在 Java 而不是属性中表达安全约束
Expressing security constraints in Java rather than in properties
试图跳过 application.properties 文件中安全约束的使用:
# keycloak.securityConstraints[1].authRoles[0] = admin
# keycloak.securityConstraints[1].securityCollections[0].patterns[0] = /admin
并在 Spring 安全配置中的 Java 中表达它们:
super.configure(http);
http.authorizeRequests().antMatchers("/admin*").hasRole("admin").anyRequest().permitAll();
但是他们随后被忽略了。
我的 application.properties 文件:
server.compression.enabled = true
server.compression.min-response-size = 2048
server.compression.mime-types = application/json,application/xml,text/html,text/xml,text/plain
server.connection-timeout = 5000
server.port = 8082
keycloak.enabled = true
keycloak.auth-server-url = http://localhost:8180/auth
keycloak.ssl-required = external
keycloak.realm = learnintouch
keycloak.resource = learnintouch-web
keycloak.public-client = true
# keycloak.bearer-only = true
# keycloak.credentials.secret = c123028f-2654-403b-a9d0-????????
# keycloak.cors = true
#
# This is an extra property that allows retrieving the username of the currently
# logged user from the Principal object
keycloak.principal-attribute = preferred_username
# keycloak.securityConstraints[0].authRoles[0] = user
# keycloak.securityConstraints[0].authRoles[1] = admin
# keycloak.securityConstraints[0].securityCollections[0].patterns[0] = /user
# keycloak.securityConstraints[1].authRoles[0] = admin
# keycloak.securityConstraints[1].securityCollections[0].patterns[0] = /admin
# keycloak.securityConstraints[2].authRoles[0] = user
# keycloak.securityConstraints[2].authRoles[1] = admin
# keycloak.securityConstraints[2].securityCollections[0].patterns[0] = /products
我的Spring安全配置:
@Configuration
@EnableWebSecurity
@ComponentScan(basePackageClasses = KeycloakSecurityComponents.class)
class SecurityConfig extends KeycloakWebSecurityConfigurerAdapter {
// Avoid prefixing the roles with ROLE_
@Autowired
public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
KeycloakAuthenticationProvider keycloakAuthenticationProvider = keycloakAuthenticationProvider();
keycloakAuthenticationProvider.setGrantedAuthoritiesMapper(new SimpleAuthorityMapper());
auth.authenticationProvider(keycloakAuthenticationProvider);
}
// Use the Spring Boot properties file instead of the default Keycloak Spring Security Adapter keycloak.json file
@Bean
public KeycloakSpringBootConfigResolver KeycloakConfigResolver() {
return new KeycloakSpringBootConfigResolver();
}
@Bean
@Override
protected SessionAuthenticationStrategy sessionAuthenticationStrategy() {
return new RegisterSessionAuthenticationStrategy(new SessionRegistryImpl());
}
我正在 Spring 启动 2.0.3.RELEASE 和 Keycloak 适配器 4.0.0.Final
更新:根据下面提供的答案,我使用唯一的依赖项配置了 Keycloak 安全性:
<dependency>
<groupId>org.keycloak</groupId>
<artifactId>keycloak-spring-security-adapter</artifactId>
<version>4.0.0.Final</version>
</dependency>
src/main/webapp/WEB-INF/keycloak.json 文件包含:
{
"auth-server-url": "http://localhost:8180/auth",
"ssl-required": "external",
"realm": "learnintouch",
"resource": "learnintouch-web",
"public-client": "false",
"credentials": {
"secret": "??????..."
