Springboot中结合Keycloak和Spring security 开启细粒度权限控制

最新推荐文章于 2024-09-02 12:19:57 发布
最新推荐文章于 2024-09-02 12:19:57 发布
阅读量2.6k 收藏 3
点赞数
分类专栏: WebServer 文章标签: keycloak spring boot
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/austindev/article/details/112235700
版权

Springboot中结合Keycloak和Spring security 开启细粒度权限控制

背景说明

Keycloak作为开源轻量级的统一账号管理系统,可以帮助我们快速搭建一个完整,安全的支持单点登录,开放平台,鉴权及授权的集中式账号管理系统。

加上Keycloak的Authorization Services,提供给我们灵活强大的细粒度权限控制,而不再局限在角色访问控制。

这篇文章重点在于,如何在springboot中集成spring security,以及keycloak,以及配置相关访问权限配置。

而 Keycloak服务的搭建,领域的配置,Authorization Services的配置则不在这里涉及。

引入依赖:Spring Security Adapter

Keycloak官方文档,提供了 Keycloak Java适配器的相关配置说明,集成Springboot说明,以及 Spring security中的集成,这篇文章主要参考
https://www.keycloak.org/docs/latest/securing_apps/index.html#_spring_security_adapter
可以作为官方文档的一个实践。

<dependency>
    <groupId>org.keycloak</groupId>
    <artifactId>keycloak-spring-security-adapter</artifactId>
    <version>12.0.1</version>
</dependency>

<dependency>
     <groupId>org.keycloak</groupId>
     <artifactId>keycloak-authz-client</artifactId>
     <version>12.0.1</version>
 </dependency>

结合spring security则必须加上 spring security的依赖

<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-security</artifactId>
</dependency>

keycloak.json配置

keycloak的配置可以放在 application.yaml中,也可以单独放在自己的keycloak.json中;

放在不同位置,只需要在下面的配置文件中添加对应的resolver即可;

在这里,我们放在单独的keycloak.json中

{
    "realm": "kulchao-mall",
    "auth-server-url": "http://127.0.0.1:8018/auth",
    "ssl-required": "none",
    "resource": "mall_system",
    "bearer-only": true,
    "credentials": {
        "secret": "a9e0d2ce-25a4-4e10-b8bf-577f28468a42"
    },
    "policy-enforcer": {
        "paths": [
            {
                "name": "commodity",
                "path": "/",
                "methods": [
                    {
                        "method": "GET",
                        "scopes": ["view"]
                    },
                    {
                        "method": "POST",
                        "scopes": ["edit"]
                    }
                ]
            }
        ]
    }
}

KeycloakSecurityConfig配置

完成上述步骤后,就需要参照Spring Security的使用,配置下SecurityConfig,形式如下:

@EnableWebSecurity(debug = true)
@KeycloakConfiguration
public class KeycloakSecurityConfig extends KeycloakWebSecurityConfigurerAdapter {
...
}

下面一步步讲解其中需要注意的地方:

配置如何读取keycloak

我们这里把keycloak的配置放在了单独的keycloak.json文件,对应的就需要配置一下读取该文件信息:

    @Bean
    public KeycloakConfigResolver keycloakConfigResolver() {
       return new KeycloakConfigResolver() {

           private KeycloakDeployment keycloakDeployment;

           @Override
           public KeycloakDeployment resolve(HttpFacade.Request facade) {
               if (keycloakDeployment != null) {
                   return keycloakDeployment;
               }

               String path = "/keycloak.json";
               InputStream configInputStream = getClass().getResourceAsStream(path);

               if (configInputStream == null) {
                   throw new RuntimeException("Could not load Keycloak deployment info: " + path);
               } else {
                   keycloakDeployment = KeycloakDeploymentBuilder.build(configInputStream);
               }

               return keycloakDeployment;
           }
       };
   }

具体如何起作用,查看下源码都是很清楚,不再赘述;

配置会话鉴权策略

SessionAuthenticationStrategy 主要用于会话相关的防护,比如:固定会话攻击等.
这里需要我们配一下具体的策略,相应的说明如下:

