我正在尝试使用keycloak配置Spring Boot OAuth2。当我使用application.properties文件中的属性时,代码工作正常。当前配置如下:
rest.security.issuer-uri=http://172.30.30.172:8080/auth/realms/<REALM_NAME>
security.oauth2.resource.id=test
security.oauth2.resource.token-info-uri=${rest.security.issuer-uri}/protocol/openid-connect/token/introspect
security.oauth2.resource.user-info-uri=${rest.security.issuer-uri}/protocol/openid-connect/userinfo
security.oauth2.resource.jwt.key-value=<PUBLIC KEY>
security.oauth2.client.client-id=<CLIENT ID>
security.oauth2.client.client-secret=<CLIENT SECRET>
security.oauth2.client.user-authorization-uri=${rest.security.issuer-uri}/protocol/openid-connect/auth
security.oauth2.client.access-token-uri=${rest.security.issuer-uri}/protocol/openid-connect/token
security.oauth2.client.scope=openid
security.oauth2.client.grant-type=client_credentials
我想以动态方式配置客户端配置设置,方法是从数据库中为每个客户端(自己的领域)请求获取客户端配置。以动态方式设置客户端属性的Java Spring Boot Security配置应该是什么。
当前安全性配置如下:
@Configuration
@EnableWebSecurity
@EnableResourceServer
@EnableGlobalMethodSecurity(prePostEnabled = true)
@ConditionalOnProperty(prefix = "rest.security", value = "enabled", havingValue = "true")
@Import({SecurityProperties.class})
public class SecurityConfigurer extends ResourceServerConfigurerAdapter{
private ResourceServerProperties resourceServerProperties;
private SecurityProperties securityProperties;
/* Using spring constructor injection, @Autowired is implicit */
public SecurityConfigurer(ResourceServerProperties resourceServerProperties, SecurityProperties securityProperties) {
this.resourceServerProperties = resourceServerProperties;
this.securityProperties = securityProperties;
}
@Override
public void configure(ResourceServerSecurityConfigurer resources) throws Exception {
resources.resourceId(resourceServerProperties.getResourceId());
}
@Override
public void configure(final HttpSecurity http) throws Exception {
http.cors()
.configurationSource(corsConfigurationSource())
.and()
.headers()
.frameOptions()
.disable()
.and()
.csrf()
.disable()
.authorizeRequests()
.antMatchers(securityProperties.getApiMatcher())
.authenticated();
}
@Bean
public CorsConfigurationSource corsConfigurationSource() {
UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
if (null != securityProperties.getCorsConfiguration()) {
source.registerCorsConfiguration("/**", securityProperties.getCorsConfiguration());
}
return source;
}
@Bean
public JwtAccessTokenCustomizer jwtAccessTokenCustomizer(ObjectMapper mapper) {
return new JwtAccessTokenCustomizer(mapper);
}
}
我尝试使用以下代码重写bean ResourceServerProperties。但是,它会抛出NoUniqueBeanDefinitionException异常。
@Configuration
@Import({ResourceServerProperties.class})
public class ResourceSecurityProperties {
@Primary
@Bean
ResourceServerProperties resourceServerProperties(){
ResourceServerProperties resourceServerProperties= new ResourceServerProperties("<CLIENT-ID>", "<CLIENT-SECRET>");
ResourceServerProperties.Jwt jwt= resourceServerProperties.new Jwt();
resourceServerProperties.setId("test001001");
resourceServerProperties.setTokenInfoUri("http://172.30.30.172:8080/auth/realms/conf/protocol/openid-connect/token/introspect");
resourceServerProperties.setUserInfoUri("http://172.30.30.172:8080/auth/realms/conf/protocol/openid-connect/userinfo");
jwt.setKeyValue("<PUBLIC KEY>");
resourceServerProperties.setJwt(jwt);
return resourceServerProperties;
}
}
您是否找到了解决此问题的方法,并遇到了同样的问题。如果您可以分享您的发现,那就太好了。
对于覆盖OAuth2ProtectedResourceDetails bean的安全的模块间通信来说,这个技巧可以解决,但是对于动态资源属性,我还没有发现任何东西。