Keycloak安全的Spring Boot应用程序:尝试配置公共可用页面 [英] Keycloak secured Spring Boot Application: Try to configure publicly available pages
问题描述
我们有一个Keycloak服务器,用于保护我们的Spring Boot应用程序.到目前为止,一切正常.但是,我们现在需要一个忘记密码页面,该页面必须无需登录即可访问.我们无法做到这一点.
我们正在实现KeycloakWebSecurityConfigurerAdapter并覆盖configure(HttpSecurity)方法.实现看起来像这样:
We have a Keycloak server that is securing our Spring Boot application. That works fine so far. However we now need a forgot password page, which has to be reachable without login of course. We are not able to accomplish this.
We are implementing a KeycloakWebSecurityConfigurerAdapter and overriding the configure(HttpSecurity) method. Implementation looks like this:
super.configure(http);
http.csrf().disable()
.exceptionHandling()
.accessDeniedPage("/accessDenied");
http.anonymous.disable();
http.authorizeRequests();
仅使用该代码,实际上除根页面外,每个页面都可以自由访问.一旦我们添加对antMatcher()或anyRequest()方法的调用,后跟permitAll()或fullyAuthenticated()的调用,只是为了实现允许和不允许的页面之间的区别,所有页面都是安全的/不允许的.我们进行了很多次尝试,试图在这里和其他任何地方寻求帮助,但没有找到解决方案.当前实现的示例是:
With that code only, indeed every page is freely accessible, except the root page. As soon as we add calls to antMatcher() or anyRequest() method followed by permitAll() or fullyAuthenticated(), just to achieve the differentiation in allowed and disallowed pages, all pages are secured/disallowed. We played around a lot and tried to find help here and anywhere else but found no solution. Current implemented example is:
http.authorizeRequests().antMatchers(HttpMethod.GET, "/public/forgotPassword").permitAll()
.anyRequest().fullyAuthenticated();
如上所述,结果是每个页面都需要身份验证,也需要public/forgotPassword页面. 有谁知道可能是什么问题?
The result is, as stated, that every pages needs authentication, also the public/forgotPassword page. Does anyone have an idea about what the problem might be?
提前谢谢!
推荐答案
我已经实现了 springboot.keycloak.mre 1 以简化的方式演示 我从事的上一个项目类似地实现了您所要求的 .
I've implemented this springboot.keycloak.mre1 to demonstrate — in a stripped-down way — how a previous project I worked on similarly implemented what I think you're requesting.
简而言之,解决方案的要点是……
In a nutshell, the gist of the solution is…
…
public class SecurityConfiguration extends KeycloakWebSecurityConfigurerAdapter {
@Override
public void configure(HttpSecurity http) throws Exception {
super.configure(http);
http.authorizeRequests().antMatchers("/login", "/login.html")
.permitAll().antMatchers("/dashboard", "/dashboard.html")
.authenticated();
}
…
}
构建和运行 MRE 的步骤很简单.但是,如果您在构建或运行过程中遇到困难,请告诉我是否可以提供任何帮助.
The steps to build and run the MRE are straightforward. But if you get stuck building or running it, let me know if I can help you in any way.
如果我完全误解了您的要求,请随时克隆和修改项目,使其更像您的用例.如果您随后上传修改,并在 ,我将进行调查并与您联系.
And if I've completely misinterpreted what you've requested, then please feel free to clone and modify the project to be more like your use case. If you then upload your modifications, and elaborate on the specifics of your use case in the repo's Issues area, I will investigate and get back to you.
1
这篇关于Keycloak安全的Spring Boot应用程序:尝试配置公共可用页面的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
