问题:
Docker应用程序的KeyClope服务器身份验证错误行为
张宝
我有两个Docker集装箱:
- RedHat密钥斗篷服务器(https://keycloak.some.domain.com)
在我的Spring启动应用程序中,我定义了一个安全页面:http://localhost:8081/api/sample.json
现在,当我点击该endpoint时,我被重定向到正确的登录页面,如果我提交了正确的登录/密码凭据,我将得到以下403错误(禁止)页面:
但是,如果我直接运行Springboot应用程序,而不使用docker包装,如下所示:
java -jar app.jar
然后,当我击中相同的保护endpoint,我被重定向到正确的登录页面,如果我提交正确的登录/密码凭据,在这种情况下,我得到正确的,预期的页面/响应!!!(这是同一个应用程序!!!)
在这种情况下,我已经启动了dockerated Springboot应用程序,进入容器内部:
docker exec -it app bash
然后像这样植入猞猁:
apt-get install lynx
从那里,我确实击中了本地受保护的endpoint:
山猫http://localhost:8081/api/sample.json
但是我得到了完全相同的错误页面(403)错误。所以,我相信问题是docker包装,而不是应用程序。这很关键,因为这意味着keycloak和任何dockerated应用程序之间的这种行为将是相似的。:(
作为结论,如果我执行docker run-d-p 8081:8081 springboot-app-Image,除了针对keycloak(容器内外)的身份验证过程之外,一切都工作得很好。
从Springstart应用程序日志中,我可以看到这个错误跟踪时,我击中dockeratedendpoint:
2020-03-17 15:29:19.503 INFO 1 --- [ main] com.example.app.MainApp : Started MainApp in 13.257 seconds (JVM running for 14.845)
2020-03-17 15:29:30.139 DEBUG 1 --- [nio-8081-exec-1] o.k.adapters.PreAuthActionsHandler : adminRequest http://localhost:8081/api/sample2.json
2020-03-17 15:29:30.169 DEBUG 1 --- [nio-8081-exec-1] o.k.a.a.ClientCredentialsProviderUtils : Using provider 'secret' for authentication of client 'login-app'
2020-03-17 15:29:30.176 DEBUG 1 --- [nio-8081-exec-1] o.k.a.a.ClientCredentialsProviderUtils : Loaded clientCredentialsProvider secret
2020-03-17 15:29:30.179 DEBUG 1 --- [nio-8081-exec-1] o.k.a.a.ClientCredentialsProviderUtils : Loaded clientCredentialsProvider jwt
2020-03-17 15:29:30.182 DEBUG 1 --- [nio-8081-exec-1] o.k.a.a.ClientCredentialsProviderUtils : Loaded clientCredentialsProvider secret-jwt
2020-03-17 15:29:30.184 DEBUG 1 --- [nio-8081-exec-1] o.k.a.a.ClientCredentialsProviderUtils : Loaded clientCredentialsProvider secret
2020-03-17 15:29:30.185 DEBUG 1 --- [nio-8081-exec-1] o.k.a.a.ClientCredentialsProviderUtils : Loaded clientCredentialsProvider jwt
2020-03-17 15:29:30.188 DEBUG 1 --- [nio-8081-exec-1] o.k.a.a.ClientCredentialsProviderUtils : Loaded clientCredentialsProvider secret-jwt
2020-03-17 15:29:30.457 DEBUG 1 --- [nio-8081-exec-1] o.keycloak.adapters.KeycloakDeployment : resolveUrls
2020-03-17 15:29:30.461 DEBUG 1 --- [nio-8081-exec-1] o.k.adapters.KeycloakDeploymentBuilder : Use authServerUrl: https://keycloak.some.domain.com/auth, tokenUrl: https://keycloak.ci.ultrasist.net/auth/realms/SpringBootKeycloak/protocol/openid-connect/token, relativeUrls: NEVER
2020-03-17 15:29:30.479 DEBUG 1 --- [nio-8081-exec-1] .k.a.t.AbstractAuthenticatedActionsValve : AuthenticatedActionsValve.invoke /api/sample2.json
2020-03-17 15:29:30.481 DEBUG 1 --- [nio-8081-exec-1] o.k.a.AuthenticatedActionsHandler : AuthenticatedActionsValve.invoke http://localhost:8081/api/sample2.json
2020-03-17 15:29:30.483 DEBUG 1 --- [nio-8081-exec-1] o.k.a.AuthenticatedActionsHandler : Policy enforcement is disabled.
