java - KeyCloak - Spring Boot 只让请求工作

问题描述

我有一个非常奇怪的问题 - 我试图从教程中启用 KeyCloak，我看到它只在 get 方法上工作。我的配置非常简单：

protected void configure(HttpSecurity http) throws Exception {
    http.csrf().disable().authorizeRequests()
        .anyRequest().hasRole("admin");
    super.configure(http);
}

我在解析器上添加了一些调试：

@Override
protected void configure(AuthenticationManagerBuilder auth) {
    KeycloakAuthenticationProvider keycloakAuthenticationProvider = new KeycloakAuthenticationProvider() {
        @Override
        public Authentication authenticate(Authentication authentication) throws AuthenticationException {
            log.debug("Auth successes.");
            final KeycloakAuthenticationToken token = (KeycloakAuthenticationToken) authentication;
            log.debug("User id:" + token.getAccount().getPrincipal().getName());
            log.debug("User roles:" + String.join(",", token.getAccount().getRoles()));
            return super.authenticate(authentication);
        }
    };
    keycloakAuthenticationProvider.setGrantedAuthoritiesMapper(new SimpleAuthorityMapper());
    auth.authenticationProvider(keycloakAuthenticationProvider);
}

当我将 GET 请求发送到 http://localhost:8080/admin/test 时，这是一个问题，一切都很好：

DEBUG 2021-08-18 15:26:55,704 [http-nio-8080-exec-3][][] c.j.b.i.c.SecurityConfiguration 'Auth successes.'
DEBUG 2021-08-18 15:26:55,704 [http-nio-8080-exec-3][][] c.j.b.i.c.SecurityConfiguration 'User id:e53fa4a8-e7c3-46a0-9685-175fede5098e'
DEBUG 2021-08-18 15:26:55,704 [http-nio-8080-exec-3][][] c.j.b.i.c.SecurityConfiguration 'User roles:default-roles-springbootkeycloak,offline_access,admin,uma_authorization'
WARN  2021-08-18 15:26:56,093 [http-nio-8080-exec-3][][] o.a.c.util.SessionIdGeneratorBase 'Creation of SecureRandom instance for session ID generation using [SHA1PRNG] took [384] milliseconds.'
DEBUG 2021-08-18 15:26:56,102 [http-nio-8080-exec-3][50168e1c-0481-416e-a202-a24fafab58c7][] c.j.b.i.c.SecurityConfiguration 'Auth successes.'
DEBUG 2021-08-18 15:26:56,103 [http-nio-8080-exec-3][50168e1c-0481-416e-a202-a24fafab58c7][] c.j.b.i.c.SecurityConfiguration 'User id:e53fa4a8-e7c3-46a0-9685-175fede5098e'
DEBUG 2021-08-18 15:26:56,103 [http-nio-8080-exec-3][50168e1c-0481-416e-a202-a24fafab58c7][] c.j.b.i.c.SecurityConfiguration 'User roles:default-roles-springbootkeycloak,offline_access,admin,

我得到了正确的响应，没有任何问题，但是当我对 POST / DELETE / PUT 提出完全相同的请求时，我也得到了理论上角色很好的日志：

DEBUG 2021-08-18 15:28:45,876 [http-nio-8080-exec-4][][] c.j.b.i.c.SecurityConfiguration 'Auth successes.'
DEBUG 2021-08-18 15:28:45,876 [http-nio-8080-exec-4][][] c.j.b.i.c.SecurityConfiguration 'User id:e53fa4a8-e7c3-46a0-9685-175fede5098e'
DEBUG 2021-08-18 15:28:45,877 [http-nio-8080-exec-4][][] c.j.b.i.c.SecurityConfiguration 'User roles:default-roles-springbootkeycloak,offline_access,admin,uma_authorization'

但作为回应，我有：

{
    "timestamp": 1629293325879,
    "status": 403,
    "error": "Forbidden",
    "message": "Forbidden",
    "path": "/admin/test"
}

标签： javaspring-bootspring-securitykeycloak

我认为问题是csrf。您super.configure(http)在禁用 csrf 后拨打电话。但是在超级调用中（如果您使用的是 KeycloakWebSecurityConfigurerAdapter）csrf 将再次启用。

 http
   csrf().requireCsrfProtectionMatcher(keycloakCsrfRequestMatcher())
   ...

并且 keycloakCsrfRequestMatcher 默认阻止所有 Post 和 Delete 方法。实际上它只允许以下方法：

^(GET|HEAD|TRACE|OPTIONS)$

见https://github.com/keycloak/keycloak/blob/master/adapters/oidc/spring-security/src/main/java/org/keycloak/adapters/springsecurity/filter/KeycloakCsrfRequestMatcher.java

因此，快速的解决方案是将超级调用放在开头。

protected void configure(HttpSecurity http) throws Exception {
  super.configure(http);    
  http.csrf().disable().authorizeRequests()
        .anyRequest().hasRole("admin");
    
}

java - KeyCloak - Spring Boot 只让请求工作

问题描述

解决方案

推荐阅读