我尝试使用Javascript策略进行一些测试,但是默认策略($ evaluation.grant();)在我的Spring Boot API REST中不起作用。
我的配置spring boot配置:
keycloak.auth-server-url=http://localhost:8080/auth
keycloak.realm=myrealm
keycloak.resource=mywebservice
keycloak.ssl-required = external
keycloak.credentials.secret = mysecret
keycloak.use-resource-role-mappings = true
keycloak.bearer-only = true
春季启动时我的Keycloak安全配置
public class SpringKeycloakSecurityConfig {
@Configuration
@EnableWebSecurity
@ConditionalOnProperty(name = "keycloak.enabled", havingValue = "true", matchIfMissing = true)
@ComponentScan(basePackageClasses = KeycloakSecurityComponents.class)
public static class KeycloakConfigurationAdapter extends KeycloakWebSecurityConfigurerAdapter{
@Bean
@Override
protected SessionAuthenticationStrategy sessionAuthenticationStrategy() {
return new NullAuthenticatedSessionStrategy();
}
@Autowired
public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
KeycloakAuthenticationProvider keycloakAuthenticationProvider = keycloakAuthenticationProvider();
keycloakAuthenticationProvider.setGrantedAuthoritiesMapper(new SimpleAuthorityMapper());
auth.authenticationProvider(keycloakAuthenticationProvider);
}
@Bean
public KeycloakConfigResolver KeycloakConfigResolver(){
return new KeycloakSpringBootConfigResolver();
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.csrf().disable()
.sessionManagement()
.sessionAuthenticationStrategy(sessionAuthenticationStrategy())
.sessionCreationPolicy(SessionCreationPolicy.STATELESS)
.and()
.addFilterBefore(keycloakPreAuthActionsFilter(), LogoutFilter.class)
.addFilterBefore(keycloakAuthenticationProcessingFilter(), X509AuthenticationFilter.class)
.exceptionHandling().authenticationEntryPoint(authenticationEntryPoint())
.and()
.authorizeRequests().antMatchers(HttpMethod.OPTIONS).permitAll()
.anyRequest().authenticated();
}
}
}
和我的密钥斗篷配置:
{
"allowRemoteResourceManagement": true,
"policyEnforcementMode": "ENFORCING",
"resources": [
{
"name": "Default Resource",
"type": "urn:mywebservice:resources:default",
"ownerManagedAccess": false,
"attributes": {},
"_id": "70a6ee62-fa92-4f40-afff-6e196d89f426",
"uris": [
"/*"
]
}
],
"policies": [
{
"id": "73ff20e1-047f-4c96-a7a5-8b31270c4011",
"name": "Default Policy",
"description": "A policy that grants access only for users within this realm",
"type": "js",
"logic": "POSITIVE",
"decisionStrategy": "AFFIRMATIVE",
"config": {
"code": "// by default, grants any permission associated with this policy\n$evaluation.deny();\n"
}
},
{
"id": "9c2cf912-64ab-4526-ad3f-0ad277c775e6",
"name": "Default Permission",
"description": "A permission that applies to the default resource type",
"type": "resource",
"logic": "POSITIVE",
"decisionStrategy": "UNANIMOUS",
"config": {
"defaultResourceType": "urn:mywebservice:resources:default",
"applyPolicies": "[\"Default Policy\"]"
}
}
],
"scopes": [],
"decisionStrategy": "UNANIMOUS"
}
基本上,它设置为Grant(),但是为了测试配置,我将其设置为拒绝访问。
但是不起作用,我可以使用带有承载令牌的身份验证来访问所有资源。
我确定这是我所缺乏的理解。
感谢您的帮助。
答案 0 :(得分:1)
尝试在 spring boot 配置中设置 keycloak.policy-enforcer-config.enforcement-mode=ENFORCING。