2020-03-17 15:29:30.494 INFO 1 --- [nio-8081-exec-1] o.a.c.c.C.[Tomcat].[localhost].[/] : Initializing Spring DispatcherServlet 'dispatcherServlet'
2020-03-17 15:29:30.495 INFO 1 --- [nio-8081-exec-1] o.s.web.servlet.DispatcherServlet : Initializing Servlet 'dispatcherServlet'
2020-03-17 15:29:30.526 INFO 1 --- [nio-8081-exec-1] o.s.web.servlet.DispatcherServlet : Completed initialization in 29 ms
2020-03-17 15:29:30.592 DEBUG 1 --- [nio-8081-exec-1] o.k.adapters.PreAuthActionsHandler : adminRequest http://localhost:8081/api/sample2.json
2020-03-17 15:29:30.694 DEBUG 1 --- [nio-8081-exec-1] o.k.a.s.management.HttpSessionManager : Session created: E9F1974D7E734867356A0366CC0AC52A
2020-03-17 15:29:30.705 DEBUG 1 --- [nio-8081-exec-1] k.a.s.a.KeycloakAuthenticationEntryPoint : Redirecting to login URI /sso/login
2020-03-17 15:29:30.731 DEBUG 1 --- [nio-8081-exec-3] o.k.adapters.PreAuthActionsHandler : adminRequest http://localhost:8081/sso/login
2020-03-17 15:29:30.735 DEBUG 1 --- [nio-8081-exec-3] .k.a.t.AbstractAuthenticatedActionsValve : AuthenticatedActionsValve.invoke /sso/login
2020-03-17 15:29:30.737 DEBUG 1 --- [nio-8081-exec-3] o.k.a.AuthenticatedActionsHandler : AuthenticatedActionsValve.invoke http://localhost:8081/sso/login
2020-03-17 15:29:30.739 DEBUG 1 --- [nio-8081-exec-3] o.k.a.AuthenticatedActionsHandler : Policy enforcement is disabled.
2020-03-17 15:29:30.757 DEBUG 1 --- [nio-8081-exec-3] o.k.adapters.PreAuthActionsHandler : adminRequest http://localhost:8081/sso/login
2020-03-17 15:29:30.764 DEBUG 1 --- [nio-8081-exec-3] f.KeycloakAuthenticationProcessingFilter : Request is to process authentication
2020-03-17 15:29:30.766 DEBUG 1 --- [nio-8081-exec-3] f.KeycloakAuthenticationProcessingFilter : Attempting Keycloak authentication
2020-03-17 15:29:30.795 DEBUG 1 --- [nio-8081-exec-3] o.k.a.s.token.SpringSecurityTokenStore : Checking if org.keycloak.adapters.springsecurity.authentication.SpringSecurityRequestAuthenticator@1273c136 is cached
2020-03-17 15:29:30.800 DEBUG 1 --- [nio-8081-exec-3] o.k.adapters.OAuthRequestAuthenticator : there was no code
2020-03-17 15:29:30.805 DEBUG 1 --- [nio-8081-exec-3] o.k.adapters.OAuthRequestAuthenticator : redirecting to auth server
2020-03-17 15:29:30.809 DEBUG 1 --- [nio-8081-exec-3] o.k.adapters.OAuthRequestAuthenticator : callback uri: http://localhost:8081/sso/login
2020-03-17 15:29:30.822 DEBUG 1 --- [nio-8081-exec-3] f.KeycloakAuthenticationProcessingFilter : Auth outcome: NOT_ATTEMPTED
2020-03-17 15:29:30.824 DEBUG 1 --- [nio-8081-exec-3] o.k.adapters.OAuthRequestAuthenticator : Sending redirect to login page: https://keycloak.some.domain.com/auth/realms/SpringBootKeycloak/protocol/openid-connect/auth?response_type=code&client_id=login-app&redirect_uri=http%3A%2F%2Flocalhost%3A8081%2Fsso%2Flogin&state=412c7a6f-720f-4eea-b825-209c76d3a3db&login=true&scope=openid
2020-03-17 15:29:34.680 DEBUG 1 --- [nio-8081-exec-4] o.k.adapters.PreAuthActionsHandler : adminRequest http://localhost:8081/sso/login?state=412c7a6f-720f-4eea-b825-209c76d3a3db&session_state=802e466d-7b1e-4180-8870-cdae07b2fbae&code=7d93b2cf-d72b-4e83-b219-19d48897c9b7.802e466d-7b1e-4180-8870-cdae07b2fbae.35bc9442-2e19-485a-afad-adc1e62b4c52
2020-03-17 15:29:34.687 DEBUG 1 --- [nio-8081-exec-4] .k.a.t.AbstractAuthenticatedActionsValve : AuthenticatedActionsValve.invoke /sso/login
