Spring Boot Keycloak认证后重定向到路径”/”,而不是我期望的路径。

huangapple go评论75阅读模式
英文:

Springboot Keycloak after authentication redirects to path "/" instead of my desired path

问题

我正在尝试将Keycloak身份验证设置到我的Spring Boot应用程序端点,我已配置了SecurityFilterChain。每当我访问路径api时,它会重定向到Keycloak登录界面,成功登录后显示一个白标签错误页面,无法弄清楚我配置错误或者我漏掉了什么。

当跳转到白标签错误页面时,它会记录将SecurityContextHolder设置为OAuth2AuthenticationToken [Principal=Name: [user1]...重定向到/。以下是我用于安全配置的filterChain(SecurityFilterChain)的实现。

@Bean
fun filterChain(http: HttpSecurity): SecurityFilterChain {
    http
        .cors { cors ->
            cors.configurationSource(corsConfigurationSource())
        }
        .authorizeHttpRequests { authz ->
            authz
                .requestMatchers(HttpMethod.GET, "/auth/**").authenticated()
                .requestMatchers(HttpMethod.GET,"/noauth").permitAll()
                .anyRequest().permitAll()
        }
        .oauth2ResourceServer{
            it
                .jwt()
        }
        .sessionManagement{
            it
                .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
        }
        .httpBasic().disable()
        .oauth2Login()

    return http.build()
}

希望这能帮助您找到问题所在。

英文:

I am trying to setup Keycloak authentication to my Spring-boot application endpoints, I have configured the SecurityFilterChain, Whenever I hit the path api it redirects to Keycloak login interface and after successfully completing login it shows an Whitelabel Error Page, can't figure out what I have configured wrong or what am I missing.

When landing on white label error page, it logs Set SecurityContextHolder to OAuth2AuthenticationToken [Principal=Name: [user1]...... and Redirecting to /. Below is my implementation of filterChain(SecurityFilterChain) for Security configuration.

@Bean
fun filterChain(http: HttpSecurity): SecurityFilterChain {
    http
        .cors { cors ->
            cors.configurationSource(corsConfigurationSource())
        }
        .authorizeHttpRequests { authz ->
            authz
                .requestMatchers(HttpMethod.GET, "/auth/**").authenticated()
                .requestMatchers(HttpMethod.GET,"/noauth").permitAll()
                .anyRequest().permitAll()
        }
        .oauth2ResourceServer{
            it
                .jwt()
        }

        .sessionManagement{
            it
                .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
        }
        .httpBasic().disable()
        .oauth2Login()

    return http.build()
}

答案1

得分: 1

我强烈建议你了解一些OAuth2背景知识。你可能还会在我写的教程(链接在同一页上)中找到一些有用的技巧,这些教程涵盖了相当多的客户端和资源服务器配置用例。

在OAuth2中,登录是客户端的责任(而不是资源服务器),并且需要会话。

在这里,你将OAuth2客户端和OAuth2资源服务器配置混合在同一个安全过滤器链中。这是不一致的。

如果你的应用是一个REST API,你希望用JWT访问令牌进行安全保护,请移除与登录相关的任何内容(再次强调,这是客户端的责任)。你也可以禁用CSRF保护,就像你禁用了会话一样。使用Postman或其他OAuth2 REST客户端进行登录,然后查询你的API。

如果你想在你的应用程序内部使用OAuth2登录(也许你有使用Thymeleaf等服务器端渲染的UI),那么你的应用程序是一个客户端,将通过会话进行安全保护(而不是JWT)。启用会话并移除与资源服务器相关的部分。

如果你两者都希望(有时使用会话进行授权,有时使用访问令牌进行授权),那么定义两个不同的SecurityFilterChain bean,具有不同的@Order,在第一个bean中使用securityMatcher来限制应该应用到哪些请求上。

英文:

I strongly advise that you get some more OAuth2 background. You might also find usefull tips in the tutorials I wrote (linked on the same page), which cover quite a few client and resource-server configuration use cases.

In OAuth2, login is the responsability of clients (not resource server) and requires sessions.

Here, you are mixing OAuth2 client and OAuth2 resource server configuration in the same security filter-chain. This isn't consistent.

If your app is a REST API you want to be secured with JWT access tokens, remove anything related to login (again, this is the responsability of the client). You may also disable CSRF protection as you disabled sessions. Use Postman or whatever OAuth2 REST client to login and then query your API.

If you want OAuth2 login inside your app (maybe you have server side rendered UI with Thymeleaf or something), then your app is a client and will be secured with sessions (not JWTs). Enable sessions and remove the part with resource server.

If you want both (access authorized with sessions in some cases and with access tokens in others), then define two distinct SecurityFilterChain beans, with dintinct @Order and a securityMatcher in the first in @Order to restrict to which requests it should be applied.

huangapple
  • 本文由 发表于 2023年4月13日 18:00:15
  • 转载请务必保留本文链接:https://go.coder-hub.com/76004122.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定