Spring Security整合KeyCloak保護Rest API

時間  2019-11-09
標籤 spring security 整合 keycloak 保護 rest api 欄目 Spring 简体版
原文   原文鏈接

今天咱們嘗試Spring Security整合Keycloak,並決定創建一個很是簡單的Spring Boot微服務,使用Keycloak做爲個人身份驗證源,使用Spring Security處理身份驗證和受權。html

設置Keycloak

  • 首先咱們須要一個Keycloak實例,讓咱們啓動Jboss提供的Docker容器:
docker run -d \
  --name springboot-security-keycloak-integration \
  -e KEYCLOAK_USER=admin \
  -e KEYCLOAK_PASSWORD=admin \
  -p 9001:8080 \
  jboss/keycloak
複製代碼
  • 在此以後,咱們只需登陸到容器並導航到bin文件夾。
docker exec -it springboot-security-keycloak-integration /bin/bash
cd keycloak/bin
複製代碼
  • 首先,咱們須要從CLI客戶端登陸keycloak服務器,以後咱們再也不須要身份驗證:
./kcadm.sh config credentials --server http://localhost:8080/auth --realm master --user admin --password admin
複製代碼

配置realm

  • 首先,咱們須要建立一個realm:
./kcadm.sh create realms -s realm=springboot-security-keycloak-integration -s enabled=true

Created new realm with id 'springboot-security-keycloak-integration'
複製代碼
  • 以後,咱們須要建立2個客戶端,這將爲咱們的應用程序提供身份驗證。首先咱們建立一個cURL客戶端,這樣咱們就能夠經過命令行命令登陸:
./kcadm.sh create clients -r springboot-security-keycloak-integration -s clientId=curl -s enabled=true -s publicClient=true -s baseUrl=http://localhost:8080 -s adminUrl=http://localhost:8080 -s directAccessGrantsEnabled=true

Created new client with id '8f0481cd-3bbb-4659-850f-6088466a4d89'
複製代碼

重要的是要注意2個選項:publicClient=truedirectAccessGrantsEnabled=true。第一個使這個客戶端公開,這意味着咱們的cURL客戶端能夠在不提供任何祕密的狀況下啓動登陸。第二個使咱們可以使用用戶名和密碼直接登陸。java

  • 其次,咱們建立了一個由REST服務使用的客戶端:
./kcadm.sh create clients -r springboot-security-keycloak-integration -s clientId=springboot-security-keycloak-integration-client -s enabled=true -s baseUrl=http://localhost:8080 -s bearerOnly=true

Created new client with id 'ab9d404e-6d5b-40ac-9bc3-9e2e26b68213'
複製代碼

這裏的重要配置是bearerOnly=true。這告訴Keycloak客戶端永遠不會啓動登陸過程,可是當它收到Bearer令牌時,它將檢查所述令牌的有效性。git

咱們應該注意保留這些ID,由於咱們將在接下來的步驟中使用它們。github

  • 咱們有兩個客戶端,接下來是爲spring-security-keycloak-example-app客戶建立角色

Admin Role:web

./kcadm.sh create clients/ab9d404e-6d5b-40ac-9bc3-9e2e26b68213/roles -r springboot-security-keycloak-integration -s name=admin -s 'description=Admin role'

Created new role with id 'admin'
複製代碼

User Role:spring

./kcadm.sh create clients/ab9d404e-6d5b-40ac-9bc3-9e2e26b68213/roles -r springboot-security-keycloak-integration -s name=user -s 'description=User role'

Created new role with id 'user'
複製代碼

注意client後的id是咱們建立客戶端輸出的iddocker

  • 最後,咱們應該獲取客戶端的配置,以便稍後提供給咱們的應用程序:
./kcadm.sh  get clients/ab9d404e-6d5b-40ac-9bc3-9e2e26b68213/installation/providers/keycloak-oidc-keycloak-json -r springboot-security-keycloak-integration
複製代碼

注意client後的id是咱們建立客戶端輸出的idexpress

應該返回相似於此的內容:apache

{
  "realm" : "springboot-security-keycloak-integration",
  "bearer-only" : true,
  "auth-server-url" : "http://localhost:8080/auth",
  "ssl-required" : "external",
  "resource" : "springboot-security-keycloak-integration-client",
  "verify-token-audience" : true,
  "use-resource-role-mappings" : true,
  "confidential-port" : 0
}
複製代碼

