当我阅读有关将clocloak与Angular + REST应用程序集成的信息时,大多数情况下,我看到一种具有两个客户端,一个公共客户端和一个仅承载者的方法。这是最好的解决方案,还是我可以将单个机密客户端用于这两个应用程序。我读到,使用JavaScript的机密客户端不是最好的方法,因为无法将机密隐藏在javascript中。
此外,在使用两个客户端方法将keycloak集成到rest和UI项目中之后,身份验证似乎可以正常工作。但是我在其余方面没有任何作用。我正在使用spring安全适配器和springboot 1.5.18作为后端。我的keycloak服务器版本是3.4.12,keycloak弹簧适配器版本是3.4.3。下面还提供了Keycloak配置文件。
keycloak.json(Angular项目)
{
"realm": "dev",
"auth-server-url": "https://<keycloakserver> /auth",
"resource": "frontend-dev",
"public-client": true,
"use-resource-role-mappings": true,
"confidential-port": 0,
"ssl-required": "external",
"disable-trust-manager": true
}
application.properties(springboot)
keycloak.realm=dev
keycloak.bearer-only=true
keycloak.auth-server-url=https:// <keycloakserver> /auth
keycloak.resource= backend-dev
keycloak.use-resource-role-mappings=true
keycloak.credentials.secret=222-3333-4444-5555
#development only properties
keycloak.ssl-required=external
keycloak.disable-trust-manager=true
Keycloak Java配置
@KeycloakConfiguration
@EnableGlobalMethodSecurity(prePostEnabled = true, securedEnabled = true, jsr250Enabled = true)
public class KeycloakSecurityConfig extends KeycloakWebSecurityConfigurerAdapter {
/**
* Registers the KeycloakAuthenticationProvider with the authentication manager.
*/
@Autowired
public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
KeycloakAuthenticationProvider keycloakAuthenticationProvider = keycloakAuthenticationProvider();
keycloakAuthenticationProvider.setGrantedAuthoritiesMapper(new SimpleAuthorityMapper());
auth.authenticationProvider(keycloakAuthenticationProvider);
}
/**
* Defines the session authentication strategy.
*/
@Bean
@Override
protected SessionAuthenticationStrategy sessionAuthenticationStrategy() {
return new NullAuthenticatedSessionStrategy();
}
@Bean
public KeycloakConfigResolver keycloakConfigResolver() {
return new KeycloakSpringBootConfigResolver();
}
@Bean
public FilterRegistrationBean
keycloakAuthenticationProcessingFilterRegistrationBean(KeycloakAuthenticationProcessingFilter filter) {
FilterRegistrationBean registrationBean = new FilterRegistrationBean(filter);
registrationBean.setEnabled(false);
return registrationBean;
}
@Bean
public FilterRegistrationBean keycloakPreAuthActionsFilterRegistrationBean(KeycloakPreAuthActionsFilter filter) {
FilterRegistrationBean registrationBean = new FilterRegistrationBean(filter);
registrationBean.setEnabled(false);
return registrationBean;
}
@Bean
@Scope(scopeName = WebApplicationContext.SCOPE_REQUEST, proxyMode = ScopedProxyMode.TARGET_CLASS)
public AccessToken accessToken() {
HttpServletRequest request = ((ServletRequestAttributes) RequestContextHolder.currentRequestAttributes())
.getRequest();
return ((KeycloakSecurityContext)((KeycloakAuthenticationToken) request.getUserPrincipal()).getCredentials())
.getToken();
}
@Override
protected void configure(HttpSecurity http) throws Exception {
super.configure(http);
http.authorizeRequests().antMatchers("/**").permitAll();
}
}
为保护休息资源,请使用注释
@RolesAllowed(“Name of the role”)
即使在为用户分配了客户端角色之后,它仍然抛出403-Access拒绝错误
我还尝试使用代码手动获得角色
SecurityContext securityContext = SecurityContextHolder.getContext();
securityContext.getAuthentication().getAuthorities();
但是它总是返回一个空数组。
答案 0 :(得分:1)
我终于能够解决问题。问题是前端密钥斗篷客户端中缺少Scope配置。 对于所有客户端,由于安全原因,已关闭了全部范围。因此,除非我们在前端客户端的客户端作用域配置中明确设置为包括后端客户端角色,否则它将不会成为令牌的一部分。