Keycloak:无法使用Spring Security Adapter

时间:2016-11-08 17:13:31

标签: spring-security keycloak

我将非常感谢您对以下问题的帮助。 我尝试配置Spring Security Adapter(版本2.3.0.Final): https://keycloak.gitbooks.io/securing-client-applications-guide/content/topics/oidc/java/spring-security-adapter.html

我认为Keycloak使用静态客户端注册,因为当我尝试连接而没有Keycloak中的客户端配置时,我得到以下内容:

16:15:43,174 WARN  [org.keycloak.events] (default task-3) type=LOGIN_ERROR, realmId=master, clientId=st_1, userId=null, ipAddress=192.168.111.33, error=client_not_found

请注意,我成功使用mod-auth-openidc和mitreid客户端。

我不确定什么是“有效重定向URI”,我在IDP中配置了以下值: http://192.168.110.2:8081/app/sso/login

现在,客户端使用此URL重定向到Keycloak IDP http://192.168.110.2:8080/auth/realms/master/protocol/openid-connect/auth?response_type=code&client_id=testclient&redirect_uri=http%3A%2F%2F192.168.110.2%3A8081%2Fapp%2Fsso%2Flogin&state=10%2Fc0079a4b-e896-4400-9357-77fdacde9a56&login=true&scope=openid

我对用户进行身份验证,IDP使用以下URL将URL返回给客户端: http://192.168.110.2:8081/app/sso/login?state=14%2F9a4376fa-06e2-4188-a616-a182363dab3a&code=JzKXHOm7jRp5pkfT6GT6rRPZ5HOcZyGEB5uA-fjrk1I.7d91a145-76a5-4bc4-960f-f4a67f242fba

不幸的是,我有无限循环。 当我调试KeycloakAuthenticationProcessingFilter时,我看到AuthOutcome获得值NOT_ATTEMPTED并且它导致额外的重定向到IDP。 我错过了什么? keycloak.json

{
  "realm" : "master",
  "resource" : "st_1",
  "auth-server-url" : "http://192.168.110.2:8080/auth",
  "ssl-required" : "none",
  "use-resource-role-mappings" : false,
  "enable-cors" : true,
  "cors-max-age" : 1000,
  "cors-allowed-methods" : "POST, PUT, DELETE, GET",
  "bearer-only" : false,
  "enable-basic-auth" : false,
  "expose-token" : true,
  "credentials" : {
    "secret" : "bc644880-5544-4110-8e05-5bbd2a95b3e2"
  },

  "connection-pool-size" : 20,
  "disable-trust-manager": true,
  "allow-any-hostname" : true,
  "token-minimum-time-to-live" : 10

}

弹簧security.xml文件

<?xml version="1.0" encoding="UTF-8"?>

<!--
  - Sample namespace-based configuration
  -
  -->


<beans xmlns="http://www.springframework.org/schema/beans"
    xmlns:sec="http://www.springframework.org/schema/security"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:context="http://www.springframework.org/schema/context"
    xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
                        http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd
                        http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd">




    <sec:global-method-security pre-post-annotations="enabled">
        <!-- AspectJ pointcut expression that locates our "post" method and applies security that way
        <protect-pointcut expression="execution(* bigbank.*Service.post*(..))" access="ROLE_TELLER"/>
        -->
    </sec:global-method-security>

    <context:component-scan base-package="org.keycloak.adapters.springsecurity" />





    <sec:http use-expressions="true" disable-url-rewriting="false" entry-point-ref="keycloakAuthenticationEntryPoint">
        <sec:intercept-url pattern="/**" access="isAuthenticated()"/>
        <sec:csrf disabled="true"/>
        <sec:headers disabled="true"/>
        <sec:custom-filter ref="keycloakPreAuthActionsFilter" before="LOGOUT_FILTER" />
        <sec:custom-filter ref="keycloakAuthenticationProcessingFilter" before="FORM_LOGIN_FILTER" />
        <sec:custom-filter ref="logoutFilter" position="LOGOUT_FILTER" />

    </sec:http>


    <sec:authentication-manager alias="authenticationManager">
        <sec:authentication-provider ref="keycloakAuthenticationProvider" />
    </sec:authentication-manager>

    <bean id="adapterDeploymentContext" class="org.keycloak.adapters.springsecurity.AdapterDeploymentContextFactoryBean">
        <constructor-arg value="/WEB-INF/keycloak/keycloak.json" />
    </bean>

    <bean id="keycloakAuthenticationEntryPoint" class="org.keycloak.adapters.springsecurity.authentication.KeycloakAuthenticationEntryPoint" />
    <bean id="keycloakAuthenticationProvider" class="org.keycloak.adapters.springsecurity.authentication.KeycloakAuthenticationProvider" />
    <bean id="keycloakPreAuthActionsFilter" class="org.keycloak.adapters.springsecurity.filter.KeycloakPreAuthActionsFilter" />
    <bean id="keycloakAuthenticationProcessingFilter" class="org.keycloak.adapters.springsecurity.filter.KeycloakAuthenticationProcessingFilter">
        <constructor-arg name="authenticationManager" ref="authenticationManager" />
    </bean>

    <bean id="keycloakLogoutHandler" class="org.keycloak.adapters.springsecurity.authentication.KeycloakLogoutHandler">
        <constructor-arg ref="adapterDeploymentContext" />
    </bean>

    <bean id="logoutFilter" class="org.springframework.security.web.authentication.logout.LogoutFilter">
        <constructor-arg name="logoutSuccessUrl" value="/" />
        <constructor-arg name="handlers">
            <list>
                <ref bean="keycloakLogoutHandler" />
                <bean class="org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler" />
            </list>
        </constructor-arg>
        <property name="logoutRequestMatcher">
            <bean class="org.springframework.security.web.util.matcher.AntPathRequestMatcher">
                <constructor-arg name="pattern" value="/sso/logout**" />
                <constructor-arg name="httpMethod" value="GET" />
            </bean>
        </property>
    </bean>




</beans>

1 个答案:

答案 0 :(得分:0)

亲自打这个。 Doc是错误的。将keycloakAuthenticationEntryPoint更改为

get