如何使用Keycloack验证Jquery ajax请求,

时间:2017-11-05 11:44:20

标签: jboss keycloak jboss-tools jboss-eap-7 keycloak-services

我有一个弹簧启动应用程序(mvc),它使用keycloack进行保护。 (使用spring-boot-starter-security和keycloak-spring-boot-starter)

我像这样配置了KeycloakWebSecurityConfigurerAdapter; 

    @Override
    protected SessionAuthenticationStrategy sessionAuthenticationStrategy() {
        return new RegisterSessionAuthenticationStrategy(new SessionRegistryImpl());
    }

    @Override
    protected KeycloakAuthenticationProvider keycloakAuthenticationProvider() {
        return this.tybsKimlikSaglayici;
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        super.configure(http);

        http.cors().and().authorizeRequests().antMatchers("/", 
                "/home").permitAll().antMatchers("/admin").permitAll()
                .anyRequest().authenticated().and()
                .logout()
                .logoutRequestMatcher(new AntPathRequestMatcher("/sso/logout")).permitAll();

        http.exceptionHandling().accessDeniedPage("accessDeniedPage");
    }

  @Bean 
        public CorsConfigurationSource corsConfigurationSource() {
            final CorsConfiguration configuration = new CorsConfiguration();
            configuration.setAllowedOrigins(ImmutableList.of("*"));
            configuration.setAllowedMethods(ImmutableList.of("HEAD",
                    "GET", "POST", "PUT", "DELETE", "PATCH"));

            configuration.setAllowCredentials(true);

            configuration.setAllowedHeaders(ImmutableList.of("Authorization", "Cache-Control", "Content-Type"));
            final UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
            source.registerCorsConfiguration("/**", configuration);
            return source;
        }

请求控制器方法,响应html视图正常工作(keycloack验证请求)

但是, 形成对控制器方法的动作 Ajax请求休息控制器方法不起作用(post,put,delete .. requests)

我将@CrossOrigin(originins =" *")添加到我的控制器。

这是我的ajax要求,

$.ajax({
    type : "method_here",
    contentType : "application/json; charset=utf-8;",
    url : "url_here",
    data : JSON.stringify(data),
    timeout : 30000, 
    success : function(response) {

    },
    error : function(error) {

    }
});

这里是keycloack客户端

enter image description here

这里是kecloack json(我试过app.properties文件)

{
  "realm": "demo-realm",
  "auth-server-url": "url_of_sso_app",
  "ssl-required": "external",
  "resource": "kie-remote",
  "principal-attribute": "preferred_username",
  #"enable-cors": true,     **tryed to add**
  #"cors-max-age" : 10000,   
  #"cors-allowed-methods": "GET, POST, PUT, HEAD, OPTIONS", 
  #"cors-allowed-headers": "Origin, Accept, X-Requested-With, Content-Type, Access-Control-Request-Method, Access-Control-Request-Headersl", 
  "credentials": {
     "secret": "secret_of_realm_client"
  }
}

我该如何解决这个问题。如何使用keycloack验证ajax请求帮助。

1 个答案:

答案 0 :(得分:0)

我发现了我的失踪。 

@Override
public void configure(WebSecurity web) throws Exception {
    web.ignoring()
                  .antMatchers(HttpMethod.POST, "/**")
                  .antMatchers(HttpMethod.PUT, "/**")
                  .antMatchers(HttpMethod.DELETE, "/**");
}

此方法必须在Web安全配置中覆盖。它必须像.antMatchers一样改变(HttpMethod.POST,“/ allowed_method_path”)

修改

此代码忽略这些http方法类型的身份验证过程。正确的解决方案不使用web.ignoring()方法。问题与csrf有关,(csrf的默认弹簧安全设置是启用)spring防止put,delete,post http方法保护服务器免受csrf攻击。如果服务不在浏览器上消耗,可以禁用csrf,但是服务正在生成浏览器页面,解决方法是配置csrf。请检查How to obtain csrf token in a velocity macro when using spring security

由于

相关问题
最新问题