Keycloak WildFly authentication method



I created a WildFly container (WildFly 25.0.1 and Keycloak 15.0.2) with Keycloak as a subsystem. I also have a running Keycloak container. Trying to deploy a simple Jakarta application with the following web.xml (built as a WAR with Maven and uploaded to WildFly) results in the following error:

{"WFLYCTL0080: Failed services" => {"jboss.deployment.unit."demo1-1.0- 
SNAPSHOT.war".undertow-deployment" => "java.lang.RuntimeException: 
java.lang.IllegalStateException: The required mechanism 'KEYCLOAK' is not available 
in mechanisms [BASIC, CLIENT_CERT, DIGEST, FORM] from the HttpAuthenticationFactory.
Caused by: java.lang.RuntimeException: java.lang.IllegalStateException: The 
required mechanism 'KEYCLOAK' is not available in mechanisms [BASIC, CLIENT_CERT, 
DIGEST, FORM] from the HttpAuthenticationFactory.
Caused by: java.lang.IllegalStateException: The required mechanism 'KEYCLOAK' is 
not available in mechanisms [BASIC, CLIENT_CERT, DIGEST, FORM] from the 
HttpAuthenticationFactory."}}

My web.xml under WEB-INF:

<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
         version="3.0">
    <module-name>demo</module-name>
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Application</web-resource-name>
            <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>user</role-name>
        </auth-constraint>
    </security-constraint>
    <login-config>
        <auth-method>KEYCLOAK</auth-method>
        <realm-name>my-auth</realm-name>
    </login-config>
    <security-role>
        <role-name>user</role-name>
    </security-role>
</web-app>

My WildFly Dockerfile:

FROM jboss/wildfly:25.0.0.Final
ENV KEYCLOAK_VERSION 15.0.2
ENV WILDFLY_HOME /opt/jboss/wildfly
# Download and unpack the Keycloak OIDC WildFly adapter, run the offline
# Elytron installer, create an admin user, and remove the configuration
# history directory to avoid error messages at startup
RUN cd $WILDFLY_HOME \
 && curl -LO https://github.com/keycloak/keycloak/releases/download/${KEYCLOAK_VERSION}/keycloak-oidc-wildfly-adapter-${KEYCLOAK_VERSION}.tar.gz \
 && tar -xzvf keycloak-oidc-wildfly-adapter-${KEYCLOAK_VERSION}.tar.gz \
 && rm keycloak-oidc-wildfly-adapter-${KEYCLOAK_VERSION}.tar.gz \
 && bin/jboss-cli.sh --file=bin/adapter-elytron-install-offline.cli \
 && bin/add-user.sh admin admin1234 --silent \
 && rm -r standalone/configuration/standalone_xml_history/current/
CMD ["/opt/jboss/wildfly/bin/standalone.sh", "-b", "0.0.0.0", "-bmanagement", "0.0.0.0"]
EXPOSE 8285
EXPOSE 9992

Opening WildFly in the browser -> Configuration -> Subsystems shows that Keycloak is there. I can see that the following is already set in the standalone.xml file of the WildFly container:

<http-authentication-factory name="keycloak-http-authentication" security-domain="KeycloakDomain" http-server-mechanism-factory="keycloak-http-server-mechanism-factory">
    <mechanism-configuration>
        <mechanism mechanism-name="KEYCLOAK">
            <mechanism-realm realm-name="KeycloakOIDCRealm" realm-mapper="keycloak-oidc-realm-mapper"/>
        </mechanism>
    </mechanism-configuration>
</http-authentication-factory>

The application also has a keycloak.json in WEB-INF. Any idea how to solve this?

Keycloak has deprecated the WildFly adapter in favour of the built-in Elytron OIDC authenticator. https://www.keycloak.org/2021/12/keycloak-1510-released

You can check whether that meets your requirements, or use WildFly 24 for now.

See https://wildfly-security.github.io/wildfly-elytron/blog/securing-wildfly-apps-openid-connect/ for more information on using Elytron's built-in authentication.

Do not install the adapter into WildFly 25 or WildFly 26. Configure it the wildfly:elytron-oidc-client:1.0 way. My problem is the same, but when I configured it I got a 403 status code error. If I change to WildFly 23, everything works.

Here is how I solved this problem. WildFly: 23. Adapter: keycloak-wildfly-adapter-dist-21.1.1.zip. Web application: https://github.com/keycloak/keycloak-quickstarts/tree/latest/app-profile-jee-vanilla

I deployed the plugin as recommended at https://www.keycloak.org/docs/latest/securing_apps/index.html#_jboss_adapter using the following commands:

$ cd $WILDFLY_HOME
$ unzip keycloak-wildfly-adapter-dist-21.1.1.zip
$ ./bin/jboss-cli.sh --file=bin/adapter-elytron-install-offline.cli

I used the offline installer above; the other installers did not work.

Then put this section in standalone.xml:

<subsystem xmlns="urn:jboss:domain:keycloak:1.2">
    <secure-deployment name="vanilla.war">
        <realm>mydevrealm</realm>
        <resource>myclient</resource>
        <use-resource-role-mappings>true</use-resource-role-mappings>
        <auth-server-url>http://192.168.1.4:8180/</auth-server-url>
        <ssl-required>EXTERNAL</ssl-required>
        <verify-token-audience>true</verify-token-audience>
        <credential name="secret">HYjSBguWHQ3lAf2DXB7fel2QWeQ2Epm8</credential>
    </secure-deployment>
</subsystem>

It is worth noting that everywhere on the internet the namespace is referred to as urn:jboss:domain:keycloak:1.1, but the adapter created urn:jboss:domain:keycloak:1.2, so the configuration was placed under urn:jboss:domain:keycloak:1.2.

After that, when trying to deploy the web application with

mvn clean wildfly:deploy

I got an error like this:

INFO: ELY00001: WildFly Elytron version 1.1.7.Final
[INFO] ------------------------------------------------------------------------
[INFO] BUILD FAILURE
[INFO] ------------------------------------------------------------------------
[INFO] Total time:  10.073 s
[INFO] Finished at: 2023-05-25T18:51:12-04:00
[INFO] ------------------------------------------------------------------------
[ERROR] Failed to execute goal org.wildfly.plugins:wildfly-maven-plugin:1.2.2.Final:deploy (default-cli) on project keycloak-app-profile-jee-vanilla: Failed to execute goal deploy: {"WFLYCTL0062: Composite operation failed and was rolled back. Steps that failed:" => {"Operation step-1" => {"WFLYCTL0080: Failed services" => {"jboss.deployment.unit."vanilla.war".undertow-deployment" => "java.lang.RuntimeException: java.lang.IllegalStateException: The required mechanism 'KEYCLOAK' is not available in mechanisms [BASIC, CLIENT_CERT, DIGEST, FORM] from the HttpAuthenticationFactory.
[ERROR]     Caused by: java.lang.RuntimeException: java.lang.IllegalStateException: The required mechanism 'KEYCLOAK' is not available in mechanisms [BASIC, CLIENT_CERT, DIGEST, FORM] from the HttpAuthenticationFactory.
[ERROR]     Caused by: java.lang.IllegalStateException: The required mechanism 'KEYCLOAK' is not available in mechanisms [BASIC, CLIENT_CERT, DIGEST, FORM] from the HttpAuthenticationFactory."}}}}

So what fixed this error?

  1. Added two extra application security domains in standalone.xml, as follows.

First entry, in the section <subsystem xmlns="urn:jboss:domain:ejb3:9.0">:

<application-security-domains>
    <application-security-domain name="other" security-domain="ApplicationDomain"/>
    <!-- Additional entry below -->
    <application-security-domain name="keycloak" security-domain="KeycloakDomain"/>
</application-security-domains>

Second entry, in the section <subsystem xmlns="urn:jboss:domain:undertow:12.0">:

<application-security-domains>
    <application-security-domain name="other" security-domain="ApplicationDomain"/>
    <!-- Additional entry below -->
    <application-security-domain name="keycloak" http-authentication-factory="keycloak-http-authentication"/>
</application-security-domains>

  2. Created a new file in the application's WEB-INF folder: src/main/webapp/WEB-INF/jboss-web.xml

<!-- Define a security domain for the webapp -->
<jboss-web>
    <security-domain>keycloak</security-domain>
</jboss-web>

Then deployed the application again, and it runs fine.

[dev@localhost app-profile-jee-vanilla]$ mvn clean wildfly:deploy

The application deploys fine and /vanilla/ can be accessed; it redirects to Keycloak, and after authentication it returns to the page in the /vanilla context, showing the principal's ID.
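The fix above works because of a lookup chain that the error message never spells out: the web.xml `<auth-method>` is only satisfiable if the deployment's security domain (from jboss-web.xml, or `other` when that file is absent) resolves, through the undertow `<application-security-domain>` entry, to an Elytron `<http-authentication-factory>` that actually lists that mechanism. The following script is an added example, not code from the thread or from WildFly itself: it walks that chain over a constructed standalone.xml fragment (subsystem namespace versions are made up to match the answer) and reports which mechanisms a deployment ends up with. `check_auth_method` and `mechanisms_for_domain` are hypothetical helper names, and `DEFAULT_MECHANISMS` is assumed from the list quoted in the error, not read from a real server.

```python
"""Trace the chain that decides whether a web.xml <auth-method> can be
satisfied on WildFly (Elytron):

  web.xml <auth-method>
    -> jboss-web.xml <security-domain>         ("other" when the file is absent)
    -> undertow <application-security-domain>  (matched by name)
    -> elytron <http-authentication-factory>   (matched by name)
    -> <mechanism mechanism-name="...">        (the mechanisms actually offered)

Added example, not code from the thread; the sample standalone.xml below is
constructed (namespace versions included) to mirror the answer above.
"""
import xml.etree.ElementTree as ET

# Mechanisms seen when a domain is bound only via security-domain (no
# http-authentication-factory). Assumed from the question's error message.
DEFAULT_MECHANISMS = ["BASIC", "CLIENT_CERT", "DIGEST", "FORM"]


def _local(tag):
    """Drop the {namespace} prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]


def _find_all(root, name):
    return [e for e in root.iter() if _local(e.tag) == name]


def mechanisms_for_domain(standalone_xml, domain_name):
    """Mechanism names an application security domain offers, or None if
    no subsystem declares a domain with that name."""
    root = ET.fromstring(standalone_xml)
    domains = [d for d in _find_all(root, "application-security-domain")
               if d.get("name") == domain_name]
    if not domains:
        return None
    # Only the undertow entry may reference a factory; the ejb3 entry of the
    # same name carries just a security-domain attribute.
    factory_names = [d.get("http-authentication-factory") for d in domains
                     if d.get("http-authentication-factory")]
    if not factory_names:
        return list(DEFAULT_MECHANISMS)
    for factory in _find_all(root, "http-authentication-factory"):
        if factory.get("name") == factory_names[0]:
            return [m.get("mechanism-name") for m in _find_all(factory, "mechanism")]
    return []  # factory referenced but never defined: nothing is offered


def check_auth_method(standalone_xml, web_xml, jboss_web_xml=None):
    """Resolve the deployment's auth-method against what the server offers."""
    auth_method = _find_all(ET.fromstring(web_xml), "auth-method")[0].text.strip()
    domain = "other"  # WildFly's default application security domain
    if jboss_web_xml:
        sd = _find_all(ET.fromstring(jboss_web_xml), "security-domain")
        if sd and sd[0].text:
            domain = sd[0].text.strip()
    available = mechanisms_for_domain(standalone_xml, domain)
    return {"auth_method": auth_method, "security_domain": domain,
            "available": available,
            "ok": available is not None and auth_method in available}


# Constructed standalone.xml fragment: both domains declared, as in the answer.
STANDALONE_XML = """<server xmlns="urn:jboss:domain:20.0"><profile>
<subsystem xmlns="urn:jboss:domain:ejb3:9.0"><application-security-domains>
  <application-security-domain name="other" security-domain="ApplicationDomain"/>
  <application-security-domain name="keycloak" security-domain="KeycloakDomain"/>
</application-security-domains></subsystem>
<subsystem xmlns="urn:wildfly:elytron:15.0"><http>
  <http-authentication-factory name="keycloak-http-authentication" security-domain="KeycloakDomain"
      http-server-mechanism-factory="keycloak-http-server-mechanism-factory">
    <mechanism-configuration><mechanism mechanism-name="KEYCLOAK">
      <mechanism-realm realm-name="KeycloakOIDCRealm" realm-mapper="keycloak-oidc-realm-mapper"/>
    </mechanism></mechanism-configuration>
  </http-authentication-factory>
</http></subsystem>
<subsystem xmlns="urn:jboss:domain:undertow:12.0"><application-security-domains>
  <application-security-domain name="other" security-domain="ApplicationDomain"/>
  <application-security-domain name="keycloak" http-authentication-factory="keycloak-http-authentication"/>
</application-security-domains></subsystem>
</profile></server>"""

# Constructed deployment descriptors, trimmed to the relevant elements.
WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <login-config><auth-method>KEYCLOAK</auth-method><realm-name>my-auth</realm-name></login-config>
</web-app>"""
JBOSS_WEB_XML = "<jboss-web><security-domain>keycloak</security-domain></jboss-web>"

if __name__ == "__main__":
    # Without jboss-web.xml the WAR lands in "other" and KEYCLOAK is missing.
    print(check_auth_method(STANDALONE_XML, WEB_XML))
    # With jboss-web.xml pointing at "keycloak" the mechanism is available.
    print(check_auth_method(STANDALONE_XML, WEB_XML, JBOSS_WEB_XML))
```

The first call reproduces the thread's failure (domain `other`, only the default mechanisms, `ok` False); the second resolves to the `keycloak` domain and the `KEYCLOAK` mechanism. Running it against a real standalone.xml is a quick way to confirm the wiring before redeploying.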
