spring-security 如何将另一个授权过滤器添加到已受Keycloak保护的url

djmepvbi  于 2022-11-11  发布在  Spring
关注(0)|答案(1)|浏览(179)

我有一个用KeycloakWebSecurityConfigurerAdapter保护的Sping Boot 应用程序。现在我想为某些端点添加另一种(自定义)身份验证方式。因此,我创建了一个类,用它的自定义逻辑扩展AbstractAuthenticationProcessingFilterAuthenticationProvider。现在,我想使用以下命令将自定义过滤器添加到我的安全配置中的HttpSecurity对象

http.addFilterBefore(new VendorSessionAuthorizationFilter(), KeycloakAuthenticationProcessingFilter.class);

我的理解是,我先得到我的自定义过滤器,并根据结果,security-filter-chain继续到Keycloak-filter。当我测试调用一个端点时,我从来没有得到我在过滤器中实现的attemptAuthentication方法。我有一种感觉,无论我在调用http.addFilterBefore(...时做什么,Keycloak-filter-过滤器总是被执行,所以我没有办法有另一种身份验证方式。
此处显示“安全配置:

@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(jsr250Enabled = true, prePostEnabled = true)
public class KeycloakSecurityConfiguration extends KeycloakWebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        super.configure(http);

        http.addFilterBefore(new VendorSessionAuthorizationFilter(), KeycloakAuthenticationProcessingFilter.class);
        http.authenticationProvider(new VendorSessionAuthenticationProvider());

        http
                .cors().and()
                .csrf().disable()
                .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                .sessionAuthenticationStrategy(sessionAuthenticationStrategy())
                .and().formLogin().disable()
                .httpBasic().disable()
                .logout().disable()

                .authorizeRequests()
                .anyRequest().authenticated();
    }

    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        KeycloakAuthenticationProvider keycloakAuthenticationProvider = keycloakAuthenticationProvider();
        keycloakAuthenticationProvider.setGrantedAuthoritiesMapper(new SimpleAuthorityMapper());
        auth.authenticationProvider(keycloakAuthenticationProvider);
    }

    @Override
    protected SessionAuthenticationStrategy sessionAuthenticationStrategy() {
        return new NullAuthenticatedSessionStrategy();
    }

    @Bean
    public KeycloakConfigResolver KeycloakConfigResolver() {
        return new KeycloakSpringBootConfigResolver();
    }

    @Bean
    public FilterRegistrationBean keycloakAuthenticationProcessingFilterRegistrationBean(
            KeycloakAuthenticationProcessingFilter filter) {
        FilterRegistrationBean registrationBean = new FilterRegistrationBean(filter);
        registrationBean.setEnabled(false);
        return registrationBean;
    }

    @Bean
    public FilterRegistrationBean keycloakPreAuthActionsFilterRegistrationBean(
            KeycloakPreAuthActionsFilter filter) {
        FilterRegistrationBean registrationBean = new FilterRegistrationBean(filter);
        registrationBean.setEnabled(false);
        return registrationBean;
    }

    @Bean
    public FilterRegistrationBean keycloakAuthenticatedActionsFilterBean(
            KeycloakAuthenticatedActionsFilter filter) {
        FilterRegistrationBean registrationBean = new FilterRegistrationBean(filter);
        registrationBean.setEnabled(false);
        return registrationBean;
    }

    @Bean
    public FilterRegistrationBean keycloakSecurityContextRequestFilterBean(
            KeycloakSecurityContextRequestFilter filter) {
        FilterRegistrationBean registrationBean = new FilterRegistrationBean(filter);
        registrationBean.setEnabled(false);
        return registrationBean;
    }
}
r1zhe5dt

r1zhe5dt1#

如果您想对某些端点使用替代的身份验证方法,有一种方法如下
在适配器的configure部分,可以添加一个antMatcher并引用bean的函数。

.antMatchers("/your-api-here")
.access("@keycloakSecurityConfiguration.checkSomething()")

您的总配置如下所示(适当调整)

public class KeycloakSecurityConfiguration extends KeycloakWebSecurityConfigurerAdapter {

@Override
protected void configure(HttpSecurity http) throws Exception {
    super.configure(http);

    http.addFilterBefore(new VendorSessionAuthorizationFilter(), KeycloakAuthenticationProcessingFilter.class);
    http.authenticationProvider(new VendorSessionAuthenticationProvider());

    http
            .cors().and()
            .csrf().disable()
            .antMatchers("/your-api-here") 
            .access("@keycloakSecurityConfiguration.checkSomething()")

            .....
}

public boolean checkSomething(){

    // your code here
}

注意这将覆盖API的默认keycloak身份验证,而不是在顶部提供额外的身份验证

相关问题