我正在使用Keycloak验证我的Spring Boot应用程序,
我已经与客户端(聊天系统)创建了一个新领域(CommonServices)
我有此配置
keycloak:
auth-server-url: http://localhost:8083/auth
realm: CommonServices
resource: chatting-system
public-client: true
principal-attribute: preferred_username
use-resource-role-mappings: true
security-constraints[0].authRoles[0]: user
ssl-required: external
spring:
data:
mongodb:
host: localhost
port: 27017
database: Chat
username: saga
password: password
security:
oauth2:
resourceserver:
jwt:
jwk-set-uri: http://localhost:8083/auth/realms/CommonServices/protocol/openid-connect/certs
issuer-uri: http://localhost:8083/auth/realms/CommonServices
并且我已经将安全性配置为:
@KeycloakConfiguration
class SecurityConfig extends KeycloakWebSecurityConfigurerAdapter {
@Autowired
public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
KeycloakAuthenticationProvider keycloakAuthenticationProvider = keycloakAuthenticationProvider();
auth.authenticationProvider(keycloakAuthenticationProvider);
}
@Bean
@Override
protected SessionAuthenticationStrategy sessionAuthenticationStrategy() {
return new RegisterSessionAuthenticationStrategy(new SessionRegistryImpl());
}
@Override
protected void configure(HttpSecurity http) throws Exception {
super.configure(http);
http.authorizeRequests()
.antMatchers("/**")
.hasRole("user")
.anyRequest()
.authenticated();
}
}
@Configuration
public class KeycloakConfig {
@Bean
public KeycloakSpringBootConfigResolver keycloakConfigResolver() {
return new KeycloakSpringBootConfigResolver();
}
}
问题
当我访问GET API时,一切正常,但是
如果我访问POST rest API,则会禁止使用403
答案 0 :(得分:1)
我想这是CSRF默认启用的Spring Security保护的问题。尝试在SecurityConfig中将其禁用,以确保是这种情况。
@Override
protected void configure(HttpSecurity http) throws Exception {
super.configure(http);
http
.csrf().disable() // <- THIS LINE
.authorizeRequests()
.antMatchers("/**")
.hasRole("user")
.anyRequest()
.authenticated();
}
如果那是原因,我建议设置适当的CSRF保护,因为禁用它会节省开发时间,但是从总体上讲,部署到生产环境不是一个好主意。