[英]Spring Security and Keycloak fails with a custom authentication provider
我們已經在 Spring Security (Spring Boot 2) 中使用 Keycloak 有一段時間了,現在我們正嘗試添加一個自定義的 API-Key 身份驗證機制,我們檢查名為api-key
的標頭並將該值發送到遠程服務驗證,如果有效,則完全跳過Keycloak 檢查。 這適用於所有請求和端點。
我有自己的AuthenticationProvider
和AbstractAuthenticationProcessingFilter
,但現在所有對服務器的請求都會拋出 403,甚至是有效的 Keycloak 請求。 奇怪的是,我的新代碼甚至都沒有被執行,因為沒有記錄或斷點命中的跡象。 我已經通讀了多重身份驗證文檔並查看了幾個SO 帖子,但仍然無法使其正常工作。
這是我的自定義AuthenticationProvider
:
public class ApiKeyAuthenticationProvider implements AuthenticationProvider {
@Override
public Authentication authenticate(Authentication authentication) throws AuthenticationException {
log.info("API-KEY: Provider.authenticate()");
ApiKeyAuthenticationToken auth = (ApiKeyAuthenticationToken) authentication;
String apiKey = auth.getCredentials().toString();
// Always returns TRUE at the moment to test bypassing Keycloak
boolean isApiKeyValid = RemoteApiKeyService.verify(apiKey);
if (isApiKeyValid) {
log.info("API-KEY: auth successful");
auth.setAuthenticated(true);
} else {
log.warn("API-KEY: auth failed");
throw new BadCredentialsException("Api-Key Authentication Failed");
}
return auth;
}
@Override
public boolean supports(Class<?> authentication) {
log.info("API-KEY: Provider.supports(): " + authentication.getSimpleName());
return authentication.isAssignableFrom(ApiKeyAuthenticationToken.class);
}
}
我的代幣:
public class ApiKeyAuthenticationToken extends AbstractAuthenticationToken {
private final String token;
public ApiKeyAuthenticationToken(String token) {
super(null);
this.token = token;
}
@Override
public Object getCredentials() {
return token;
}
@Override
public Object getPrincipal() {
return null;
}
}
這是過濾器:
public class ApiKeyFilter extends AbstractAuthenticationProcessingFilter {
public ApiKeyFilter() {
super("/*");
log.info("API-KEY filter.init()");
}
@Override
public Authentication attemptAuthentication(HttpServletRequest request,
HttpServletResponse response) throws AuthenticationException, IOException, ServletException {
log.info("API-KEY filter.attemptAuthentication()");
String apiKeyHeader = request.getHeader("api-key");
if (apiKeyHeader != null) {
return new ApiKeyAuthenticationToken(apiKeyHeader);
}
return null;
}
}
最后,我如何使用多個提供程序將所有內容與我的安全配置聯系在一起:
@Slf4j
@Configuration
@EnableWebSecurity
@SuppressWarnings("SpringJavaInjectionPointsAutowiringInspection")
public class SecurityConf {
@Configuration
@Order(1) //Order is 1 -> First the special case
public static class ApiKeySecurityConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception
{
http.csrf().disable().authorizeRequests()
.antMatchers("/**").authenticated();
}
@Autowired
public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
// our custom authentication provider
auth.authenticationProvider(new ApiKeyAuthenticationProvider());
}
}
@Configuration
@Order(2) // processed after our API Key bean config
public static class KeycloakSecurityConfig extends KeycloakWebSecurityConfigurerAdapter {
@Autowired
public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
KeycloakAuthenticationProvider provider = keycloakAuthenticationProvider();
provider.setGrantedAuthoritiesMapper(new SimpleAuthorityMapper());
auth.authenticationProvider(provider);
}
@Bean
@Override
protected SessionAuthenticationStrategy sessionAuthenticationStrategy() {
return new RegisterSessionAuthenticationStrategy(new SessionRegistryImpl());
}
@Override
protected void configure(HttpSecurity http) throws Exception {
super.configure(http);
