Keycloak Spring Boot 适配器和匿名资源
Posted
技术标签:
【中文标题】Keycloak Spring Boot 适配器和匿名资源【英文标题】:Keycloak Spring Boot adapter and anonymous resources 【发布时间】:2018-07-25 07:18:08 【问题描述】:我无法让 Keycloak 跳过对公共资源路径的授权检查。
我们正在使用 Spring Boot Keycloak Adapter。
我们尝试了以下解决方案:
-
未在应用属性中使用安全约束指定路径(“/static/*”没有映射)
以下使用“public”
keycloak.security-constraints[10].securityCollections[0].name=public
keycloak.security-constraints[10].securityCollections[0].patterns[0]=/static/*
在 SecurityConfig.configure() 中
http.authorizeRequests().antMatchers("/static/**").permitAll()
阅读有关使用策略执行器的信息,但除了使用策略执行器配置之外,没有关于使用 Spring Boot 执行此操作的说明。我不知道在哪里指定,因为我们没有 keycloak.json 文件。
以上所有结果总是:
java.lang.ClassCastException: org.springframework.security.authentication.AnonymousAuthenticationToken cannot be cast to org.keycloak.adapters.springsecurity.token.KeycloakAuthenticationToken
at org.keycloak.adapters.springsecurity.facade.SimpleHttpFacade.getSecurityContext(SimpleHttpFacade.java:63) ~[keycloak-spring-security-adapter-3.4.2.Final.jar:3.4.2.Final]
at org.keycloak.adapters.AuthenticatedActionsHandler.corsRequest(AuthenticatedActionsHandler.java:102) ~[keycloak-adapter-core-3.4.2.Final.jar:3.4.2.Final]
at org.keycloak.adapters.AuthenticatedActionsHandler.handledRequest(AuthenticatedActionsHandler.java:54) ~[keycloak-adapter-core-3.4.2.Final.jar:3.4.2.Final]
at org.keycloak.adapters.springsecurity.filter.KeycloakAuthenticatedActionsFilter.doFilter(KeycloakAuthenticatedActionsFilter.java:78) ~[keycloak-spring-security-adapter-3.4.2.Final.jar:3.4.2.Final]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240) ~[tomcat-embed-core-8.0.43.jar:8.0.43]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207) ~[tomcat-embed-core-8.0.43.jar:8.0.43]
at com.testing.SimpleCORSFilter.doFilter(SimpleCORSFilter.java:51) ~[classes/:na]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240) ~[tomcat-embed-core-8.0.43.jar:8.0.43]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207) ~[tomcat-embed-core-8.0.43.jar:8.0.43]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:317) ~[spring-security-web-4.2.3.RELEASE.jar:4.2.3.RELEASE]
at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:114) ~[spring-security-web-4.2.3.RELEASE.jar:4.2.3.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331) ~[spring-security-web-4.2.3.RELEASE.jar:4.2.3.RELEASE]
at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:137) ~[spring-security-web-4.2.3.RELEASE.jar:4.2.3.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331) ~[spring-security-web-4.2.3.RELEASE.jar:4.2.3.RELEASE]
at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:111) ~[spring-security-web-4.2.3.RELEASE.jar:4.2.3.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331) ~[spring-security-web-4.2.3.RELEASE.jar:4.2.3.RELEASE]
at org.keycloak.adapters.springsecurity.filter.KeycloakSecurityContextRequestFilter.doFilter(KeycloakSecurityContextRequestFilter.java:79) ~[keycloak-spring-security-adapter-3.4.2.Final.jar:3.4.2.Final]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331) ~[spring-security-web-4.2.3.RELEASE.jar:4.2.3.RELEASE]
at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:170) ~[spring-security-web-4.2.3.RELEASE.jar:4.2.3.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331) ~[spring-security-web-4.2.3.RELEASE.jar:4.2.3.RELEASE]
at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:63) ~[spring-security-web-4.2.3.RELEASE.jar:4.2.3.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331) ~[spring-security-web-4.2.3.RELEASE.jar:4.2.3.RELEASE]
