java - 如何将Spring Security RemoteTokenService与Keycloak一起使用

Question

我设置了一个Keycloak服务器。配置领域和客户端等。
我成功地用“org.keycloak:keycloak-spring-boot-starter”编写了一个Spring Boot服务，并保护了我的RestController。奇迹般有效。

但是，当我尝试使用Spring Security(没有keycloak特定的依赖项)时，我陷入了困境。

这是我的毕业证书:

dependencies {
compile('org.springframework.boot:spring-boot-starter-security')
compile('org.springframework.security.oauth:spring-security-oauth2')

compile('org.springframework.boot:spring-boot-starter-web')
compileOnly('org.projectlombok:lombok')
testCompile('org.springframework.boot:spring-boot-starter-test')
testCompile('org.springframework.security:spring-security-test')

}

这是我的SecurityConfig:

@Configuration
@EnableResourceServer
public class ResourceServerConfiguration extends 
ResourceServerConfigurerAdapter {

@Override
public void configure(HttpSecurity http) throws Exception {
    http.authorizeRequests()
        .antMatchers("/person/**").hasRole("DEMO_SPRING_SECURITY")
        .anyRequest().authenticated()
        .and().formLogin().disable();
}

@Override
public void configure(ResourceServerSecurityConfigurer resources) throws Exception {

    resources.resourceId("demo-client");
    RemoteTokenServices tokenServices = new RemoteTokenServices();
    tokenServices.setCheckTokenEndpointUrl(
        "http://localhost:8280/auth/realms/demo-realm/protocol/openid-connect/token/introspect");
    tokenServices.setClientId("demo-client");
    tokenServices.setClientSecret("80e19056-7770-4a4a-a3c4-06d8ac8792ef");
    resources.tokenServices(tokenServices);
}
}

现在，我尝试访问服务器:

获取访问 token (通过REST客户端)
解码后的JWT看起来像这样:

{
"jti": "78c00562-d80a-4f5a-ab08-61ed10cb575c",
"exp": 1509603570,
"nbf": 0,
"iat": 1509603270,
"iss": "http://localhost:8280/auth/realms/demo-realm",
"aud": "demo-client",
"sub": "6ee90ba4-2854-49c1-9776-9aa95b6ae598",
"typ": "Bearer",
"azp": "demo-client",
"auth_time": 0,
"session_state": "68ce12fb-3b3f-429d-9390-0662f0503bbb",
"acr": "1",
"client_session": "ec0113e1-022a-482a-a26b-e5701e5edec1",
"allowed-origins": [],
"realm_access": {
  "roles": [
    "demo_user_role",
    "uma_authorization"
  ]
},
"resource_access": {
  "account": {
    "roles": [
      "manage-account",
      "manage-account-links",
      "view-profile"
    ]
  }
},
"name": "Jim Panse",
"preferred_username": "demo-user",
"given_name": "Jim",
"family_name": "Panse",
"email": "user@dmoain.com"
}

但是我得到一个AccessDeniedException。

2017-11-02 07:18:05.344 DEBUG 17637 --- [nio-8080-exec-1] o.s.s.w.a.i.FilterSecurityInterceptor    : Previously Authenticated:

org.springframework.security.oauth2.provider.OAuth2Authentication@1f3ee7e1: Principal: demo-client; Credentials: [PROTECTED]; Authenticated: true; Details: remoteAddress=127.0.0.1, tokenType=BearertokenValue=; Not granted any authorities 2017-11-02 07:18:05.348 DEBUG 17637 --- [nio-8080-exec-1] o.s.s.access.vote.AffirmativeBased : Voter: org.springframework.security.web.access.expression.WebExpressionVoter@14032696, returned: -1 2017-11-02 07:18:05.353 DEBUG 17637 --- [nio-8080-exec-1] o.s.s.w.a.ExceptionTranslationFilter : Access is denied (user is not anonymous); delegating to AccessDeniedHandler

org.springframework.security.access.AccessDeniedException: Access is denied

我调试了RemoteTokenService，发现Keycloak使用完全相同的访问 token 进行了响应。没关系
但是 DefaultAccessTokenConverter会尝试从不存在的 authorities字段中读取用户角色。并且 OAuth2WebSecurityExpressionHandler评估用户确实具有任何角色。 ->访问被拒绝

所以我的问题是:

使Spring Security与Keycloak访问 token 一起工作需要什么？

Answer 1

通过keycloak管理控制台，您可以为客户“demo-client”创建一个类型为用户领域角色的 token 映射器，其声明名称为“authorities”。
然后，访问 token 在此属性中包含角色名称，并且不需要自定义DefaultAccessTokenConverter。