2020-03-17 15:29:34.688 DEBUG 1 --- [nio-8081-exec-4] o.k.a.AuthenticatedActionsHandler : AuthenticatedActionsValve.invoke http://localhost:8081/sso/login?state=412c7a6f-720f-4eea-b825-209c76d3a3db&session_state=802e466d-7b1e-4180-8870-cdae07b2fbae&code=7d93b2cf-d72b-4e83-b219-19d48897c9b7.802e466d-7b1e-4180-8870-cdae07b2fbae.35bc9442-2e19-485a-afad-adc1e62b4c52
2020-03-17 15:29:34.691 DEBUG 1 --- [nio-8081-exec-4] o.k.a.AuthenticatedActionsHandler : Policy enforcement is disabled.
2020-03-17 15:29:34.694 DEBUG 1 --- [nio-8081-exec-4] o.k.adapters.PreAuthActionsHandler : adminRequest http://localhost:8081/sso/login?state=412c7a6f-720f-4eea-b825-209c76d3a3db&session_state=802e466d-7b1e-4180-8870-cdae07b2fbae&code=7d93b2cf-d72b-4e83-b219-19d48897c9b7.802e466d-7b1e-4180-8870-cdae07b2fbae.35bc9442-2e19-485a-afad-adc1e62b4c52
2020-03-17 15:29:34.701 DEBUG 1 --- [nio-8081-exec-4] f.KeycloakAuthenticationProcessingFilter : Request is to process authentication
2020-03-17 15:29:34.703 DEBUG 1 --- [nio-8081-exec-4] f.KeycloakAuthenticationProcessingFilter : Attempting Keycloak authentication
2020-03-17 15:29:34.711 DEBUG 1 --- [nio-8081-exec-4] o.k.a.s.token.SpringSecurityTokenStore : Checking if org.keycloak.adapters.springsecurity.authentication.SpringSecurityRequestAuthenticator@4c5ab508 is cached
2020-03-17 15:29:34.712 DEBUG 1 --- [nio-8081-exec-4] o.k.adapters.OAuthRequestAuthenticator : there was a code, resolving
2020-03-17 15:29:34.712 DEBUG 1 --- [nio-8081-exec-4] o.k.adapters.OAuthRequestAuthenticator : checking state cookie for after code
2020-03-17 15:29:34.715 DEBUG 1 --- [nio-8081-exec-4] o.k.adapters.OAuthRequestAuthenticator : ** reseting application state cookie
2020-03-17 15:29:35.365 ERROR 1 --- [nio-8081-exec-4] o.k.adapters.OAuthRequestAuthenticator : failed to turn code into token
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192) ~[na:1.8.0_65]
at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1949) ~[na:1.8.0_65]
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302) ~[na:1.8.0_65]
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296) ~[na:1.8.0_65]
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1509) ~[na:1.8.0_65]
at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216) ~[na:1.8.0_65]
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979) ~[na:1.8.0_65]
at sun.security.ssl.Handshaker.process_record(Handshaker.java:914) ~[na:1.8.0_65]
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1062) ~[na:1.8.0_65]
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375) ~[na:1.8.0_65]
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403) ~[na:1.8.0_65]
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387) ~[na:1.8.0_65]
at org.apache.http.conn.ssl.SSLSocketFactory.createLayeredSocket(SSLSocketFactory.java:570) ~[httpclient-4.5.8.jar!/:4.5.8]
at org.keycloak.adapters.SniSSLSocketFactory.createLayeredSocket(SniSSLSocketFactory.java:114) ~[keycloak-adapter-core-4.8.3.Final.jar!/:4.8.3.Final]
at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:554) ~[httpclient-4.5.8.jar!/:4.5.8]
at org.keycloak.adapters.SniSSLSocketFactory.connectSocket(SniSSLSocketFactory.java:109) ~[keycloak-adapter-core-4.8.3.Final.jar!/:4.8.3.Final]
at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:415) ~[httpclient-4.5.8.jar!/:4.5.8]