at org.keycloak.adapters.springsecurity.filter.KeycloakAuthenticatedActionsFilter.doFilter(KeycloakAuthenticatedActionsFilter.java:82) ~[keycloak-spring-security-adapter-3.4.2.Final.jar:3.4.2.Final]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331) ~[spring-security-web-4.2.3.RELEASE.jar:4.2.3.RELEASE]
at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:200) ~[spring-security-web-4.2.3.RELEASE.jar:4.2.3.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331) ~[spring-security-web-4.2.3.RELEASE.jar:4.2.3.RELEASE]
at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:116) ~[spring-security-web-4.2.3.RELEASE.jar:4.2.3.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331) ~[spring-security-web-4.2.3.RELEASE.jar:4.2.3.RELEASE]
at org.keycloak.adapters.springsecurity.filter.KeycloakPreAuthActionsFilter.doFilter(KeycloakPreAuthActionsFilter.java:84) ~[keycloak-spring-security-adapter-3.4.2.Final.jar:3.4.2.Final]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331) ~[spring-security-web-4.2.3.RELEASE.jar:4.2.3.RELEASE]
at org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:64) ~[spring-security-web-4.2.3.RELEASE.jar:4.2.3.RELEASE]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) ~[spring-web-4.3.8.RELEASE.jar:4.3.8.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331) ~[spring-security-web-4.2.3.RELEASE.jar:4.2.3.RELEASE]
at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:105) ~[spring-security-web-4.2.3.RELEASE.jar:4.2.3.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331) ~[spring-security-web-4.2.3.RELEASE.jar:4.2.3.RELEASE]
at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:56) ~[spring-security-web-4.2.3.RELEASE.jar:4.2.3.RELEASE]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) ~[spring-web-4.3.8.RELEASE.jar:4.3.8.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331) ~[spring-security-web-4.2.3.RELEASE.jar:4.2.3.RELEASE]
at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:214) ~[spring-security-web-4.2.3.RELEASE.jar:4.2.3.RELEASE]
at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:177) ~[spring-security-web-4.2.3.RELEASE.jar:4.2.3.RELEASE]
at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346) ~[spring-web-4.3.8.RELEASE.jar:4.3.8.RELEASE]
at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:262) ~[spring-web-4.3.8.RELEASE.jar:4.3.8.RELEASE]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240) ~[tomcat-embed-core-8.0.43.jar:8.0.43]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207) ~[tomcat-embed-core-8.0.43.jar:8.0.43]
at org.springframework.web.filter.RequestContextFilter.doFilterInternal(RequestContextFilter.java:99) ~[spring-web-4.3.8.RELEASE.jar:4.3.8.RELEASE]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) ~[spring-web-4.3.8.RELEASE.jar:4.3.8.RELEASE]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240) ~[tomcat-embed-core-8.0.43.jar:8.0.43]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207) ~[tomcat-embed-core-8.0.43.jar:8.0.43]
at org.springframework.web.filter.HttpPutFormContentFilter.doFilterInternal(HttpPutFormContentFilter.java:105) ~[spring-web-4.3.8.RELEASE.jar:4.3.8.RELEASE]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) ~[spring-web-4.3.8.RELEASE.jar:4.3.8.RELEASE]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240) ~[tomcat-embed-core-8.0.43.jar:8.0.43]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207) ~[tomcat-embed-core-8.0.43.jar:8.0.43]