  • public or confidential 应用设置为 RegisterSessionAuthenticationStrategy
  • bearer-only应用设置为 NullAuthenticatedSessionStrategy

对应的配置如下:

    @Override
    protected SessionAuthenticationStrategy sessionAuthenticationStrategy() {
//        return new RegisterSessionAuthenticationStrategy(new SessionRegistryImpl());
        return new NullAuthenticatedSessionStrategy();
    }

避免重复注册过滤器

由于KeycloakSpringBoot中会进行提前注册相关的过滤器,然后在Spring Security中也进行相关过滤器的添加,会导致重复注册;

我们只需要在 securityconfig中添加FilterRegistrationBean,则对应的@ConditionalOnMissingBean注解条件不成立,就可以避免上述情况的发生.

@Bean
    @SuppressWarnings("unchecked")
    public FilterRegistrationBean keycloakAuthenticationProcessingFilterRegistrationBean(KeycloakAuthenticationProcessingFilter filter) {
        FilterRegistrationBean registrationBean = new FilterRegistrationBean(filter);
        registrationBean.setEnabled(false);
        return registrationBean;
    }

    @Bean
    @SuppressWarnings("unchecked")
    public FilterRegistrationBean keycloakPreAuthActionsFilterRegistrationBean(KeycloakPreAuthActionsFilter filter) {
        FilterRegistrationBean registrationBean = new FilterRegistrationBean(filter);
        registrationBean.setEnabled(false);
        return registrationBean;
    }

    @Bean
    @SuppressWarnings("unchecked")
    public FilterRegistrationBean keycloakAuthenticatedActionsFilterBean(KeycloakAuthenticatedActionsFilter filter) {
        FilterRegistrationBean registrationBean = new FilterRegistrationBean(filter);
        registrationBean.setEnabled(false);
        return registrationBean;
    }

    @Bean
    @SuppressWarnings("unchecked")
    public FilterRegistrationBean keycloakSecurityContextRequestFilterBean(KeycloakSecurityContextRequestFilter filter) {
        FilterRegistrationBean registrationBean = new FilterRegistrationBean(filter);
        registrationBean.setEnabled(false);
        return registrationBean;
    }

    // avoid double registration
    @Bean
    @Override
    @ConditionalOnMissingBean(HttpSessionManager.class)
    protected HttpSessionManager httpSessionManager() {
        return new HttpSessionManager();
    }

完整的配置如下

/*
 * To change this license header, choose License Headers in Project Properties.
 * To change this template file, choose Tools | Templates
 * and open the template in the editor.
 */
import java.io.InputStream;
import org.keycloak.adapters.KeycloakConfigResolver;
import org.keycloak.adapters.KeycloakDeployment;
import org.keycloak.adapters.KeycloakDeploymentBuilder;
import org.keycloak.adapters.spi.HttpFacade;
import org.keycloak.adapters.springsecurity.KeycloakConfiguration;
import org.keycloak.adapters.springsecurity.authentication.KeycloakAuthenticationProvider;
import org.keycloak.adapters.springsecurity.config.KeycloakWebSecurityConfigurerAdapter;
import org.keycloak.adapters.springsecurity.filter.KeycloakAuthenticatedActionsFilter;
import org.keycloak.adapters.springsecurity.filter.KeycloakAuthenticationProcessingFilter;
import org.keycloak.adapters.springsecurity.filter.KeycloakPreAuthActionsFilter;
import org.keycloak.adapters.springsecurity.filter.KeycloakSecurityContextRequestFilter;
import org.keycloak.adapters.springsecurity.management.HttpSessionManager;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
import org.springframework.boot.web.servlet.FilterRegistrationBean;
import org.springframework.context.annotation.Bean;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.authority.mapping.SimpleAuthorityMapper;
import org.springframework.security.web.AuthenticationEntryPoint;
import org.springframework.security.web.authentication.session.NullAuthenticatedSessionStrategy;
import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy;