at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:180) ~[httpclient-4.5.8.jar!/:4.5.8]
at org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:144) ~[httpclient-4.5.8.jar!/:4.5.8]
at org.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:134) ~[httpclient-4.5.8.jar!/:4.5.8]
at org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:605) ~[httpclient-4.5.8.jar!/:4.5.8]
at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:440) ~[httpclient-4.5.8.jar!/:4.5.8]
at org.apache.http.impl.client.AbstractHttpClient.doExecute(AbstractHttpClient.java:835) ~[httpclient-4.5.8.jar!/:4.5.8]
at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:83) ~[httpclient-4.5.8.jar!/:4.5.8]
at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:108) ~[httpclient-4.5.8.jar!/:4.5.8]
at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:56) ~[httpclient-4.5.8.jar!/:4.5.8]
at org.keycloak.adapters.ServerRequest.invokeAccessCodeToToken(ServerRequest.java:111) ~[keycloak-adapter-core-4.8.3.Final.jar!/:4.8.3.Final]
at org.keycloak.adapters.OAuthRequestAuthenticator.resolveCode(OAuthRequestAuthenticator.java:335) [keycloak-adapter-core-4.8.3.Final.jar!/:4.8.3.Final]
at org.keycloak.adapters.OAuthRequestAuthenticator.authenticate(OAuthRequestAuthenticator.java:280) [keycloak-adapter-core-4.8.3.Final.jar!/:4.8.3.Final]
at org.keycloak.adapters.RequestAuthenticator.authenticate(RequestAuthenticator.java:139) [keycloak-adapter-core-4.8.3.Final.jar!/:4.8.3.Final]
at org.keycloak.adapters.springsecurity.filter.KeycloakAuthenticationProcessingFilter.attemptAuthentication(KeycloakAuthenticationProcessingFilter.java:149) [keycloak-spring-security-adapter-4.8.3.Final.jar!/:4.8.3.Final]
at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:212) [spring-security-web-5.1.5.RELEASE.jar!/:5.1.5.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) [spring-security-web-5.1.5.RELEASE.jar!/:5.1.5.RELEASE]
at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:116) [spring-security-web-5.1.5.RELEASE.jar!/:5.1.5.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) [spring-security-web-5.1.5.RELEASE.jar!/:5.1.5.RELEASE]
at org.keycloak.adapters.springsecurity.filter.KeycloakPreAuthActionsFilter.doFilter(KeycloakPreAuthActionsFilter.java:86) [keycloak-spring-security-adapter-4.8.3.Final.jar!/:4.8.3.Final]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) [spring-security-web-5.1.5.RELEASE.jar!/:5.1.5.RELEASE]
at org.springframework.security.web.csrf.CsrfFilter.doFilterInternal(CsrfFilter.java:100) [spring-security-web-5.1.5.RELEASE.jar!/:5.1.5.RELEASE]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) [spring-web-5.1.6.RELEASE.jar!/:5.1.6.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) [spring-security-web-5.1.5.RELEASE.jar!/:5.1.5.RELEASE]
at org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:74) [spring-security-web-5.1.5.RELEASE.jar!/:5.1.5.RELEASE]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) [spring-web-5.1.6.RELEASE.jar!/:5.1.6.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) [spring-security-web-5.1.5.RELEASE.jar!/:5.1.5.RELEASE]
at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:105) [spring-security-web-5.1.5.RELEASE.jar!/:5.1.5.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) [spring-security-web-5.1.5.RELEASE.jar!/:5.1.5.RELEASE]