at org.springframework.web.filter.HiddenHttpMethodFilter.doFilterInternal(HiddenHttpMethodFilter.java:81) ~[spring-web-4.3.8.RELEASE.jar:4.3.8.RELEASE]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) ~[spring-web-4.3.8.RELEASE.jar:4.3.8.RELEASE]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240) ~[tomcat-embed-core-8.0.43.jar:8.0.43]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207) ~[tomcat-embed-core-8.0.43.jar:8.0.43]
at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:197) ~[spring-web-4.3.8.RELEASE.jar:4.3.8.RELEASE]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) ~[spring-web-4.3.8.RELEASE.jar:4.3.8.RELEASE]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240) ~[tomcat-embed-core-8.0.43.jar:8.0.43]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207) ~[tomcat-embed-core-8.0.43.jar:8.0.43]
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:212) ~[tomcat-embed-core-8.0.43.jar:8.0.43]
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:94) [tomcat-embed-core-8.0.43.jar:8.0.43]
at org.keycloak.adapters.tomcat.AbstractAuthenticatedActionsValve.invoke(AbstractAuthenticatedActionsValve.java:67) [spring-boot-container-bundle-3.4.2.Final.jar:3.4.2.Final]
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:616) [tomcat-embed-core-8.0.43.jar:8.0.43]
at org.keycloak.adapters.tomcat.AbstractKeycloakAuthenticatorValve.invoke(AbstractKeycloakAuthenticatorValve.java:181) [spring-boot-container-bundle-3.4.2.Final.jar:3.4.2.Final]
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:141) [tomcat-embed-core-8.0.43.jar:8.0.43]
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79) [tomcat-embed-core-8.0.43.jar:8.0.43]
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:88) [tomcat-embed-core-8.0.43.jar:8.0.43]
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:502) [tomcat-embed-core-8.0.43.jar:8.0.43]
at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1132) [tomcat-embed-core-8.0.43.jar:8.0.43]
at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:684) [tomcat-embed-core-8.0.43.jar:8.0.43]
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1533) [tomcat-embed-core-8.0.43.jar:8.0.43]
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1489) [tomcat-embed-core-8.0.43.jar:8.0.43]
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) [na:1.8.0_152]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) [na:1.8.0_152]
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) [tomcat-embed-core-8.0.43.jar:8.0.43]
at java.lang.Thread.run(Thread.java:748) [na:1.8.0_152]
任何帮助将不胜感激。
谢谢。
【问题讨论】:
你是如何解决这个问题的? @Teo 我也无法正常工作。他们在他们的 JIRA 上关闭了这张票,但我仍然收到java.lang.ClassCastException: org.springframework.security.authentication.AnonymousAuthenticationToken cannot be cast to org.keycloak.adapters.springsecurity.token.KeycloakAuthenticationToken
@doublemc 等等?我们能做什么?
@Teo 没有找到任何可以正常工作的东西 - 认为你可能自己拥有 ;)
@doublemc 看来我们并不孤单:P ***.com/questions/50228797/…
【参考方案1】:
其他帖子提到调用 web.ignoring()...,但我重写了没有忽略方法的 configure(HttpSecurity) 方法。
我终于意识到我可以重写这两个配置方法(HttpSecurity 和 WebSecurity)来完成这个。
public void configure(WebSecurity web) throws Exception
web.ignoring().antMatchers("/static/*");
如果我们可以在应用程序属性文件中使用 keycloak 参数指定匿名访问,那就太好了,但是这样可以。
【讨论】:
【参考方案2】:可以通过将以下代码添加到https://issues.jboss.org/browse/KEYCLOAK-6468中来解决该问题
@Override
public void configure(final WebSecurity web) throws Exception
web.ignoring().antMatchers("/keycloak.json");
【讨论】:
【参考方案3】:我的应用程序中有类似的所需配置,并且遇到了相同的异常。我可以通过覆盖一些 Keycloak 的类并在 HTTP 外观的 getSecurityContext() 方法中添加一个 isAssignableFrom(Class) 检查来解决它:
/**
* Hack to fix issue accessing resources anonymously while Keycloak adapter is part of the security chain.
