来自Docker应用的Keycloak服务器身份验证错误行为

时间:2020-03-18 18:40:20

标签: spring-boot docker keycloak

我有两个Docker容器:

  1. RedHat Keycloak服务器(https://keycloak.some.domain.com
  2. Springboot应用(http://localhost:8081

在我的Springboot应用程序中,我已在以下位置定义了一个安全页面:http://localhost:8081/api/sample.json

现在,当我命中该端点时,我将重定向到正确的登录页面,并且,如果我提交正确的登录名/密码凭据,则会收到以下403错误(禁止)页面:

introducir la descripción de la imagen aquí

但是,如果我直接运行Springboot应用程序,而没有docker包装器,像这样:

java -jar app.jar

然后,当我命中相同的受保护端点时,我将重定向到正确的登录页面,并且,如果我提交正确的登录名/密码凭据,在这种情况下,我会得到预期的 CORRECT 页面/响应! (这是同一个应用程序!!!)

鉴于这种情况,我已经启动了dockerized的Springboot应用程序,并使用以下命令将其放入了容器内部:

docker exec -it app bash

然后像这样安装天猫:

apt-get install lynx

从那里,我确实在本地命中了受保护的端点:

山猫http://localhost:8081/api/sample.json

但是我得到了完全相同的错误页面(403)错误。因此,我相信问题在于Docker包装器,而不是应用程序。这很关键,因为这意味着keycloak和任何dockerized应用之间的这种行为将相似。 :(

结论是,如果我执行“ docker run -d -p 8081:8081 springboot-app-image”,则除 身份验证过程(针对容器内部和外部)之外,所有操作均正常运行。

从Springboot应用程序日志中,当我按下dockerized端点时,我可以看到此错误跟踪:

2020-03-17 15:29:19.503  INFO 1 --- [           main] com.example.app.MainApp            : Started MainApp in 13.257 seconds (JVM running for 14.845)
2020-03-17 15:29:30.139 DEBUG 1 --- [nio-8081-exec-1] o.k.adapters.PreAuthActionsHandler       : adminRequest http://localhost:8081/api/sample2.json
2020-03-17 15:29:30.169 DEBUG 1 --- [nio-8081-exec-1] o.k.a.a.ClientCredentialsProviderUtils   : Using provider 'secret' for authentication of client 'login-app'
2020-03-17 15:29:30.176 DEBUG 1 --- [nio-8081-exec-1] o.k.a.a.ClientCredentialsProviderUtils   : Loaded clientCredentialsProvider secret
2020-03-17 15:29:30.179 DEBUG 1 --- [nio-8081-exec-1] o.k.a.a.ClientCredentialsProviderUtils   : Loaded clientCredentialsProvider jwt
2020-03-17 15:29:30.182 DEBUG 1 --- [nio-8081-exec-1] o.k.a.a.ClientCredentialsProviderUtils   : Loaded clientCredentialsProvider secret-jwt
2020-03-17 15:29:30.184 DEBUG 1 --- [nio-8081-exec-1] o.k.a.a.ClientCredentialsProviderUtils   : Loaded clientCredentialsProvider secret
2020-03-17 15:29:30.185 DEBUG 1 --- [nio-8081-exec-1] o.k.a.a.ClientCredentialsProviderUtils   : Loaded clientCredentialsProvider jwt
2020-03-17 15:29:30.188 DEBUG 1 --- [nio-8081-exec-1] o.k.a.a.ClientCredentialsProviderUtils   : Loaded clientCredentialsProvider secret-jwt
2020-03-17 15:29:30.457 DEBUG 1 --- [nio-8081-exec-1] o.keycloak.adapters.KeycloakDeployment   : resolveUrls
2020-03-17 15:29:30.461 DEBUG 1 --- [nio-8081-exec-1] o.k.adapters.KeycloakDeploymentBuilder   : Use authServerUrl: https://keycloak.some.domain.com/auth, tokenUrl: https://keycloak.ci.ultrasist.net/auth/realms/SpringBootKeycloak/protocol/openid-connect/token, relativeUrls: NEVER
2020-03-17 15:29:30.479 DEBUG 1 --- [nio-8081-exec-1] .k.a.t.AbstractAuthenticatedActionsValve : AuthenticatedActionsValve.invoke /api/sample2.json
2020-03-17 15:29:30.481 DEBUG 1 --- [nio-8081-exec-1] o.k.a.AuthenticatedActionsHandler        : AuthenticatedActionsValve.invoke http://localhost:8081/api/sample2.json
2020-03-17 15:29:30.483 DEBUG 1 --- [nio-8081-exec-1] o.k.a.AuthenticatedActionsHandler        : Policy enforcement is disabled.
2020-03-17 15:29:30.494  INFO 1 --- [nio-8081-exec-1] o.a.c.c.C.[Tomcat].[localhost].[/]       : Initializing Spring DispatcherServlet 'dispatcherServlet'
2020-03-17 15:29:30.495  INFO 1 --- [nio-8081-exec-1] o.s.web.servlet.DispatcherServlet        : Initializing Servlet 'dispatcherServlet'
2020-03-17 15:29:30.526  INFO 1 --- [nio-8081-exec-1] o.s.web.servlet.DispatcherServlet        : Completed initialization in 29 ms
2020-03-17 15:29:30.592 DEBUG 1 --- [nio-8081-exec-1] o.k.adapters.PreAuthActionsHandler       : adminRequest http://localhost:8081/api/sample2.json
2020-03-17 15:29:30.694 DEBUG 1 --- [nio-8081-exec-1] o.k.a.s.management.HttpSessionManager    : Session created: E9F1974D7E734867356A0366CC0AC52A
2020-03-17 15:29:30.705 DEBUG 1 --- [nio-8081-exec-1] k.a.s.a.KeycloakAuthenticationEntryPoint : Redirecting to login URI /sso/login
2020-03-17 15:29:30.731 DEBUG 1 --- [nio-8081-exec-3] o.k.adapters.PreAuthActionsHandler       : adminRequest http://localhost:8081/sso/login
2020-03-17 15:29:30.735 DEBUG 1 --- [nio-8081-exec-3] .k.a.t.AbstractAuthenticatedActionsValve : AuthenticatedActionsValve.invoke /sso/login
2020-03-17 15:29:30.737 DEBUG 1 --- [nio-8081-exec-3] o.k.a.AuthenticatedActionsHandler        : AuthenticatedActionsValve.invoke http://localhost:8081/sso/login
2020-03-17 15:29:30.739 DEBUG 1 --- [nio-8081-exec-3] o.k.a.AuthenticatedActionsHandler        : Policy enforcement is disabled.
2020-03-17 15:29:30.757 DEBUG 1 --- [nio-8081-exec-3] o.k.adapters.PreAuthActionsHandler       : adminRequest http://localhost:8081/sso/login
