Spring Boot with Keycloak

Time: 2018-10-17 23:49:46

Tags: java spring-boot keycloak

I'm trying to use Spring Boot with Keycloak, so I created 2 clients in Keycloak:

1 - "central-front" is public; my users will get the token there.
2 - "central-api" is "bearer-only"; my API will validate the token.

In my "central-api" I created two roles, CLIENTE and CARTORIO, then created one user with the CLIENTE role and another user with CARTORIO.

On my back end I configured it like this (my keycloak.json is further down):

```java
package br.com.lumera.centralback.config;

import org.keycloak.adapters.KeycloakConfigResolver;
import org.keycloak.adapters.springboot.KeycloakSpringBootConfigResolver;
import org.keycloak.adapters.springsecurity.authentication.KeycloakAuthenticationProvider;
import org.keycloak.adapters.springsecurity.config.KeycloakWebSecurityConfigurerAdapter;
import org.keycloak.adapters.springsecurity.filter.KeycloakAuthenticatedActionsFilter;
import org.keycloak.adapters.springsecurity.filter.KeycloakAuthenticationProcessingFilter;
import org.keycloak.adapters.springsecurity.filter.KeycloakPreAuthActionsFilter;
import org.keycloak.adapters.springsecurity.filter.KeycloakSecurityContextRequestFilter;
import org.springframework.boot.web.servlet.FilterRegistrationBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.authority.mapping.GrantedAuthoritiesMapper;
import org.springframework.security.core.authority.mapping.SimpleAuthorityMapper;
import org.springframework.security.web.authentication.session.NullAuthenticatedSessionStrategy;
import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy;

@Configuration
@EnableWebSecurity
public class KeycloakSecurityConfigurer extends KeycloakWebSecurityConfigurerAdapter {

    @Bean
    public GrantedAuthoritiesMapper grantedAuthoritiesMapper() {
        // Spring Security expects every role to start with "ROLE_"; this mapper adds that prefix to the incoming roles
        SimpleAuthorityMapper mapper = new SimpleAuthorityMapper();
        mapper.setConvertToUpperCase(true);
        return mapper;
    }

    @Override
    protected KeycloakAuthenticationProvider keycloakAuthenticationProvider() {
        final KeycloakAuthenticationProvider provider = super.keycloakAuthenticationProvider();
        provider.setGrantedAuthoritiesMapper(grantedAuthoritiesMapper());
        return provider;
    }

    @Override
    protected void configure(final AuthenticationManagerBuilder auth) throws Exception {
        auth.authenticationProvider(keycloakAuthenticationProvider());
    }

    @Override
    protected SessionAuthenticationStrategy sessionAuthenticationStrategy() {
        // bearer-only API: no server-side login session is created
        return new NullAuthenticatedSessionStrategy();
    }

    @Override
    protected void configure(final HttpSecurity http) throws Exception {
        super.configure(http);
        http
          .authorizeRequests()
                .antMatchers(HttpMethod.OPTIONS, "/**").permitAll()
                .antMatchers("/estado/*").hasRole("CLIENTE")
                .antMatchers("/natureza/*").hasRole("CLIENTE")
                .antMatchers("/cartorio/*").hasRole("CLIENTE")
                .antMatchers("/mensagem/*").hasRole("CLIENTE")
                .anyRequest().permitAll();
    }

    // Prevent Spring Boot from registering the Keycloak filters a second time outside the security chain
    @Bean
    public FilterRegistrationBean keycloakAuthenticationProcessingFilterRegistrationBean(
            final KeycloakAuthenticationProcessingFilter filter) {
        final FilterRegistrationBean registrationBean = new FilterRegistrationBean(filter);
        registrationBean.setEnabled(false);
        return registrationBean;
    }

    @Bean
    public FilterRegistrationBean keycloakPreAuthActionsFilterRegistrationBean(
            final KeycloakPreAuthActionsFilter filter) {
        final FilterRegistrationBean registrationBean = new FilterRegistrationBean(filter);
        registrationBean.setEnabled(false);
        return registrationBean;
    }

}
```

So when I try to access the GET URIs the roles work fine: if I log in as CARTORIO I cannot access any of the URLs listed above, and if I log in as CLIENTE I can access them normally. But on my URL /mensagem/ I have a POST, and when I try to post something I always get Forbidden. I already tried putting

```java
.antMatchers(HttpMethod.POST, "/mensagem/**")
```

and I did try removing it too, with no success either.

And my keycloak.json:

```json
{
  "realm" :  "Lumera",
  "bearer-only" :  true,
  "auth-server-url" :  "http://localhost:9090/auth",
  "ssl-required" :  "external",
  "resource" :  "central-api",
  "use-resource-role-mappings" :  true,
  "principal-attribute" :  "preferred_username"
}
```
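A tightened version of the question's configure(HttpSecurity), added here as an example and not code from the question: it denies by default instead of ending in permitAll(), matches nested paths with "/**" rather than the single-segment "/*", lists write methods explicitly, and switches off cookie-based CSRF protection, which a bearer-only resource server does not need and which, left at the adapter's default, answers a POST that carries a bearer token but no CSRF token with 403 Forbidden (one plausible cause of the symptom described, not a confirmed diagnosis). The class name is an assumption; the authority mapper is the same idea as the question's.

```java
import org.keycloak.adapters.springsecurity.authentication.KeycloakAuthenticationProvider;
import org.keycloak.adapters.springsecurity.config.KeycloakWebSecurityConfigurerAdapter;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.authority.mapping.SimpleAuthorityMapper;
import org.springframework.security.web.authentication.session.NullAuthenticatedSessionStrategy;
import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy;

@Configuration
@EnableWebSecurity
public class HardenedApiSecurityConfigurer extends KeycloakWebSecurityConfigurerAdapter { // hypothetical name

    @Override
    protected void configure(final AuthenticationManagerBuilder auth) {
        // SimpleAuthorityMapper turns Keycloak role "CLIENTE" into authority "ROLE_CLIENTE", which hasRole() expects
        KeycloakAuthenticationProvider provider = keycloakAuthenticationProvider();
        provider.setGrantedAuthoritiesMapper(new SimpleAuthorityMapper());
        auth.authenticationProvider(provider);
    }

    @Override
    protected SessionAuthenticationStrategy sessionAuthenticationStrategy() {
        return new NullAuthenticatedSessionStrategy(); // bearer-only: no login session is created
    }

    @Override
    protected void configure(final HttpSecurity http) throws Exception {
        super.configure(http); // installs the Keycloak filters and the 401 entry point
        http
            // No browser session or cookie exists on a bearer-only API, so cookie-based CSRF checks protect
            // nothing; left enabled (the adapter's default) they reject POST/PUT/DELETE lacking a CSRF token.
            .csrf().disable()
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
            .and()
            .authorizeRequests()
                // CORS preflight carries no token, so it must pass on every path
                .antMatchers(HttpMethod.OPTIONS, "/**").permitAll()
                // "/**" also covers nested paths such as /mensagem/1/anexo; "/*" matches exactly one extra segment
                .antMatchers(HttpMethod.GET, "/estado/**", "/natureza/**",
                             "/cartorio/**", "/mensagem/**").hasRole("CLIENTE")
                .antMatchers(HttpMethod.POST, "/mensagem/**").hasRole("CLIENTE")
                // deny by default: every request not listed above still needs a valid token
                .anyRequest().authenticated();
    }
}
```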

0 answers:

No answers