*/
public class FixedKeycloakAuthenticatedActionsFilter extends KeycloakAuthenticatedActionsFilter
private static final Logger log = LoggerFactory.getLogger(FixedKeycloakAuthenticatedActionsFilter.class);
private ApplicationContext applicationContext;
private AdapterDeploymentContext deploymentContext;
FixedKeycloakAuthenticatedActionsFilter()
super();
/*
* Must override this because deploymentContext is set to private on the super class
*/
@Override
protected void initFilterBean() throws ServletException
super.initFilterBean();
deploymentContext = applicationContext.getBean(AdapterDeploymentContext.class);
/*
* Must override this because applicationContext is set to private on the super class
*/
@Override
public void setApplicationContext(ApplicationContext applicationContext) throws BeansException
super.setApplicationContext(applicationContext);
this.applicationContext = applicationContext;
@Override
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
throws IOException, ServletException
// use our fixed facade class
HttpFacade facade = new FixedSimpleHttpFacade((HttpServletRequest)request, (HttpServletResponse)response);
AuthenticatedActionsHandler handler = new AuthenticatedActionsHandler(deploymentContext.resolveDeployment(facade), (OIDCHttpFacade)facade);
boolean handled = handler.handledRequest();
if (handled)
log.debug("Authenticated filter handled request: ", ((HttpServletRequest) request).getRequestURI());
else
chain.doFilter(request, response);
/**
* Hack to add missing class check on @link SimpleHttpFacade#getSecurityContext().
*/
static class FixedSimpleHttpFacade extends SimpleHttpFacade
/**
* Creates a new simple HTTP facade for the given request and response.
*
* @param request the current <code>HttpServletRequest</code> (required)
* @param response the current <code>HttpServletResponse</code> (required)
*/
FixedSimpleHttpFacade(HttpServletRequest request, HttpServletResponse response)
super(request, response);
@Override
public KeycloakSecurityContext getSecurityContext()
SecurityContext context = SecurityContextHolder.getContext();
if (context != null && context.getAuthentication() != null &&
// this check is missing in the super class
KeycloakAuthenticationToken.class.isAssignableFrom(context.getAuthentication().getClass())
)
KeycloakAuthenticationToken authentication = (KeycloakAuthenticationToken) context.getAuthentication();
return authentication.getAccount().getKeycloakSecurityContext();
return null;
然后我在 KeycloakWebSecurityConfigurerAdapter 子类中覆盖返回特定过滤器的方法:
/**
* Override to return our fixed filter.
* @return An instance of our fixed @link KeycloakAuthenticatedActionsFilter.
*/
@Bean
@Override
protected KeycloakAuthenticatedActionsFilter keycloakAuthenticatedActionsFilter()
return new FixedKeycloakAuthenticatedActionsFilter();
现在我可以在没有身份验证的情况下访问我的公共端点,并且我的安全端点仍然可以按预期工作。
这似乎是一个简单的检查...我不知道为什么它不包含在 Keycloak Spring Security 适配器附带的SimpleHttpFacade 中。
【讨论】:
【参考方案4】:如果您使用 keycloak-spring-boot 适配器,您只需要避免为该安全约束声明角色,例如:
keycloak:
realm: Demo
auth-server-url: http://localhost:8080/auth
ssl-required: none
resource: demo-service
credentials:
secret: your-service-credentials
bearer-only: true
principal-attribute: preferred_username
use-resource-role-mappings: true
security-constraints:
-
authRoles:
securityCollections:
-
name: public
patterns:
- /actuator/health
-
authRoles:
- SECURE_ROLE
securityCollections:
-
name: protected
patterns:
- /secure/*
在上面的 YAML 文件中,我将 URL /actuator/health 声明为公共的,如您所见,它没有角色。 用户需要 SECURE_ROLE 才能访问 /secure/ URL 下的所有链接。
【讨论】:
以上是关于Keycloak Spring Boot 适配器和匿名资源的主要内容,如果未能解决你的问题,请参考以下文章
是否可以告诉 Spring Boot Keycloak 适配器 Keycloak 服务器可能有多个别名?
如何使 Spring Boot 适配器中的 Keycloak 策略执行器与 vaadin 一起使用
如何使用 Spring boot keycloak 适配器 + spring security 强制更新 oAuth 令牌(访问令牌 + 刷新令牌)。?