
Keycloak: Unable to authenticate users with the Spring Security adapter

Stack Overflow user
Asked on 2016-11-09 01:13:31
Answers: 1, Views: 2.4K, Followers: 0, Votes: 1

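I would appreciate your help with the following issue. I am trying to configure the Spring Security Adapter (version 2.3.0.Final): https://keycloak.gitbooks.io/securing-client-applications-guide/content/topics/oidc/java/spring-security-adapter.html

I think Keycloak uses static client registration, because when I try to connect without a client configured in Keycloak, I get the following: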

16:15:43,174 WARN  [org.keycloak.events] (default task-3) type=LOGIN_ERROR, realmId=master, clientId=st_1, userId=null, ipAddress=192.168.111.33, error=client_not_found

Please note that I have successfully used the mod-auth-openidc and mitreid clients.

I am not sure what "Valid Redirect URIs" is; I have configured the following value in the IDP: http://192.168.110.2:8081/app/sso/login

Now the client redirects to the Keycloak IDP using this URL: http://192.168.110.2:8080/auth/realms/master/protocol/openid-connect/auth?response_type=code&client_id=testclient&redirect_uri=http%3A%2F%2F192.168.110.2%3A8081%2Fapp%2Fsso%2Flogin&state=10%2Fc0079a4b-e896-4400-9357-77fdacde9a56&login=true&scope=openid

I authenticate the user, and the IDP returns to the client with the following URL: http://192.168.110.2:8081/app/sso/login?state=14%2F9a4376fa-06e2-4188-a616-a182363dab3a&code=JzKXHOm7jRp5pkfT6GT6rRPZ5HOcZyGEB5uA-fjrk1I.7d91a145-76a5-4bc4-960f-f4a67f242fba

Unfortunately, I have an endless loop. When I debug KeycloakAuthenticationProcessingFilter, I see that AuthOutcome gets the value NOT_ATTEMPTED, which causes an additional redirect to the IDP. What am I missing?

keycloak.json

{
  "realm" : "master",
  "resource" : "st_1",
  "auth-server-url" : "http://192.168.110.2:8080/auth",
  "ssl-required" : "none",
  "use-resource-role-mappings" : false,
  "enable-cors" : true,
  "cors-max-age" : 1000,
  "cors-allowed-methods" : "POST, PUT, DELETE, GET",
  "bearer-only" : false,
  "enable-basic-auth" : false,
  "expose-token" : true,
  "credentials" : {
    "secret" : "bc644880-5544-4110-8e05-5bbd2a95b3e2"
  },

  "connection-pool-size" : 20,
  "disable-trust-manager": true,
  "allow-any-hostname" : true,
  "token-minimum-time-to-live" : 10

}

spring-security.xml

<?xml version="1.0" encoding="UTF-8"?>

<!--
  - Sample namespace-based configuration
  -
  -->


<beans xmlns="http://www.springframework.org/schema/beans"
    xmlns:sec="http://www.springframework.org/schema/security"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:context="http://www.springframework.org/schema/context"
    xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
                        http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd
                        http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd">




    <sec:global-method-security pre-post-annotations="enabled">
        <!-- AspectJ pointcut expression that locates our "post" method and applies security that way
        <protect-pointcut expression="execution(* bigbank.*Service.post*(..))" access="ROLE_TELLER"/>
        -->
    </sec:global-method-security>

    <context:component-scan base-package="org.keycloak.adapters.springsecurity" />





    <sec:http use-expressions="true" disable-url-rewriting="false" entry-point-ref="keycloakAuthenticationEntryPoint">
        <sec:intercept-url pattern="/**" access="isAuthenticated()"/>
        <sec:csrf disabled="true"/>
        <sec:headers disabled="true"/>
        <sec:custom-filter ref="keycloakPreAuthActionsFilter" before="LOGOUT_FILTER" />
        <sec:custom-filter ref="keycloakAuthenticationProcessingFilter" before="FORM_LOGIN_FILTER" />
        <sec:custom-filter ref="logoutFilter" position="LOGOUT_FILTER" />

    </sec:http>


    <sec:authentication-manager alias="authenticationManager">
        <sec:authentication-provider ref="keycloakAuthenticationProvider" />
    </sec:authentication-manager>

    <bean id="adapterDeploymentContext" class="org.keycloak.adapters.springsecurity.AdapterDeploymentContextFactoryBean">
        <constructor-arg value="/WEB-INF/keycloak/keycloak.json" />
    </bean>

    <bean id="keycloakAuthenticationEntryPoint" class="org.keycloak.adapters.springsecurity.authentication.KeycloakAuthenticationEntryPoint" />
    <bean id="keycloakAuthenticationProvider" class="org.keycloak.adapters.springsecurity.authentication.KeycloakAuthenticationProvider" />
    <bean id="keycloakPreAuthActionsFilter" class="org.keycloak.adapters.springsecurity.filter.KeycloakPreAuthActionsFilter" />
    <bean id="keycloakAuthenticationProcessingFilter" class="org.keycloak.adapters.springsecurity.filter.KeycloakAuthenticationProcessingFilter">
        <constructor-arg name="authenticationManager" ref="authenticationManager" />
    </bean>

    <bean id="keycloakLogoutHandler" class="org.keycloak.adapters.springsecurity.authentication.KeycloakLogoutHandler">
        <constructor-arg ref="adapterDeploymentContext" />
    </bean>

    <bean id="logoutFilter" class="org.springframework.security.web.authentication.logout.LogoutFilter">
        <constructor-arg name="logoutSuccessUrl" value="/" />
        <constructor-arg name="handlers">
            <list>
                <ref bean="keycloakLogoutHandler" />
                <bean class="org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler" />
            </list>
        </constructor-arg>
        <property name="logoutRequestMatcher">
            <bean class="org.springframework.security.web.util.matcher.AntPathRequestMatcher">
                <constructor-arg name="pattern" value="/sso/logout**" />
                <constructor-arg name="httpMethod" value="GET" />
            </bean>
        </property>
    </bean>




</beans>

1 Answer

Stack Overflow user

Posted on 2019-02-01 02:02:58

I worked it out myself. The doc is wrong. Change keycloakAuthenticationEntryPoint to

   <beans:bean id="keycloakAuthenticationEntryPoint"
                class="org.keycloak.adapters.springsecurity.authentication.KeycloakAuthenticationEntryPoint">
        <beans:constructor-arg name="adapterDeploymentContext" ref="adapterDeploymentContext"/>
    </beans:bean>
Votes: 0
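
When an authorization code flow loops like the one in the question, it helps to check one request/callback pair for consistency before stepping through the filter. The following is an added example, not code from the original post or from Keycloak; it uses the URLs and keycloak.json values quoted in the question (client secret omitted, authorization code redacted), and the function names are hypothetical. The wildcard handling assumes a trailing `*` in a Valid Redirect URIs entry acts as a prefix match.

```python
import json
from urllib.parse import urlsplit, parse_qs

# Values copied from the question (client secret omitted, code redacted).
ADAPTER_CFG = json.loads('{"realm": "master", "resource": "st_1", '
                         '"auth-server-url": "http://192.168.110.2:8080/auth"}')
VALID_REDIRECT_URIS = ["http://192.168.110.2:8081/app/sso/login"]
AUTH_REQUEST = (
    "http://192.168.110.2:8080/auth/realms/master/protocol/openid-connect/auth"
    "?response_type=code&client_id=testclient"
    "&redirect_uri=http%3A%2F%2F192.168.110.2%3A8081%2Fapp%2Fsso%2Flogin"
    "&state=10%2Fc0079a4b-e896-4400-9357-77fdacde9a56&login=true&scope=openid")
CALLBACK = ("http://192.168.110.2:8081/app/sso/login"
            "?state=14%2F9a4376fa-06e2-4188-a616-a182363dab3a&code=REDACTED")

def split_url(url):
    """Return (url without query, {param: first value}) with values decoded."""
    parts = urlsplit(url)
    base = f"{parts.scheme}://{parts.netloc}{parts.path}"
    return base, {k: v[0] for k, v in parse_qs(parts.query).items()}

def redirect_allowed(uri, patterns):
    """Exact match, or prefix match when a pattern ends with '*'."""
    return any(uri.startswith(p[:-1]) if p.endswith("*") else uri == p
               for p in patterns)

def check_flow(cfg, valid_uris, auth_request, callback):
    """Return (field, detail) findings for one request/callback pair."""
    req_base, req = split_url(auth_request)
    cb_base, cb = split_url(callback)
    findings = []
    endpoint = (cfg["auth-server-url"].rstrip("/") + "/realms/" + cfg["realm"]
                + "/protocol/openid-connect/auth")
    if req_base != endpoint:
        findings.append(("endpoint", f"{req_base} != {endpoint}"))
    if req.get("client_id") != cfg["resource"]:
        findings.append(("client_id", f"request sends {req.get('client_id')!r}, "
                         f"keycloak.json resource is {cfg['resource']!r}"))
    if not redirect_allowed(req.get("redirect_uri", ""), valid_uris):
        findings.append(("redirect_uri", "not in Valid Redirect URIs"))
    if cb_base != req.get("redirect_uri"):
        findings.append(("callback", f"{cb_base} is not the requested redirect_uri"))
    if cb.get("state") != req.get("state"):
        # Also fires when the two URLs come from different loop iterations.
        findings.append(("state", f"{cb.get('state')!r} != {req.get('state')!r}"))
    if "code" not in cb:
        findings.append(("code", "callback carries no authorization code"))
    return findings

if __name__ == "__main__":
    for field, detail in check_flow(ADAPTER_CFG, VALID_REDIRECT_URIS,
                                    AUTH_REQUEST, CALLBACK):
        print(f"{field}: {detail}")
```

On the values as quoted, the check reports the `client_id` (`testclient` against `st_1`) and `state` differences, which suggests the request URL, the callback URL and keycloak.json in the question were not captured from the same attempt.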

The original page content is provided by Stack Overflow. Translation support is provided by the Tencent Cloud Xiaowei IT-domain engine.
Original link:

https://stackoverflow.com/questions/40492746
