Keycloak 得到 401 错误,但是 spring security 不处理这个错误 [英] Keycloak get 401 error, but spring security does not handle this error
问题描述
问题如下.我通过 Keycloak Bearer Spring security 实现了这样的登录
The problem is as follows. I implemented the login through Keycloak Bearer Spring security like this
公共类 KeycloakSecurityConfiguration 扩展 KeycloakWebSecurityConfigurerAdapter {
public class KeycloakSecurityConfiguration extends KeycloakWebSecurityConfigurerAdapter {
@Autowired
public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
KeycloakAuthenticationProvider keycloakAuthenticationProvider = keycloakAuthenticationProvider();
keycloakAuthenticationProvider.setGrantedAuthoritiesMapper(new SimpleAuthorityMapper());
auth.authenticationProvider(keycloakAuthenticationProvider);
}
@Override
public void configure(HttpSecurity http) throws Exception {
super.configure(http);
http.sessionManagement()
.sessionCreationPolicy(SessionCreationPolicy.STATELESS)
.sessionAuthenticationStrategy(sessionAuthenticationStrategy())
.and()
.csrf().disable()
.addFilterBefore(keycloakPreAuthActionsFilter(), LogoutFilter.class)
.addFilterBefore(keycloakAuthenticationProcessingFilter(), X509AuthenticationFilter.class)
.exceptionHandling().authenticationEntryPoint(authenticationEntryPoint())
.and()
.authorizeRequests().antMatchers(Constants.API_BASE_PATH + "/**").authenticated();
}
}
,当我将授权请求标头发送为空时,keycloak 会抛出错误 401.我无法像这样通过 @ExceptionHandler 捕获:
, when I send the Authorization request header empty, keycloak throws error 401. Which I cannot catch through @ExceptionHandler like this :
@ExceptionHandler(RuntimeException.class)受保护的 ResponseEntity keycloakAuthenticationExceptionn(RuntimeException ex) {返回 buildResponseEntity(new ErrorResponseWrapper(BAD_REQUEST,newMessageResponse(ex.getLocalizedMessage()),ex,ErrorCode.NOT_AUTHORIZED));}.
@ExceptionHandler(RuntimeException.class) protected ResponseEntity keycloakAuthenticationExceptionn(RuntimeException ex) { return buildResponseEntity(new ErrorResponseWrapper(BAD_REQUEST,new MessageResponse(ex.getLocalizedMessage()),ex,ErrorCode.NOT_AUTHORIZED)); } .
推荐答案
KeyCloak 有一个 KeycloakAuthenticationFailureHandler 来处理身份验证失败.我能够通过创建自定义 KeycloakAuthenticationFailureHandler 然后在覆盖我的自定义类的同时解决类似的问题KeycloakAuthenticationProcessingFilter.
KeyCloak has a KeycloakAuthenticationFailureHandler that handles authentication failures. I was able to solve a similar problem by creating a Custom KeycloakAuthenticationFailureHandler then set my Custom class while overriding the KeycloakAuthenticationProcessingFilter.
@Bean
@Override
protected KeycloakAuthenticationProcessingFilter keycloakAuthenticationProcessingFilter() throws Exception {
KeycloakAuthenticationProcessingFilter filter = new KeycloakAuthenticationProcessingFilter(this.authenticationManagerBean());
filter.setSessionAuthenticationStrategy(this.sessionAuthenticationStrategy());
filter.setAuthenticationFailureHandler(new CustomKeycloakAuthenticationFailureHandler());
return filter;
}
在我的自定义类中...
Inside my Custom Class...
public class CustomKeycloakAuthenticationFailureHandler implements AuthenticationFailureHandler {
public CustomKeycloakAuthenticationFailureHandler() {}
@Override
public void onAuthenticationFailure(HttpServletRequest request, HttpServletResponse response, AuthenticationException exception) throws IOException, ServletException {
if (!response.isCommitted()) {
if (KeycloakCookieBasedRedirect.getRedirectUrlFromCookie(request) != null) {
response.addCookie(KeycloakCookieBasedRedirect.createCookieFromRedirectUrl((String)null));
}
//response.sendError(401, "Unable to authenticate using the Authorization header");
response.setContentType("application/json");
response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
response.getOutputStream().println("{ \"error\": \"" + exception.getMessage() + "\" }");
} else if (200 <= response.getStatus() && response.getStatus() < 300) {
throw new RuntimeException("Success response was committed while authentication failed!", exception);
}
}
}
我可以使用响应 OutputStream 来自定义我对客户端的响应.我评论了默认的 KeyCloak response.sendError 行.
I am able to use the response OutputStream to customize my response to the client. I commented the default KeyCloak response.sendError line.
看起来 KeyCloak 在内部处理异常.
It looks like KeyCloak handles the exceptions internally.
这个方案也解决了header:WWW-Authenticate的问题在响应中没有重复.
This solution also solves the issue where the header: WWW-Authenticate is not duplicated in the response.
为 KeyCloak 故障排除打开 DEBUG 帮助:logging.level.org.keycloak=DEBUG
Turning on DEBUG for KeyCloak troubleshooting HELPS: logging.level.org.keycloak=DEBUG
希望这会有所帮助.
这篇关于Keycloak 得到 401 错误,但是 spring security 不处理这个错误的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!