/**
 *
 * @author admin
 */
@EnableWebSecurity(debug = true)
@KeycloakConfiguration
public class KeycloakSecurityConfig extends KeycloakWebSecurityConfigurerAdapter {

    private final static Logger LOGGER = LoggerFactory.getLogger(KeycloakSecurityConfig.class);

    /**
     * Registers the KeycloakAuthenticationProvider with the authentication
     * manager.
     *
     * @param auth
     */
    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) {
        KeycloakAuthenticationProvider keyCloakAuthProvider = keycloakAuthenticationProvider();
        keyCloakAuthProvider.setGrantedAuthoritiesMapper(new SimpleAuthorityMapper());
        auth.authenticationProvider(keyCloakAuthProvider);
    }

    @Override
    protected SessionAuthenticationStrategy sessionAuthenticationStrategy() {
//        return new RegisterSessionAuthenticationStrategy(new SessionRegistryImpl());
        return new NullAuthenticatedSessionStrategy();
    }

    @Override
    protected AuthenticationEntryPoint authenticationEntryPoint() {
        return (request, response, authException) -> {
            LOGGER.warn("401 Unauthorized while processing " + request.getRequestURI(), authException);
            response.sendError(401, "Unauthorized");
        };
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        super.configure(http);
        http.cors().and()
                .csrf().disable()
                .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                .sessionAuthenticationStrategy(sessionAuthenticationStrategy())
                .and();
        http.authorizeRequests().anyRequest().authenticated().and();
    }

    /**
     * Overrides default keycloak config resolver behaviour
     * (/WEB-INF/keycloak.json) by a simple mechanism.
     * <p>
     * This example loads other-keycloak.json when the parameter use.other is
     * set to true, e.g.: {@code ./gradlew bootRun -Duse.other=true}
     *
     * @return keycloak config resolver
     */
    @Bean
    public KeycloakConfigResolver keycloakConfigResolver() {
        return new KeycloakConfigResolver() {

            private KeycloakDeployment keycloakDeployment;

            @Override
            public KeycloakDeployment resolve(HttpFacade.Request facade) {
                if (keycloakDeployment != null) {
                    return keycloakDeployment;
                }

                String path = "/keycloak.json";
                InputStream configInputStream = getClass().getResourceAsStream(path);

                if (configInputStream == null) {
                    throw new RuntimeException("Could not load Keycloak deployment info: " + path);
                } else {
                    keycloakDeployment = KeycloakDeploymentBuilder.build(configInputStream);
                }

                return keycloakDeployment;
            }
        };
    }

    // avoids double registration of keycloak filters
    @Bean
    @SuppressWarnings("unchecked")
    public FilterRegistrationBean keycloakAuthenticationProcessingFilterRegistrationBean(KeycloakAuthenticationProcessingFilter filter) {
        FilterRegistrationBean registrationBean = new FilterRegistrationBean(filter);
        registrationBean.setEnabled(false);
        return registrationBean;
    }

    @Bean
    @SuppressWarnings("unchecked")
    public FilterRegistrationBean keycloakPreAuthActionsFilterRegistrationBean(KeycloakPreAuthActionsFilter filter) {
        FilterRegistrationBean registrationBean = new FilterRegistrationBean(filter);
        registrationBean.setEnabled(false);
        return registrationBean;
    }

    @Bean
    @SuppressWarnings("unchecked")
    public FilterRegistrationBean keycloakAuthenticatedActionsFilterBean(KeycloakAuthenticatedActionsFilter filter) {
        FilterRegistrationBean registrationBean = new FilterRegistrationBean(filter);
        registrationBean.setEnabled(false);
        return registrationBean;
    }

    @Bean
    @SuppressWarnings("unchecked")
    public FilterRegistrationBean keycloakSecurityContextRequestFilterBean(KeycloakSecurityContextRequestFilter filter) {
        FilterRegistrationBean registrationBean = new FilterRegistrationBean(filter);
        registrationBean.setEnabled(false);
        return registrationBean;
    }

    // avoid double registration
    @Bean
    @Override
    @ConditionalOnMissingBean(HttpSessionManager.class)
    protected HttpSessionManager httpSessionManager() {
        return new HttpSessionManager();
    }

