我试图通过keycloak使用spring boot,所以我在keycloak中创建了2个客户端
1-“中央前线”是公开的,我的用户将在此获得令牌 2-“ central-api”是“仅承载者”,我的api将验证令牌
在我的“ centra-api”中,我创建了两个角色CLIENTE和CARTORIO,然后使用CLIENTE ROLE创建了一个用户,并使用CARTORIO创建了另一个用户。
在我的背上,我像这样配置:
fixture
和我的keycloak.json
package br.com.lumera.centralback.config;
import org.keycloak.adapters.KeycloakConfigResolver;
import org.keycloak.adapters.springboot.KeycloakSpringBootConfigResolver;
import org.keycloak.adapters.springsecurity.authentication.KeycloakAuthenticationProvider;
import org.keycloak.adapters.springsecurity.config.KeycloakWebSecurityConfigurerAdapter;
import org.keycloak.adapters.springsecurity.filter.KeycloakAuthenticatedActionsFilter;
import org.keycloak.adapters.springsecurity.filter.KeycloakAuthenticationProcessingFilter;
import org.keycloak.adapters.springsecurity.filter.KeycloakPreAuthActionsFilter;
import org.keycloak.adapters.springsecurity.filter.KeycloakSecurityContextRequestFilter;
import org.springframework.boot.web.servlet.FilterRegistrationBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.authority.mapping.GrantedAuthoritiesMapper;
import org.springframework.security.core.authority.mapping.SimpleAuthorityMapper;
import org.springframework.security.web.authentication.session.NullAuthenticatedSessionStrategy;
import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy;
@Configuration
@EnableWebSecurity
public class KeycloakSecurityConfigurer extends KeycloakWebSecurityConfigurerAdapter {
@Bean
public GrantedAuthoritiesMapper grantedAuthoritiesMapper() {
//o Springboot espera que toda role comeca com "ROLE_" essa configuracao coloca o ROLE_ nas roles que estao cehgando
SimpleAuthorityMapper mapper = new SimpleAuthorityMapper();
mapper.setConvertToUpperCase(true);
return mapper;
}
@Override
protected KeycloakAuthenticationProvider keycloakAuthenticationProvider() {
final KeycloakAuthenticationProvider provider = super.keycloakAuthenticationProvider();
provider.setGrantedAuthoritiesMapper(grantedAuthoritiesMapper());
return provider;
}
@Override
protected void configure(final AuthenticationManagerBuilder auth) throws Exception {
auth.authenticationProvider(keycloakAuthenticationProvider());
}
@Override
protected SessionAuthenticationStrategy sessionAuthenticationStrategy() {
return new NullAuthenticatedSessionStrategy();
}
@Override
protected void configure(final HttpSecurity http) throws Exception {
super.configure(http);
http
.authorizeRequests()
.antMatchers(HttpMethod.OPTIONS, "/**").permitAll()
.antMatchers("/estado/*").hasRole("CLIENTE")
.antMatchers("/natureza/*").hasRole("CLIENTE")
.antMatchers("/cartorio/*").hasRole("CLIENTE")
.antMatchers("/mensagem/*").hasRole("CLIENTE")
.anyRequest().permitAll();
}
@Bean
public FilterRegistrationBean keycloakAuthenticationProcessingFilterRegistrationBean(
final KeycloakAuthenticationProcessingFilter filter) {
final FilterRegistrationBean registrationBean = new FilterRegistrationBean(filter);
registrationBean.setEnabled(false);
return registrationBean;
}
@Bean
public FilterRegistrationBean keycloakPreAuthActionsFilterRegistrationBean(
final KeycloakPreAuthActionsFilter filter) {
final FilterRegistrationBean registrationBean = new FilterRegistrationBean(filter);
registrationBean.setEnabled(false);
return registrationBean;
}
}
因此,当我尝试访问GET URI时,这些角色工作正常,如果我登录CARTORIO,则无法访问上面列出的任何URL,并且如果我登录CLIENTE,则可以正常访问。但是在我的网址/ mensagem /中,我在/ mensagem /中有一个POST,当我尝试发布某些东西时,我总是被禁止蚂蚁,我已经尝试放
{
"realm" : "Lumera",
"bearer-only" : true,
"auth-server-url" : "http://localhost:9090/auth",
"ssl-required" : "external",
"resource" : "central-api",
"use-resource-role-mappings" : true,
"principal-attribute" : "preferred_username"
}
我确实尝试删除
.antMatchers(HttpMethod.POST, "/mensagem/**")
也没有成功