大家好,我现在有一个Keycloft问题。也许我还没有完全了解这一切。
我想做的事:将休息服务固定在钥匙斗篷上——这是唯一的持有者。客户端从Keycloft请求一个令牌,并使用该令牌调用Rest Service。
到目前为止我做了什么:
步骤1确保休息服务:
keyclock.json文件添加:
{
"realm": "services",
"bearer-only": true,
"auth-server-url": "https://vckeycloak.xxx.xxxxx/auth/",
"ssl-required": "external",
"resource": "vux-services",
"verify-token-audience": true,
"use-resource-role-mappings": true
}
编辑web.xml:
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd"
version="3.1">
<module-name>vux-services-rs</module-name>
<security-constraint>
<web-resource-collection>
<web-resource-name>VUXServices</web-resource-name>
<url-pattern>/Keycloak/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>users</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>KEYCLOAK</auth-method>
<realm-name>services</realm-name>
</login-config>
<security-role>
<role-name>users</role-name>
</security-role>
</web-app>
-->如果我现在呼叫RestService,ReST服务是安全的;未经授权的";作为响应
步骤2配置密钥斗篷
添加新境界为服务添加2个客户端1(仅作为承载,称为vux服务(为客户端添加1(称为Postman,因为我将使用Postman作为客户端(定义范围
步骤3向邮差申请代币
请求令牌工作正常。
如果我解码它,它看起来像:
{
"exp": 1609755969,
"iat": 1609755669,
"auth_time": 1609755666,
"jti": "238a590c-4603-4aa6-8b20-3a0d6a6dfb3d",
"iss": "https://vckeycloak.xxx.xxxx/auth/realms/services",
"aud": [
"vux-services",
"account"
],
"sub": "xxxxxx",
"typ": "Bearer",
"azp": "postman",
"session_state": "xxxxxx",
"acr": "1",
"realm_access": {
"roles": [
"offline_access",
"uma_authorization",
"users"
]
},
"resource_access": {
"vux-services": {
"roles": [
"users"
]
},
"account": {
"roles": [
"manage-account",
"manage-account-links",
"view-profile"
]
}
},
"scope": "openid email vux-services profile",
"email_verified": false,
"name": "XXXXX",
"preferred_username": "user1",
"given_name": "XXXX",
"family_name": "XXXX",
"email": "XXXXX"
}
因此我可以在令牌等中访问vux服务。如果我现在用这个代币通过邮差打电话给其他服务,比如:
带有授权标题的邮差呼叫
首先,我遇到了ReST服务未经授权响应的问题。我能够(在斯塔克弗洛的大力支持下(处理这件事。问题是我没有在授权头中的令牌前面添加Bearer(+空格(。
Nethertheless我得到一个NullPointer异常:
<pre>java.lang.NullPointerException
at java.base/java.net.URI$Parser.parse(URI.java:3104)
at java.base/java.net.URI.<init>(URI.java:600)
at java.base/java.net.URI.create(URI.java:881)
at org.apache.httpcomponents.core//org.apache.http.client.methods.HttpGet.<init>(HttpGet.java:66)
at org.keycloak.keycloak-adapter-core@11.0.3//org.keycloak.adapters.rotation.JWKPublicKeyLocator.sendRequest(JWKPublicKeyLocator.java:97)
at org.keycloak.keycloak-adapter-core@11.0.3//org.keycloak.adapters.rotation.JWKPublicKeyLocator.getPublicKey(JWKPublicKeyLocator.java:63)
at org.keycloak.keycloak-adapter-core@11.0.3//org.keycloak.adapters.rotation.AdapterTokenVerifier.getPublicKey(AdapterTokenVerifier.java:121)
at org.keycloak.keycloak-adapter-core@11.0.3//org.keycloak.adapters.rotation.AdapterTokenVerifier.createVerifier(AdapterTokenVerifier.java:111)
at org.keycloak.keycloak-adapter-core@11.0.3//org.keycloak.adapters.rotation.AdapterTokenVerifier.verifyToken(AdapterTokenVerifier.java:47)
at org.keycloak.keycloak-adapter-core@11.0.3//org.keycloak.adapters.BearerTokenRequestAuthenticator.authenticateToken(BearerTokenRequestAuthenticator.java:103)
at org.keycloak.keycloak-adapter-core@11.0.3//org.keycloak.adapters.BearerTokenRequestAuthenticator.authenticate(BearerTokenRequestAuthenticator.java:88)
at org.keycloak.keycloak-adapter-core@11.0.3//org.keycloak.adapters.RequestAuthenticator.authenticate(RequestAuthenticator.java:67)
at org.keycloak.keycloak-wildfly-elytron-oidc-adapter@11.0.3//org.keycloak.adapters.elytron.ElytronRequestAuthenticator.authenticate(ElytronRequestAuthenticator.java:44)
at org.keycloak.keycloak-wildfly-elytron-oidc-adapter@11.0.3//org.keycloak.adapters.elytron.KeycloakHttpServerAuthenticationMechanism.evaluateRequest(KeycloakHttpServerAuthenticationMechanism.java:92)
at org.wildfly.security.elytron-private@1.12.1.Final//org.wildfly.security.http.util.SetMechanismInformationMechanismFactory$1.evaluateRequest(SetMechanismInformationMechanismFactory.java:119)
at org.wildfly.security.elytron-private@1.12.1.Final//org.wildfly.security.auth.server.SecurityIdentityServerMechanismFactory$1.evaluateRequest(SecurityIdentityServerMechanismFactory.java:85)
at org.wildfly.security.elytron-private@1.12.1.Final//org.wildfly.security.http.HttpAuthenticator$AuthenticationExchange.authenticate(HttpAuthenticator.java:270)