配置用戶

出於演示目的,咱們建立2個具備2個不一樣角色的用戶,以便咱們驗證受權是否有效。json

  • 首先,讓咱們建立一個具備admin角色的用戶:

建立admin用戶:

./kcadm.sh create users -r springboot-security-keycloak-integration -s username=admin -s enabled=true

Created new user with id '50c11a76-a8ff-42b1-80cb-d82cb3e7616d'
複製代碼

設置admin密碼:

./kcadm.sh update users/50c11a76-a8ff-42b1-80cb-d82cb3e7616d/reset-password -r springboot-security-keycloak-integration -s type=password -s value=admin -s temporary=false -n
複製代碼

value: 用戶密碼

追加到admin角色中

./kcadm.sh add-roles -r springboot-security-keycloak-integration --uusername=admin --cclientid springboot-security-keycloak-integration-client --rolename admin
複製代碼

注意:從不在生產中使用此方法,它僅用於演示目的!

  • 而後咱們建立另外一個用戶,此次有角色user:

建立user用戶:

./kcadm.sh create users -r springboot-security-keycloak-integration -s username=user -s enabled=true

Created new user with id '624434c8-bce4-4b5b-b81f-e77304785803'
複製代碼

設置user密碼:

./kcadm.sh update users/624434c8-bce4-4b5b-b81f-e77304785803/reset-password -r springboot-security-keycloak-integration -s type=password -s value=admin -s temporary=false -n
複製代碼

追加到user角色中:

./kcadm.sh add-roles -r springboot-security-keycloak-integration --uusername=user --cclientid springboot-security-keycloak-integration-client --rolename user
複製代碼

Rest服務

咱們已經配置了Keycloak並準備使用,咱們只須要一個應用程序來使用它!因此咱們建立一個簡單的Spring Boot應用程序。我會在這裏使用maven構建項目:

<project xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://maven.apache.org/POM/4.0.0" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">

    <modelVersion>4.0.0</modelVersion>
    <groupId>com.edurt.sski</groupId>
    <artifactId>springboot-security-keycloak-integration</artifactId>
    <packaging>jar</packaging>
    <version>1.0.0</version>

    <name>springboot security keycloak integration</name>
    <description>SpringBoot Security KeyCloak Integration is a open source springboot, spring security, keycloak
        integration example.
    </description>

    <properties>
        <!-- dependency config -->
        <dependency.lombox.version>1.16.16</dependency.lombox.version>
        <dependency.springboot.common.version>1.5.6.RELEASE</dependency.springboot.common.version>
        <dependency.keycloak.version>3.1.0.Final</dependency.keycloak.version>
        <!-- plugin config -->
        <plugin.maven.compiler.version>3.3</plugin.maven.compiler.version>
        <plugin.maven.javadoc.version>2.10.4</plugin.maven.javadoc.version>
        <!-- environment config -->
        <environment.compile.java.version>1.8</environment.compile.java.version>
        <!-- reporting config -->
        <reporting.maven.jxr.version>2.5</reporting.maven.jxr.version>
    </properties>

    <dependencyManagement>
        <dependencies>
            <dependency>
                <groupId>org.springframework.boot</groupId>
                <artifactId>spring-boot-dependencies</artifactId>
                <version>${dependency.springboot.common.version}</version>
                <type>pom</type>
                <scope>import</scope>
            </dependency>
        </dependencies>
    </dependencyManagement>

    <dependencies>
        <!-- lombok -->
        <dependency>
            <groupId>org.projectlombok</groupId>
            <artifactId>lombok</artifactId>
            <version>${dependency.lombox.version}</version>
        </dependency>
        <!-- springboot -->
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-web</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-security</artifactId>
        </dependency>
        <!-- keycloak -->
        <dependency>
            <groupId>org.keycloak</groupId>
            <artifactId>keycloak-spring-boot-starter</artifactId>
            <version>${dependency.keycloak.version}</version>
        </dependency>
        <dependency>
            <groupId>org.keycloak</groupId>
            <artifactId>keycloak-spring-security-adapter</artifactId>
            <version>${dependency.keycloak.version}</version>
        </dependency>
    </dependencies>

