我有一个包含Angular前端,spring-boot后端和REST服务的应用程序,我可以在其中获取资源和数据。一切都由相同的keycloak实例保护。到目前为止,我一直在使用在前端创建的承载令牌对应用程序进行身份验证,然后将其设置为spring-boot后端的标头,然后通过KeycloakRestTemplate将其发送到服务。
这种方法的问题在于,身份验证取决于后端执行任何工作之前存在的用户。据我所知,有一种使用credentials.secret进行身份验证的方法,但是我不确定该怎么做并且找不到任何资源。
Keycloak的配置存在于一个域中,其中Spring-boot服务器具有一个客户端resource: cl-gui,其余服务具有另一个客户端resource: cl-data
这是我的SecurityConfig:
@Configuration
@ComponentScan(
basePackageClasses = KeycloakSecurityComponents.class,
excludeFilters = @ComponentScan.Filter(type = FilterType.REGEX, pattern = "org.keycloak.adapters.springsecurity.management.HttpSessionManager"))
@EnableWebSecurity
public class SecurityConfiguration extends KeycloakWebSecurityConfigurerAdapter
{
@Value("${application.production:true}")
Boolean isProduction;
private final KeycloakClientRequestFactory keycloakClientRequestFactory;
public SecurityConfiguration(KeycloakClientRequestFactory keycloakClientRequestFactory) {
this.keycloakClientRequestFactory = keycloakClientRequestFactory;
// SecurityContextHolder.setStrategyName(SecurityContextHolder.MODE_INHERITABLETHREADLOCAL);
}
/**
* Registers the KeycloakAuthenticationProvider with the authentication manager.
*/
@Autowired
public void configureGlobal(AuthenticationManagerBuilder auth) {
KeycloakAuthenticationProvider keycloakAuthenticationProvider = keycloakAuthenticationProvider();
keycloakAuthenticationProvider.setGrantedAuthoritiesMapper(new SimpleAuthorityMapper());
auth.authenticationProvider(keycloakAuthenticationProvider);
}
@Bean
public KeycloakRestTemplate keycloakRestTemplate() {
return new KeycloakRestTemplate(keycloakClientRequestFactory);
}
/**
*
* Load Keycloak configuration from application.properties or application.yml
*/
@Bean
public KeycloakConfigResolver keycloakConfigResolver() {
return new KeycloakSpringBootConfigResolver();
}
/**
* Defines the session authentication strategy.
*/
@Bean
@Override
protected SessionAuthenticationStrategy sessionAuthenticationStrategy() {
return new NullAuthenticatedSessionStrategy();
}
@Bean
public FilterRegistrationBean keycloakAuthenticationProcessingFilterRegistrationBean(
KeycloakAuthenticationProcessingFilter filter) {
FilterRegistrationBean registrationBean = new FilterRegistrationBean(filter);
registrationBean.setEnabled(false);
return registrationBean;
}
@Bean
public FilterRegistrationBean keycloakPreAuthActionsFilterRegistrationBean(
KeycloakPreAuthActionsFilter filter) {
FilterRegistrationBean registrationBean = new FilterRegistrationBean(filter);
registrationBean.setEnabled(false);
return registrationBean;
}
@Override
protected void configure(HttpSecurity http) throws Exception {
super.configure(http);
if (isProduction) {
http.csrf()
.disable()
.sessionManagement()
.sessionCreationPolicy(SessionCreationPolicy.STATELESS)
.sessionAuthenticationStrategy(sessionAuthenticationStrategy())
.and()
.authorizeRequests()
.antMatchers("/**").hasRole("ROLE_USER")
.anyRequest().permitAll();
} else {
http.csrf().disable().authorizeRequests().anyRequest().permitAll();
}
}
}
Keycloak依赖项:
<!-- Keycloak -->
<dependency>
<groupId>org.keycloak</groupId>
<artifactId>keycloak-spring-boot-starter</artifactId>
</dependency>
<dependency>
<groupId>org.keycloak</groupId>
<artifactId>keycloak-spring-security-adapter</artifactId>
</dependency>
在这样的应用程序中获取信息的最佳实践是什么,即无需用户进行身份验证就可以从服务中获取数据? (keycloak客户端身份验证)