at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:56) [spring-security-web-5.1.5.RELEASE.jar!/:5.1.5.RELEASE]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) [spring-web-5.1.6.RELEASE.jar!/:5.1.6.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) [spring-security-web-5.1.5.RELEASE.jar!/:5.1.5.RELEASE]
at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:215) [spring-security-web-5.1.5.RELEASE.jar!/:5.1.5.RELEASE]
at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:178) [spring-security-web-5.1.5.RELEASE.jar!/:5.1.5.RELEASE]
at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:357) [spring-web-5.1.6.RELEASE.jar!/:5.1.6.RELEASE]
at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:270) [spring-web-5.1.6.RELEASE.jar!/:5.1.6.RELEASE]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) [tomcat-embed-core-9.0.17.jar!/:9.0.17]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) [tomcat-embed-core-9.0.17.jar!/:9.0.17]
at org.springframework.web.filter.RequestContextFilter.doFilterInternal(RequestContextFilter.java:99) [spring-web-5.1.6.RELEASE.jar!/:5.1.6.RELEASE]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) [spring-web-5.1.6.RELEASE.jar!/:5.1.6.RELEASE]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) [tomcat-embed-core-9.0.17.jar!/:9.0.17]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) [tomcat-embed-core-9.0.17.jar!/:9.0.17]
at org.springframework.web.filter.FormContentFilter.doFilterInternal(FormContentFilter.java:92) [spring-web-5.1.6.RELEASE.jar!/:5.1.6.RELEASE]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) [spring-web-5.1.6.RELEASE.jar!/:5.1.6.RELEASE]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) [tomcat-embed-core-9.0.17.jar!/:9.0.17]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) [tomcat-embed-core-9.0.17.jar!/:9.0.17]
at org.springframework.web.filter.HiddenHttpMethodFilter.doFilterInternal(HiddenHttpMethodFilter.java:93) [spring-web-5.1.6.RELEASE.jar!/:5.1.6.RELEASE]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) [spring-web-5.1.6.RELEASE.jar!/:5.1.6.RELEASE]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) [tomcat-embed-core-9.0.17.jar!/:9.0.17]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) [tomcat-embed-core-9.0.17.jar!/:9.0.17]
at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:200) [spring-web-5.1.6.RELEASE.jar!/:5.1.6.RELEASE]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) [spring-web-5.1.6.RELEASE.jar!/:5.1.6.RELEASE]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) [tomcat-embed-core-9.0.17.jar!/:9.0.17]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) [tomcat-embed-core-9.0.17.jar!/:9.0.17]
at org.springframework.web.filter.CorsFilter.doFilterInternal(CorsFilter.java:96) [spring-web-5.1.6.RELEASE.jar!/:5.1.6.RELEASE]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) [spring-web-5.1.6.RELEASE.jar!/:5.1.6.RELEASE]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) [tomcat-embed-core-9.0.17.jar!/:9.0.17]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) [tomcat-embed-core-9.0.17.jar!/:9.0.17]
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:200) [tomcat-embed-core-9.0.17.jar!/:9.0.17]
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96) [tomcat-embed-core-9.0.17.jar!/:9.0.17]
at org.keycloak.adapters.tomcat.AbstractAuthenticatedActionsValve.invoke(AbstractAuthenticatedActionsValve.java:67) [spring-boot-container-bundle-4.8.3.Final.jar!/:4.8.3.Final]
