How to use the Keycloak policy enforcer in a Spring Boot application

5
The Keycloak policy enforcer is not working with my sample Spring Boot application.
I am using Keycloak version 6.0.1 and trying to integrate a sample Spring Boot application (Spring Boot version 2.1.3). My goal is to set up policies and permissions in Keycloak and use the Keycloak policy enforcer in my sample Spring Boot application, so that all authorization decisions are enforced automatically using the permissions defined in Keycloak, without writing any code in the sample application.
My sample Spring Boot application simply returns a list of users from an in-memory list:
import java.util.List;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

// REST endpoint that returns every user stored in the JPA repository.
@RestController
public class JPAUserResource {

    @Autowired
    private UserRepository userRepo;

    @GetMapping(path = "/jpausers")
    public List<JPAUser> retrieveAllUsers() {
        return userRepo.findAll();
    }
}

My application.properties file contains the following:

server.port=38080
spring.jpa.show-sql=true
spring.h2.console.enabled=true
logging.level.org.springframework.security=DEBUG
logging.level.org.keycloak.adapters.authorization=DEBUG
#Keycloak Configuration
keycloak.auth-server-url=http://192.168.154.190:18180/auth
keycloak.realm=master
keycloak.resource=login-app
keycloak.principal-attribute=preferred_username
keycloak.credentials.secret=195925d6-b258-407d-a65d-f1fd12d7a876
keycloak.policy-enforcer-config.enforcement-mode=enforcing
keycloak.realm-key=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAjyYRe6LxBxO9hVtr4ScsMCBp3aPE9qbJLptPIMQCZR6JhVhOxA1kxhRmVYHXR5pdwiQWU8MriRhAY1JGniG6GNS1+BL+JaUiaGxov4rpD2SIMdrs8YjjSoD3Z8wvsMAopzWG48i9T/ppNaqKTkDZHbHAXOYJn+lymQ4EqpQrJ1Uh+SUA8XcLvWUQ12ty9BieujudWhnAgQ4zxyJY3I8sZwjaRIxndzSlyPJo45lWzXkpqcl92eU/Max7LRM4WKqsUvu86DgqlXbJcz8T+GUeF30ONQDSLX9rwNIT4ZiCVMT7x6YfKXZW6jxC0UiXxZuT23xk8A9iCP4rC9xo1NfGTwIDAQAB
keycloak.policy-enforcer-config.paths[0].path=/jpausers
keycloak.policy-enforcer-config.paths[0].methods[0].method=GET

My Keycloak authorization settings look like this:
{
  "allowRemoteResourceManagement": true,
  "policyEnforcementMode": "ENFORCING",
  "resources": [
    {
      "name": "Default Resource",
      "type": "urn:login-app:resources:default",
      "ownerManagedAccess": false,
      "attributes": {},
      "_id": "501febc8-f3e1-411f-aecf-376b4786c24e",
      "uris": [
        "/*"
      ]
    },
    {
      "name": "jpausers",
      "ownerManagedAccess": false,
      "displayName": "jpausers",
      "attributes": {},
      "_id": "a8f691db-39ef-4b2c-80fb-37224e270f1e",
      "uris": [
        "/jpausers"
      ],
      "scopes": [
        {
          "name": "GET"
        },
        {
          "name": "POST"
        }
      ]
    }
  ],
  "policies": [
    {
      "id": "94518189-3794-451c-9996-eec22543d802",
      "name": "Default Policy",
      "description": "A policy that grants access only for users within this realm",
      "type": "js",
      "logic": "POSITIVE",
      "decisionStrategy": "AFFIRMATIVE",
      "config": {
        "code": "// by default, grants any permission associated with this policy\n$evaluation.grant();\n"
      }
    },
    {
      "id": "0242cf72-365d-49ae-8d5b-4ced24736f24",
      "name": "test_jpa",
      "type": "role",
      "logic": "POSITIVE",
      "decisionStrategy": "UNANIMOUS",
      "config": {
        "roles": "[{\"id\":\"jpa\",\"required\":false}]"
      }
    },
    {
      "id": "5c34e2b4-a56a-45f9-a1cc-94788bcb41b0",
      "name": "test_perm1",
      "type": "resource",
      "logic": "POSITIVE",
      "decisionStrategy": "UNANIMOUS",
      "config": {
        "resources": "[\"jpausers\"]",
        "applyPolicies": "[\"test_jpa\"]"
      }
    }
  ],
  "scopes": [
    {
      "id": "4ee351e6-7095-453a-a4f4-badbc9ec1ba0",
      "name": "GET",
      "displayName": "GET"
    },
    {
      "id": "9119aab2-75a0-49d1-a076-8d9210c3e457",
      "name": "POST",
      "displayName": "POST"
    }
  ]
}

When I send a request to my REST API '/jpausers', the console shows the following and the request fails:
19:17:52.044 [http-nio-38080-exec-1] INFO  o.k.a.authorization.PolicyEnforcer - Paths provided in configuration.
19:17:52.045 [http-nio-38080-exec-1] DEBUG o.k.a.authorization.PolicyEnforcer - Trying to find resource with uri [/jpausers] for path [/jpausers].
19:17:52.151 [http-nio-38080-exec-1] DEBUG o.k.a.authorization.PolicyEnforcer - Initialization complete. Path configurations:
19:17:52.151 [http-nio-38080-exec-1] DEBUG o.k.a.authorization.PolicyEnforcer - PathConfig{name='null', type='null', path='/jpausers', scopes=[], id='a8f691db-39ef-4b2c-80fb-37224e270f1e', enforcerMode='ENFORCING'}
19:17:52.154 [http-nio-38080-exec-1] DEBUG o.k.a.authorization.PolicyEnforcer - Policy enforcement is enabled. Enforcing policy decisions for path [http://192.168.109.97:38080/jpausers].
19:17:52.156 [http-nio-38080-exec-1] DEBUG o.k.a.a.KeycloakAdapterPolicyEnforcer - Sending challenge
19:17:52.157 [http-nio-38080-exec-1] DEBUG o.k.a.authorization.PolicyEnforcer - Policy enforcement result for path [http://192.168.109.97:38080/jpausers] is : DENIED
19:17:52.157 [http-nio-38080-exec-1] DEBUG o.k.a.authorization.PolicyEnforcer - Returning authorization context with permissions:

UMA authorization is disabled. I first retrieved an access token using the OpenID Connect token API with the password credentials grant, and I am now trying to access my REST API '/jpausers' with that access token.

Can anyone help with this? How do I fix it? Do I need to enable UMA for the policy enforcer to work?

4 Answers

0

Works for me on Keycloak 19.0.1.

keycloak.securityConstraints[0].authRoles[0]=*
keycloak.securityConstraints[0].securityCollections[0].patterns[0]=/
keycloak.securityConstraints[0].securityCollections[0].name= test

keycloak.policy-enforcer-config.on-deny-redirect-to=/403

0

I ran into the same problem once, and I solved it by adding settings like the following to my application properties YAML file:

    keycloak:
      security-constraints:
        - auth-roles:
            - "*"
          # security-collections belongs inside the constraint entry, not beside it,
          # otherwise the constraint applies to no paths at all
          security-collections:
            - name: 
              patterns:
                - /*

Welcome to Stack Overflow. Please see this page on how to ask a good question on Stack Overflow -- stackoverflow.com/help/asking. What error or exception did you get? - raviiii1

0

After a quick look, I see that your mapping in application.properties is incomplete: you have not mapped the HTTP method to the scopes you configured in Keycloak. Something like this:

keycloak.policy-enforcer-config.paths[0].path=/jpausers
keycloak.policy-enforcer-config.paths[0].methods[0].method=GET 
keycloak.policy-enforcer-config.paths[0].methods[0].scopes[0]=GET

I tried adding the properties above, but I still get the same error. Can you suggest anything else? I tried debugging further in the Keycloak code, and it looks like the KeycloakSecurityContext may be null. Is there any fix for that? - rajatg
Please have a look at the example here: https://github.com/keycloak/keycloak-quickstarts/tree/latest/app-authz-springboot. - ravthiru
4
Adding the following two properties to the application.properties file worked for me: keycloak.securityConstraints[0].securityCollections[0].patterns[0]=/* - rajatg

0

I think you are missing the key setting keycloak.securityConstraints[0].securityCollections[0].name= jpausers.
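The answers and the asker's own follow-up point to the same two gaps: the enforcer path had no scope mapped to the HTTP method (visible in the question's log as `PathConfig{... scopes=[] ...}`), and there was no security constraint, so the adapter never authenticated the request and the enforcer had no token to evaluate (the asker saw a null KeycloakSecurityContext, and "Sending challenge" followed by DENIED). As an added example, not taken from the question, the answers or the Keycloak quickstarts, here is a complete application.properties that combines the asker's policy-enforcer mapping with the security constraint the answers recommend. The server URL, realm and client id are the asker's values from the question; the client secret is a placeholder, and `bearer-only=true` is an optional adapter setting I add because the API is called with a bearer token rather than through a browser login.

```properties
server.port=38080
logging.level.org.keycloak.adapters.authorization=DEBUG

# Adapter connection; values other than the secret are the asker's own placeholders
keycloak.auth-server-url=http://192.168.154.190:18180/auth
keycloak.realm=master
keycloak.resource=login-app
keycloak.credentials.secret=<client-secret>
keycloak.principal-attribute=preferred_username
# Optional: reject unauthenticated calls with 401 instead of redirecting to a login page
keycloak.bearer-only=true

# Security constraint: makes the adapter authenticate requests to the protected paths.
# Without one the enforcer runs with no security context and denies every request.
keycloak.securityConstraints[0].authRoles[0]=*
keycloak.securityConstraints[0].securityCollections[0].name=jpausers
keycloak.securityConstraints[0].securityCollections[0].patterns[0]=/jpausers

# Policy enforcer: map the path and the HTTP method to the scope defined in Keycloak,
# so the GET scope of the "jpausers" resource is what gets evaluated.
keycloak.policy-enforcer-config.enforcement-mode=enforcing
keycloak.policy-enforcer-config.paths[0].name=jpausers
keycloak.policy-enforcer-config.paths[0].path=/jpausers
keycloak.policy-enforcer-config.paths[0].methods[0].method=GET
keycloak.policy-enforcer-config.paths[0].methods[0].scopes[0]=GET
```

With this in place the DEBUG log should show the path configuration with `scopes=[GET]` instead of `scopes=[]`, and a request carrying a token for a user who holds the `jpa` role (the only role the `test_jpa` policy requires) is expected to return PERMIT; a token for any other user is still denied by the same policy, which is the point of keeping the authorization logic in Keycloak rather than in the application.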