http.csrf().disable().authorizeRequests();
http.headers().frameOptions().disable();
}
// necessary due to http://www.keycloak.org/docs/latest/securing_apps/index.html#avoid-double-filter-bean-registration
@Bean
public FilterRegistrationBean keycloakAuthenticationProcessingFilterRegistrationBean(KeycloakAuthenticationProcessingFilter filter) {
FilterRegistrationBean registrationBean = new FilterRegistrationBean(filter);
registrationBean.setEnabled(false);
return registrationBean;
}
// necessary due to http://www.keycloak.org/docs/latest/securing_apps/index.html#avoid-double-filter-bean-registration
@Bean
public FilterRegistrationBean keycloakPreAuthActionsFilterRegistrationBean(KeycloakPreAuthActionsFilter filter) {
FilterRegistrationBean registrationBean = new FilterRegistrationBean(filter);
registrationBean.setEnabled(false);
return registrationBean;
}
// necessary due to http://www.keycloak.org/docs/latest/securing_apps/index.html#avoid-double-filter-bean-registration
@Bean
public FilterRegistrationBean keycloakAuthenticatedActionsFilterBean(
KeycloakAuthenticatedActionsFilter filter) {
FilterRegistrationBean registrationBean = new FilterRegistrationBean(filter);
registrationBean.setEnabled(false);
return registrationBean;
}
// necessary due to http://www.keycloak.org/docs/latest/securing_apps/index.html#avoid-double-filter-bean-registration
@Bean
public FilterRegistrationBean keycloakSecurityContextRequestFilterBean(
KeycloakSecurityContextRequestFilter filter) {
FilterRegistrationBean registrationBean = new FilterRegistrationBean(filter);
registrationBean.setEnabled(false);
return registrationBean;
}
@Bean
@Scope(value = "singleton")
public KeycloakSpringBootConfigResolver keycloakConfigResolver() {
final KeycloakDeployment keycloakDeployment = KeycloakDeploymentBuilder.build(
KeycloakClient.default_client.toAdapterConfig()
);
return new KeycloakSpringBootConfigResolver() {
@Override
public KeycloakDeployment resolve(HttpFacade.Request request) {
return keycloakDeployment;
}
};
}
}
}
知道什么配置錯誤嗎? 我的代碼甚至都沒有運行但破壞了 Keycloak 的事實很有趣。
以此為例,並在您的代碼中進行相應的嘗試
@Override
protected void configure(HttpSecurity http) throws Exception {
AuthenticationProvider rememberMeAuthenticationProvider = rememberMeAuthenticationProvider();
TokenBasedRememberMeServices tokenBasedRememberMeServices = tokenBasedRememberMeServices();
List<AuthenticationProvider> authenticationProviders = new ArrayList<AuthenticationProvider>(2);
authenticationProviders.add(rememberMeAuthenticationProvider);
authenticationProviders.add(customAuthenticationProvider);
AuthenticationManager authenticationManager = authenticationManager(authenticationProviders);
http
.csrf().disable()
.headers().disable()
.addFilter(new RememberMeAuthenticationFilter(authenticationManager, tokenBasedRememberMeServices))
.rememberMe().rememberMeServices(tokenBasedRememberMeServices)
.and()
.authorizeRequests()
.antMatchers("/js/**", "/css/**", "/img/**", "/login", "/processLogin").permitAll()
.antMatchers("/index.jsp", "/index.html", "/index").hasRole("USER")
.antMatchers("/admin", "/admin.html", "/admin.jsp", "/js/saic/jswe/admin/**").hasRole("ADMIN")
.and()
.formLogin().loginProcessingUrl("/processLogin").loginPage("/login").usernameParameter("username").passwordParameter("password").permitAll()
.and()
.exceptionHandling().accessDeniedPage("/login")
.and()
.logout().permitAll();
}
注意:這里的關鍵點是在配置文件中添加令牌和過濾器,如上所述。 抱歉沒有發布直接答案,因為我有這個,它會給你一個廣闊的工作領域或一個想法去工作以使代碼正常運行
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.