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:490) [tomcat-embed-core-9.0.17.jar!/:9.0.17]
at org.keycloak.adapters.tomcat.AbstractKeycloakAuthenticatorValve.invoke(AbstractKeycloakAuthenticatorValve.java:181) [spring-boot-container-bundle-4.8.3.Final.jar!/:4.8.3.Final]
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:139) [tomcat-embed-core-9.0.17.jar!/:9.0.17]
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92) [tomcat-embed-core-9.0.17.jar!/:9.0.17]
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74) [tomcat-embed-core-9.0.17.jar!/:9.0.17]
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343) [tomcat-embed-core-9.0.17.jar!/:9.0.17]
at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:408) [tomcat-embed-core-9.0.17.jar!/:9.0.17]
at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66) [tomcat-embed-core-9.0.17.jar!/:9.0.17]
at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:834) [tomcat-embed-core-9.0.17.jar!/:9.0.17]
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1415) [tomcat-embed-core-9.0.17.jar!/:9.0.17]
at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49) [tomcat-embed-core-9.0.17.jar!/:9.0.17]
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [na:1.8.0_65]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [na:1.8.0_65]
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) [tomcat-embed-core-9.0.17.jar!/:9.0.17]
at java.lang.Thread.run(Thread.java:745) [na:1.8.0_65]
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387) ~[na:1.8.0_65]
at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292) ~[na:1.8.0_65]
at sun.security.validator.Validator.validate(Validator.java:260) ~[na:1.8.0_65]
at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324) ~[na:1.8.0_65]
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229) ~[na:1.8.0_65]
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124) ~[na:1.8.0_65]
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1491) ~[na:1.8.0_65]
... 87 common frames omitted
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:146) ~[na:1.8.0_65]
at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:131) ~[na:1.8.0_65]
at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280) ~[na:1.8.0_65]
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:382) ~[na:1.8.0_65]
... 93 common frames omitted
2020-03-17 15:29:35.373 DEBUG 1 --- [nio-8081-exec-4] f.KeycloakAuthenticationProcessingFilter : Auth outcome: FAILED
2020-03-17 15:29:35.377 DEBUG 1 --- [nio-8081-exec-4] f.KeycloakAuthenticationProcessingFilter : Authentication request failed: org.keycloak.adapters.springsecurity.KeycloakAuthenticationException: Invalid authorization header, see WWW-Authenticate header for details
org.keycloak.adapters.springsecurity.KeycloakAuthenticationException: Invalid authorization header, see WWW-Authenticate header for details
at org.keycloak.adapters.springsecurity.filter.KeycloakAuthenticationProcessingFilter.attemptAuthentication(KeycloakAuthenticationProcessingFilter.java:157) ~[keycloak-spring-security-adapter-4.8.3.Final.jar!/:4.8.3.Final]
at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:212) ~[spring-security-web-5.1.5.RELEASE.jar!/:5.1.5.RELEASE]在最后的错误跟踪中,我能够看到一些关于SSL握手错误,以及其他错误信息说:
无效的授权标头,请参阅WWW-Authenticate标头以了解详细信息
但是为什么在没有docker容器的情况下直接运行java应用程序时不出现此错误?
