My Spring Boot (JHipster) application using Keycloak authentication runs fine locally.
But it needs to run on a Linux machine behind nginx and an SSL certificate.
On the Linux deployment, JHipster appears to start normally, e.g. it begins loading Liquibase, but then throws
org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'springSecurityFilterChain' defined in class path resource [org/springframework/security/config/annotation/web/configuration/WebSecurityConfiguration.class]: Bean instantiation via factory method failed; nested exception is org.springframework.beans.BeanInstantiationException: Failed to instantiate [javax.servlet.Filter]: Factory method 'springSecurityFilterChain' threw exception; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'jwtDecoder' defined in class path resource [XXX/config/SecurityConfiguration.class]: Bean instantiation via factory method failed; nested exception is org.springframework.beans.BeanInstantiationException: Failed to instantiate [org.springframework.security.oauth2.jwt.JwtDecoder]: Factory method 'jwtDecoder' threw exception; nested exception is java.lang.IllegalStateException: com.nimbusds.jose.RemoteKeySourceException: Couldn't retrieve remote JWK set: Connection refused (Connection refused)
at org.springframework.beans.factory.support.ConstructorResolver.instantiate(ConstructorResolver.java:658)
at org.springframework.beans.factory.support.ConstructorResolver.instantiateUsingFactoryMethod(ConstructorResolver.java:486)
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.instantiateUsingFactoryMethod(AbstractAutowireCapableBeanFactory.java:1352)
I found many posts about "Couldn't retrieve remote JWK set", but they seem to be about timeout problems rather than connection refused.
I believe JHipster must be getting through to Keycloak, because if I change SPRING_SECURITY_OAUTH2_CLIENT_PROVIDER_OIDC_ISSUER_URI it complains about a mismatch with Keycloak's actual location.
In /etc/hosts there is the following, although I noticed that its presence makes no difference:
127.0.0.1 keycloak
SSL and nginx are the difference between the working local setup and the failing Linux deployment.
nginx sites-enabled/default has
server {
    root /var/www/html;
    index index.html index.htm index.nginx-debian.html;
    server_name XXX; # managed by Certbot

    location / {
        proxy_pass http://localhost:9080;
    }

    listen [::]:443 ssl; # managed by Certbot
    listen 443 ssl; # managed by Certbot
    ssl_certificate XXX/fullchain.pem; # managed by Certbot
    ssl_certificate_key XXX/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}

server {
    if ($host = XXX) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    listen 80;
    listen [::]:80;
    server_name XXX;
    return 404; # managed by Certbot
}
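The stack trace above comes from Spring Security's startup path for `issuer-uri`: it fetches the issuer's discovery document, requires its `issuer` field to equal the configured value, and then builds the JWT decoder from whatever `jwks_uri` that document advertises, which is the URL the "Connection refused" actually refers to. The following added example (not JHipster's or Spring's own code) mirrors those two steps against a constructed discovery document and probes the advertised JWK host with a plain TCP connect, so the error class can be told apart from the server where the application runs; the hostname `auth.example.test` is a placeholder.

```python
import json
import socket
from urllib.parse import urlsplit

# Constructed sample of what /.well-known/openid-configuration might return when
# Keycloak sits behind a reverse proxy and advertises its *frontend* URL.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://auth.example.test/realms/jhipster",
    "jwks_uri": "https://auth.example.test/realms/jhipster/protocol/openid-connect/certs",
})


def check_issuer(discovery_json: str, configured_issuer: str) -> dict:
    """Mirror what Spring Security does with issuer-uri at startup:
    1. the discovery document's `issuer` must equal the configured value
       (this is the "mismatch" complaint seen when the URI is changed),
    2. `jwks_uri` from the document becomes the remote key source that the
       jwtDecoder bean must be able to reach."""
    doc = json.loads(discovery_json)
    url = urlsplit(doc["jwks_uri"])
    port = url.port or (443 if url.scheme == "https" else 80)
    return {
        "issuer_matches": doc["issuer"] == configured_issuer,
        "jwks_scheme": url.scheme,
        "jwks_host": url.hostname,
        "jwks_port": port,
    }


def probe_tcp(host: str, port: int, timeout: float = 3.0) -> str:
    """Plain TCP connect to the advertised JWK host:port. 'refused' means the
    host answered but nothing listens there (wrong host/port from the app's
    point of view); 'timeout' points at a firewall or routing drop. TLS and
    certificate problems are a separate, later failure and are not covered."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "timeout"
    except OSError as exc:  # e.g. DNS resolution failure (gaierror)
        return f"error: {exc.errno}"


if __name__ == "__main__":
    info = check_issuer(SAMPLE_DISCOVERY, "https://auth.example.test/realms/jhipster")
    print(info, probe_tcp(info["jwks_host"], info["jwks_port"]))
```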