我正在尝试使用Keycloak保护Spring Boot应用程序并通过Java而不是XML对其进行配置。我的SecurityConfig类看起来像这样:
@Configuration
@EnableWebSecurity
@ComponentScan(basePackageClasses = KeycloakSecurityComponents.class,
excludeFilters = @ComponentScan.Filter(type = FilterType.REGEX, pattern = "org.keycloak.adapters.springsecurity.management.HttpSessionManager"))
public class SecurityConfig extends KeycloakWebSecurityConfigurerAdapter {
@Autowired
public void configureGlobal(AuthenticationManagerBuilder auth) {
KeycloakAuthenticationProvider keycloakAuthenticationProvider = keycloakAuthenticationProvider();
keycloakAuthenticationProvider.setGrantedAuthoritiesMapper(new SimpleAuthorityMapper());
auth.authenticationProvider(keycloakAuthenticationProvider);
}
@Bean
public KeycloakSpringBootConfigResolver keycloakConfigResolver() {
return new KeycloakSpringBootConfigResolver();
}
@Bean
@Override
protected SessionAuthenticationStrategy sessionAuthenticationStrategy() {
return new RegisterSessionAuthenticationStrategy(new SessionRegistryImpl());
}
@Override
protected void configure(HttpSecurity http) throws Exception {
super.configure(http);
http.authorizeRequests()
.anyRequest().hasRole("admin");
}
}
据我所知,如果用户当前未登录,对anyRequest的调用应确保将[[all请求重定向到KeyCloak登录页面。但是,这似乎仅适用于非根URL。该项目当前有两个端点,“ /”“ / sync”。尝试访问同步端点会正确重定向到登录页面。尝试访问根页面不会,因此似乎被忽略了。我也尝试过使用antMatchers("*", "**", "/", "/*", "/**").hasRole("admin"),但是这些模式似乎都无法使根URL得到保护。
super.configure(http)的呼唤。但是,这执行了一些相对重要的事情,例如CSRF保护,登录/退出端点等。这是提取到方法中的等效代码,而不是超级调用: @Override
protected void configure(HttpSecurity http) throws Exception {
http.csrf().requireCsrfProtectionMatcher(this.keycloakCsrfRequestMatcher())
.and().sessionManagement().sessionAuthenticationStrategy(this.sessionAuthenticationStrategy())
.and().addFilterBefore(this.keycloakPreAuthActionsFilter(), LogoutFilter.class)
.addFilterBefore(this.keycloakAuthenticationProcessingFilter(), BasicAuthenticationFilter.class)
.addFilterBefore(this.keycloakAuthenticatedActionsFilter(), BasicAuthenticationFilter.class)
.addFilterAfter(this.keycloakSecurityContextRequestFilter(), SecurityContextHolderAwareRequestFilter.class)
.exceptionHandling().authenticationEntryPoint(this.authenticationEntryPoint())
.and().logout().addLogoutHandler(this.keycloakLogoutHandler()).logoutUrl("/sso/logout").permitAll().logoutSuccessUrl("/");
http.authorizeRequests()
.anyRequest().hasRole("admin");
}
颠倒超级调用和我自己的授权代码之间的顺序也没有导致根URL受到保护。
.and().logout().addLogoutHandler(this.keycloakLogoutHandler()).logoutUrl("/sso/logout").permitAll().logoutSuccessUrl("/");
到
.and().logout().addLogoutHandler(this.keycloakLogoutHandler()).logoutUrl("/sso/logout").permitAll().logoutSuccessUrl("/somethingelse");