at org.wildfly.security.elytron-private@1.12.1.Final//org.wildfly.security.http.HttpAuthenticator$AuthenticationExchange.access$800(HttpAuthenticator.java:249)
at org.wildfly.security.elytron-private@1.12.1.Final//org.wildfly.security.http.HttpAuthenticator.authenticate(HttpAuthenticator.java:97)
at org.wildfly.security.elytron-web.undertow-server@1.7.1.Final//org.wildfly.elytron.web.undertow.server.SecurityContextImpl.authenticate(SecurityContextImpl.java:96)
at org.wildfly.security.elytron-web.undertow-server-servlet@1.7.1.Final//org.wildfly.elytron.web.undertow.server.servlet.ServletSecurityContextImpl.authenticate(ServletSecurityContextImpl.java:115)
at io.undertow.servlet@2.1.3.Final//io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:55)
at io.undertow.core@2.1.3.Final//io.undertow.server.handlers.DisableCacheHandler.handleRequest(DisableCacheHandler.java:33)
at io.undertow.core@2.1.3.Final//io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at io.undertow.core@2.1.3.Final//io.undertow.security.handlers.AuthenticationConstraintHandler.handleRequest(AuthenticationConstraintHandler.java:53)
at io.undertow.core@2.1.3.Final//io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
at io.undertow.servlet@2.1.3.Final//io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
at io.undertow.servlet@2.1.3.Final//io.undertow.servlet.handlers.security.ServletSecurityConstraintHandler.handleRequest(ServletSecurityConstraintHandler.java:59)
at io.undertow.core@2.1.3.Final//io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
at org.wildfly.security.elytron-web.undertow-server-servlet@1.7.1.Final//org.wildfly.elytron.web.undertow.server.servlet.CleanUpHandler.handleRequest(CleanUpHandler.java:38)
at io.undertow.core@2.1.3.Final//io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at org.wildfly.extension.undertow@20.0.1.Final//org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
at io.undertow.core@2.1.3.Final//io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at org.wildfly.extension.undertow@20.0.1.Final//org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68)
at org.keycloak.keycloak-wildfly-elytron-oidc-adapter@11.0.3//org.keycloak.adapters.elytron.KeycloakServletExtension.lambda$null$0(KeycloakServletExtension.java:39)
at io.undertow.core@2.1.3.Final//io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at io.undertow.servlet@2.1.3.Final//io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:269)
at io.undertow.servlet@2.1.3.Final//io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:78)
at io.undertow.servlet@2.1.3.Final//io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:133)
at io.undertow.servlet@2.1.3.Final//io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:130)
at io.undertow.servlet@2.1.3.Final//io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48)
at io.undertow.servlet@2.1.3.Final//io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
at org.wildfly.extension.undertow@20.0.1.Final//org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1530)
at org.wildfly.extension.undertow@20.0.1.Final//org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1530)
at org.wildfly.extension.undertow@20.0.1.Final//org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1530)
at org.wildfly.extension.undertow@20.0.1.Final//org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1530)
at io.undertow.servlet@2.1.3.Final//io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:249)
at io.undertow.servlet@2.1.3.Final//io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:78)
at io.undertow.servlet@2.1.3.Final//io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:99)
at io.undertow.core@2.1.3.Final//io.undertow.server.Connectors.executeRootHandler(Connectors.java:370)
at io.undertow.core@2.1.3.Final//io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:830)
at org.jboss.threads@2.3.3.Final//org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
at org.jboss.threads@2.3.3.Final//org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1982)
at org.jboss.threads@2.3.3.Final//org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1486)
at org.jboss.threads@2.3.3.Final//org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1377)
at java.base/java.lang.Thread.run(Thread.java:834)
</pre>
我将在WildFly服务器上安装他们的KeyCloak适配器,希望问题可能就在那里。我会随时向你通报最新情况。
非常感谢您投入时间:-(
我的上一个问题只是证书问题。我通过Keyclock.json禁用了信任管理器,现在它工作正常。感谢您的帮助