    <build>
        <plugins>
            <plugin>
                <groupId>org.apache.maven.plugins</groupId>
                <artifactId>maven-compiler-plugin</artifactId>
                <version>${plugin.maven.compiler.version}</version>
                <configuration>
                    <source>${environment.compile.java.version}</source>
                    <target>${environment.compile.java.version}</target>
                </configuration>
            </plugin>
            <plugin>
                <groupId>org.apache.maven.plugins</groupId>
                <artifactId>maven-javadoc-plugin</artifactId>
                <version>${plugin.maven.javadoc.version}</version>
                <configuration>
                    <aggregate>true</aggregate>
                    <!-- custom tags -->
                    <tags>
                        <tag>
                            <name>Description</name>
                            <placement>test</placement>
                            <head>description</head>
                        </tag>
                    </tags>
                    <!-- close jdoclint check document -->
                    <additionalparam>-Xdoclint:none</additionalparam>
                </configuration>
            </plugin>
        </plugins>
    </build>

    <reporting>
        <plugins>
            <plugin>
                <groupId>org.apache.maven.plugins</groupId>
                <artifactId>maven-jxr-plugin</artifactId>
                <version>${reporting.maven.jxr.version}</version>
            </plugin>
        </plugins>
    </reporting>

</project>
複製代碼

添加全部必需的依賴項:

  • spring-security 用於保護應用程序
  • keycloak-spring-boot-starter 使用Keycloak和Spring Boot
  • keycloak-spring-security-adapter 與Spring Security集成

一個簡單的應用類:

/** * Licensed to the Apache Software Foundation (ASF) under one * or more contributor license agreements. See the NOTICE file * distributed with this work for additional information * regarding copyright ownership. The ASF licenses this file * to you under the Apache License, Version 2.0 (the * "License"); you may not use this file except in compliance * with the License. You may obtain a copy of the License at * <p> * http://www.apache.org/licenses/LICENSE-2.0 * <p> * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */
package com.edurt.sski;

import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;

/** * <p> SpringBootSecurityKeyCloakIntegration </p> * <p> Description : SpringBootSecurityKeyCloakIntegration </p> * <p> Author : qianmoQ </p> * <p> Version : 1.0 </p> * <p> Create Time : 2019-02-18 14:45 </p> * <p> Author Email: <a href="mailTo:shichengoooo@163.com">qianmoQ</a> </p> */
@SpringBootApplication
public class SpringBootSecurityKeyCloakIntegration {

    public static void main(String[] args) {
        SpringApplication.run(SpringBootSecurityKeyCloakIntegration.class, args);
    }

}
複製代碼

Rest API接口:

/** * Licensed to the Apache Software Foundation (ASF) under one * or more contributor license agreements. See the NOTICE file * distributed with this work for additional information * regarding copyright ownership. The ASF licenses this file * to you under the Apache License, Version 2.0 (the * "License"); you may not use this file except in compliance * with the License. You may obtain a copy of the License at * <p> * http://www.apache.org/licenses/LICENSE-2.0 * <p> * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */
package com.edurt.sski.controller;

import org.springframework.security.access.annotation.Secured;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

/** * <p> HelloController </p> * <p> Description : HelloController </p> * <p> Author : qianmoQ </p> * <p> Version : 1.0 </p> * <p> Create Time : 2019-02-18 14:50 </p> * <p> Author Email: <a href="mailTo:shichengoooo@163.com">qianmoQ</a> </p> */
@RestController
public class HelloController {

    @GetMapping(value = "/admin")
    @Secured("ROLE_ADMIN")
    public String admin() {
        return "Admin";
    }

    @GetMapping("/user")
    @Secured("ROLE_USER")
    public String user() {
        return "User";
    }

}
複製代碼

最後是keycloak配置:

