We have a Spring Boot application; it is a backend application and exposes a REST API, using spring-boot 2.0.4. We added security through Keycloak, using version 4.0.0.Final. Initially I used Java config for the Keycloak authentication setup, as follows.
import org.keycloak.adapters.springboot.KeycloakSpringBootConfigResolver;
import org.keycloak.adapters.springsecurity.KeycloakSecurityComponents;
import org.keycloak.adapters.springsecurity.client.KeycloakClientRequestFactory;
import org.keycloak.adapters.springsecurity.client.KeycloakRestTemplate;
import org.keycloak.adapters.springsecurity.config.KeycloakWebSecurityConfigurerAdapter;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.config.ConfigurableBeanFactory;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.ComponentScan;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Scope;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.session.SessionRegistryImpl;
import org.springframework.security.web.authentication.session.RegisterSessionAuthenticationStrategy;
import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy;

@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true, jsr250Enabled = true)
@ComponentScan(basePackageClasses = KeycloakSecurityComponents.class)
public class SecurityConfig extends KeycloakWebSecurityConfigurerAdapter {

    // Paths that bypass Spring Security entirely (see configure(WebSecurity) below).
    private static final String[] AUTH_WHITELIST = {
        // -- swagger ui
        "/v2/api-docs",
        "/swagger-resources",
        "/swagger-resources/**",
        "/configuration/ui",
        "/configuration/security",
        "/swagger-ui.html",
        "/actuator",
        "/actuator/**",
        "/api-docs",
        "/api/**",
        "/webjars/**"
        // other public endpoints of your API may be appended to this array
    };

    @Autowired
    public KeycloakClientRequestFactory keycloakClientRequestFactory;

    // Register the Keycloak authentication provider with Spring Security.
    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        auth.authenticationProvider(keycloakAuthenticationProvider());
    }

    // Read the adapter configuration from application.properties instead of keycloak.json.
    @Bean
    public KeycloakSpringBootConfigResolver KeycloakConfigResolver() {
        return new KeycloakSpringBootConfigResolver();
    }

    @Bean
    @Override
    protected SessionAuthenticationStrategy sessionAuthenticationStrategy() {
        return new RegisterSessionAuthenticationStrategy(new SessionRegistryImpl());
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        super.configure(http);
        http
            // anonymous() disabled: unauthenticated requests carry no Authentication at all
            .csrf().disable().anonymous().disable()
            .authorizeRequests()
                .antMatchers(AUTH_WHITELIST).permitAll()
                .and()
            .authorizeRequests()
                // Ant pattern "/*" matches a single path segment only
                .antMatchers("/*").hasRole("SERVICE")
                .and()
            .authorizeRequests()
                .anyRequest().permitAll();
    }

    // Whitelisted paths never reach the security filter chain.
    @Override
    public void configure(WebSecurity web) throws Exception {
        web.ignoring().antMatchers(AUTH_WHITELIST);
    }

    // RestTemplate that forwards the caller's bearer token to downstream services.
    @Bean
    @Scope(ConfigurableBeanFactory.SCOPE_PROTOTYPE)
    public KeycloakRestTemplate keycloakRestTemplate() {
        return new KeycloakRestTemplate(keycloakClientRequestFactory);
    }
}
application.properties has the following settings:
keycloak.auth-server-url=http://localhost:8081/auth
keycloak.realm=realmName
keycloak.resource=masterdata
keycloak.bearer-only=true
keycloak.cors=true
keycloak.enabled=true
keycloak.ssl-required = external
keycloak.use-resource-role-mappings = true
The above code works fine: it authorizes incoming requests that carry a bearer token, and it successfully validates that the token has the SERVICE role.
But we want a more flexible configuration, so we tried to get rid of the Java config and configure it in application.properties with the following:
keycloak.securityConstraints[0].authRoles[0]=SERVICE
keycloak.securityConstraints[0].securityCollections[0].patterns[0]=/*
Now I am getting an Unauthorized code. I can add logs if needed. Can someone help me and tell me where the appProp configuration is going wrong?
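The following Python script is an added illustration, not part of the question and not Keycloak or Spring code. It models, in simplified form, how the two configurations above decide whether a request path needs the SERVICE role. It assumes that `antMatchers()` and `web.ignoring()` follow Spring's AntPathMatcher rules (`*` spans one path segment, `**` spans any number) and that `keycloak.securityConstraints[...].securityCollections[...].patterns` are applied as servlet-spec URL patterns (`/*` and `/prefix/*` are prefix matches, everything else is exact). The sample paths are constructed for the demonstration.

```python
"""Added illustration (not part of the question): a simplified model of how
the two configurations in the question decide whether a request path needs
the SERVICE role.

Assumptions, labelled because the question does not state them:
  * HttpSecurity.antMatchers() / WebSecurity.ignoring() use Spring's
    AntPathMatcher rules: '*' spans one path segment, '**' spans any number.
  * keycloak.securityConstraints[...].securityCollections[...].patterns are
    applied as servlet-spec URL patterns on the embedded container, where
    '/*' (and '/prefix/*') is a path-prefix match and other patterns are exact.
Both matchers are simplified: only '*', '**' and '?' are handled.
"""
import re

# Copied from the question's Java config.
AUTH_WHITELIST = [
    "/v2/api-docs", "/swagger-resources", "/swagger-resources/**",
    "/configuration/ui", "/configuration/security", "/swagger-ui.html",
    "/actuator", "/actuator/**", "/api-docs", "/api/**", "/webjars/**",
]


def ant_match(pattern: str, path: str) -> bool:
    """Simplified AntPathMatcher: '**' = any segments, '*' = one segment."""
    regex = ""
    i = 0
    while i < len(pattern):
        if pattern.startswith("/**", i):
            regex += "(/.*)?"      # '/**' matches deeper paths or nothing at all
            i += 3
        elif pattern.startswith("**", i):
            regex += ".*"
            i += 2
        elif pattern[i] == "*":
            regex += "[^/]*"       # never crosses a '/'
            i += 1
        elif pattern[i] == "?":
            regex += "[^/]"
            i += 1
        else:
            regex += re.escape(pattern[i])
            i += 1
    return re.fullmatch(regex, path) is not None


def servlet_match(pattern: str, path: str) -> bool:
    """Simplified servlet URL pattern: '/x/*' and '/*' are prefix patterns."""
    if pattern.endswith("/*"):
        prefix = pattern[:-2]      # '/*' -> '', '/api/*' -> '/api'
        return path == prefix or path.startswith(prefix + "/")
    return path == pattern


def java_config_decision(path: str) -> str:
    """Mirrors configure(WebSecurity) + configure(HttpSecurity) from the question."""
    if any(ant_match(p, path) for p in AUTH_WHITELIST):
        return "ignored"           # web.ignoring(): no security filter chain at all
    if ant_match("/*", path):
        return "hasRole(SERVICE)"  # antMatchers("/*").hasRole("SERVICE")
    return "permitAll"             # anyRequest().permitAll()


# The two application.properties lines from the question, as a constraint list.
PROPERTY_CONSTRAINTS = [
    {"authRoles": ["SERVICE"], "patterns": ["/*"]},
]


def properties_decision(path: str) -> str:
    """Mirrors keycloak.securityConstraints[...]; modelled as first match wins."""
    for constraint in PROPERTY_CONSTRAINTS:
        if any(servlet_match(p, path) for p in constraint["patterns"]):
            return "hasRole(" + ",".join(constraint["authRoles"]) + ")"
    return "unconstrained"


def compare(paths):
    """Return {path: (java_config_decision, properties_decision)} per path."""
    return {p: (java_config_decision(p), properties_decision(p)) for p in paths}


if __name__ == "__main__":
    # Constructed sample request paths, not taken from the question.
    samples = ["/api/items", "/api/items/42", "/orders", "/orders/7", "/actuator/health"]
    for path, (java, props) in compare(samples).items():
        print(f"{path:18} java-config: {java:17} properties: {props}")
```

Running it side by side shows the difference a practitioner would check first: under the Java config a path such as `/api/items` is ignored by Spring Security entirely and `/orders/7` falls through to `permitAll`, because Ant `/*` only spans one segment, whereas the servlet-style `/*` in the properties is a prefix pattern that puts every path, the former whitelist included, behind the SERVICE role.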