1. 首頁
  2. 問答
  3. keycloak(彈簧啓動)未驗證REST端點

keycloak(彈簧啓動)未驗證REST端點

2017-02-10 156 views
0

我正在嘗試使用像keycloak這樣的開源用戶管理服務。構建一個angularJs應用程序,該應用程序將向通過keycloak保護的REST端點發送HTTP請求。我在後端使用了spring啓動。我可以調用端點並獲得不可能的結果,因爲它應該阻止來自未經授權來源的請求。keycloak(彈簧啓動)未驗證REST端點

這是兩個鏈接,我跟着

  1. keycloak with angular and spring boot

2. Github link to keycloak example

控制器,它包括REST端點,用戶將調用。與CORS

@RequestMapping(value = "/api/getSample") 
public test welcome() { 
    return new test("sample"); 
} 

@RequestMapping(value = "/check/test") 
public test welcome2() { 
    return new test("test"); 
}

春季啓動應用程序

@SpringBootApplication 
public class Application 
{ 
    public static void main(String[] args) 
    { 
     SpringApplication.run(Application.class, args); 
    } 

    @Bean 
    public FilterRegistrationBean corsFilter() { 
     UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource(); 
     CorsConfiguration config = new CorsConfiguration(); 
     config.setAllowCredentials(true); 
     config.addAllowedOrigin("*"); 
     config.addAllowedHeader("*"); 
     config.addAllowedMethod("*"); 
     source.registerCorsConfiguration("/api/*", config); 

     FilterRegistrationBean bean = new FilterRegistrationBean(new CorsFilter(source)); 
     bean.setOrder(0); 
     return bean; 
    } 
}

應用程序屬性文件

server.port = 8090 

keycloak.realm = demo 
keycloak.auth-server-url = http://localhost:8080/auth 
keycloak.ssl-required = external 
keycloak.resource = tutorial-backend 
keycloak.bearer-only = true 
keycloak.credentials.secret = 111-1111-111-111 
keycloak.use-resource-role-mappings = true 
keycloak.cors= true 

keycloak.securityConstraints[0].securityCollections[0].name = spring secured api 
keycloak.securityConstraints[0].securityCollections[0].authRoles[0] = user 
keycloak.securityConstraints[0].securityCollections[0].patterns[0] = /api 

keycloak.securityConstraints[0].securityCollections[1].name = insecure stuff 
keycloak.securityConstraints[0].securityCollections[1].authRoles[0] = user 
keycloak.securityConstraints[0].securityCollections[1].patterns[0] = /check

有兩種測試用例

  1. 製作REST調用無需登錄。在這種情況下我能夠取回結果。這不應該是這樣,我得到應該阻止(得到401錯誤)。

  2. 登錄時進行REST調用。我可以調用api/getSample,這是正確的行爲。然而,當我打電話檢查/測試,我得到XMLHttpRequest cannot load http://localhost:8090/check/test. Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://localhost:9000' is therefore not allowed access. The response had HTTP status code 403.

來源

2017-02-10 krs8888

回答

0

你有沒有在你的pom.xml添加的春天引導Keycloak適配器依賴。

對於2.您沒有爲/支票(僅用於/ API)

<dependency> 
     <groupId>org.keycloak</groupId> 
     <artifactId>keycloak-spring-boot-adapter</artifactId> 
     <version>${keycloak.version}</version> 
    </dependency>

來源

2017-02-28 15:36:04

+0

ofcourse I have have – krs8888

1

1)

我不知道你的測試究竟怎麼看起來像配置CORS,但也許系統認爲你還在登錄?您可以嘗試刪除您的Cookie以確保沒有保存訪問令牌。

另一種選擇可能是Spring Boot無法識別Keycloak適配器,因此無法保護訪問。您主要通過添加keycloak-spring-boot-adapterkeycloak-tomcat8-adapter依賴關係(more details here)來配置適配器。

2)

它看起來像CORS未正確配置。你可以考慮這個配置的實現(more details here):

@Bean 
FilterRegistrationBean corsFilter(
     @Value("${tagit.origin:http://localhost:9000}") String origin) { 
    return new FilterRegistrationBean(new Filter() { 
     public void doFilter(ServletRequest req, ServletResponse res, 
          FilterChain chain) throws IOException, ServletException { 
      HttpServletRequest request = (HttpServletRequest) req; 
      HttpServletResponse response = (HttpServletResponse) res; 
      String method = request.getMethod(); 
      // this origin value could just as easily have come from a database 
      response.setHeader("Access-Control-Allow-Origin", origin); 
      response.setHeader("Access-Control-Allow-Methods", 
        "POST,GET,PUT,DELETE"); 
      response.setHeader("Access-Control-Max-Age", Long.toString(60 * 60)); 
      response.setHeader("Access-Control-Allow-Credentials", "true"); 
      response.setHeader(
        "Access-Control-Allow-Headers", 
        "Origin,Accept,X-Requested-With,Content-Type,Access-Control-Request-Method,Access-Control-Request-Headers,Authorization"); 
      if ("OPTIONS".equals(method)) { 
       response.setStatus(HttpStatus.OK.value()); 
      } 
      else { 
       chain.doFilter(req, res); 
      } 
     } 

     public void init(FilterConfig filterConfig) { 
     } 

     public void destroy() { 
     } 
    }); 
}

來源

2017-03-28 08:46:38

相關問題

 相關問題