受Keycloak保护的WildFly REST服务返回401未经授权 [英] Keycloak-secured WildFly REST service returns 401 Unauthorized
问题描述
我正在使用WildFly应用程序服务器,该服务器在本地计算机上托管简单的Frontend-Backend组合.前端通过Keycloak JS适配器进行保护,后端被禁止使用Keycloak WildFly适配器.
I'm using a WildFly application server that hosts a simple Frontend-Backend combination on my local machine. The Frontend is secured through the Keycloak JS adapter and the Backend is supposted to using the Keycloak WildFly adapter.
我已经正确放置了keycloak.json(在WEB-INF文件夹中),并且我的web.xml看起来像这样:
I have the keycloak.json properly in place (in the WEB-INF folder), and my web.xml looks like this:
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
version="3.0">
<module-name>restservice</module-name>
<display-name>RESTful Service</display-name>
<security-constraint>
<web-resource-collection>
<web-resource-name>Brokerservice</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>default</role-name>
</auth-constraint>
</security-constraint>
<security-constraint>
<web-resource-collection>
<web-resource-name>AuthInterface</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
</security-constraint>
<login-config>
<auth-method>KEYCLOAK</auth-method>
<realm-name>this is ignored currently</realm-name>
</login-config>
<security-role>
<role-name>default</role-name>
</security-role>
</web-app>
部署进行得很顺利,我可以访问并登录到该部署中托管的Frontend,但是当我尝试从后端请求某些内容时,我会收到401 Unauthorized.承载令牌有效,并按照Keycloak文档的指示发送给服务.同时,控制台读取
The deployment goes smoothly and I can access, and log in to, the Frontend hosted in that deployment, but when I try to request something from my Backend, I am returned a 401 Unauthorized. The bearer token is valid and sent to the service as instructed by Keycloak's docs. Meanwhile, the console reads
Error when sending request to retrieve realm keys: org.keycloak.adapters.HttpClientAdapterException: IO error
完整的服务器日志可在此处获得.由于此问题仅与我的本地REST服务有关(我可以从公司网络中的其他受Keycloak保护的服务中连接和检索数据),因此我怀疑这与我的WildFly配置有关.当前,它是全新安装,仅通过命令行添加并启用了Keycloak适配器.
The full server log is available here. Since this issue only occrus with my local REST service (I can connect and retrieve data from other Keycloak-secured services in my company's network), I suspect that this is an issue with my WildFly configuration. Currently, it is a clean install with only the Keycloak adapter added and enabled via command line.
感谢任何帮助.
推荐答案
我的朋友们,我找到了答案!我确实是一个本地配置问题,但不是在WildFly中,而是在我的Java Keystore中.公司SSL证书必须添加到cacerts密钥库中,该密钥库是与JAVA_HOME变量关联的Java发行版的一部分(在我的情况下为jdk1.8.0_181).具体来说,您可以使用以下命令进行设置:
My friends, I found the soltuion! I truly was a local configuration issue, but not in WildFly but in my Java Keystore. The corporate SSL certificate has to be added to the cacerts Keystore that is part of the Java distribution associated with the JAVA_HOME variable (in my case, jdk1.8.0_181). Specifically, you can use this command to set it up:
keytool -import -keystore "C:\Program Files\Java\jdk1.8.0_181\jre\lib\security\cacerts" -alias [alias] -storepass [password] -file [path/to/your/certificate]
请注意,如果找不到"keytool",请导航至JDK的bin并从此处执行命令.执行原点在这里无效.
Note that if "keytool" cannot be found, navigate to the JDK's bin and execute the command from there. Execution origin has no effect here.
这篇关于受Keycloak保护的WildFly REST服务返回401未经授权的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