},
"principal-attribute": "preferred_username"
}
路由受到一些Spring安全声明的保护:
super.configure(http);
http.csrf().disable();
http.authorizeRequests()
.antMatchers("/user*").hasRole("user")
.antMatchers("/admin*").hasRole("admin")
.antMatchers("/products*").hasRole("user")
.anyRequest().permitAll();
为了更灵活的配置,你最好选择Spring Security adapter。它提供了在 Java 中指定配置的能力,而不仅仅是应用程序属性。 Spring 引导适配器旨在用作基本配置工具,以便将 URI 限制为特定角色。
为了使用 Spring 安全适配器,我首先删除 Spring 引导适配器,因为它们可能会导致冲突。如果您仍想使用应用程序属性来使您的配置更灵活,您始终可以使用 Spring 引导标准方式,因为最后,您只是使用 @Configuration class 在 Spring 引导项目中。
试图跳过 application.properties 文件中安全约束的使用:
# keycloak.securityConstraints[1].authRoles[0] = admin
# keycloak.securityConstraints[1].securityCollections[0].patterns[0] = /admin
并在 Spring 安全配置中的 Java 中表达它们:
super.configure(http);
http.authorizeRequests().antMatchers("/admin*").hasRole("admin").anyRequest().permitAll();
但是他们随后被忽略了。
我的 application.properties 文件:
server.compression.enabled = true
server.compression.min-response-size = 2048
server.compression.mime-types = application/json,application/xml,text/html,text/xml,text/plain
server.connection-timeout = 5000
server.port = 8082
keycloak.enabled = true
keycloak.auth-server-url = http://localhost:8180/auth
keycloak.ssl-required = external
keycloak.realm = learnintouch
keycloak.resource = learnintouch-web
keycloak.public-client = true
# keycloak.bearer-only = true
# keycloak.credentials.secret = c123028f-2654-403b-a9d0-????????
# keycloak.cors = true
#
# This is an extra property that allows retrieving the username of the currently
# logged user from the Principal object
keycloak.principal-attribute = preferred_username
# keycloak.securityConstraints[0].authRoles[0] = user
# keycloak.securityConstraints[0].authRoles[1] = admin
# keycloak.securityConstraints[0].securityCollections[0].patterns[0] = /user
# keycloak.securityConstraints[1].authRoles[0] = admin
# keycloak.securityConstraints[1].securityCollections[0].patterns[0] = /admin
# keycloak.securityConstraints[2].authRoles[0] = user
# keycloak.securityConstraints[2].authRoles[1] = admin
# keycloak.securityConstraints[2].securityCollections[0].patterns[0] = /products
我的Spring安全配置:
@Configuration
@EnableWebSecurity
@ComponentScan(basePackageClasses = KeycloakSecurityComponents.class)
class SecurityConfig extends KeycloakWebSecurityConfigurerAdapter {
// Avoid prefixing the roles with ROLE_
@Autowired
public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
KeycloakAuthenticationProvider keycloakAuthenticationProvider = keycloakAuthenticationProvider();
keycloakAuthenticationProvider.setGrantedAuthoritiesMapper(new SimpleAuthorityMapper());
auth.authenticationProvider(keycloakAuthenticationProvider);
}
// Use the Spring Boot properties file instead of the default Keycloak Spring Security Adapter keycloak.json file
@Bean
public KeycloakSpringBootConfigResolver KeycloakConfigResolver() {
return new KeycloakSpringBootConfigResolver();
}
@Bean
@Override
protected SessionAuthenticationStrategy sessionAuthenticationStrategy() {
return new RegisterSessionAuthenticationStrategy(new SessionRegistryImpl());
}
我正在 Spring 启动 2.0.3.RELEASE 和 Keycloak 适配器 4.0.0.Final
更新:根据下面提供的答案,我使用唯一的依赖项配置了 Keycloak 安全性:
<dependency>
<groupId>org.keycloak</groupId>
<artifactId>keycloak-spring-security-adapter</artifactId>
<version>4.0.0.Final</version>
</dependency>
src/main/webapp/WEB-INF/keycloak.json 文件包含:
{
"auth-server-url": "http://localhost:8180/auth",
"ssl-required": "external",
"realm": "learnintouch",
"resource": "learnintouch-web",
"public-client": "false",
"credentials": {
"secret": "??????..."
},
"principal-attribute": "preferred_username"
}
路由受到一些Spring安全声明的保护:
super.configure(http);
http.csrf().disable();
http.authorizeRequests()
.antMatchers("/user*").hasRole("user")
.antMatchers("/admin*").hasRole("admin")
.antMatchers("/products*").hasRole("user")
.anyRequest().permitAll();
为了更灵活的配置,你最好选择Spring Security adapter。它提供了在 Java 中指定配置的能力,而不仅仅是应用程序属性。 Spring 引导适配器旨在用作基本配置工具,以便将 URI 限制为特定角色。
为了使用 Spring 安全适配器,我首先删除 Spring 引导适配器,因为它们可能会导致冲突。如果您仍想使用应用程序属性来使您的配置更灵活,您始终可以使用 Spring 引导标准方式,因为最后,您只是使用 @Configuration class 在 Spring 引导项目中。