我找到了一些参考文献,但它们对我的问题没有用:
- 容器中的KeyClope安全应用程序
这是我的KeyClope Spring boot配置类,它是代码的一部分,在docker容器之外但在docker容器内不能完美工作:
@KeycloakConfiguration
class SecurityConfig extends KeycloakWebSecurityConfigurerAdapter {
@Autowired
public void configureGlobal(AuthenticationManagerBuilder auth) {
KeycloakAuthenticationProvider keycloakAuthenticationProvider = keycloakAuthenticationProvider();
keycloakAuthenticationProvider.setGrantedAuthoritiesMapper(new SimpleAuthorityMapper());
auth.authenticationProvider(keycloakAuthenticationProvider);
}
@Bean
@Override
protected SessionAuthenticationStrategy sessionAuthenticationStrategy() {
return new RegisterSessionAuthenticationStrategy(new SessionRegistryImpl());
}
@Bean
@Primary
public KeycloakSpringBootConfigResolver KeycloakConfigResolver() {
return new KeycloakSpringBootConfigResolver();
}
@Override
protected void configure(HttpSecurity http) throws Exception {
super.configure(http);
http.cors().and().csrf().disable();
http.authorizeRequests()
.antMatchers("/api/sample*").hasRole("user")
.antMatchers("/ui/second*").hasRole("user")
.and()
.logout()
.logoutUrl("/logout")
.logoutSuccessUrl("/")
.permitAll();
}
}
这是keycloak的配置:
如果检测到不良行为,这是我的Dockerfile:
FROM openjdk:8
COPY app.jar /deploy/app.jar
WORKDIR /deploy
CMD java -jar app.jar
它是通过以下方式建立的:
docker build . -t example
它是这样执行的:
docker run -d -p 8081:8081 example
你可以看到,在最后一种情况下,安全系统工作不正常。
现在,我必须说,从直接的角度来看,它非常有效:
java -jar app.jar
所以,我明显的问题(对于jboss、RedHat或任何有足够智慧的人来说)是,我如何在容器化的Springboot应用程序中使Keyclope服务器工作?
共有1个答案
微生阳平
最后,经过几周的测试,我找到了答案:坏的docker映像是使用jdk 1.8.0_65-b17完成的,对我有效的是1.8.0_232-b09:
所以,当我用这个新映像测试密钥斗篷服务器时,一切都按预期进行。
也许有一天,这可以帮助有同样问题或类似问题的人。
类似资料:
-
我正在尝试在一个microservice中配置一个microservice,但我正在尝试在另一个microservice中配置一个microservice如何进行身份验证。这就是我试图归档的体系结构: 我已经设法让用户授权工作并保护了微服务A,现在我正在尝试授权来自微服务B的请求,但我不确定如何做到这一点,我是否应该为微服务B在KeyCape中创建一个专用用户,或者在realm中创建客户端,或者其
-
连接到服务器时出错:fatal:用户“postgres”的密码身份验证失败 fatal:用户“postgres”的密码身份验证失败
-
问题内容: 我正在尝试制作一个服务器应用程序,以定期从自己的GA帐户提取Google Analytics(分析)数据。请注意,它是访问我自己的数据的个人服务器端应用程序,即 没有最终用户访问此应用程序。 因此,我在Google API控制台中将我的应用程序注册为 服务应用程序 ,这给了我一个 客户端ID 和一个 私钥 。据我了解,服务应用程序不使用 应用程序密钥 和 重定向URL, 因为此服务器到
-
问题内容: 我刚刚开始使用docker。我正在按照此处指定的说明进行操作https://docs.docker.com/windows/step_one/ 我在Windows 10和ran上安装了docker(1.10.2)。但是,当本教程未提及任何内容时,出现了身份验证错误。 这是我收到的消息。 我在google&这里搜索,但找不到与此错误消息相似的内容。 谢谢! 问题答案: 当您运行任何其他d
-
我的webapp是用。NET核心并部署在Azure中。我已启用Azure应用程序服务身份验证,并将其配置为使用Azure Active Directory。当我访问webapp时,我确实会被重定向到正确的登录页面。登录后,我可以浏览到endpoint。对我进行身份验证,并查看是否存在针对我的用户的声明。我还可以验证下面的请求标头是否存在值: X-MS-TOKEN-AAD-ID-TOKEN X-MS
-
问题内容: 以下是我从GoLang获得的MongoDB连接拨号。但是它返回一个紧急消息“ SASL身份验证步骤服务器返回错误:身份验证失败。 ”。我的用户名,密码,hostAddrs和dbName是正确的。我在这里想念什么? 问题答案: 我遇到类似的错误并添加了参数,并且在我们连接到远程MongoDB时可以正常工作 在您的代码中使用以下类似格式: