迁移到使用spring安全性的应用程序的keycloak

时间:2015-10-08 04:43:12

标签: spring spring-mvc spring-security keycloak

我正在寻找针对当前使用spring安全性的Spring MVC应用程序的keycloak的步骤。

我想在Sitewhere中使用keycloak。

1 个答案:

答案 0 :(得分:1)

如果我完全阅读了keycloak的文档,我想这很简单:)。以下是我在Sitewhere迁移到keycloak时所遵循的步骤。

  1. 按照spring-security
    2. 的keycloak doc中给出的步骤操作
  2. 将依赖项添加到sitewhere-core& sitewhere-web pom.xml,如adapter installation
    3. 中所述
  3. 还在sitewhere-web的pom.xml中添加了jboss-logging依赖项,因为keycloak spring适配器对jboss-logging具有硬编码依赖性。

  4. 修改applicationcontext.xml,以便它可以使用keycloak进行web& api,关注api的样本

    <sec:http pattern="/api/**"  entry-point-ref="keycloakAuthenticationEntryPoint">
<sec:custom-filter ref="keycloakPreAuthActionsFilter" before="LOGOUT_FILTER" />
<sec:custom-filter ref="keycloakAuthenticationProcessingFilter" before="FORM_LOGIN_FILTER" />

  5. 按如下方式修改LoginManager.java 

    public static IUser getCurrentlyLoggedInUser() throws SiteWhereException {
Authentication KeyCloakAuth = SecurityContextHolder.getContext().getAuthentication();
if (KeyCloakAuth == null) {
    throw new SiteWhereSystemException(ErrorCode.NotLoggedIn, ErrorLevel.ERROR,
            HttpServletResponse.SC_FORBIDDEN);
}

KeycloakAccount  keyAccount = ((KeycloakAuthenticationToken) KeyCloakAuth).getAccount();

String username = keyAccount.getKeycloakSecurityContext().getIdToken().getPreferredUsername();
String password = "";

IUser user = SiteWhere.getServer().getUserManagement().authenticate(username, password);
List<IGrantedAuthority> auths =
        SiteWhere.getServer().getUserManagement().getGrantedAuthorities(user.getUsername());
SitewhereUserDetails details = new SitewhereUserDetails(user, auths);


Authentication auth = new SitewhereAuthentication(details, password);

if (!(auth instanceof SitewhereAuthentication)) {
    throw new SiteWhereException("Authentication was not of expected type: "
            + SitewhereAuthentication.class.getName() + " found " + auth.getClass().getName()
            + " instead.");
}
return (IUser) ((SitewhereAuthentication) auth).getPrincipal();

    }

  6. 因为我们已将我们的身份验证迁移到keycloak,并且我们不会在siterwhere中获取用户凭据,因此最好在IUserManagement的身份验证方法中取消与密码验证相关的代码。以下是MongoUserManagement.java的样本

    public IUser authenticate(String username, String password) throws SiteWhereException {
if (password == null) {
    throw new SiteWhereSystemException(ErrorCode.InvalidPassword, ErrorLevel.ERROR,
            HttpServletResponse.SC_BAD_REQUEST);
}
DBObject userObj = assertUser(username);
String inPassword = SiteWherePersistence.encodePassoword(password);
User match = MongoUser.fromDBObject(userObj);
//nullify authentication since we are using keycloak
/*if (!match.getHashedPassword().equals(inPassword)) {
    throw new SiteWhereSystemException(ErrorCode.InvalidPassword, ErrorLevel.ERROR,
            HttpServletResponse.SC_UNAUTHORIZED);
}*/

// Update last login date.
match.setLastLogin(new Date());
DBObject updated = MongoUser.toDBObject(match);
DBCollection users = getMongoClient().getUsersCollection();
BasicDBObject query = new BasicDBObject(MongoUser.PROP_USERNAME, username);
MongoPersistence.update(users, query, updated);

return match;}

  7. 确保您在keycloak中具有更多特定于sitewhere的用户的相应角色。

  8. 更改主页,以便重定向到keycloak以进行身份​​验证。以下是重定向的示例:

        Tracer.start(TracerCategory.AdminUserInterface, "login", LOGGER);
try {
    Map<String, Object> data = new HashMap<String, Object>();
    data.put("version", VersionHelper.getVersion());
    String keycloakConfig = environment.getProperty("AUTHSERVER_REDIRECTION_URL");          
    if (SiteWhere.getServer().getLifecycleStatus() == LifecycleStatus.Started) {
        return new ModelAndView("redirect:"+keycloakConfig);
    } else {
        ServerStartupException failure = SiteWhere.getServer().getServerStartupError();
        data.put("subsystem", failure.getDescription());
        data.put("component", failure.getComponent().getLifecycleError().getMessage());
        return new ModelAndView("noserver", data);
    }
} finally {
    Tracer.stop(LOGGER);
}
相关问题
最新问题