HttpSecurity配置不适用于Spring上的Keycloak适配器

时间:2018-12-27 05:02:17

标签: spring spring-security spring-security-oauth2 keycloak spring-security-rest

完整代码:https://github.com/czetsuya/Spring-Keycloak-with-REST-API

我正在尝试在Spring中实现一个由Keycloak(4.8.1)保护的REST API,它仅使用承载客户端。

问题:不尊重configure(HttpSecurity http),只要用户通过了身份验证,就可以访问REST端点。

例如,使用.antMatchers(“ / admin *”)。hasRole(“ ADMIN”),/ admin应该只能由具有ADMIN角色的用户访问,但是我可以使用USER角色进行访问。

我还尝试在application.yml中设置安全约束(但没有帮助):

  security-constraints:
  - auth-roles:
    - ADMIN
  - security-collections:
    - name: admin
    - patterns:
      - /admin*

将@EnableGlobalMethodSecurity与@PreAuthorize(“ hasRole('ADMIN')”)结合使用可以解决问题,但是真的没有其他方法吗?

这是application.xml。

keycloak:
  enabled: true
  realm: dev
  auth-server-url: http://localhost:8083/auth
  ssl-required: external
  resource: dev-api
  bearer-only: true
  confidential-port: 0
  use-resource-role-mappings: false
  principal-attribute: preferred_username

以下是pom的依赖项:

<dependencies>
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-web</artifactId>
    </dependency>
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-security</artifactId>
    </dependency>
    <dependency>
        <groupId>org.keycloak</groupId>
        <artifactId>keycloak-spring-boot-starter</artifactId>
    </dependency>
    .....

以及SecurityConfig类的一部分:

@KeycloakConfiguration
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class SecurityConfig extends KeycloakWebSecurityConfigurerAdapter {

    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) {
        KeycloakAuthenticationProvider keycloakAuthenticationProvider = keycloakAuthenticationProvider();
        SimpleAuthorityMapper simpleAuthorityMapper = new SimpleAuthorityMapper();
        simpleAuthorityMapper.setConvertToUpperCase(true);
        keycloakAuthenticationProvider.setGrantedAuthoritiesMapper(simpleAuthorityMapper);
        auth.authenticationProvider(keycloakAuthenticationProvider);
    }

    @Bean
    @Override
    protected SessionAuthenticationStrategy sessionAuthenticationStrategy() {
        return new NullAuthenticatedSessionStrategy();
    }

    @Bean
    public KeycloakConfigResolver keycloakConfigResolver() {
        return new KeycloakSpringBootConfigResolver();
    }

    @Autowired
    public KeycloakClientRequestFactory keycloakClientRequestFactory;

    @Bean
    @Scope(ConfigurableBeanFactory.SCOPE_PROTOTYPE)
    public KeycloakRestTemplate keycloakRestTemplate() {
        return new KeycloakRestTemplate(keycloakClientRequestFactory);
    }

    /**
     * Secure appropriate endpoints
     */
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        super.configure(http);
        http.authorizeRequests() //
                .antMatchers("/users*").hasRole("USER") //
                .antMatchers("/admin*").hasRole("ADMIN") //
                .anyRequest().authenticated() //
                .and().csrf().disable() //
        ;
    }

启用详细日志后。我发现正在应用application.yml中定义的安全性约束,而不是java类中定义的约束。

现在的问题是如何使用Java约束而不是定义的application.yml。

1 个答案:

答案 0 :(得分:0)

问题是错误的yml配置。这是正确的版本:

security-constraints:
    - auth-roles:
      - User
      security-collections:
      - name: unsecured
        patterns:
        - /users
    - auth-roles: 
      - Admin
      security-collections:
      - name: secured
        patterns:
        - /admin

请注意,在定义KeycloakSpringBootConfigResolver时,还将调用configure(httpSecurity)。

在application.yml中启用以下日志将向我们显示安全约束检查:

logging:
  level:
    org.apache.catalina: DEBUG

这是代码更详细的说明:http://czetsuya-tech.blogspot.com/2018/12/secure-spring-boot-rest-project-with.html