堆栈内存溢出
  简体   繁体   English

使用 keycloak - JWT 令牌保护 Spring Boot 服务

[英]Securing Spring Boot service with keycloak - JWT token

 原文  2017-08-08 08:07:25       spring-boot/ jwt/ keycloak/ bearer-token/ keycloak-services

问题描述

So, I'm using keycloak to secure my services.所以,我使用 keycloak 来保护我的服务。 Client app gets access token from keycloak server and uses it to secure access to Spring boot app.客户端应用程序从 keycloak 服务器获取访问令牌,并使用它来保护对 Spring boot 应用程序的访问。 I've configured my Spring Boot application with keycloak properties using bearer-only access type:我已经使用仅持有者访问类型使用 keycloak 属性配置了我的 Spring Boot 应用程序:

keycloak.realm = master
keycloak.realmKey = ...
keycloak.auth-server-url = http://localhost:8080/auth
keycloak.ssl-required = external
keycloak.resource = boot-app
keycloak.bearer-only = true
keycloak.cors = true

Spring boot keycloak starter: Spring Boot keycloak 启动器:

<dependency>
    <groupId>org.keycloak</groupId>
    <artifactId>keycloak-spring-boot-starter</artifactId>
</dependency>

And configuring KeycloakWebSecurityConfigurerAdapter:并配置 KeycloakWebSecurityConfigurerAdapter:

@Configuration
@ComponentScan(basePackageClasses = KeycloakSecurityComponents.class)
public class KeycloakSecurityConfig extends KeycloakWebSecurityConfigurerAdapter
{
  /**
   * Registers the KeycloakAuthenticationProvider with the authentication manager.
   */
  @Autowired
  public void configureGlobal(final AuthenticationManagerBuilder auth) throws Exception
  {
    final KeycloakAuthenticationProvider keycloakAuthenticationProvider = keycloakAuthenticationProvider();
    keycloakAuthenticationProvider.setGrantedAuthoritiesMapper(new SimpleAuthorityMapper());
    auth.authenticationProvider(keycloakAuthenticationProvider);
  }

  @Bean
  public KeycloakConfigResolver keycloakConfigResolver()
  {
    return new KeycloakSpringBootConfigResolver();
  }

  /**
   * Defines the session authentication strategy.
   */
  @Bean
  @Override
  protected SessionAuthenticationStrategy sessionAuthenticationStrategy()
  {
    return new RegisterSessionAuthenticationStrategy(new SessionRegistryImpl());
  }

  @Override
  protected void configure(final HttpSecurity http) throws Exception
  {
    super.configure(http);
    http
        .authorizeRequests()
        .antMatchers(
            "/v2/api-docs",
            "/configuration/ui",
            "/swagger-resources",
            "/configuration/security",
            "/swagger-ui.html",
            "/webjars/**",
            "/swagger-resources/configuration/ui",
            "/swagge‌​r-ui.html",
            "/swagger-resources/configuration/security").permitAll()
        .antMatchers("/*").hasRole("user")
        .anyRequest().authenticated();
  }
}

Now, everything works fine.现在,一切正常。 My question is: Bearer token is JWT token, all you need to decode it (and verify access) is public key, which is我的问题是:不记名令牌是 JWT 令牌,您需要对其进行解码(并验证访问)的是公钥,即

keycloak.realmKey

Why would you need other settings, specificaly:为什么需要其他设置,特别是:

keycloak.auth-server-url

Isn't public key everything you need?公钥不是你需要的一切吗?

Thanks in advance提前致谢

2 个解决方案

解决方案1
 5 已采纳  2017-08-08 08:48:41

Indeed for a bearer-only you could wonder why the KC URL is needed but since a few KC versions the realmKey is not mandatory anymore since we are use key rotation.实际上,对于bearer-only您可能想知道为什么需要 KC URL,但由于一些 KC 版本, realmKey不再是强制性的,因为我们使用密钥轮换。 It means that your app will retrieve dynamically the public key from the KC server using the auth-server-url property.这意味着您的应用程序将使用auth-server-url属性从 KC 服务器动态检索公钥。

解决方案2
 1  2020-07-19 20:58:13

If you have a spring-boot application, latest spring-security will handle it neatly.如果你有一个 spring-boot 应用程序,最新的 spring-security 会很好地处理它。 All you need is to define jwks-uri in the application properties and the required dependencies.您只需要在应用程序属性和所需的依赖项中定义 jwks-uri。

spring.security.oauth2.resourceserver.jwt.jwk-set-uri=http://localhost:8780/auth/realms/my-realm/protocol/openid-connect/certs

    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-security</artifactId>
    </dependency>
    <dependency>
        <groupId>org.springframework.security</groupId>
        <artifactId>spring-security-oauth2-resource-server</artifactId>
        <version>5.3.3.RELEASE</version>
    </dependency>
    <dependency>
        <groupId>org.springframework.security</groupId>
        <artifactId>spring-security-oauth2-jose</artifactId>
        <version>5.3.3.RELEASE</version>
    </dependency>

Note that, you can also use issuer uri instead of jwks, if you want请注意,如果需要,您也可以使用 issuer uri 而不是 jwks

spring.security.oauth2.resourceserver.jwt.issuer-uri=http://localhost:8780/auth/realms/my-realm

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 使用 Keycloak 保护 Spring Boot REST 服务时的 NullPointer - NullPointer when securing Spring Boot REST Service with Keycloak Keycloak - 保护 Spring Boot 应用程序 - Keycloak - securing a Spring Boot application 我的 spring 启动没有使用 Keycloak 验证 JWT 令牌? - My spring boot does not validate JWT token with the Keycloak? 在Spring Boot中使用令牌保护API - Securing a api with an token in Spring Boot 在 Spring 引导中扩展 Keycloak 令牌 - Extend Keycloak token in Spring boot 在 Spring 引导中无状态地使用 Keycloak 和 JWT - Use Keycloak and JWT Statelessly in Spring Boot 在Spring Boot中使用Keycloak实现JWT,JWE和JWS(签名的JWT) - Implementing JWT, JWE and JWS (signed JWT) with Keycloak in Spring Boot 保护Spring Boot API Rest服务 - Securing a Spring boot api rest service 带有 spring 启动 CODE_TO_TOKEN_ERROR 的 Keycloak - Keycloak with spring boot CODE_TO_TOKEN_ERROR 如何在 Spring Boot 中验证 jwt 令牌? - How to verify jwt token in spring boot?
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM