完整代码:https://github.com/czetsuya/Spring-Keycloak-with-REST-API
我正在尝试在Spring中实现一个由Keycloak(4.8.1)保护的REST API,它仅使用承载客户端。
问题:不尊重configure(HttpSecurity http),只要用户通过了身份验证,就可以访问REST端点。
例如,使用.antMatchers(“ / admin *”)。hasRole(“ ADMIN”),/ admin应该只能由具有ADMIN角色的用户访问,但是我可以使用USER角色进行访问。
我还尝试在application.yml中设置安全约束(但没有帮助):
security-constraints:
- auth-roles:
- ADMIN
- security-collections:
- name: admin
- patterns:
- /admin*
将@EnableGlobalMethodSecurity与@PreAuthorize(“ hasRole('ADMIN')”)结合使用可以解决问题,但是真的没有其他方法吗?
这是application.xml。
keycloak:
enabled: true
realm: dev
auth-server-url: http://localhost:8083/auth
ssl-required: external
resource: dev-api
bearer-only: true
confidential-port: 0
use-resource-role-mappings: false
principal-attribute: preferred_username
以下是pom的依赖项:
<dependencies>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-web</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
</dependency>
<dependency>
<groupId>org.keycloak</groupId>
<artifactId>keycloak-spring-boot-starter</artifactId>
</dependency>
.....
以及SecurityConfig类的一部分:
@KeycloakConfiguration
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class SecurityConfig extends KeycloakWebSecurityConfigurerAdapter {
@Autowired
public void configureGlobal(AuthenticationManagerBuilder auth) {
KeycloakAuthenticationProvider keycloakAuthenticationProvider = keycloakAuthenticationProvider();
SimpleAuthorityMapper simpleAuthorityMapper = new SimpleAuthorityMapper();
simpleAuthorityMapper.setConvertToUpperCase(true);
keycloakAuthenticationProvider.setGrantedAuthoritiesMapper(simpleAuthorityMapper);
auth.authenticationProvider(keycloakAuthenticationProvider);
}
@Bean
@Override
protected SessionAuthenticationStrategy sessionAuthenticationStrategy() {
return new NullAuthenticatedSessionStrategy();
}
@Bean
public KeycloakConfigResolver keycloakConfigResolver() {
return new KeycloakSpringBootConfigResolver();
}
@Autowired
public KeycloakClientRequestFactory keycloakClientRequestFactory;
@Bean
@Scope(ConfigurableBeanFactory.SCOPE_PROTOTYPE)
public KeycloakRestTemplate keycloakRestTemplate() {
return new KeycloakRestTemplate(keycloakClientRequestFactory);
}
/**
* Secure appropriate endpoints
*/
@Override
protected void configure(HttpSecurity http) throws Exception {
super.configure(http);
http.authorizeRequests() //
.antMatchers("/users*").hasRole("USER") //
.antMatchers("/admin*").hasRole("ADMIN") //
.anyRequest().authenticated() //
.and().csrf().disable() //
;
}
启用详细日志后。我发现正在应用application.yml中定义的安全性约束,而不是java类中定义的约束。
现在的问题是如何使用Java约束而不是定义的application.yml。
答案 0 :(得分:0)
问题是错误的yml配置。这是正确的版本:
security-constraints:
- auth-roles:
- User
security-collections:
- name: unsecured
patterns:
- /users
- auth-roles:
- Admin
security-collections:
- name: secured
patterns:
- /admin
请注意,在定义KeycloakSpringBootConfigResolver时,还将调用configure(httpSecurity)。
在application.yml中启用以下日志将向我们显示安全约束检查:
logging:
level:
org.apache.catalina: DEBUG
这是代码更详细的说明:http://czetsuya-tech.blogspot.com/2018/12/secure-spring-boot-rest-project-with.html