小贝子编程

在Spring 6服务器中使用承载访问令牌



我使用Spring 6.0来创建一个可以通过浏览器或独立应用程序连接的应用程序。它使用Keycloak作为OAuth2授权服务器,而应用程序应该提供数据。

通过浏览器访问可以正常工作,但是独立应用程序从keycloak(设备授权授予或密码授予)获得访问令牌。当它将令牌传递给Spring应用程序时,调用被重定向到keycloak登录站点,而不是使用有效的令牌。

我的配置很简单:

@Configuration
public class OAuth2Config
{
/**
* The primary client authentication manager.
* 
* @param clientRegistrationRepository
* @param authorizedClientRepository
* @return The authorized client manager
*/
@Bean
public OAuth2AuthorizedClientManager clientManager( 
ClientRegistrationRepository clientRegistrationRepository, 
OAuth2AuthorizedClientRepository authorizedClientRepository )
{
// Use the default OAuth client manager - configurations can be made in
// the properties - and set the built provider.
//
DefaultOAuth2AuthorizedClientManager clientManager = new DefaultOAuth2AuthorizedClientManager(
clientRegistrationRepository, authorizedClientRepository );
return clientManager;
}
}

但我显然错过了什么。我还需要在请求中提供什么,或者调整我的参数,以便我的资源服务器将检查提供的令牌,而不是重定向回登录页面?

日志似乎表明它没有正确读取我的令牌——一切都是匿名的,这是不应该的。

2023-01-04T15:30:19.996-06:00 TRACE 9680 --- [nio-8081-exec-4] o.s.security.web.FilterChainProxy        : Trying to match request against DefaultSecurityFilterChain [RequestMatcher=any request, Filters=[org.springframework.security.web.session.DisableEncodeUrlFilter@6c6c93f8, org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter@38e88e13, org.springframework.security.web.context.SecurityContextHolderFilter@89178b4, org.springframework.security.web.header.HeaderWriterFilter@20ad64c, org.springframework.security.web.csrf.CsrfFilter@1512efe9, org.springframework.security.web.authentication.logout.LogoutFilter@7fa86ddd, org.springframework.security.oauth2.client.web.OAuth2AuthorizationRequestRedirectFilter@59509393, org.springframework.security.oauth2.client.web.OAuth2AuthorizationRequestRedirectFilter@7ec75228, org.springframework.security.oauth2.client.web.OAuth2LoginAuthenticationFilter@1d6dc2b8, org.springframework.security.web.authentication.ui.DefaultLoginPageGeneratingFilter@3314f179, org.springframework.security.web.authentication.ui.DefaultLogoutPageGeneratingFilter@3a720ae3, org.springframework.security.web.savedrequest.RequestCacheAwareFilter@64836643, org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter@42684d86, org.springframework.security.web.authentication.AnonymousAuthenticationFilter@1fe37d27, org.springframework.security.oauth2.client.web.OAuth2AuthorizationCodeGrantFilter@3fc7abf6, org.springframework.security.web.access.ExceptionTranslationFilter@600b3bee, org.springframework.security.web.access.intercept.AuthorizationFilter@565030b7]] (1/1)
2023-01-04T15:30:19.996-06:00 DEBUG 9680 --- [nio-8081-exec-4] o.s.security.web.FilterChainProxy        : Securing GET /users
2023-01-04T15:30:19.996-06:00 TRACE 9680 --- [nio-8081-exec-4] o.s.security.web.FilterChainProxy        : Invoking DisableEncodeUrlFilter (1/17)
:
:
2023-01-04T15:30:20.000-06:00 TRACE 9680 --- [nio-8081-exec-4] o.s.security.web.FilterChainProxy        : Invoking AuthorizationFilter (17/17)
2023-01-04T15:30:25.332-06:00 TRACE 9680 --- [nio-8081-exec-4] estMatcherDelegatingAuthorizationManager : Authorizing SecurityContextHolderAwareRequestWrapper[ org.springframework.security.web.header.HeaderWriterFilter$HeaderWriterRequest@60be86e5]
2023-01-04T15:30:25.332-06:00 TRACE 9680 --- [nio-8081-exec-4] estMatcherDelegatingAuthorizationManager : Checking authorization on SecurityContextHolderAwareRequestWrapper[ org.springframework.security.web.header.HeaderWriterFilter$HeaderWriterRequest@60be86e5] using org.springframework.security.authorization.AuthenticatedAuthorizationManager@3ba6b23
2023-01-04T15:30:25.332-06:00 TRACE 9680 --- [nio-8081-exec-4] w.c.HttpSessionSecurityContextRepository : No HttpSession currently exists
2023-01-04T15:30:25.332-06:00 TRACE 9680 --- [nio-8081-exec-4] .s.s.w.c.SupplierDeferredSecurityContext : Created SecurityContextImpl [Null authentication]
2023-01-04T15:30:25.333-06:00 TRACE 9680 --- [nio-8081-exec-4] .s.s.w.c.SupplierDeferredSecurityContext : Created SecurityContextImpl [Null authentication]
2023-01-04T15:30:25.333-06:00 TRACE 9680 --- [nio-8081-exec-4] o.s.s.w.a.AnonymousAuthenticationFilter  : Set SecurityContextHolder to AnonymousAuthenticationToken [Principal=anonymousUser, Credentials=[PROTECTED], Authenticated=true, Details=WebAuthenticationDetails [RemoteIpAddress=192.168.0.119, SessionId=null], Granted Authorities=[ROLE_ANONYMOUS]]
2023-01-04T15:30:25.334-06:00 TRACE 9680 --- [nio-8081-exec-4] o.s.s.w.a.ExceptionTranslationFilter     : Sending AnonymousAuthenticationToken [Principal=anonymousUser, Credentials=[PROTECTED], Authenticated=true, Details=WebAuthenticationDetails [RemoteIpAddress=192.168.0.119, SessionId=null], Granted Authorities=[ROLE_ANONYMOUS]] to authentication entry point since access is denied

REST API是一个资源服务器,而不是客户端。

当你应该使用spring-boot-starter-oauth2-resource-server时,我猜你使用了spring-boot-starter-oauth2-client(或为spring-security 6 OAuth2客户端编写了相当多的配置文件)。

如果除了REST端点之外还提供html页面,则需要两个安全过滤器链:用于REST端点的资源服务器链和用于html页面的客户端链。

所有已经在这个SO答案中描述的"使用Keycloak Spring Adapter with Spring Boot 3">

相关内容

最新更新


热门标签:

javascript python java c# php android html jquery c++ css ios sql mysql arrays asp.net json python-3.x ruby-on-rails .net sql-server django objective-c excel regex ruby linux ajax iphone xml vba spring asp.net-mvc database wordpress string postgresql wpf windows xcode bash git oracle list vb.net multithreading eclipse algorithm macos powershell visual-studio image forms numpy scala function api selenium