KeyCloak - Spring 启动仅获取请求工作

KeyCloak - Spring boot only get requests work

我有一个非常奇怪的问题 - 我试图从教程中启用 KeyCloak,但我看到它只在 get 方法上工作。我的配置非常简单:

protected void configure(HttpSecurity http) throws Exception {
    http.csrf().disable().authorizeRequests()
        .anyRequest().hasRole("admin");
    super.configure(http);
}

我在解析器上添加了一些调试:

@Override
protected void configure(AuthenticationManagerBuilder auth) {
    KeycloakAuthenticationProvider keycloakAuthenticationProvider = new KeycloakAuthenticationProvider() {
        @Override
        public Authentication authenticate(Authentication authentication) throws AuthenticationException {
            log.debug("Auth successes.");
            final KeycloakAuthenticationToken token = (KeycloakAuthenticationToken) authentication;
            log.debug("User id:" + token.getAccount().getPrincipal().getName());
            log.debug("User roles:" + String.join(",", token.getAccount().getRoles()));
            return super.authenticate(authentication);
        }
    };
    keycloakAuthenticationProvider.setGrantedAuthoritiesMapper(new SimpleAuthorityMapper());
    auth.authenticationProvider(keycloakAuthenticationProvider);
}

当我将 GET 请求发送到 http://localhost:8080/admin/test 时出现问题,一切正常:

DEBUG 2021-08-18 15:26:55,704 [http-nio-8080-exec-3][][] c.j.b.i.c.SecurityConfiguration 'Auth successes.'
DEBUG 2021-08-18 15:26:55,704 [http-nio-8080-exec-3][][] c.j.b.i.c.SecurityConfiguration 'User id:e53fa4a8-e7c3-46a0-9685-175fede5098e'
DEBUG 2021-08-18 15:26:55,704 [http-nio-8080-exec-3][][] c.j.b.i.c.SecurityConfiguration 'User roles:default-roles-springbootkeycloak,offline_access,admin,uma_authorization'
WARN  2021-08-18 15:26:56,093 [http-nio-8080-exec-3][][] o.a.c.util.SessionIdGeneratorBase 'Creation of SecureRandom instance for session ID generation using [SHA1PRNG] took [384] milliseconds.'
DEBUG 2021-08-18 15:26:56,102 [http-nio-8080-exec-3][50168e1c-0481-416e-a202-a24fafab58c7][] c.j.b.i.c.SecurityConfiguration 'Auth successes.'
DEBUG 2021-08-18 15:26:56,103 [http-nio-8080-exec-3][50168e1c-0481-416e-a202-a24fafab58c7][] c.j.b.i.c.SecurityConfiguration 'User id:e53fa4a8-e7c3-46a0-9685-175fede5098e'
DEBUG 2021-08-18 15:26:56,103 [http-nio-8080-exec-3][50168e1c-0481-416e-a202-a24fafab58c7][] c.j.b.i.c.SecurityConfiguration 'User roles:default-roles-springbootkeycloak,offline_access,admin,

我得到了正确的响应,没有任何问题,但是当我对 POST / DELETE / PUT 提出完全相同的请求时,我也得到了理论上角色没问题的日志:

DEBUG 2021-08-18 15:28:45,876 [http-nio-8080-exec-4][][] c.j.b.i.c.SecurityConfiguration 'Auth successes.'
DEBUG 2021-08-18 15:28:45,876 [http-nio-8080-exec-4][][] c.j.b.i.c.SecurityConfiguration 'User id:e53fa4a8-e7c3-46a0-9685-175fede5098e'
DEBUG 2021-08-18 15:28:45,877 [http-nio-8080-exec-4][][] c.j.b.i.c.SecurityConfiguration 'User roles:default-roles-springbootkeycloak,offline_access,admin,uma_authorization'

但作为回应我有:

{
    "timestamp": 1629293325879,
    "status": 403,
    "error": "Forbidden",
    "message": "Forbidden",
    "path": "/admin/test"
}

我认为是csrf的问题。您在禁用 csrf 后呼叫 super.configure(http)。但是在超级调用中(如果你使用的是KeycloakWebSecurityConfigurerAdapter)csrf将再次启用。

 http
   csrf().requireCsrfProtectionMatcher(keycloakCsrfRequestMatcher())
   ...

并且 keycloakCsrfRequestMatcher 默认阻止所有 Post 和删除方法。实际上它只允许以下方法:

^(GET|HEAD|TRACE|OPTIONS)$

https://github.com/keycloak/keycloak/blob/master/adapters/oidc/spring-security/src/main/java/org/keycloak/adapters/springsecurity/filter/KeycloakCsrfRequestMatcher.java

所以快速的解决方案是将 super 调用放在开头。

protected void configure(HttpSecurity http) throws Exception {
  super.configure(http);    
  http.csrf().disable().authorizeRequests()
        .anyRequest().hasRole("admin");
    
}