Keycloak CODE_TO_TOKEN_ERROR error = invalid_client_credentials

Time: 2019-09-18 12:09:26

Tags: spring spring-boot kotlin spring-security keycloak

I am using:

  • Spring Boot
  • Kotlin
  • Keycloak version 4.4.0.Final

Keycloak is started in Docker.

If I try to send a request via Postman to a simple REST endpoint, for example:

    @PreAuthorize("hasAnyRole('MONITORING_ADMIN')") //this line is irrelevant, it doesn't matter
                                                    //whether I use it or not, the issue remains
    @PostMapping("/test")
    fun test() {
        println("test")
    }

then I am redirected to the login page (Valid Redirect URIs: http://localhost:8085/*).

The problem can be read in the logs in the Docker console:

  

keycloak_1 | 12:54:28,866 WARN [org.keycloak.events] (default task-112) type=CODE_TO_TOKEN_ERROR, realmId=smight, clientId=null, userId=null, ipAddress=172.19.0.1, error=invalid_client_credentials, grant_type=authorization_code

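I define the authorization in Postman (Basic Auth).
Problem: clientId = null, userId = null. It may be that Keycloak does not see the userId, the clientId, or the Authorization header.

Here is my security configuration: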

    @KeycloakConfiguration
    @EnableGlobalMethodSecurity(prePostEnabled = true)
    class WebSecurityConfig @Autowired constructor(val basicAuthenticationProvider: BasicAuthenticationProvider) : KeycloakWebSecurityConfigurerAdapter() {
    ...
        @Throws(Exception::class)
        override fun configure(http: HttpSecurity) {
            super.configure(http)

            http
                    .authorizeRequests()
                    .antMatchers("/**").authenticated().anyRequest().permitAll()
        }

        @Bean
        @Throws(Exception::class)
        override fun keycloakAuthenticationProcessingFilter(): KeycloakAuthenticationProcessingFilter {
            val requestMatcher = OrRequestMatcher(
                    AntPathRequestMatcher(KeycloakAuthenticationProcessingFilter.DEFAULT_LOGIN_URL),
                    QueryParamPresenceRequestMatcher(OAuth2Constants.ACCESS_TOKEN),

                    // We provide our own authorization header matcher
                    IgnoreKeycloakProcessingFilterRequestMatcher()
            )
            return KeycloakAuthenticationProcessingFilter(authenticationManagerBean(), requestMatcher)
        }

       ...
        /**
         * Ignore the default keycloak processing once we receive a basic authentication request.
         */
        internal class IgnoreKeycloakProcessingFilterRequestMatcher : RequestMatcher {

            override fun matches(request: HttpServletRequest): Boolean {
                val authorizationHeaderValue = request.getHeader("Authorization")
                return authorizationHeaderValue != null && !authorizationHeaderValue.startsWith("Basic ")
            }
        }
    }

0 answers:

No answers