To implement similar functionality in my code, I am following the Baeldung example at https://www.baeldung.com/spring-boot-keycloak.
However, access via JWT alone does not work; access only works through the login screen.
In the code example (not in my code), if you just clone the repo, get the Keycloak server and run it, then everything works as planned when trying to access http://localhost:8081/customers:
the application redirects to the Keycloak login, I enter the credentials, and the API returns the data, as shown in the image below.
So the example works completely.
However, when Postman successfully obtains a token, as shown below, I cannot access the resource from Postman by supplying the token as a Bearer authentication.
The application still redirects me to the Keycloak login screen.
1. Why does this happen?
2. How can I get access both ways, through the login screen and with a JWT token?
The application's debug log includes:
12:11:49.133 [http-nio-8081-exec-2] DEBUG o.k.adapters.PreAuthActionsHandler - adminRequest http://localhost:8081/customers
12:11:49.137 [http-nio-8081-exec-2] DEBUG o.k.a.a.ClientCredentialsProviderUtils - Using provider 'secret' for authentication of client 'login-app'
12:11:49.138 [http-nio-8081-exec-2] DEBUG o.k.a.a.ClientCredentialsProviderUtils - Loaded clientCredentialsProvider secret
12:11:49.139 [http-nio-8081-exec-2] DEBUG o.k.a.a.ClientCredentialsProviderUtils - Loaded clientCredentialsProvider jwt
12:11:49.139 [http-nio-8081-exec-2] DEBUG o.k.a.a.ClientCredentialsProviderUtils - Loaded clientCredentialsProvider secret-jwt
12:11:49.139 [http-nio-8081-exec-2] DEBUG o.k.a.a.ClientCredentialsProviderUtils - Loaded clientCredentialsProvider secret
12:11:49.139 [http-nio-8081-exec-2] DEBUG o.k.a.a.ClientCredentialsProviderUtils - Loaded clientCredentialsProvider jwt
12:11:49.139 [http-nio-8081-exec-2] DEBUG o.k.a.a.ClientCredentialsProviderUtils - Loaded clientCredentialsProvider secret-jwt
12:11:49.145 [http-nio-8081-exec-2] DEBUG o.k.a.t.AbstractAuthenticatedActionsValve - AuthenticatedActionsValve.invoke /customers
12:11:49.145 [http-nio-8081-exec-2] DEBUG o.k.a.AuthenticatedActionsHandler - AuthenticatedActionsValve.invoke http://localhost:8081/customers
12:11:49.145 [http-nio-8081-exec-2] DEBUG o.k.a.AuthenticatedActionsHandler - Policy enforcement is disabled.
12:11:49.147 [http-nio-8081-exec-2] INFO o.a.c.c.C.[Tomcat].[localhost].[/] - Initializing Spring DispatcherServlet 'dispatcherServlet'
12:11:49.147 [http-nio-8081-exec-2] INFO o.s.web.servlet.DispatcherServlet - Initializing Servlet 'dispatcherServlet'
12:11:49.147 [http-nio-8081-exec-2] DEBUG o.s.web.servlet.DispatcherServlet - Detected StandardServletMultipartResolver
12:11:49.147 [http-nio-8081-exec-2] DEBUG o.s.web.servlet.DispatcherServlet - Detected AcceptHeaderLocaleResolver
12:11:49.147 [http-nio-8081-exec-2] DEBUG o.s.web.servlet.DispatcherServlet - Detected FixedThemeResolver
12:11:49.148 [http-nio-8081-exec-2] DEBUG o.s.web.servlet.DispatcherServlet - Detected org.springframework.web.servlet.view.DefaultRequestToViewNameTranslator@28b16193
12:11:49.148 [http-nio-8081-exec-2] DEBUG o.s.web.servlet.DispatcherServlet - Detected org.springframework.web.servlet.support.SessionFlashMapManager@5d56c2d2
12:11:49.148 [http-nio-8081-exec-2] DEBUG o.s.web.servlet.DispatcherServlet - enableLoggingRequestDetails='false': request parameters and headers will be masked to prevent unsafe logging of potentially sensitive data
12:11:49.148 [http-nio-8081-exec-2] INFO o.s.web.servlet.DispatcherServlet - Completed initialization in 1 ms
12:11:49.155 [http-nio-8081-exec-2] DEBUG o.s.security.web.FilterChainProxy - Securing GET /customers
12:11:49.158 [http-nio-8081-exec-2] DEBUG o.s.s.w.c.SecurityContextPersistenceFilter - Set SecurityContextHolder to empty SecurityContext
12:11:49.160 [http-nio-8081-exec-2] DEBUG o.s.s.w.a.AnonymousAuthenticationFilter - Set SecurityContextHolder to anonymous SecurityContext
12:11:49.160 [http-nio-8081-exec-2] DEBUG o.s.s.w.s.SessionManagementFilter - Request requested invalid session id 2188C37ADF15140FB15235D80AAA0C77
