在spring-boot中禁用特定URL的Keycloak身份验证 [英] Disable Keycloak authentication for a specific url in spring-boot

查看:564
本文介绍了在spring-boot中禁用特定URL的Keycloak身份验证的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!

问题描述

spring-boot服务的前端在第3方仪表板中呈现.该仪表板还具有我们要使用的通用搜索栏.现在,一旦实现了Keycloak身份验证,我们就开始专门在此搜索栏中遇到问题.所有其他API都可以正常工作,因为它们只能从我的前端调用,但是搜索API会被第三方仪表板调用.

Front end of my spring-boot service gets rendered in a 3rd party dashboard. That dashboard also has a generic search bar which we want to use. Now, once we implemented Keycloak authentication, we started facing problems specifically in this search bar. All the other API's works fine because they are called from my front end only, But search API gets called by the 3rd party dashboard.

很奇怪,第3方使用Http OPTION方法调用了我的方法,但是我的端点已注册为GET.

Weirdly, 3rd party calls my method using Http OPTION method, but my endpoint is registered as GET.

对于临时修复,我们正尝试仅在搜索API上禁用身份验证,并且似乎根本不起作用.我的配置器是:

For an interim fix, we are trying to disable the auth on search API only and does not seems to work at all. My configurer is:

@KeycloakConfiguration
@Profile("!local") // in local profile InsecureLocalConfigurer must be included instead
public class KeycloakSecurityConfigurer extends KeycloakWebSecurityConfigurerAdapter {


    /**
     * Enable Keycloak configuration over Spring Boot config instead of {@code keycloak.json} file.
     *
     * @see <a href="https://www.keycloak.org/docs/latest/securing_apps/index.html#spring-boot-integration">
     * Spring Boot Integration</a>
     */
    @Bean
    @Nonnull
    public KeycloakConfigResolver keycloakConfigResolver() {
        return new KeycloakSpringBootConfigResolver();
    }

    /**
     * Registers the KeycloakAuthenticationProvider with the authentication manager.
     */
    @Autowired
    public void configureGlobal(@Nonnull final AuthenticationManagerBuilder auth) {
        auth.authenticationProvider(keycloakAuthenticationProvider());
    }

    /**
     * Accept only bearer token authentication.
     *
     * @see <a href="https://www.keycloak.org/docs/latest/securing_apps/index.html#spring-security-configuration">
     *     Spring Security Configuration</a>
     * @see NullAuthenticatedSessionStrategy
     * @return {@link NullAuthenticatedSessionStrategy} instance.
     */
    @Override
    @Nonnull
    protected SessionAuthenticationStrategy sessionAuthenticationStrategy() {
        return new NullAuthenticatedSessionStrategy();
    }

    /**
     * All request are checked regarding valid token, except <code>/health</code> check.
     * If configuration property <code>rca.security.enable</code> is set to <code>false</code>false
     * (default is true) then all requests are permitted without authentication.
     *
     * <p>
     * <b>CSRF security is disabled</b> since our app is not multipart web form app.
     * See more at: <ul>
     *
     * <li><a href="https://docs.spring.io/spring-boot/docs/current/reference/html/boot-features-security.html#boot-features-security-csrf">
     * Cross Site Request Forgery Protection</a></li>
     * <li><a href="https://docs.spring.io/spring-security/site/docs/current/reference/html/csrf.html">
     * Cross Site Request Forgery (CSRF)</a></li>
     * </ul>
     *
     * @param http the {@link HttpSecurity} to modify
     * @throws Exception if an error occurs
     */
    @Override
    protected void configure(@Nonnull final HttpSecurity http) throws Exception {
        super.configure(http);

        http.csrf().disable();

        http
                .cors()
                .and()
                .authorizeRequests()
                .antMatchers("/health", "/error").permitAll()
                .antMatchers(HttpMethod.OPTIONS, "/**").permitAll()
                .anyRequest().authenticated();
    }

    /**
     * Avoid double {@link KeycloakAuthenticationProcessingFilter} bean registration.
     *
     * <p>
     * This will set {@link AbstractAuthenticationProcessingFilter#continueChainBeforeSuccessfulAuthentication} to
     * {@code false}, meaning that <b>after success authentication by this Keycloak filter -
     * further filters will be skipped</b>. See
     * {@link KeycloakAuthenticationProcessingFilter#KeycloakAuthenticationProcessingFilter(
     * org.springframework.security.authentication.AuthenticationManager,
     * org.springframework.security.web.util.matcher.RequestMatcher) KeycloakAuthenticationProcessingFilter constructor}
     *
     * @param filter {@link KeycloakAuthenticationProcessingFilter} auth processing filter
     * @return disabled {@link FilterRegistrationBean}
     * @see <a href="https://www.keycloak.org/docs/latest/securing_apps/index.html#avoid-double-filter-bean-registration">
     * Avoid double Filter bean registration</a>
     */
    @Bean
    @Nonnull
    public FilterRegistrationBean keycloakAuthenticationProcessingFilterRegistrationBean(
            @Nonnull final KeycloakAuthenticationProcessingFilter filter) {

        final FilterRegistrationBean<KeycloakAuthenticationProcessingFilter> registrationBean =
                new FilterRegistrationBean<>(filter);

