如何在 Spring Boot 应用程序中使用 Keycloak Policy Enforcer
Posted
技术标签:
【中文标题】如何在 Spring Boot 应用程序中使用 Keycloak Policy Enforcer【英文标题】:How to use Keycloak Policy Enforcer with Spring boot application 【发布时间】:2019-10-31 08:32:52 【问题描述】:Keycloak 策略执行器无法与示例 Sprint 启动应用程序一起使用。
我正在使用 Keycloak 版本 6.0.1 并尝试集成示例 Sprint 启动应用程序(Sprint 启动版本 2.1.3)。我的目标是在 Keycloak 中设置策略和权限,并在我的示例 Spring 引导应用程序中使用 Keycloak 策略执行器,以便使用 Keycloak 中定义的适当权限自动执行所有授权决策,并且示例应用程序中不需要代码。
我的 Spring Boot 示例应用程序只是从内存列表中打印用户列表:
public class JPAUserResource
@Autowired
private UserRepository userRepo;
@GetMapping(path = "/jpausers")
public List<JPAUser> retrieveAllUsers()
return userRepo.findAll();
我的 application.properties 文件有以下内容:
server.port=38080
spring.jpa.show-sql=true
spring.h2.console.enabled=true
logging.level.org.springframework.security=DEBUG
logging.level.org.keycloak.adapters.authorization=DEBUG
#Keycloak Configuration
keycloak.auth-server-url=http://192.168.154.190:18180/auth
keycloak.realm=master
keycloak.resource=login-app
keycloak.principal-attribute=preferred_username
keycloak.credentials.secret=195925d6-b258-407d-a65d-f1fd12d7a876
keycloak.policy-enforcer-config.enforcement-mode=enforcing
keycloak.realm-key=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAjyYRe6LxBxO9hVtr4ScsMCBp3aPE9qbJLptPIMQCZR6JhVhOxA1kxhRmVYHXR5pdwiQWU8MriRhAY1JGniG6GNS1+BL+JaUiaGxov4rpD2SIMdrs8YjjSoD3Z8wvsMAopzWG48i9T/ppNaqKTkDZHbHAXOYJn+lymQ4EqpQrJ1Uh+SUA8XcLvWUQ12ty9BieujudWhnAgQ4zxyJY3I8sZwjaRIxndzSlyPJo45lWzXkpqcl92eU/Max7LRM4WKqsUvu86DgqlXbJcz8T+GUeF30ONQDSLX9rwNIT4ZiCVMT7x6YfKXZW6jxC0UiXxZuT23xk8A9iCP4rC9xo1NfGTwIDAQAB
keycloak.policy-enforcer-config.paths[0].path=/jpausers
keycloak.policy-enforcer-config.paths[0].methods[0].method=GET
我的 Keycloak 授权设置如下:
"allowRemoteResourceManagement": true,
"policyEnforcementMode": "ENFORCING",
"resources": [
"name": "Default Resource",
"type": "urn:login-app:resources:default",
"ownerManagedAccess": false,
"attributes": ,
"_id": "501febc8-f3e1-411f-aecf-376b4786c24e",
"uris": [
"/*"
]
,
"name": "jpausers",
"ownerManagedAccess": false,
"displayName": "jpausers",
"attributes": ,
"_id": "a8f691db-39ef-4b2c-80fb-37224e270f1e",
"uris": [
"/jpausers"
],
"scopes": [
"name": "GET"
,
"name": "POST"
]
],
"policies": [
"id": "94518189-3794-451c-9996-eec22543d802",
"name": "Default Policy",
"description": "A policy that grants access only for users within this realm",
"type": "js",
"logic": "POSITIVE",
"decisionStrategy": "AFFIRMATIVE",
"config":
"code": "// by default, grants any permission associated with this policy\n$evaluation.grant();\n"
,
"id": "0242cf72-365d-49ae-8d5b-4ced24736f24",
"name": "test_jpa",
"type": "role",
"logic": "POSITIVE",
"decisionStrategy": "UNANIMOUS",
"config":
"roles": "[\"id\":\"jpa\",\"required\":false]"
,
"id": "5c34e2b4-a56a-45f9-a1cc-94788bcb41b0",
"name": "test_perm1",
"type": "resource",
"logic": "POSITIVE",
"decisionStrategy": "UNANIMOUS",
"config":
"resources": "[\"jpausers\"]",
"applyPolicies": "[\"test_jpa\"]"
],
"scopes": [
"id": "4ee351e6-7095-453a-a4f4-badbc9ec1ba0",
"name": "GET",
"displayName": "GET"
,
"id": "9119aab2-75a0-49d1-a076-8d9210c3e457",
"name": "POST",
"displayName": "POST"
]
当我向我的 Rest API '/jpausers' 发送请求时,它会失败并在控制台上显示以下消息:
*19:17:52.044 [http-nio-38080-exec-1] INFO o.k.a.authorization.PolicyEnforcer - Paths provided in configuration.
