2016-10-10 104 views
1

我有我希望通過keycloak保護的java REST應用程序。我做了一些測試,應用程序適用於keycloak servlet過濾器,但我在彈簧安全適配器方面遇到了問題。彈簧安全keycloak適配器承載配置

keycloak.json(值刪除)

{ 
    "realm": "", 
    "realm-public-key": "", 
    "bearer-only": true, 
    "auth-server-url": "", 
    "ssl-required": "external", 
    "resource": "" 
} 

中可見我只需要承載的授權,如果請求包含有效的標記,然後我希望HTTP 200如果不是http 401.我用這個xml配置:

<security:global-method-security jsr250-annotations="enabled"/> 

    <security:authentication-manager alias="authenticationManager"> 
     <security:authentication-provider ref="keycloakAuthenticationProvider"/> 
    </security:authentication-manager> 


    <bean id="keycloakAuthenticationEntryPoint" 
       class="org.keycloak.adapters.springsecurity.authentication.KeycloakAuthenticationEntryPoint"> 
      </bean> 
    <bean id="keycloakAuthenticationProvider" 
       class="org.keycloak.adapters.springsecurity.authentication.KeycloakAuthenticationProvider"> 
     <property name="grantedAuthoritiesMapper"> 
      <bean class="org.springframework.security.core.authority.mapping.SimpleAuthorityMapper"> 
       <property name="convertToUpperCase" value="true"/> 
       <property name="prefix" value="ROLE_"/> 
      </bean> 

     </property> 
    </bean> 

    <bean id="keycloakPreAuthActionsFilter" 
       class="org.keycloak.adapters.springsecurity.filter.KeycloakPreAuthActionsFilter"/> 
    <bean id="keycloakAuthenticationProcessingFilter" 
       class="org.keycloak.adapters.springsecurity.filter.KeycloakAuthenticationProcessingFilter"> 
     <constructor-arg name="authenticationManager" ref="authenticationManager"/> 
    </bean> 

    <bean id="adapterDeploymentContext" class="org.keycloak.adapters.springsecurity.AdapterDeploymentContextFactoryBean"> 
     <constructor-arg value="/WEB-INF/keycloak.json" /> 
    </bean> 


    <security:http auto-config="false" entry-point-ref="keycloakAuthenticationEntryPoint" create-session="stateless"> 
     <security:custom-filter ref="keycloakPreAuthActionsFilter" before="LOGOUT_FILTER" /> 
     <security:custom-filter ref="keycloakAuthenticationProcessingFilter" before="FORM_LOGIN_FILTER"/> 


     <security:intercept-url pattern="*" access="permitAll()" /> 
     <security:intercept-url pattern="/services/protected/*" access="isFullyAuthenticated()" /> 
     <security:csrf disabled="true"/> 
    </security:http> 

究竟發生了什麼?請求被認證,但成功後,我被重定向到「/」。然後我一次又一次地得到認證。 日誌:

