Keycloak policy enforcer not working with a sample Spring Boot application
I am using Keycloak version 6.0.1 and trying to integrate a sample Spring Boot application (Spring Boot version 2.1.3). My goal is to set up policies and permissions in Keycloak and use the Keycloak policy enforcer in my sample Spring Boot application, so that all authorization decisions are made automatically from the permissions defined in Keycloak, without any authorization code in the sample application.
import java.util.List;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

// REST resource the policy enforcer must protect: path /jpausers, method GET.
@RestController
public class JPAUserResource {
    @Autowired
    private UserRepository userRepo;

    @GetMapping(path = "/jpausers")
    public List<JPAUser> retrieveAllUsers() {
        return userRepo.findAll();
    }
}
My application.properties file contains the following:
server.port=38080
spring.jpa.show-sql=true
spring.h2.console.enabled=true
logging.level.org.springframework.security=DEBUG
logging.level.org.keycloak.adapters.authorization=DEBUG
#Keycloak Configuration
keycloak.auth-server-url=http://192.168.154.190:18180/auth
keycloak.realm=master
keycloak.resource=login-app
keycloak.principal-attribute=preferred_username
keycloak.credentials.secret=195925d6-b258-407d-a65d-f1fd12d7a876
keycloak.policy-enforcer-config.enforcement-mode=enforcing
keycloak.realm-key=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAjyYRe6LxBxO9hVtr4ScsMCBp3aPE9qbJLptPIMQCZR6JhVhOxA1kxhRmVYHXR5pdwiQWU8MriRhAY1JGniG6GNS1+BL+JaUiaGxov4rpD2SIMdrs8YjjSoD3Z8wvsMAopzWG48i9T/ppNaqKTkDZHbHAXOYJn+lymQ4EqpQrJ1Uh+SUA8XcLvWUQ12ty9BieujudWhnAgQ4zxyJY3I8sZwjaRIxndzSlyPJo45lWzXkpqcl92eU/Max7LRM4WKqsUvu86DgqlXbJcz8T+GUeF30ONQDSLX9rwNIT4ZiCVMT7x6YfKXZW6jxC0UiXxZuT23xk8A9iCP4rC9xo1NfGTwIDAQAB
keycloak.policy-enforcer-config.paths[0].path=/jpausers
keycloak.policy-enforcer-config.paths[0].methods[0].method=GET
My Keycloak authorization settings (exported from the client's Authorization tab) are as follows:
{
  "allowRemoteResourceManagement": true,
  "policyEnforcementMode": "ENFORCING",
  "resources": [
    {
      "name": "Default Resource",
      "type": "urn:login-app:resources:default",
      "ownerManagedAccess": false,
      "attributes": {},
      "_id": "501febc8-f3e1-411f-aecf-376b4786c24e",
      "uris": [
        "/*"
      ]
    },
    {
      "name": "jpausers",
      "ownerManagedAccess": false,
      "displayName": "jpausers",
      "attributes": {},
      "_id": "a8f691db-39ef-4b2c-80fb-37224e270f1e",
      "uris": [
        "/jpausers"
      ],
      "scopes": [
        {
          "name": "GET"
        },
        {
          "name": "POST"
        }
      ]
    }
  ],
  "policies": [
    {
      "id": "94518189-3794-451c-9996-eec22543d802",
      "name": "Default Policy",
      "description": "A policy that grants access only for users within this realm",
      "type": "js",
      "logic": "POSITIVE",
      "decisionStrategy": "AFFIRMATIVE",
      "config": {
        "code": "// by default, grants any permission associated with this policy\n$evaluation.grant();\n"
      }
    },
    {
      "id": "0242cf72-365d-49ae-8d5b-4ced24736f24",
      "name": "test_jpa",
      "type": "role",
      "logic": "POSITIVE",
      "decisionStrategy": "UNANIMOUS",
      "config": {
        "roles": "[{\"id\":\"jpa\",\"required\":false}]"
      }
    },
    {
      "id": "5c34e2b4-a56a-45f9-a1cc-94788bcb41b0",
      "name": "test_perm1",
      "type": "resource",
      "logic": "POSITIVE",
      "decisionStrategy": "UNANIMOUS",
      "config": {
        "resources": "[\"jpausers\"]",
        "applyPolicies": "[\"test_jpa\"]"
      }
    }
  ],
  "scopes": [
    {
      "id": "4ee351e6-7095-453a-a4f4-badbc9ec1ba0",
      "name": "GET",
      "displayName": "GET"
    },
    {
      "id": "9119aab2-75a0-49d1-a076-8d9210c3e457",
      "name": "POST",
      "displayName": "POST"
    }
  ]
}
When I send a request to my REST API '/jpausers', it fails and the following messages appear on the console:
19:17:52.044 [http-nio-38080-exec-1] INFO o.k.a.authorization.PolicyEnforcer - Paths provided in configuration.
19:17:52.045 [http-nio-38080-exec-1] DEBUG o.k.a.authorization.PolicyEnforcer - Trying to find resource with uri [/jpausers] for path [/jpausers].
19:17:52.151 [http-nio-38080-exec-1] DEBUG o.k.a.authorization.PolicyEnforcer - Initialization complete. Path configurations:
19:17:52.151 [http-nio-38080-exec-1] DEBUG o.k.a.authorization.PolicyEnforcer - PathConfig{name='null', type='null', path='/jpausers', scopes=[], id='a8f691db-39ef-4b2c-80fb-37224e270f1e', enforcerMode='ENFORCING'}
19:17:52.154 [http-nio-38080-exec-1] DEBUG o.k.a.authorization.PolicyEnforcer - Policy enforcement is enabled. Enforcing policy decisions for path [http://192.168.109.97:38080/jpausers].
19:17:52.156 [http-nio-38080-exec-1] DEBUG o.k.a.a.KeycloakAdapterPolicyEnforcer - Sending challenge
19:17:52.157 [http-nio-38080-exec-1] DEBUG o.k.a.authorization.PolicyEnforcer - Policy enforcement result for path [http://192.168.109.97:38080/jpausers] is : DENIED
19:17:52.157 [http-nio-38080-exec-1] DEBUG o.k.a.authorization.PolicyEnforcer - Returning authorization context with permissions:
Can anyone help with this? How do I fix it? Do I have to use UMA for the policy enforcer to work?
From a quick look, I can see that the mapping in your application.properties is not complete: you have not mapped the HTTP method to the scope you configured in Keycloak. Something like this:
keycloak.policy-enforcer-config.paths[0].path=/jpausers
keycloak.policy-enforcer-config.paths[0].methods[0].method=GET
keycloak.policy-enforcer-config.paths[0].methods[0].scopes[0]=GET
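The answer's point is that a path entry without a scope list leaves the enforcer with nothing method-specific to ask Keycloak for (the log above shows exactly that: PathConfig ... scopes=[]). The following script is an added example, not code from the question, the answer or Keycloak itself. It models that mapping offline: it resolves a request (path, HTTP method) to the "resource#scope" permission the enforcer needs from a path table in the shape of keycloak.policy-enforcer-config.paths[*], decodes an RPT's authorization.permissions claim to see whether that permission was granted, and builds the form body for asking Keycloak's token endpoint for a yes/no decision (the UMA grant with response_mode=decision). Assumptions: scope names equal HTTP method names, as in the asker's "jpausers" resource with scopes GET and POST; the POST mapping is added by analogy with the answer's GET line; the RPT is a constructed, unsigned token used only to show where to look.

```python
"""Offline helper mirroring what the Keycloak policy enforcer needs once HTTP
methods are mapped to scopes. Added example, not from the question, the answer
or Keycloak itself.

Assumptions: scope names equal HTTP method names (as in the asker's "jpausers"
resource with scopes GET and POST); CONSTRUCTED_RPT is made-up test data.
"""
import base64
import json
from urllib.parse import urlencode

# Path table in the shape of keycloak.policy-enforcer-config.paths[*] from the
# answer, extended with a POST entry (assumed, matching the resource's second scope).
PATHS = [
    {
        "path": "/jpausers",
        "methods": [
            {"method": "GET", "scopes": ["GET"]},
            {"method": "POST", "scopes": ["POST"]},
        ],
    },
]

# The asker's original entry: the method is listed but maps to no scope,
# which is what the enforcer logged as "scopes=[]".
PATHS_UNMAPPED = [{"path": "/jpausers", "methods": [{"method": "GET"}]}]


def required_permissions(paths, req_path, req_method, resource_name):
    """Return the 'resource#scope' strings a request must hold.

    An empty list means the path is listed but the method maps to no scope,
    so there is no method-specific permission to ask Keycloak for.
    """
    for entry in paths:
        if entry["path"] != req_path:
            continue
        for m in entry.get("methods", []):
            if m["method"].upper() == req_method.upper():
                return [f"{resource_name}#{s}" for s in m.get("scopes", [])]
    return []


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def rpt_permissions(rpt):
    """Map resource name -> granted scopes from the RPT's authorization claim.

    The signature is NOT verified: this inspects a token for debugging and
    must never be used to make an access decision.
    """
    payload = json.loads(_b64url_decode(rpt.split(".")[1]))
    perms = payload.get("authorization", {}).get("permissions", [])
    return {p.get("rsname"): set(p.get("scopes", [])) for p in perms}


def rpt_grants(rpt, permission):
    """True if the RPT carries resource#scope (or the resource itself when no scope is named)."""
    resource, _, scope = permission.partition("#")
    granted = rpt_permissions(rpt)
    return resource in granted and (not scope or scope in granted[resource])


def uma_decision_form(client_id, permission):
    """Form body for asking Keycloak's token endpoint for a yes/no decision.

    POST it to /realms/<realm>/protocol/openid-connect/token with the user's
    access token as a Bearer header; response_mode=decision returns
    {"result": true} or {"result": false}. Comparing that answer with the
    adapter's log separates a Keycloak-side denial from an adapter mapping problem.
    """
    return urlencode({
        "grant_type": "urn:ietf:params:oauth:grant-type:uma-ticket",
        "audience": client_id,
        "permission": permission,
        "response_mode": "decision",
    })


def make_constructed_rpt(permissions):
    """Build an unsigned JWT-shaped string with an authorization claim (constructed test data)."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps({"authorization": {"permissions": permissions}}).encode())
    return f"{header}.{payload}."


# Constructed RPT: Keycloak granted "jpausers" with only the GET scope.
CONSTRUCTED_RPT = make_constructed_rpt(
    [{"rsid": "a8f691db-39ef-4b2c-80fb-37224e270f1e", "rsname": "jpausers", "scopes": ["GET"]}]
)

if __name__ == "__main__":
    for method in ("GET", "POST", "DELETE"):
        needed = required_permissions(PATHS, "/jpausers", method, "jpausers")
        if not needed:
            print(method, "-> no scope mapped for this method")
        else:
            ok = all(rpt_grants(CONSTRUCTED_RPT, p) for p in needed)
            print(method, needed, "granted" if ok else "denied")
    print(uma_decision_form("login-app", "jpausers#GET"))
```

Run it as a script to see GET granted, POST denied and DELETE unmapped against the constructed token; to check a real deployment, paste the RPT returned by the token endpoint into rpt_permissions and compare with what required_permissions says the request needs.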