KeyCloak - Spring Boot only works for GET requests

I have a very strange problem - I was trying to enable KeyCloak following a tutorial, and I see that it only works for the GET method. My configuration is very simple:

    protected void configure(HttpSecurity http) throws Exception {
        http.csrf().disable().authorizeRequests()
            .anyRequest().hasRole("admin");
        super.configure(http);
    }

I added some debug logging to the authentication provider:

    @Override
    protected void configure(AuthenticationManagerBuilder auth) {
        KeycloakAuthenticationProvider keycloakAuthenticationProvider = new KeycloakAuthenticationProvider() {
            @Override
            public Authentication authenticate(Authentication authentication) throws AuthenticationException {
                log.debug("Auth successes.");
                final KeycloakAuthenticationToken token = (KeycloakAuthenticationToken) authentication;
                log.debug("User id:" + token.getAccount().getPrincipal().getName());
                log.debug("User roles:" + String.join(",", token.getAccount().getRoles()));
                return super.authenticate(authentication);
            }
        };
        keycloakAuthenticationProvider.setGrantedAuthoritiesMapper(new SimpleAuthorityMapper());
        auth.authenticationProvider(keycloakAuthenticationProvider);
    }

Here is the problem: when I send a GET request to http://localhost:8080/admin/test everything is fine:

DEBUG 2021-08-18 15:26:55,704 [http-nio-8080-exec-3][][] c.j.b.i.c.SecurityConfiguration 'Auth successes.'
DEBUG 2021-08-18 15:26:55,704 [http-nio-8080-exec-3][][] c.j.b.i.c.SecurityConfiguration 'User id:e53fa4a8-e7c3-46a0-9685-175fede5098e'
DEBUG 2021-08-18 15:26:55,704 [http-nio-8080-exec-3][][] c.j.b.i.c.SecurityConfiguration 'User roles:default-roles-springbootkeycloak,offline_access,admin,uma_authorization'
WARN  2021-08-18 15:26:56,093 [http-nio-8080-exec-3][][] o.a.c.util.SessionIdGeneratorBase 'Creation of SecureRandom instance for session ID generation using [SHA1PRNG] took [384] milliseconds.'
DEBUG 2021-08-18 15:26:56,102 [http-nio-8080-exec-3][50168e1c-0481-416e-a202-a24fafab58c7][] c.j.b.i.c.SecurityConfiguration 'Auth successes.'
DEBUG 2021-08-18 15:26:56,103 [http-nio-8080-exec-3][50168e1c-0481-416e-a202-a24fafab58c7][] c.j.b.i.c.SecurityConfiguration 'User id:e53fa4a8-e7c3-46a0-9685-175fede5098e'
DEBUG 2021-08-18 15:26:56,103 [http-nio-8080-exec-3][50168e1c-0481-416e-a202-a24fafab58c7][] c.j.b.i.c.SecurityConfiguration 'User roles:default-roles-springbootkeycloak,offline_access,admin,

I get the correct response without any problem, but when I make exactly the same request with POST/DELETE/PUT, I also get logs showing that, in theory, the roles are fine:

DEBUG 2021-08-18 15:28:45,876 [http-nio-8080-exec-4][][] c.j.b.i.c.SecurityConfiguration 'Auth successes.'
DEBUG 2021-08-18 15:28:45,876 [http-nio-8080-exec-4][][] c.j.b.i.c.SecurityConfiguration 'User id:e53fa4a8-e7c3-46a0-9685-175fede5098e'
DEBUG 2021-08-18 15:28:45,877 [http-nio-8080-exec-4][][] c.j.b.i.c.SecurityConfiguration 'User roles:default-roles-springbootkeycloak,offline_access,admin,uma_authorization'

But in the response I get:

    {
        "timestamp": 1629293325879,
        "status": 403,
        "error": "Forbidden",
        "message": "Forbidden",
        "path": "/admin/test"
    }

I think the problem is CSRF. After disabling CSRF, super.configure(http) is called. But in the super call (if you use KeycloakWebSecurityConfigurerAdapter) CSRF is enabled again:

    http
        .csrf().requireCsrfProtectionMatcher(keycloakCsrfRequestMatcher())
        ...

keycloakCsrfRequestMatcher blocks all POST and DELETE methods by default. In fact it only allows the following methods:

    ^(GET|HEAD|TRACE|OPTIONS)$

See https://github.com/keycloak/keycloak/blob/master/adapters/oidc/spring-security/src/main/java/org/keycloak/adapters/springsecurity/filter/KeycloakCsrfRequestMatcher.java

So the quick solution is to move the super call to the beginning, so that your CSRF setting is applied after the adapter's own:

    protected void configure(HttpSecurity http) throws Exception {
        super.configure(http);
        http.csrf().disable().authorizeRequests()
            .anyRequest().hasRole("admin");
    }
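For reference, here is a complete adapter class that applies the ordering fix from the answer above. It is an added example, not the asker's or answerer's code, and it assumes the keycloak-spring-security-adapter is on the classpath, a Keycloak client role named "admin", and the usual Keycloak Spring Boot properties from the tutorial. Instead of disabling CSRF globally as the answer does, this example exempts only the /admin/** path, which is a choice made here and not part of the original answer.

```java
// Added example, not code from the question or answer.
// Shows the corrected call order: super.configure(http) first, so the
// CSRF matcher the adapter installs (allowing only GET/HEAD/TRACE/OPTIONS
// without a token) is adjusted afterwards rather than re-enabled.
import org.keycloak.adapters.springsecurity.KeycloakConfiguration;
import org.keycloak.adapters.springsecurity.authentication.KeycloakAuthenticationProvider;
import org.keycloak.adapters.springsecurity.config.KeycloakWebSecurityConfigurerAdapter;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.core.authority.mapping.SimpleAuthorityMapper;
import org.springframework.security.core.session.SessionRegistryImpl;
import org.springframework.security.web.authentication.session.RegisterSessionAuthenticationStrategy;
import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy;

@KeycloakConfiguration
public class SecurityConfiguration extends KeycloakWebSecurityConfigurerAdapter {

    @Override
    protected void configure(AuthenticationManagerBuilder auth) {
        KeycloakAuthenticationProvider provider = keycloakAuthenticationProvider();
        // Prefix Keycloak roles with ROLE_ so hasRole("admin") matches.
        provider.setGrantedAuthoritiesMapper(new SimpleAuthorityMapper());
        auth.authenticationProvider(provider);
    }

    @Override
    protected SessionAuthenticationStrategy sessionAuthenticationStrategy() {
        return new RegisterSessionAuthenticationStrategy(new SessionRegistryImpl());
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // 1. Register the Keycloak filters and the adapter's CSRF matcher.
        super.configure(http);
        // 2. Adjust CSRF after the adapter has configured it. "/admin/**" is
        //    an assumed bearer-token API path; exempting only that path keeps
        //    CSRF protection for any cookie-authenticated pages the same
        //    application may serve (the answer disables CSRF globally instead).
        http.csrf().ignoringAntMatchers("/admin/**")
            .and()
            .authorizeRequests()
                .anyRequest().hasRole("admin");
    }
}
```

With this ordering, a POST, PUT or DELETE to /admin/test carrying a valid bearer token with the admin role is no longer rejected with 403 by the CSRF filter.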