12:11:49.165 [http-nio-8081-exec-2] DEBUG o.s.s.w.a.i.FilterSecurityInterceptor - Failed to authorize filter invocation [GET /customers] with attributes [authenticated]
12:11:49.207 [http-nio-8081-exec-2] DEBUG o.s.s.w.s.HttpSessionRequestCache - Saved request http://localhost:8081/customers to session
12:11:49.207 [http-nio-8081-exec-2] DEBUG o.s.s.w.a.DelegatingAuthenticationEntryPoint - Trying to match using And [Not [RequestHeaderRequestMatcher [expectedHeaderName=X-Requested-With, expectedHeaderValue=XMLHttpRequest]], Not [And [Or [Ant [pattern='/login'], Ant [pattern='/favicon.ico']], And [Not [RequestHeaderRequestMatcher [expectedHeaderName=X-Requested-With, expectedHeaderValue=XMLHttpRequest]], MediaTypeRequestMatcher [contentNegotiationStrategy=org.springframework.web.accept.HeaderContentNegotiationStrategy@21fa9d8, matchingMediaTypes=[application/xhtml+xml, image/*, text/html, text/plain], useEquals=false, ignoredMediaTypes=[*/*]]]]]]
12:11:49.207 [http-nio-8081-exec-2] DEBUG o.s.s.w.a.DelegatingAuthenticationEntryPoint - Match found! Executing org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint@681b92a9
12:11:49.207 [http-nio-8081-exec-2] DEBUG o.s.s.web.DefaultRedirectStrategy - Redirecting to http://localhost:8081/oauth2/authorization/keycloak
12:11:49.208 [http-nio-8081-exec-2] DEBUG o.s.s.w.c.HttpSessionSecurityContextRepository - Did not store empty SecurityContext
12:11:49.209 [http-nio-8081-exec-2] DEBUG o.s.s.w.c.HttpSessionSecurityContextRepository - Did not store empty SecurityContext
12:11:49.209 [http-nio-8081-exec-2] DEBUG o.s.s.w.c.SecurityContextPersistenceFilter - Cleared SecurityContextHolder to complete request
12:11:49.228 [http-nio-8081-exec-4] DEBUG o.k.adapters.PreAuthActionsHandler - adminRequest http://localhost:8081/oauth2/authorization/keycloak
12:11:49.229 [http-nio-8081-exec-4] DEBUG o.k.a.t.AbstractAuthenticatedActionsValve - AuthenticatedActionsValve.invoke /oauth2/authorization/keycloak
12:11:49.229 [http-nio-8081-exec-4] DEBUG o.k.a.AuthenticatedActionsHandler - AuthenticatedActionsValve.invoke http://localhost:8081/oauth2/authorization/keycloak
12:11:49.229 [http-nio-8081-exec-4] DEBUG o.k.a.AuthenticatedActionsHandler - Policy enforcement is disabled.
12:11:49.229 [http-nio-8081-exec-4] DEBUG o.s.security.web.FilterChainProxy - Securing GET /oauth2/authorization/keycloak
12:11:49.229 [http-nio-8081-exec-4] DEBUG o.s.s.w.c.SecurityContextPersistenceFilter - Set SecurityContextHolder to empty SecurityContext
12:11:49.234 [http-nio-8081-exec-4] DEBUG o.s.s.web.DefaultRedirectStrategy - Redirecting to http://localhost:8090/auth/realms/main-authentication/protocol/openid-connect/auth?response_type=code&client_id=login-app&scope=openid&state=aoSFWCq-HdIiwwi_SB8oKFI29T2EJhHQmlz0e8h9RAY%3D&redirect_uri=http://localhost:8081/login/oauth2/code/keycloak&nonce=Dlsh8t93QaYB3oqVvAtlvssCEF_UBxdibFHfyIPGnv4
12:11:49.234 [http-nio-8081-exec-4] DEBUG o.s.s.w.c.HttpSessionSecurityContextRepository - Did not store empty SecurityContext
12:11:49.234 [http-nio-8081-exec-4] DEBUG o.s.s.w.c.HttpSessionSecurityContextRepository - Did not store empty SecurityContext
12:11:49.234 [http-nio-8081-exec-4] DEBUG o.s.s.w.c.SecurityContextPersistenceFilter - Cleared SecurityContextHolder to complete request
I tried playing with grant_type set to client_credentials and password, but nothing had any effect. I also tried commenting out http.oauth2Login(). Still no luck.
Other examples that extend KeycloakWebSecurityConfigurerAdapter and apply Keycloak security as an adapter actually behave better: access is possible both ways.
Edit 1: I can post the trace log if anyone needs it.
1 Answer
The Baeldung blog post you refer to configures a Spring OAuth2 client: it serves a UI with Thymeleaf pages (and it is not an "official" one).
If you are trying to build a REST API with OAuth2 security, then you should look at tutorials for configuring a resource-server.
Also, do not use the Keycloak adapters for Spring, they are already deprecated (if you look at the transient dependencies, you will see they are heavily deprecated).