        registrationBean.setEnabled(false);
        return registrationBean;
    }

    /**
     * Avoid double {@link KeycloakPreAuthActionsFilter} bean registration.
     *
     * @param filter {@link KeycloakPreAuthActionsFilter} filter
     * @return disabled {@link FilterRegistrationBean}
     * @see <a href="https://www.keycloak.org/docs/latest/securing_apps/index.html#avoid-double-filter-bean-registration">
     * Avoid double Filter bean registration</a>
     */
    @Bean
    @Nonnull
    public FilterRegistrationBean keycloakPreAuthActionsFilterRegistrationBean(
            @Nonnull final KeycloakPreAuthActionsFilter filter) {
        final FilterRegistrationBean<KeycloakPreAuthActionsFilter> registrationBean =
                new FilterRegistrationBean<>(filter);
        registrationBean.setEnabled(false);
        return registrationBean;
    }

    /**
     * Avoid double {@link KeycloakAuthenticatedActionsFilter} bean registration.
     *
     * @param filter {@link KeycloakAuthenticatedActionsFilter} filter
     * @return disabled {@link FilterRegistrationBean}
     * @see <a href="https://www.keycloak.org/docs/latest/securing_apps/index.html#avoid-double-filter-bean-registration">
     * Avoid double Filter bean registration</a>
     */
    @Bean
    public FilterRegistrationBean keycloakAuthenticatedActionsFilterBean(
            @Nonnull final KeycloakAuthenticatedActionsFilter filter) {
        final FilterRegistrationBean<KeycloakAuthenticatedActionsFilter> registrationBean =
                new FilterRegistrationBean<>(filter);
        registrationBean.setEnabled(false);
        return registrationBean;
    }

    /**
     * Avoid double {@link KeycloakSecurityContextRequestFilter} bean registration.
     *
     * @param filter {@link KeycloakSecurityContextRequestFilter} filter
     * @return disabled {@link FilterRegistrationBean}
     * @see <a href="https://www.keycloak.org/docs/latest/securing_apps/index.html#avoid-double-filter-bean-registration">
     * Avoid double Filter bean registration</a>
     */
    @Bean
    public FilterRegistrationBean keycloakSecurityContextRequestFilterBean(
            @Nonnull final KeycloakSecurityContextRequestFilter filter) {

        final FilterRegistrationBean<KeycloakSecurityContextRequestFilter> registrationBean =
                new FilterRegistrationBean<>(filter);

        registrationBean.setEnabled(false);
        return registrationBean;
    }
}

我尝试了多种方法,但没有一种有效.有时我会开始遇到CORS异常,一旦解决它,它又会再次引发未授权的用户错误.请帮助确定我在做什么错.

I've tried multiple approaches but none of them works. Sometimes I start getting CORS exception, once I fix it, it again starts throwing unauthorised user error. Kindly help in identifying what I am doing wrong.

我还尝试过的东西:

        super.configure(http);
        http.csrf().disable();

        http


           .cors()
            .and()
            .authorizeRequests()
            .antMatchers("/health", "/error").permitAll()
            .antMatchers(HttpMethod.OPTIONS, "/**").permitAll()
            .anyRequest().authenticated();

  • @Override public void configure(final WebSecurity web) { web.ignoring().antMatchers(HttpMethod.OPTIONS, "/**"); }

  • @Override public void configure(final WebSecurity web) { web.ignoring().antMatchers(HttpMethod.OPTIONS, "/**"); }

    `http.csrf().disable();

    ` http.csrf().disable();

    http
        .cors()
        .and()
        .authorizeRequests()
        .antMatchers("/health", "/error").permitAll()
        .antMatchers(HttpMethod.OPTIONS, "/item/search").permitAll()
        .antMatchers(HttpMethod.OPTIONS, "/item/search/").permitAll()
        .antMatchers(HttpMethod.OPTIONS, "/item/search/**").permitAll()
        .antMatchers(HttpMethod.OPTIONS, "/**/search").permitAll()
        .antMatchers(HttpMethod.OPTIONS, "/**/search/").permitAll()
        .antMatchers(HttpMethod.OPTIONS, "/**/search/**").permitAll()
        .anyRequest().authenticated();`

    • 推荐答案

    也许与您无关,但是我的问题是/error路径也应该列入白名单.

    Maybe not related to you, but my issue was that the /error path should be whitelisted as well.

    我的呼叫最终以错误结束的事实导致重定向到/error,并且由于/error是安全的,所以我将重定向到登录名.

    The fact that the my call ended up in error made a redirect to /error and since /error was secure I got the redirect to the login.

    @Override
protected void configure(HttpSecurity http) throws Exception {
    super.configure(http);
    http
        .authorizeRequests()
        .antMatchers("/public/**").permitAll()
        .antMatchers("/secure/**").hasAuthority(...)
        .antMatchers("/error").permitAll()
}

    这篇关于在spring-boot中禁用特定URL的Keycloak身份验证的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!

    查看全文
    相关文章
    其他开发最新文章
    热门教程
    热门工具
    登录 关闭
    扫码关注1秒登录
    发送“验证码”获取 | 15天全站免登陆