我正在嘗試使用像keycloak這樣的開源用戶管理服務。構建一個angularJs應用程序,該應用程序將向通過keycloak保護的REST端點發送HTTP請求。我在後端使用了spring啓動。我可以調用端點並獲得不可能的結果,因爲它應該阻止來自未經授權來源的請求。keycloak(彈簧啓動)未驗證REST端點
這是兩個鏈接,我跟着
2. Github link to keycloak example
控制器,它包括REST端點,用戶將調用。與CORS
@RequestMapping(value = "/api/getSample")
public test welcome() {
return new test("sample");
}
@RequestMapping(value = "/check/test")
public test welcome2() {
return new test("test");
}
春季啓動應用程序
@SpringBootApplication
public class Application
{
public static void main(String[] args)
{
SpringApplication.run(Application.class, args);
}
@Bean
public FilterRegistrationBean corsFilter() {
UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
CorsConfiguration config = new CorsConfiguration();
config.setAllowCredentials(true);
config.addAllowedOrigin("*");
config.addAllowedHeader("*");
config.addAllowedMethod("*");
source.registerCorsConfiguration("/api/*", config);
FilterRegistrationBean bean = new FilterRegistrationBean(new CorsFilter(source));
bean.setOrder(0);
return bean;
}
}
應用程序屬性文件
server.port = 8090
keycloak.realm = demo
keycloak.auth-server-url = http://localhost:8080/auth
keycloak.ssl-required = external
keycloak.resource = tutorial-backend
keycloak.bearer-only = true
keycloak.credentials.secret = 111-1111-111-111
keycloak.use-resource-role-mappings = true
keycloak.cors= true
keycloak.securityConstraints[0].securityCollections[0].name = spring secured api
keycloak.securityConstraints[0].securityCollections[0].authRoles[0] = user
keycloak.securityConstraints[0].securityCollections[0].patterns[0] = /api
keycloak.securityConstraints[0].securityCollections[1].name = insecure stuff
keycloak.securityConstraints[0].securityCollections[1].authRoles[0] = user
keycloak.securityConstraints[0].securityCollections[1].patterns[0] = /check
有兩種測試用例
製作REST調用無需登錄。在這種情況下我能夠取回結果。這不應該是這樣,我得到應該阻止(得到401錯誤)。
登錄時進行REST調用。我可以調用api/getSample,這是正確的行爲。然而,當我打電話檢查/測試,我得到
XMLHttpRequest cannot load http://localhost:8090/check/test. Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://localhost:9000' is therefore not allowed access. The response had HTTP status code 403.
ofcourse I have have – krs8888