/** * Licensed to the Apache Software Foundation (ASF) under one * or more contributor license agreements. See the NOTICE file * distributed with this work for additional information * regarding copyright ownership. The ASF licenses this file * to you under the Apache License, Version 2.0 (the * "License"); you may not use this file except in compliance * with the License. You may obtain a copy of the License at * <p> * http://www.apache.org/licenses/LICENSE-2.0 * <p> * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */
package com.edurt.sski.config;

import org.keycloak.adapters.KeycloakConfigResolver;
import org.keycloak.adapters.springboot.KeycloakSpringBootConfigResolver;
import org.keycloak.adapters.springsecurity.authentication.KeycloakAuthenticationProvider;
import org.keycloak.adapters.springsecurity.config.KeycloakWebSecurityConfigurerAdapter;
import org.keycloak.adapters.springsecurity.filter.KeycloakAuthenticationProcessingFilter;
import org.keycloak.adapters.springsecurity.filter.KeycloakPreAuthActionsFilter;
import org.springframework.boot.web.servlet.FilterRegistrationBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.authority.mapping.GrantedAuthoritiesMapper;
import org.springframework.security.core.authority.mapping.SimpleAuthorityMapper;
import org.springframework.security.web.authentication.session.NullAuthenticatedSessionStrategy;
import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy;

/** * <p> KeycloakSecurityConfigurer </p> * <p> Description : KeycloakSecurityConfigurer </p> * <p> Author : qianmoQ </p> * <p> Version : 1.0 </p> * <p> Create Time : 2019-02-18 14:51 </p> * <p> Author Email: <a href="mailTo:shichengoooo@163.com">qianmoQ</a> </p> */
@Configuration
@EnableWebSecurity
public class KeycloakSecurityConfigurer extends KeycloakWebSecurityConfigurerAdapter {

    @Bean
    public GrantedAuthoritiesMapper grantedAuthoritiesMapper() {
        SimpleAuthorityMapper mapper = new SimpleAuthorityMapper();
        mapper.setConvertToUpperCase(true);
        return mapper;
    }

    @Override
    protected KeycloakAuthenticationProvider keycloakAuthenticationProvider() {
        final KeycloakAuthenticationProvider provider = super.keycloakAuthenticationProvider();
        provider.setGrantedAuthoritiesMapper(grantedAuthoritiesMapper());
        return provider;
    }

    @Override
    protected void configure(final AuthenticationManagerBuilder auth) throws Exception {
        auth.authenticationProvider(keycloakAuthenticationProvider());
    }

    @Override
    protected SessionAuthenticationStrategy sessionAuthenticationStrategy() {
        return new NullAuthenticatedSessionStrategy();
    }

    @Override
    protected void configure(final HttpSecurity http) throws Exception {
        super.configure(http);
        http
                .authorizeRequests()
                .antMatchers("/admin").hasRole("ADMIN")
                .antMatchers("/user").hasRole("USER")
                .anyRequest().permitAll();
    }

    @Bean
    KeycloakConfigResolver keycloakConfigResolver() {
        return new KeycloakSpringBootConfigResolver();
    }

    @Bean
    public FilterRegistrationBean keycloakAuthenticationProcessingFilterRegistrationBean( final KeycloakAuthenticationProcessingFilter filter) {
        final FilterRegistrationBean registrationBean = new FilterRegistrationBean(filter);
        registrationBean.setEnabled(false);
        return registrationBean;
    }

    @Bean
    public FilterRegistrationBean keycloakPreAuthActionsFilterRegistrationBean( final KeycloakPreAuthActionsFilter filter) {
        final FilterRegistrationBean registrationBean = new FilterRegistrationBean(filter);
        registrationBean.setEnabled(false);
        return registrationBean;
    }

}
複製代碼

KeycloakSecurityConfigurer類擴展 KeycloakWebSecurityConfigurerAdapter,這是Keycloak提供的類,它提供與Spring Security的集成。

而後咱們經過添加SimpleAuthorityMapper配置身份驗證管理器,它負責轉換來自Keycloak的角色名稱以匹配Spring Security的約定。基本上Spring Security指望以ROLE_前綴開頭的角色,ROLE_ADMIN能夠像Keycloak同樣命名咱們的角色,或者咱們能夠將它們命名爲admin,而後使用此映射器將其轉換爲大寫並添加必要的ROLE_前綴:

@Bean
public GrantedAuthoritiesMapper grantedAuthoritiesMapper() {
  SimpleAuthorityMapper mapper = new SimpleAuthorityMapper();
  mapper.setConvertToUpperCase(true);
  return mapper;
}

@Override
protected KeycloakAuthenticationProvider keycloakAuthenticationProvider() {
  final KeycloakAuthenticationProvider provider = super.keycloakAuthenticationProvider();
  provider.setGrantedAuthoritiesMapper(grantedAuthoritiesMapper());
  return provider;
}

@Override
protected void configure(final AuthenticationManagerBuilder auth) throws Exception {
  auth.authenticationProvider(keycloakAuthenticationProvider());
}
複製代碼

咱們還須要爲Keycloak設置會話策略,可是當咱們建立無狀態REST服務時,咱們並不真的想要有會話,所以咱們使用NullAuthenticatedSessionStrategy:

@Override
protected SessionAuthenticationStrategy sessionAuthenticationStrategy() {
  return new NullAuthenticatedSessionStrategy();
}
複製代碼

一般,Keycloak Spring Security集成從keycloak.json文件中解析keycloak配置,可是咱們但願有適當的Spring Boot配置,所以咱們使用Spring Boot覆蓋配置解析器:

@Bean
KeycloakConfigResolver keycloakConfigResolver() {
  return new KeycloakSpringBootConfigResolver();
}
複製代碼

而後咱們配置Spring Security來受權全部請求:

@Override
protected void configure(final HttpSecurity http) throws Exception {
  super.configure(http);
  http
      .authorizeRequests()
      .anyRequest().permitAll();
}
複製代碼

最後,根據文檔,咱們阻止雙重註冊Keycloak的過濾器:

@Bean
public FilterRegistrationBean keycloakAuthenticationProcessingFilterRegistrationBean( final KeycloakAuthenticationProcessingFilter filter) {
  final FilterRegistrationBean registrationBean = new FilterRegistrationBean(filter);
  registrationBean.setEnabled(false);
  return registrationBean;
}

@Bean
public FilterRegistrationBean keycloakPreAuthActionsFilterRegistrationBean( final KeycloakPreAuthActionsFilter filter) {
  final FilterRegistrationBean registrationBean = new FilterRegistrationBean(filter);
  registrationBean.setEnabled(false);
  return registrationBean;
}
複製代碼

最後,咱們須要application.properties使用以前下載的值配置咱們的應用程序 :

server.port=9002
keycloak.realm=springboot-security-keycloak-integration
keycloak.bearer-only=true
keycloak.auth-server-url=http://localhost:9001/auth
keycloak.ssl-required=external
keycloak.resource=springboot-security-keycloak-integration-client
keycloak.use-resource-role-mappings=true
keycloak.principal-attribute=preferred_username
複製代碼

使用應用程序

  • 使用curl咱們建立的客戶端進行身份驗證,以獲取訪問令牌:
export TOKEN=`curl -ss --data "grant_type=password&client_id=curl&username=admin&password=admin" http://localhost:9001/auth/realms/springboot-security-keycloak-integration/protocol/openid-connect/token | jq -r .access_token`
複製代碼

這將收到的訪問令牌存儲在TOKEN變量中。

如今咱們能夠檢查咱們的管理員是否能夠訪問本身的/admin接口

curl -H "Authorization: bearer $TOKEN" http://localhost:9002/admin

Admin
複製代碼

但它沒法訪問/user接口:

$ curl -H "Authorization: bearer $TOKEN" http://localhost:9002/user

{"timestamp":1498728302626,"status":403,"error":"Forbidden","message":"Access is denied","path":"/user"}
複製代碼

對於user用戶也是如此,user用戶沒法訪問admin接口。

源碼地址:GitHub

相關文章
相關標籤/搜索
每日一句
    每一个你不满意的现在,都有一个你没有努力的曾经。
本站公眾號
   歡迎關注本站公眾號,獲取更多信息
聯繫我們 最近搜索 最新文章 沪ICP备13005482号-10 MyBatis教程 SQL 教程 MySQL教程 Java 教程 Thymeleaf 教程 Hibernate教程 Spring教程 Redis教程