2020-03-17 15:29:30.764 DEBUG 1 --- [nio-8081-exec-3] f.KeycloakAuthenticationProcessingFilter : Request is to process authentication
2020-03-17 15:29:30.766 DEBUG 1 --- [nio-8081-exec-3] f.KeycloakAuthenticationProcessingFilter : Attempting Keycloak authentication
2020-03-17 15:29:30.795 DEBUG 1 --- [nio-8081-exec-3] o.k.a.s.token.SpringSecurityTokenStore   : Checking if org.keycloak.adapters.springsecurity.authentication.SpringSecurityRequestAuthenticator@1273c136 is cached
2020-03-17 15:29:30.800 DEBUG 1 --- [nio-8081-exec-3] o.k.adapters.OAuthRequestAuthenticator   : there was no code
2020-03-17 15:29:30.805 DEBUG 1 --- [nio-8081-exec-3] o.k.adapters.OAuthRequestAuthenticator   : redirecting to auth server
2020-03-17 15:29:30.809 DEBUG 1 --- [nio-8081-exec-3] o.k.adapters.OAuthRequestAuthenticator   : callback uri: http://localhost:8081/sso/login
2020-03-17 15:29:30.822 DEBUG 1 --- [nio-8081-exec-3] f.KeycloakAuthenticationProcessingFilter : Auth outcome: NOT_ATTEMPTED
2020-03-17 15:29:30.824 DEBUG 1 --- [nio-8081-exec-3] o.k.adapters.OAuthRequestAuthenticator   : Sending redirect to login page: https://keycloak.some.domain.com/auth/realms/SpringBootKeycloak/protocol/openid-connect/auth?response_type=code&client_id=login-app&redirect_uri=http%3A%2F%2Flocalhost%3A8081%2Fsso%2Flogin&state=412c7a6f-720f-4eea-b825-209c76d3a3db&login=true&scope=openid
2020-03-17 15:29:34.680 DEBUG 1 --- [nio-8081-exec-4] o.k.adapters.PreAuthActionsHandler       : adminRequest http://localhost:8081/sso/login?state=412c7a6f-720f-4eea-b825-209c76d3a3db&session_state=802e466d-7b1e-4180-8870-cdae07b2fbae&code=7d93b2cf-d72b-4e83-b219-19d48897c9b7.802e466d-7b1e-4180-8870-cdae07b2fbae.35bc9442-2e19-485a-afad-adc1e62b4c52
2020-03-17 15:29:34.687 DEBUG 1 --- [nio-8081-exec-4] .k.a.t.AbstractAuthenticatedActionsValve : AuthenticatedActionsValve.invoke /sso/login
2020-03-17 15:29:34.688 DEBUG 1 --- [nio-8081-exec-4] o.k.a.AuthenticatedActionsHandler        : AuthenticatedActionsValve.invoke http://localhost:8081/sso/login?state=412c7a6f-720f-4eea-b825-209c76d3a3db&session_state=802e466d-7b1e-4180-8870-cdae07b2fbae&code=7d93b2cf-d72b-4e83-b219-19d48897c9b7.802e466d-7b1e-4180-8870-cdae07b2fbae.35bc9442-2e19-485a-afad-adc1e62b4c52
2020-03-17 15:29:34.691 DEBUG 1 --- [nio-8081-exec-4] o.k.a.AuthenticatedActionsHandler        : Policy enforcement is disabled.
2020-03-17 15:29:34.694 DEBUG 1 --- [nio-8081-exec-4] o.k.adapters.PreAuthActionsHandler       : adminRequest http://localhost:8081/sso/login?state=412c7a6f-720f-4eea-b825-209c76d3a3db&session_state=802e466d-7b1e-4180-8870-cdae07b2fbae&code=7d93b2cf-d72b-4e83-b219-19d48897c9b7.802e466d-7b1e-4180-8870-cdae07b2fbae.35bc9442-2e19-485a-afad-adc1e62b4c52
2020-03-17 15:29:34.701 DEBUG 1 --- [nio-8081-exec-4] f.KeycloakAuthenticationProcessingFilter : Request is to process authentication
2020-03-17 15:29:34.703 DEBUG 1 --- [nio-8081-exec-4] f.KeycloakAuthenticationProcessingFilter : Attempting Keycloak authentication
2020-03-17 15:29:34.711 DEBUG 1 --- [nio-8081-exec-4] o.k.a.s.token.SpringSecurityTokenStore   : Checking if org.keycloak.adapters.springsecurity.authentication.SpringSecurityRequestAuthenticator@4c5ab508 is cached
2020-03-17 15:29:34.712 DEBUG 1 --- [nio-8081-exec-4] o.k.adapters.OAuthRequestAuthenticator   : there was a code, resolving
2020-03-17 15:29:34.712 DEBUG 1 --- [nio-8081-exec-4] o.k.adapters.OAuthRequestAuthenticator   : checking state cookie for after code
2020-03-17 15:29:34.715 DEBUG 1 --- [nio-8081-exec-4] o.k.adapters.OAuthRequestAuthenticator   : ** reseting application state cookie
2020-03-17 15:29:35.365 ERROR 1 --- [nio-8081-exec-4] o.k.adapters.OAuthRequestAuthenticator   : failed to turn code into token

javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at sun.security.ssl.Alerts.getSSLException(Alerts.java:192) ~[na:1.8.0_65]
	at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1949) ~[na:1.8.0_65]
	at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302) ~[na:1.8.0_65]
	at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296) ~[na:1.8.0_65]
	at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1509) ~[na:1.8.0_65]
	at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216) ~[na:1.8.0_65]
	at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979) ~[na:1.8.0_65]
	at sun.security.ssl.Handshaker.process_record(Handshaker.java:914) ~[na:1.8.0_65]
	at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1062) ~[na:1.8.0_65]
	at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375) ~[na:1.8.0_65]
	at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403) ~[na:1.8.0_65]
	at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387) ~[na:1.8.0_65]
	at org.apache.http.conn.ssl.SSLSocketFactory.createLayeredSocket(SSLSocketFactory.java:570) ~[httpclient-4.5.8.jar!/:4.5.8]
	at org.keycloak.adapters.SniSSLSocketFactory.createLayeredSocket(SniSSLSocketFactory.java:114) ~[keycloak-adapter-core-4.8.3.Final.jar!/:4.8.3.Final]
	at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:554) ~[httpclient-4.5.8.jar!/:4.5.8]
	at org.keycloak.adapters.SniSSLSocketFactory.connectSocket(SniSSLSocketFactory.java:109) ~[keycloak-adapter-core-4.8.3.Final.jar!/:4.8.3.Final]
	at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:415) ~[httpclient-4.5.8.jar!/:4.5.8]
	at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:180) ~[httpclient-4.5.8.jar!/:4.5.8]
	at org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:144) ~[httpclient-4.5.8.jar!/:4.5.8]
	at org.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:134) ~[httpclient-4.5.8.jar!/:4.5.8]
	at org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:605) ~[httpclient-4.5.8.jar!/:4.5.8]
	at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:440) ~[httpclient-4.5.8.jar!/:4.5.8]
	at org.apache.http.impl.client.AbstractHttpClient.doExecute(AbstractHttpClient.java:835) ~[httpclient-4.5.8.jar!/:4.5.8]
	at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:83) ~[httpclient-4.5.8.jar!/:4.5.8]
	at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:108) ~[httpclient-4.5.8.jar!/:4.5.8]
	at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:56) ~[httpclient-4.5.8.jar!/:4.5.8]
	at org.keycloak.adapters.ServerRequest.invokeAccessCodeToToken(ServerRequest.java:111) ~[keycloak-adapter-core-4.8.3.Final.jar!/:4.8.3.Final]
	at org.keycloak.adapters.OAuthRequestAuthenticator.resolveCode(OAuthRequestAuthenticator.java:335) [keycloak-adapter-core-4.8.3.Final.jar!/:4.8.3.Final]
	at org.keycloak.adapters.OAuthRequestAuthenticator.authenticate(OAuthRequestAuthenticator.java:280) [keycloak-adapter-core-4.8.3.Final.jar!/:4.8.3.Final]
	at org.keycloak.adapters.RequestAuthenticator.authenticate(RequestAuthenticator.java:139) [keycloak-adapter-core-4.8.3.Final.jar!/:4.8.3.Final]
	at org.keycloak.adapters.springsecurity.filter.KeycloakAuthenticationProcessingFilter.attemptAuthentication(KeycloakAuthenticationProcessingFilter.java:149) [keycloak-spring-security-adapter-4.8.3.Final.jar!/:4.8.3.Final]
	at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:212) [spring-security-web-5.1.5.RELEASE.jar!/:5.1.5.RELEASE]
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) [spring-security-web-5.1.5.RELEASE.jar!/:5.1.5.RELEASE]
	at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:116) [spring-security-web-5.1.5.RELEASE.jar!/:5.1.5.RELEASE]
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) [spring-security-web-5.1.5.RELEASE.jar!/:5.1.5.RELEASE]
	at org.keycloak.adapters.springsecurity.filter.KeycloakPreAuthActionsFilter.doFilter(KeycloakPreAuthActionsFilter.java:86) [keycloak-spring-security-adapter-4.8.3.Final.jar!/:4.8.3.Final]
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) [spring-security-web-5.1.5.RELEASE.jar!/:5.1.5.RELEASE]
	at org.springframework.security.web.csrf.CsrfFilter.doFilterInternal(CsrfFilter.java:100) [spring-security-web-5.1.5.RELEASE.jar!/:5.1.5.RELEASE]
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) [spring-web-5.1.6.RELEASE.jar!/:5.1.6.RELEASE]
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) [spring-security-web-5.1.5.RELEASE.jar!/:5.1.5.RELEASE]
	at org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:74) [spring-security-web-5.1.5.RELEASE.jar!/:5.1.5.RELEASE]
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) [spring-web-5.1.6.RELEASE.jar!/:5.1.6.RELEASE]
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) [spring-security-web-5.1.5.RELEASE.jar!/:5.1.5.RELEASE]
	at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:105) [spring-security-web-5.1.5.RELEASE.jar!/:5.1.5.RELEASE]
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) [spring-security-web-5.1.5.RELEASE.jar!/:5.1.5.RELEASE]
	at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:56) [spring-security-web-5.1.5.RELEASE.jar!/:5.1.5.RELEASE]
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) [spring-web-5.1.6.RELEASE.jar!/:5.1.6.RELEASE]
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) [spring-security-web-5.1.5.RELEASE.jar!/:5.1.5.RELEASE]
	at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:215) [spring-security-web-5.1.5.RELEASE.jar!/:5.1.5.RELEASE]
