对于未经身份验证的请求,Keylock Sprringboot返回403,而不是401 [英] Keyclock springboot returns 403 instead of 401 for unauthenticated requests
本文介绍了对于未经身份验证的请求,Keylock Sprringboot返回403,而不是401的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!
问题描述
使用此配置时,我收到403空响应。
keycloak:
realm: ${KEYCLOAK_REALM}
auth-server-url: ${KEYCLOAK_AUTH_SERVER_URL}
ssl-required: external
resource: ${KEYCLOAK_CLIENT_ID}
credentials.secret: ${KEYCLOAK_CLIENT_SECRET}
use-resource-role-mappings: true
cors: true
public-client: false
bearer-only: true
policy-enforcer-config:
lazy-load-paths: true
http-method-as-scope: true
path-cache-config:
max-entries: 1000
lifespan: 1000
paths:
- name: Insecure Resource
path: /
enforcement-mode: DISABLED
- name: Swagger UI
path: /swagger-ui/*
enforcement-mode: DISABLED
- name: Swagger Resources
path: /swagger-resources/*
enforcement-mode: DISABLED
- name: Swagger api Resources
path: /api-docs
enforcement-mode: DISABLED
securityConstraints:
- authRoles:
- '*'
securityCollections:
- name: protected
patterns:
- '/v1/*'
- '/intranet/*'
如果我像这样删除策略执行器
keycloak:
realm: ${KEYCLOAK_REALM}
auth-server-url: ${KEYCLOAK_AUTH_SERVER_URL}
ssl-required: external
resource: ${KEYCLOAK_CLIENT_ID}
credentials.secret: ${KEYCLOAK_CLIENT_SECRET}
use-resource-role-mappings: true
cors: true
public-client: false
bearer-only: true
# policy-enforcer-config:
# lazy-load-paths: true
# http-method-as-scope: true
# path-cache-config:
# max-entries: 1000
# lifespan: 1000
# paths:
# - name: Insecure Resource
# path: /
# enforcement-mode: DISABLED
# - name: Swagger UI
# path: /swagger-ui/*
# enforcement-mode: DISABLED
# - name: Swagger Resources
# path: /swagger-resources/*
# enforcement-mode: DISABLED
# - name: Swagger api Resources
# path: /api-docs
# enforcement-mode: DISABLED
securityConstraints:
- authRoles:
- '*'
securityCollections:
- name: protected
patterns:
- '/v1/*'
- '/intranet/*'
返回401
{
"timestamp": "2021-10-05T11:25:33.116+0000",
"status": 401,
"error": "Unauthorized",
"message": "No message available",
"path": "/v1/approve-documents"
}
策略强制执行适用于所有请求,即使其未经过身份验证或未通过身份验证也是如此。如果令牌无效或丢失,如何返回401。
完整代码https://github.com/prajintst/keyclock-permissions
推荐答案
根据密钥罩架构图,策略强制检查在认证/认证之前进行。因此,您无法使用策略强制实现预期的输出。
我建议您使用策略evaluator/provider或使用基于角色的授权来实现此目的。
这篇关于对于未经身份验证的请求,Keylock Sprringboot返回403,而不是401的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
查看全文