,我可以看到您在application.properties中的Map并不完整,您还没有将HTTP方法Map到您在keycloak中配置的作用域。

keycloak.policy-enforcer-config.paths[0].path=/jpausers
keycloak.policy-enforcer-config.paths[0].methods[0].method=GET 
keycloak.policy-enforcer-config.paths[0].methods[0].scopes[0]=GET
dffbzjpn

dffbzjpn2#

我认为您缺少密钥罩。安全约束[0]。安全集合[0]。名称= jpausers

0wi1tuuw

0wi1tuuw3#

我有同样的问题,我能够解决它与类似的设置在我的应用程序属性yaml文件,如下所示:

keycloak:
      security-constraints:
        - auth-roles: 
          - "*"
      security-collections:
        - name: 
          patterns:
          - /*
bxgwgixi

bxgwgixi4#

它在Keycloak 19.0.1上对我有效

keycloak.securityConstraints[0].authRoles[0]=*
keycloak.securityConstraints[0].securityCollections[0].patterns[0]=/
keycloak.securityConstraints[0].securityCollections[0].name= test

keycloak.policy-enforcer-config.on-deny-redirect-to=/403

相关问题