	at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:178) [spring-security-web-5.1.5.RELEASE.jar!/:5.1.5.RELEASE]
	at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:357) [spring-web-5.1.6.RELEASE.jar!/:5.1.6.RELEASE]
	at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:270) [spring-web-5.1.6.RELEASE.jar!/:5.1.6.RELEASE]
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) [tomcat-embed-core-9.0.17.jar!/:9.0.17]
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) [tomcat-embed-core-9.0.17.jar!/:9.0.17]
	at org.springframework.web.filter.RequestContextFilter.doFilterInternal(RequestContextFilter.java:99) [spring-web-5.1.6.RELEASE.jar!/:5.1.6.RELEASE]
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) [spring-web-5.1.6.RELEASE.jar!/:5.1.6.RELEASE]
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) [tomcat-embed-core-9.0.17.jar!/:9.0.17]
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) [tomcat-embed-core-9.0.17.jar!/:9.0.17]
	at org.springframework.web.filter.FormContentFilter.doFilterInternal(FormContentFilter.java:92) [spring-web-5.1.6.RELEASE.jar!/:5.1.6.RELEASE]
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) [spring-web-5.1.6.RELEASE.jar!/:5.1.6.RELEASE]
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) [tomcat-embed-core-9.0.17.jar!/:9.0.17]
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) [tomcat-embed-core-9.0.17.jar!/:9.0.17]
	at org.springframework.web.filter.HiddenHttpMethodFilter.doFilterInternal(HiddenHttpMethodFilter.java:93) [spring-web-5.1.6.RELEASE.jar!/:5.1.6.RELEASE]
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) [spring-web-5.1.6.RELEASE.jar!/:5.1.6.RELEASE]
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) [tomcat-embed-core-9.0.17.jar!/:9.0.17]
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) [tomcat-embed-core-9.0.17.jar!/:9.0.17]
	at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:200) [spring-web-5.1.6.RELEASE.jar!/:5.1.6.RELEASE]
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) [spring-web-5.1.6.RELEASE.jar!/:5.1.6.RELEASE]
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) [tomcat-embed-core-9.0.17.jar!/:9.0.17]
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) [tomcat-embed-core-9.0.17.jar!/:9.0.17]
	at org.springframework.web.filter.CorsFilter.doFilterInternal(CorsFilter.java:96) [spring-web-5.1.6.RELEASE.jar!/:5.1.6.RELEASE]
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) [spring-web-5.1.6.RELEASE.jar!/:5.1.6.RELEASE]
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) [tomcat-embed-core-9.0.17.jar!/:9.0.17]
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) [tomcat-embed-core-9.0.17.jar!/:9.0.17]
	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:200) [tomcat-embed-core-9.0.17.jar!/:9.0.17]
	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96) [tomcat-embed-core-9.0.17.jar!/:9.0.17]
	at org.keycloak.adapters.tomcat.AbstractAuthenticatedActionsValve.invoke(AbstractAuthenticatedActionsValve.java:67) [spring-boot-container-bundle-4.8.3.Final.jar!/:4.8.3.Final]
	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:490) [tomcat-embed-core-9.0.17.jar!/:9.0.17]
	at org.keycloak.adapters.tomcat.AbstractKeycloakAuthenticatorValve.invoke(AbstractKeycloakAuthenticatorValve.java:181) [spring-boot-container-bundle-4.8.3.Final.jar!/:4.8.3.Final]
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:139) [tomcat-embed-core-9.0.17.jar!/:9.0.17]
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92) [tomcat-embed-core-9.0.17.jar!/:9.0.17]
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74) [tomcat-embed-core-9.0.17.jar!/:9.0.17]
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343) [tomcat-embed-core-9.0.17.jar!/:9.0.17]
	at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:408) [tomcat-embed-core-9.0.17.jar!/:9.0.17]
	at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66) [tomcat-embed-core-9.0.17.jar!/:9.0.17]
	at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:834) [tomcat-embed-core-9.0.17.jar!/:9.0.17]
	at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1415) [tomcat-embed-core-9.0.17.jar!/:9.0.17]
	at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49) [tomcat-embed-core-9.0.17.jar!/:9.0.17]
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [na:1.8.0_65]
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [na:1.8.0_65]
	at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) [tomcat-embed-core-9.0.17.jar!/:9.0.17]
	at java.lang.Thread.run(Thread.java:745) [na:1.8.0_65]
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387) ~[na:1.8.0_65]
	at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292) ~[na:1.8.0_65]
	at sun.security.validator.Validator.validate(Validator.java:260) ~[na:1.8.0_65]
	at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324) ~[na:1.8.0_65]
	at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229) ~[na:1.8.0_65]
	at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124) ~[na:1.8.0_65]
	at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1491) ~[na:1.8.0_65]
	... 87 common frames omitted
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:146) ~[na:1.8.0_65]
	at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:131) ~[na:1.8.0_65]
	at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280) ~[na:1.8.0_65]
	at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:382) ~[na:1.8.0_65]
	... 93 common frames omitted

