我想通过Keycloak对用户进行身份验证,但我需要向身份验证对象添加其他角色,即Spring Security使用的角色。添加角色保存在 Postgres 数据库中。
-
我尝试使用自定义身份验证提供程序覆盖配置全局,但它不起作用。
@Autowired public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception { ApplicationAuthenticationProvider provider = new ApplicationAuthenticationProvider(); provider.setGrantedAuthoritiesMapper(new SimpleAuthorityMapper()); auth.authenticationProvider(provider); }
@Component public class ApplicationAuthenticationProvider extensions KeycloakAuthenticationProvider {
@Autowired private UserService userService; private GrantedAuthoritiesMapper grantedAuthoritiesMapper; public void setGrantedAuthoritiesMapper(GrantedAuthoritiesMapper grantedAuthoritiesMapper) { this.grantedAuthoritiesMapper = grantedAuthoritiesMapper; } @Override public Authentication authenticate(Authentication authentication) throws AuthenticationException { KeycloakAuthenticationToken token = (KeycloakAuthenticationToken) authentication; List<GrantedAuthority> grantedAuthorities = new ArrayList<>(); String username = ((KeycloakAuthenticationToken) authentication) .getAccount().getKeycloakSecurityContext().getToken().getPreferredUsername(); List<Role> roles = userService.findRoles(username); for (Role role : roles) { grantedAuthorities.add(new KeycloakRole(role.toString())); } return new KeycloakAuthenticationToken(token.getAccount(), token.isInteractive(), mapAuthorities(grantedAuthorities)); } @Override public boolean supports(Class<?> authentication) { return authentication.equals(UsernamePasswordAuthenticationToken.class); } private Collection<? extends GrantedAuthority> mapAuthorities( Collection<? extends GrantedAuthority> authorities) { return grantedAuthoritiesMapper != null ? grantedAuthoritiesMapper.mapAuthorities(authorities) : authorities; }
}
-
尝试添加其他过滤器,但我不确定配置是否正确。
@Bean
@Override protected KeycloakAuthenticationProcessingFilter keycloakAuthenticationProcessingFilter() throws Exception { RequestMatcher requestMatcher = new OrRequestMatcher( new AntPathRequestMatcher("/api/login"), new QueryParamPresenceRequestMatcher(OAuth2Constants.ACCESS_TOKEN), // We're providing our own authorization header matcher new IgnoreKeycloakProcessingFilterRequestMatcher() ); return new KeycloakAuthenticationProcessingFilter(authenticationManagerBean(), requestMatcher); } // Matches request with Authorization header which value doesn't start with "Basic " prefix private class IgnoreKeycloakProcessingFilterRequestMatcher implements RequestMatcher { IgnoreKeycloakProcessingFilterRequestMatcher() { } public boolean matches(HttpServletRequest request) { String authorizationHeaderValue = request.getHeader("Authorization"); return authorizationHeaderValue != null && !authorizationHeaderValue.startsWith("Basic "); }
}
现在我只使用Keycloak进行登录/密码。角色和权限现在保存在本地数据库中。