Spring + Vue.js application with Keycloak SSO authentication: stuck on XSS?

Time: 2019-11-20 08:41:54

Tags: spring-boot vue.js xss keycloak

Since I migrated a Vue.js + Spring (Boot 2.1.10) application (localhost:8080) from basic authentication to SSO using Keycloak (6.0.1, on localhost:8180), I end up with XSS-related errors:

Refused to apply style from 'http://localhost:8180/auth/realms/SpringBootRealm/protocol/openid-connect/auth?response_type=code&client_id=scorpio&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Fsso%2Flogin&state=b89ab247-5b3b-4147-9772-c948a0193044&login=true&scope=openid' because its MIME type ('text/html') is not a supported stylesheet MIME type, and strict MIME checking is enabled.
Refused to apply style from 'http://localhost:8180/auth/realms/SpringBootRealm/protocol/openid-connect/auth?response_type=code&client_id=scorpio&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Fsso%2Flogin&state=53308c65-d3f3-4ce7-8710-cffad789f1fc&login=true&scope=openid' because its MIME type ('text/html') is not a supported stylesheet MIME type, and strict MIME checking is enabled.
Refused to execute script from 'http://localhost:8180/auth/realms/SpringBootRealm/protocol/openid-connect/auth?response_type=code&client_id=scorpio&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Fsso%2Flogin&state=bfe0aa54-2997-429c-8f14-4ce4b704a7f5&login=true&scope=openid' because its MIME type ('text/html') is not executable, and strict MIME type checking is enabled. 
Refused to execute script from 'http://localhost:8180/auth/realms/SpringBootRealm/protocol/openid-connect/auth?response_type=code&client_id=scorpio&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Fsso%2Flogin&state=223d0102-2560-4064-b82b-380972f82a96&login=true&scope=openid' because its MIME type ('text/html') is not executable, and strict MIME type checking is enabled.

I guess this is related to "X-Content-Type-Options" and/or "X-Frame-Options", so I tried this configuration:

import org.keycloak.adapters.springsecurity.KeycloakSecurityComponents;
import org.keycloak.adapters.springsecurity.config.KeycloakWebSecurityConfigurerAdapter;
import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest;
import org.springframework.boot.actuate.health.HealthEndpoint;
import org.springframework.boot.actuate.info.InfoEndpoint;
import org.springframework.context.annotation.ComponentScan;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;

@ComponentScan(basePackageClasses = KeycloakSecurityComponents.class)
public class KeycloakAuthConfig extends KeycloakWebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        super.configure(http);
        http.authorizeRequests()
            .requestMatchers(EndpointRequest.to(InfoEndpoint.class)).permitAll()
            .requestMatchers(EndpointRequest.to(HealthEndpoint.class)).permitAll()
            .requestMatchers(EndpointRequest.toAnyEndpoint()).hasRole(HAB_ADMIN) // HAB_ADMIN: role constant not shown in the post
            .anyRequest().authenticated();
        http.csrf().disable(); // useless for REST APIs anyway
        http.headers().frameOptions().sameOrigin(); // this was already necessary with basic authentication
        http.headers().contentTypeOptions().disable(); // added this, but it didn't seem to have an impact
    }
    ...
}

I also tried changing the value of Keycloak's realm security-defenses parameter "X-Frame-Options" from "SAMEORIGIN" to "ALLOW-FROM localhost"; no success either. By the way, I thought I would only have to deal with this in production, i.e. when the application client can reach the SSO from a remote machine.

FYI: the valid redirect URIs are set to "http://localhost:8080/*"

Well, I don't think I really understand what is going on here; if anyone has ideas or experience with this, I'd be glad to learn. Thanks in advance!

0 answers:

No answers
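The browser messages quoted in the question show stylesheet and script requests ending at Keycloak's openid-connect/auth endpoint, which answers with an HTML login page rather than CSS or JavaScript; that is the symptom of the SPA's asset requests being redirected to login before the page can load. Below is an added example, not the poster's code, of a Keycloak adapter configuration that exempts the SPA's static asset paths from authentication while keeping the API and actuator rules from the question; the asset paths (Vue CLI's default build layout) and the HAB_ADMIN value are assumptions.

```java
import org.keycloak.adapters.springsecurity.KeycloakConfiguration;
import org.keycloak.adapters.springsecurity.config.KeycloakWebSecurityConfigurerAdapter;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest;
import org.springframework.boot.actuate.health.HealthEndpoint;
import org.springframework.boot.actuate.info.InfoEndpoint;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.core.session.SessionRegistryImpl;
import org.springframework.security.web.authentication.session.RegisterSessionAuthenticationStrategy;
import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy;

// @KeycloakConfiguration bundles @Configuration, @EnableWebSecurity and the
// component scan of KeycloakSecurityComponents that the question uses explicitly.
@KeycloakConfiguration
public class KeycloakAuthConfig extends KeycloakWebSecurityConfigurerAdapter {

    // Assumed value: the question references HAB_ADMIN without showing it.
    private static final String HAB_ADMIN = "HAB_ADMIN";

    // Standard adapter wiring: register the Keycloak authentication provider.
    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) {
        auth.authenticationProvider(keycloakAuthenticationProvider());
    }

    @Override
    protected SessionAuthenticationStrategy sessionAuthenticationStrategy() {
        return new RegisterSessionAuthenticationStrategy(new SessionRegistryImpl());
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        super.configure(http);
        http.authorizeRequests()
            // Asset paths are assumed. They come first: matchers are evaluated in
            // order, so they must precede anyRequest() or they get redirected to login.
            .antMatchers("/", "/index.html", "/favicon.ico",
                         "/js/**", "/css/**", "/img/**").permitAll()
            .requestMatchers(EndpointRequest.to(InfoEndpoint.class)).permitAll()
            .requestMatchers(EndpointRequest.to(HealthEndpoint.class)).permitAll()
            .requestMatchers(EndpointRequest.toAnyEndpoint()).hasRole(HAB_ADMIN)
            // Everything else (the REST API) still requires a Keycloak login.
            .anyRequest().authenticated();
        // contentTypeOptions() is left at its default (X-Content-Type-Options: nosniff):
        // once assets are served as text/css and application/javascript the browser
        // accepts them, and nosniff keeps protecting the API responses.
        http.csrf().disable();
        http.headers().frameOptions().sameOrigin();
    }
}
```

With this in place, an unauthenticated request for /js/app.js is answered by the app itself with the JavaScript file, and only the API and index route trigger the redirect to Keycloak.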