11:18:36,492 DEBUG [org.springframework.security.web.FilterChainProxy] (http-0.0.0.0:8080-4) /services/protected/getAttributes at position 1 of 9 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter' 
11:18:36,508 DEBUG [org.springframework.security.web.FilterChainProxy] (http-0.0.0.0:8080-4) /services/protected/getAttributes at position 2 of 9 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter' 
11:18:36,508 DEBUG [org.springframework.security.web.FilterChainProxy] (http-0.0.0.0:8080-4) /services/protected/getAttributes at position 3 of 9 in additional filter chain; firing Filter: 'HeaderWriterFilter' 
11:18:36,508 DEBUG [org.springframework.security.web.FilterChainProxy] (http-0.0.0.0:8080-4) /services/protected/getAttributes at position 4 of 9 in additional filter chain; firing Filter: 'KeycloakPreAuthActionsFilter' 
11:18:36,508 DEBUG [org.keycloak.adapters.PreAuthActionsHandler] (http-0.0.0.0:8080-4) adminRequest http://test.srv:8080/core2/services/protected/getAttributes 
11:18:36,508 DEBUG [org.springframework.security.web.FilterChainProxy] (http-0.0.0.0:8080-4) /services/protected/getAttributes at position 5 of 9 in additional filter chain; firing Filter: 'KeycloakAuthenticationProcessingFilter' 
11:18:36,508 DEBUG [org.springframework.security.web.util.matcher.OrRequestMatcher] (http-0.0.0.0:8080-4) Trying to match using Ant [pattern='/sso/login'] 
11:18:36,508 DEBUG [org.springframework.security.web.util.matcher.AntPathRequestMatcher] (http-0.0.0.0:8080-4) Checking match of request : '/services/protected/getAttributes'; against '/sso/login' 
11:18:36,508 DEBUG [org.springframework.security.web.util.matcher.OrRequestMatcher] (http-0.0.0.0:8080-4) Trying to match using RequestHeaderRequestMatcher [expectedHeaderName=Authorization, expectedHeaderValue=null] 
11:18:36,508 DEBUG [org.springframework.security.web.util.matcher.OrRequestMatcher] (http-0.0.0`enter code here`.0:8080-4) matched 
11:18:36,508 DEBUG [org.keycloak.adapters.springsecurity.filter.KeycloakAuthenticationProcessingFilter] (http-0.0.0.0:8080-4) Request is to process authentication 
11:18:36,508 DEBUG [org.keycloak.adapters.springsecurity.filter.KeycloakAuthenticationProcessingFilter] (http-0.0.0.0:8080-4) Attempting Keycloak authentication 
11:18:36,555 DEBUG [org.keycloak.adapters.springsecurity.authentication.SpringSecurityRequestAuthenticator] (http-0.0.0.0:8080-4) Completing bearer authentication. Bearer roles: [uma_authorization] 
11:18:36,555 DEBUG [org.keycloak.adapters.RequestAuthenticator] (http-0.0.0.0:8080-4) User 'e9ae6919-c0f3-4dcb-96f6-82e3373932e9' invoking 'http://test.srv:8080/core2/services/protected/getAttributes' on client 'mak_test' 
11:18:36,555 DEBUG [org.keycloak.adapters.RequestAuthenticator] (http-0.0.0.0:8080-4) Bearer AUTHENTICATED 
11:18:36,555 DEBUG [org.keycloak.adapters.springsecurity.filter.KeycloakAuthenticationProcessingFilter] (http-0.0.0.0:8080-4) Auth outcome: AUTHENTICATED 
11:18:36,555 DEBUG [org.springframework.security.authentication.ProviderManager] (http-0.0.0.0:8080-4) Authentication attempt using org.keycloak.adapters.springsecurity.authentication.KeycloakAuthenticationProvider 
11:18:36,555 DEBUG [org.keycloak.adapters.springsecurity.filter.KeycloakAuthenticationProcessingFilter] (http-0.0.0.0:8080-4) Authentication success. Updating SecurityContextHolder to contain: org.key[email protected]65776c48: Principal: e9ae6919-c0f3-4dcb-96f6-82e3373932e9; Credentials: [PROTECTED]; Authenticated: true; Details: org[email protected]44667d3a; Granted Authorities: ROLE_UMA_AUTHORIZATION 
11:18:36,555 DEBUG [org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler] (http-0.0.0.0:8080-4) Using default Url:/
11:18:36,555 DEBUG [org.springframework.security.web.DefaultRedirectStrategy] (http-0.0.0.0:8080-4) Redirecting to '/core2/' 
11:18:36,555 DEBUG [org.springframework.security.web.header.writers.HstsHeaderWriter] (http-0.0.0.0:8080-4) Not injecting HSTS header since it did not match the requestMatcher org.springframework.se[email protected]159e9b90 
11:18:36,555 DEBUG [org.springframework.security.web.context.SecurityContextPersistenceFilter] (http-0.0.0.0:8080-4) SecurityContextHolder now cleared, as request processing completed 
11:18:36,570 DEBUG [org.springframework.security.web.FilterChainProxy] (http-0.0.0.0:8080-4)/at position 1 of 9 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter' 

我被Junit的

@Test 
    public void protectedTest() throws IOException { 
     String token = getToken(); 
     long time1 = System.currentTimeMillis(); 
     String url = server + "/services/protected/getAttributes"; 
     URL obj = new URL(url); 
     HttpURLConnection con = (HttpURLConnection) obj.openConnection(); 
     con.setRequestMethod("GET"); 
     con.setRequestProperty("Authorization", token); 
     Assert.assertEquals(200, con.getResponseCode()); 
     System.out.print(String.format("Authorized time: %s ms ", (System.currentTimeMillis() - time1))); 
    } 

端點代碼測試這個endpoit:

@RestController 
public class ProtectedService { 

    @RequestMapping(value = "/services/protected/getAttributes", 
      method = RequestMethod.GET, 
      produces = {MediaType.APPLICATION_XML_VALUE, MediaType.APPLICATION_JSON_VALUE}) 
    @ResponseBody 
    @RolesAllowed("ROLE_UMA_AUTHORIZATION") 
    public GetCustAttrsRes getAttributes() { 
     return new GetCustAttrsRes(); 
    } 
} 

Keycloak服務器版本:2.1.0.Final

Keycloak相關pom部分:

<dependency> 
      <groupId>org.keycloak</groupId> 
      <artifactId>keycloak-spring-security-adapter</artifactId> 
      <version>2.2.1.Final</version> 
     </dependency> 
    <dependency> 
      <groupId>org.springframework.security</groupId> 
      <artifactId>spring-security-web</artifactId> 
      <version>4.1.3.RELEASE</version> 
     </dependency> 
     <dependency> 
      <groupId>org.springframework.security</groupId> 
      <artifactId>spring-security-config</artifactId> 
      <version>4.1.3.RELEASE</version> 
     </dependency> 

     <dependency> 
      <groupId>org.springframework.security</groupId> 
      <artifactId>spring-security-core</artifactId> 
      <version>4.1.3.RELEASE</version> 
     </dependency> 

歡迎任何建議。

回答

0

問題已解決。我的測試代碼中有一個錯誤。方法getToken()返回「承載」。這在keycloak過濾器適配器中是可以接受的,但在彈簧安全適配器中則不然正確的方法是「持票人」,它適用於兩個適配器。