尝试跳过在application.properties文件中使用安全性约束:
# keycloak.securityConstraints[1].authRoles[0] = admin
# keycloak.securityConstraints[1].securityCollections[0].patterns[0] = /admin
并在Spring安全配置中用Java表达它们:
super.configure(http);
http.authorizeRequests().antMatchers("/admin*").hasRole("admin").anyRequest().permitAll();
但他们会被忽略。
我的application.properties文件:
server.compression.enabled = true
server.compression.min-response-size = 2048
server.compression.mime-types = application/json,application/xml,text/html,text/xml,text/plain
server.connection-timeout = 5000
server.port = 8082
keycloak.enabled = true
keycloak.auth-server-url = http://localhost:8180/auth
keycloak.ssl-required = external
keycloak.realm = learnintouch
keycloak.resource = learnintouch-web
keycloak.public-client = true
# keycloak.bearer-only = true
# keycloak.credentials.secret = c123028f-2654-403b-a9d0-????????
# keycloak.cors = true
# https://stackoverflow.com/questions/41137766/keycloak-cors-filter-spring-boot
# This is an extra property that allows retrieving the username of the currently
# logged user from the Principal object
keycloak.principal-attribute = preferred_username
# keycloak.securityConstraints[0].authRoles[0] = user
# keycloak.securityConstraints[0].authRoles[1] = admin
# keycloak.securityConstraints[0].securityCollections[0].patterns[0] = /user
# keycloak.securityConstraints[1].authRoles[0] = admin
# keycloak.securityConstraints[1].securityCollections[0].patterns[0] = /admin
# keycloak.securityConstraints[2].authRoles[0] = user
# keycloak.securityConstraints[2].authRoles[1] = admin
# keycloak.securityConstraints[2].securityCollections[0].patterns[0] = /products
我的Spring Security配置:
@Configuration
@EnableWebSecurity
@ComponentScan(basePackageClasses = KeycloakSecurityComponents.class)
class SecurityConfig extends KeycloakWebSecurityConfigurerAdapter {
// Avoid prefixing the roles with ROLE_
@Autowired
public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
KeycloakAuthenticationProvider keycloakAuthenticationProvider = keycloakAuthenticationProvider();
keycloakAuthenticationProvider.setGrantedAuthoritiesMapper(new SimpleAuthorityMapper());
auth.authenticationProvider(keycloakAuthenticationProvider);
}
// Use the Spring Boot properties file instead of the default Keycloak Spring Security Adapter keycloak.json file
@Bean
public KeycloakSpringBootConfigResolver KeycloakConfigResolver() {
return new KeycloakSpringBootConfigResolver();
}
@Bean
@Override
protected SessionAuthenticationStrategy sessionAuthenticationStrategy() {
return new RegisterSessionAuthenticationStrategy(new SessionRegistryImpl());
}
我在Spring Boot 2.0.3.RELEASE和Keycloak适配器4.0.0.Final
更新:按照下面提供的答案,我将Keycloak安全性配置为唯一依赖:
<dependency>
<groupId>org.keycloak</groupId>
<artifactId>keycloak-spring-security-adapter</artifactId>
<version>4.0.0.Final</version>
</dependency>
src/main/webapp/WEB-INF/keycloak.json文件包含:
{
"auth-server-url": "http://localhost:8180/auth",
"ssl-required": "external",
"realm": "learnintouch",
"resource": "learnintouch-web",
"public-client": "false",
"credentials": {
"secret": "??????..."
},
"principal-attribute": "preferred_username"
}
路由由一些Spring Security声明保护:
super.configure(http);
http.csrf().disable();
http.authorizeRequests()
.antMatchers("/user*").hasRole("user")
.antMatchers("/admin*").hasRole("admin")
.antMatchers("/products*").hasRole("user")
.anyRequest().permitAll();
答案 0 :(得分:0)
要获得更灵活的配置,最好使用Spring Security adapter。它提供了用Java指定配置的能力,而不仅仅是应用程序属性。 Spring Boot适配器旨在用作基本配置工具,以将URI限制为特定角色。
为了使用Spring Security适配器,我首先要删除Spring Boot适配器,因为它们会引起冲突。如果您仍然希望使用应用程序属性来灵活地进行配置,则可以始终使用Spring Boot标准方式,最后,您仅在Spring Boot项目中使用@Configuration类。 / p>