2020-03-17 15:29:35.373 DEBUG 1 --- [nio-8081-exec-4] f.KeycloakAuthenticationProcessingFilter : Auth outcome: FAILED
2020-03-17 15:29:35.377 DEBUG 1 --- [nio-8081-exec-4] f.KeycloakAuthenticationProcessingFilter : Authentication request failed: org.keycloak.adapters.springsecurity.KeycloakAuthenticationException: Invalid authorization header, see WWW-Authenticate header for details

org.keycloak.adapters.springsecurity.KeycloakAuthenticationException: Invalid authorization header, see WWW-Authenticate header for details
	at org.keycloak.adapters.springsecurity.filter.KeycloakAuthenticationProcessingFilter.attemptAuthentication(KeycloakAuthenticationProcessingFilter.java:157) ~[keycloak-spring-security-adapter-4.8.3.Final.jar!/:4.8.3.Final]
	at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:212) ~[spring-security-web-5.1.5.RELEASE.jar!/:5.1.5.RELEASE]

在上一个错误跟踪中,我能够看到有关SSL握手错误以及其他错误消息的信息:

无效的授权标头,有关详细信息,请参见WWW-Authenticate标头

但是...为什么在没有Docker容器的情况下直接运行Java应用程序时不出现此错误?

我找到了一些参考,但对我的问题没有帮助:

  1. Keycloak secure app in container
  2. Docker (Spring Boot or Thorntail) and Keycloak
  3. Spring Boot Application using Keycloak, single sign on doesn't work behind an Apache Web Server

这是我的用于keycloak的Spring启动配置类,它是代码的一部分,可以在docker容器外部完美运行,但不能在docker容器内部正常运行:

@KeycloakConfiguration
class SecurityConfig extends KeycloakWebSecurityConfigurerAdapter {

@Autowired
public void configureGlobal(AuthenticationManagerBuilder auth) {
    KeycloakAuthenticationProvider keycloakAuthenticationProvider = keycloakAuthenticationProvider();
    keycloakAuthenticationProvider.setGrantedAuthoritiesMapper(new SimpleAuthorityMapper());
    auth.authenticationProvider(keycloakAuthenticationProvider);
}

@Bean
@Override
protected SessionAuthenticationStrategy sessionAuthenticationStrategy() {
    return new RegisterSessionAuthenticationStrategy(new SessionRegistryImpl());
}

@Bean
@Primary
public KeycloakSpringBootConfigResolver KeycloakConfigResolver() {
    return new KeycloakSpringBootConfigResolver();
}

@Override
protected void configure(HttpSecurity http) throws Exception {
    super.configure(http);
    http.cors().and().csrf().disable();
    http.authorizeRequests()
    .antMatchers("/api/sample*").hasRole("user")
    .antMatchers("/ui/second*").hasRole("user")
    .and()
    .logout()
    .logoutUrl("/logout")
    .logoutSuccessUrl("/")
    .permitAll();
}
}

而且,这是密钥斗篷的配置:

enter image description here

而且,这是我的Dockerfile被检测到不良行为:

FROM openjdk:8
COPY app.jar /deploy/app.jar
WORKDIR /deploy
CMD java -jar app.jar

它是通过以下方式构建的:

docker build . -t example

它是这样执行的:

docker run -d -p 8081:8081 example

您可以看到,在最后一种方式下,安全性无法正常工作。

现在,我不得不说,它可以很好地发挥作用:

java -jar app.jar

所以,(对于jboss或RedHat或任何有足够智慧的人),我的明显问题是,如何在容器化的Springboot应用程序中使它运行Keycloak Server?

1 个答案:

答案 0 :(得分:0)

最后,经过数周的测试,我找到了答案:不好的docker映像是通过使用jdk 1.8.0_65-b17完成的,对我有用的是1.8.0_232-b09:

enter image description here

因此,一旦我使用此新映像测试了keycloak服务器,一切都会按预期进行。

也许这有一天可以帮助遇到相同或类似问题的人。

相关问题
最新问题