19:17:52.045 [http-nio-38080-exec-1] DEBUG o.k.a.authorization.PolicyEnforcer - Trying to find resource with uri [/jpausers] for path [/jpausers].
19:17:52.151 [http-nio-38080-exec-1] DEBUG o.k.a.authorization.PolicyEnforcer - Initialization complete. Path configurations:
19:17:52.151 [http-nio-38080-exec-1] DEBUG o.k.a.authorization.PolicyEnforcer - PathConfigname='null', type='null', path='/jpausers', scopes=[], id='a8f691db-39ef-4b2c-80fb-37224e270f1e', enforcerMode='ENFORCING'
19:17:52.154 [http-nio-38080-exec-1] DEBUG o.k.a.authorization.PolicyEnforcer - Policy enforcement is enabled. Enforcing policy decisions for path [http://192.168.109.97:38080/jpausers].
19:17:52.156 [http-nio-38080-exec-1] DEBUG o.k.a.a.KeycloakAdapterPolicyEnforcer - Sending challenge
19:17:52.157 [http-nio-38080-exec-1] DEBUG o.k.a.authorization.PolicyEnforcer - Policy enforcement result for path [http://192.168.109.97:38080/jpausers] is : DENIED
19:17:52.157 [http-nio-38080-exec-1] DEBUG o.k.a.authorization.PolicyEnforcer - Returning authorization context with permissions:*
UMA 授权已禁用。我首先使用带有密码凭据授予类型的 Openid Connect 令牌 API 检索了访问令牌,然后我尝试使用访问令牌访问我的 Rest API '/jpausers'。
有人可以在这里帮助解决这个问题吗?我该如何解决 ?我是否必须启用 UMA 才能使策略执行器工作?
【问题讨论】:
【参考方案1】:通过快速查看,我可以看到您在 application.properties 中的映射不完整,您尚未将 HTTP 方法映射到您在 keycloak 中配置的范围。像这样的东西
keycloak.policy-enforcer-config.paths[0].path=/jpausers
keycloak.policy-enforcer-config.paths[0].methods[0].method=GET
keycloak.policy-enforcer-config.paths[0].methods[0].scopes[0]=GET
【讨论】:
我尝试添加上述属性,但仍然是同样的错误。你能建议点别的吗?我尝试在 Keycloak 代码中进行更多调试,看起来 KeycloakSecurityContext 可能为空。任何想法如何解决这个问题? 在这里查看示例github.com/keycloak/keycloak-quickstarts/tree/latest/… 在 application.properties 中添加这两个属性对我有用:keycloak.securityConstraints[0].authRoles[0]=* keycloak.securityConstraints[0].securityCollections[0].patterns[0]=/*【参考方案2】:
我认为您缺少 keycloak.securityConstraints[0].securityCollections[0].name= jpausers
【讨论】:
【参考方案3】:我遇到了同样的问题,我可以在我的应用程序属性 yaml 文件中使用类似的设置来解决它,如下所示:
keycloak:
security-constraints:
- auth-roles:
- "*"
security-collections:
- name:
patterns:
- /*
【讨论】:
欢迎来到 SO。查看此页面,了解如何在 SO 上提出好的问题——***.com/help/...。您遇到的错误/异常是什么?以上是关于如何在 Spring Boot 应用程序中使用 Keycloak Policy Enforcer的主要内容,如果未能解决你的问题,请参考以下文章
如何将基于 Spring Boot 构建的依赖项使用到典型的 Spring 应用程序中?
如何在 Spring-Boot 应用程序中使用 JavaScript 加入枚举
如何使用 CommandLineJobRunner 调用嵌入在 Spring Boot 应用程序中的 Spring Batch 作业
如何在 Spring (Boot) 应用程序的代码中动态添加 bean?