Spring Security Keycloak adapter bearer configuration

2016-10-10

I have a Java REST application that I want to protect with Keycloak. I have done some tests: the application works fine with the Keycloak servlet filter, but I have problems with the Spring Security adapter.

keycloak.json (values removed)

{ 
    "realm": "", 
    "realm-public-key": "", 
    "bearer-only": true, 
    "auth-server-url": "", 
    "ssl-required": "external", 
    "resource": "" 
} 

As you can see, I only need bearer authorization: if the request contains a valid token I expect HTTP 200, if not, 401. I used this XML configuration:

<security:global-method-security jsr250-annotations="enabled"/>

<security:authentication-manager alias="authenticationManager">
    <security:authentication-provider ref="keycloakAuthenticationProvider"/>
</security:authentication-manager>

<bean id="keycloakAuthenticationEntryPoint"
      class="org.keycloak.adapters.springsecurity.authentication.KeycloakAuthenticationEntryPoint"/>

<bean id="keycloakAuthenticationProvider"
      class="org.keycloak.adapters.springsecurity.authentication.KeycloakAuthenticationProvider">
    <property name="grantedAuthoritiesMapper">
        <bean class="org.springframework.security.core.authority.mapping.SimpleAuthorityMapper">
            <property name="convertToUpperCase" value="true"/>
            <property name="prefix" value="ROLE_"/>
        </bean>
    </property>
</bean>

<bean id="keycloakPreAuthActionsFilter"
      class="org.keycloak.adapters.springsecurity.filter.KeycloakPreAuthActionsFilter"/>

<bean id="keycloakAuthenticationProcessingFilter"
      class="org.keycloak.adapters.springsecurity.filter.KeycloakAuthenticationProcessingFilter">
    <constructor-arg name="authenticationManager" ref="authenticationManager"/>
</bean>

<bean id="adapterDeploymentContext"
      class="org.keycloak.adapters.springsecurity.AdapterDeploymentContextFactoryBean">
    <constructor-arg value="/WEB-INF/keycloak.json"/>
</bean>

<security:http auto-config="false" entry-point-ref="keycloakAuthenticationEntryPoint" create-session="stateless">
    <security:custom-filter ref="keycloakPreAuthActionsFilter" before="LOGOUT_FILTER"/>
    <security:custom-filter ref="keycloakAuthenticationProcessingFilter" before="FORM_LOGIN_FILTER"/>

    <security:intercept-url pattern="*" access="permitAll()"/>
    <security:intercept-url pattern="/services/protected/*" access="isFullyAuthenticated()"/>
    <security:csrf disabled="true"/>
</security:http>

What actually happens? The request is authenticated, but after success I am redirected to '/'. Then I am authenticated again. Logs:

11:18:36,492 DEBUG [org.springframework.security.web.FilterChainProxy] (http-0.0.0.0:8080-4) /services/protected/getAttributes at position 1 of 9 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter' 
11:18:36,508 DEBUG [org.springframework.security.web.FilterChainProxy] (http-0.0.0.0:8080-4) /services/protected/getAttributes at position 2 of 9 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter' 
11:18:36,508 DEBUG [org.springframework.security.web.FilterChainProxy] (http-0.0.0.0:8080-4) /services/protected/getAttributes at position 3 of 9 in additional filter chain; firing Filter: 'HeaderWriterFilter' 
11:18:36,508 DEBUG [org.springframework.security.web.FilterChainProxy] (http-0.0.0.0:8080-4) /services/protected/getAttributes at position 4 of 9 in additional filter chain; firing Filter: 'KeycloakPreAuthActionsFilter' 
11:18:36,508 DEBUG [org.keycloak.adapters.PreAuthActionsHandler] (http-0.0.0.0:8080-4) adminRequest http://test.srv:8080/core2/services/protected/getAttributes 
11:18:36,508 DEBUG [org.springframework.security.web.FilterChainProxy] (http-0.0.0.0:8080-4) /services/protected/getAttributes at position 5 of 9 in additional filter chain; firing Filter: 'KeycloakAuthenticationProcessingFilter' 
11:18:36,508 DEBUG [org.springframework.security.web.util.matcher.OrRequestMatcher] (http-0.0.0.0:8080-4) Trying to match using Ant [pattern='/sso/login'] 
11:18:36,508 DEBUG [org.springframework.security.web.util.matcher.AntPathRequestMatcher] (http-0.0.0.0:8080-4) Checking match of request : '/services/protected/getAttributes'; against '/sso/login' 
11:18:36,508 DEBUG [org.springframework.security.web.util.matcher.OrRequestMatcher] (http-0.0.0.0:8080-4) Trying to match using RequestHeaderRequestMatcher [expectedHeaderName=Authorization, expectedHeaderValue=null] 
11:18:36,508 DEBUG [org.springframework.security.web.util.matcher.OrRequestMatcher] (http-0.0.0.0:8080-4) matched 
11:18:36,508 DEBUG [org.keycloak.adapters.springsecurity.filter.KeycloakAuthenticationProcessingFilter] (http-0.0.0.0:8080-4) Request is to process authentication 
11:18:36,508 DEBUG [org.keycloak.adapters.springsecurity.filter.KeycloakAuthenticationProcessingFilter] (http-0.0.0.0:8080-4) Attempting Keycloak authentication 
11:18:36,555 DEBUG [org.keycloak.adapters.springsecurity.authentication.SpringSecurityRequestAuthenticator] (http-0.0.0.0:8080-4) Completing bearer authentication. Bearer roles: [uma_authorization] 
11:18:36,555 DEBUG [org.keycloak.adapters.RequestAuthenticator] (http-0.0.0.0:8080-4) User 'e9ae6919-c0f3-4dcb-96f6-82e3373932e9' invoking 'http://test.srv:8080/core2/services/protected/getAttributes' on client 'mak_test' 
11:18:36,555 DEBUG [org.keycloak.adapters.RequestAuthenticator] (http-0.0.0.0:8080-4) Bearer AUTHENTICATED 
11:18:36,555 DEBUG [org.keycloak.adapters.springsecurity.filter.KeycloakAuthenticationProcessingFilter] (http-0.0.0.0:8080-4) Auth outcome: AUTHENTICATED 
11:18:36,555 DEBUG [org.springframework.security.authentication.ProviderManager] (http-0.0.0.0:8080-4) Authentication attempt using org.keycloak.adapters.springsecurity.authentication.KeycloakAuthenticationProvider 
11:18:36,555 DEBUG [org.keycloak.adapters.springsecurity.filter.KeycloakAuthenticationProcessingFilter] (http-0.0.0.0:8080-4) Authentication success. Updating SecurityContextHolder to contain: org.keycloak.adapters.springsecurity.token.KeycloakAuthent[email protected]: Principal: e9ae6919-c0f3-4dcb-96f6-82e3373932e9; Credentials: [PROTECTED]; Authenticated: true; Details: org[email protected]44667d3a; Granted Authorities: ROLE_UMA_AUTHORIZATION 
11:18:36,555 DEBUG [org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler] (http-0.0.0.0:8080-4) Using default Url:/
11:18:36,555 DEBUG [org.springframework.security.web.DefaultRedirectStrategy] (http-0.0.0.0:8080-4) Redirecting to '/core2/' 
11:18:36,555 DEBUG [org.springframework.security.web.header.writers.HstsHeaderWriter] (http-0.0.0.0:8080-4) Not injecting HSTS header since it did not match the requestMatcher org.springframework.se[email protected]159e9b90 
11:18:36,555 DEBUG [org.springframework.security.web.context.SecurityContextPersistenceFilter] (http-0.0.0.0:8080-4) SecurityContextHolder now cleared, as request processing completed 
11:18:36,570 DEBUG [org.springframework.security.web.FilterChainProxy] (http-0.0.0.0:8080-4) / at position 1 of 9 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter' 

I test this endpoint from JUnit:

@Test
public void protectedTest() throws IOException {
    // getToken() and server are defined elsewhere in the test class (not shown)
    String token = getToken();
    long time1 = System.currentTimeMillis();
    String url = server + "/services/protected/getAttributes";
    URL obj = new URL(url);
    HttpURLConnection con = (HttpURLConnection) obj.openConnection();
    con.setRequestMethod("GET");
    // the Authorization header value is sent exactly as getToken() returned it
    con.setRequestProperty("Authorization", token);
    Assert.assertEquals(200, con.getResponseCode());
    System.out.print(String.format("Authorized time: %s ms ", (System.currentTimeMillis() - time1)));
}

Endpoint code:

import javax.annotation.security.RolesAllowed;

import org.springframework.http.MediaType;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.ResponseBody;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class ProtectedService {

    // JSR-250 check enabled by <security:global-method-security jsr250-annotations="enabled"/>;
    // the role name must match the authority produced by SimpleAuthorityMapper (ROLE_ prefix, upper case)
    @RequestMapping(value = "/services/protected/getAttributes",
                    method = RequestMethod.GET,
                    produces = {MediaType.APPLICATION_XML_VALUE, MediaType.APPLICATION_JSON_VALUE})
    @ResponseBody
    @RolesAllowed("ROLE_UMA_AUTHORIZATION")
    public GetCustAttrsRes getAttributes() {
        return new GetCustAttrsRes(); // GetCustAttrsRes is the application's own response type (not shown)
    }
}

Keycloak server version: 2.1.0.Final

Keycloak-related part of the pom:

<dependency>
    <groupId>org.keycloak</groupId>
    <artifactId>keycloak-spring-security-adapter</artifactId>
    <version>2.2.1.Final</version>
</dependency>
<dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-web</artifactId>
    <version>4.1.3.RELEASE</version>
</dependency>
<dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-config</artifactId>
    <version>4.1.3.RELEASE</version>
</dependency>
<dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-core</artifactId>
    <version>4.1.3.RELEASE</version>
</dependency>

All suggestions welcome.

Answer

Problem solved. There was a bug in my test code. The getToken() method returns "bearer". This is acceptable in the Keycloak filter adapter, but not in the Spring Security adapter. The correct way is "Bearer", and it works in both adapters.
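An added example (not code from the question, the answer or the Keycloak project) that models the two header checks behind the answer's finding: a literal prefix match that only recognises the exact spelling "Bearer ", beside a scheme-insensitive check as RFC 7235 allows, plus a helper that normalises a token helper's output so the client sends the spelling both checks accept. The "strict" behaviour is assumed from the answer's description, not taken from the adapter's source, and the token values are placeholders.

```python
# Added example (not code from the question or from Keycloak): models the two
# header checks behind the answer's finding. RFC 7235 makes the auth-scheme
# case-insensitive, but an adapter doing a literal prefix match only sees
# the exact spelling "Bearer ". Assumed behaviour, not the adapter's source.
from typing import Optional, Tuple


def parse_authorization(header: Optional[str]) -> Optional[Tuple[str, str]]:
    """Split an Authorization header into (scheme, credentials); None if malformed."""
    if not header:
        return None
    parts = header.strip().split(None, 1)
    if len(parts) != 2:
        return None
    return parts[0], parts[1]


def bearer_token_strict(header: Optional[str]) -> Optional[str]:
    """Literal prefix check: only the exact spelling 'Bearer ' counts as bearer."""
    if header is None or not header.startswith("Bearer "):
        return None
    return header[len("Bearer "):].strip() or None


def bearer_token_rfc7235(header: Optional[str]) -> Optional[str]:
    """Scheme-insensitive check as RFC 7235 section 2.1 allows."""
    parsed = parse_authorization(header)
    if parsed is None or parsed[0].lower() != "bearer":
        return None
    return parsed[1].strip() or None


def build_bearer_header(token: str) -> str:
    """Normalise a token helper's output (with or without a scheme prefix,
    in any case) into a header both checks above accept."""
    token = token.strip()
    if token.lower().startswith("bearer "):
        token = token[len("bearer "):].strip()
    return "Bearer " + token


# Constructed sample headers; the token is a placeholder, not a real JWT.
SAMPLE_HEADERS = {
    "correct": "Bearer eyJ.placeholder.token",
    "lowercase": "bearer eyJ.placeholder.token",   # what the question's test sent
    "basic": "Basic dXNlcjpwYXNz",
    "missing": None,
}
```

The "lowercase" sample passes the RFC 7235 check but not the strict one, which is the split the answer observed between the two adapters; wrapping getToken()'s result in build_bearer_header() makes the client indifferent to which check the server applies.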