}

Policy Enforcers相关配置

参考官方文档

只要policy-enforcer有定义,就会开启 PEP流程

{
 "policy-enforcer": {}
}

paths主要配置如下:

  • name: 资源名称,需要跟资源服务上的资源名称对应起来.定义了该属性值,则uris匹配规则失效
  • path: 资源路径;在不配置name的情况下,根据path匹配对应的资源;
  • methods-method: 请求方法
  • methods-scopes: 需要的scopes数组
  • methods-scopes-enforcement-mode: 表明上面的scopes是只需要一个满足(ANY)还是都需要满足(ALL)
  • enforcement-mode: enforcement执行的模式是强制还是关闭
austindev
关注
专栏目录
Java - Generating equals/hashCode implementation but without a call to superclass, even though this
良月柒
05-14 289
方法,以确保遵循Java对象的通用约定。这个约定规定,相等的对象必须具有相等的哈希码。方法首先检查引用是否相等,然后检查是否是同一类型的对象,并执行其他比较逻辑。方法的调用,可能会导致不符合预期的行为,尤其是在与集合类一起使用时。方法包含对父类方法的调用,以遵循Java的通用约定。这个提示的意思是,尽管你的类没有显式地继承。因此,如果遇到这个提示,你应该确保在生成的。方法根据对象的字段生成哈希码。如果生成的方法没有包含对父类。方法时,通常应该调用父类的。方法却没有调用父类的。方法时可能会遇到的。
springboot mybatis 整合druid
laow的博客
07-26 473
springboot mybatis整合druid 添加依赖 <!-- 事务管理aop、jdbc依赖 --> <dependency> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-starter-aop</artifactId> </dependency&
spring boot整合keycloak
qq_73992333的博客
09-02 1226
要求:spring boot是3.3.1以上的版本(如果你希望用spring boot的更低的版本,只需要修改spring boot项目里面的api,主要是修改Security Config,可以让chatgpt帮你修改)// 从 userRequest 获取 OIDC ID Token,这里假设它已经包含在 access token response 的附加参数。我用的是docker(docker运行和把keycloak下载到本地运行都可以,如果发现有问题,一般不会出现在这里)
Lombok:Generating equals/hashCode implementation but without a call to superclass......
不管风吹浪打,胜似闲庭信步
05-27 2799
Generating equals/hashCode implementation but without a call to superclass, even though this class does not extend java.lang.Object. If this is intentional, add '(callSuper=false)' to your type.
Generating equals/hashCode implementation but without a call to superclass
qq_42449963的博客
07-03 1万+
警告信息 Generating equals/hashCode implementation but without a call to superclass, even though this class does not extend java.lang.Object. If this is intentional, add ‘(callSuper=false)’ to your type. 百度翻译结果: 生成equals/hashCode实现,但不调用超类,即使该类不扩展java.lang.O
【错误警告】Generating equals/hashCode implementation but without a call to superclass
橘足轻重的博客
06-08 3649
小问题也要注意,尽量修复,免得墨菲定律引起错误。
通用权限管理系统+springboot+mybatis plus+spring security+jwt+redis+mysql
05-30
后端使用SpringBoot框架进行业务逻辑开发,利用Spring Security实现权限控制。数据库采用MySQL进行数据存储,使用MyBatis进行数据访问。 权限控制模块设计包括用户、角色和权限三个主要模块。用户模块用于管理用户...
keycloak-springsecurity5-sample:Spring Security 5 OAuth2 ClientOIDC与Keycloak示例的集成
01-31
keycloak-springsecurity5样本 Spring Security 5带来了新的OAuth2 / OIDC客户端,而不是旧的Spring Security OAuth子项目的旧客户端支持。 核心项目的新OAuth2伞形模块将替换旧的Spring Security OAuth,Spring...
SpringBoot2+MybatisPlus+SpringSecurity+jwt+redis+Vue的前后端分离的商城系统
04-30
基于当前流行技术组合的前后端分离商城系统:SpringBoot2+MybatisPlus+SpringSecurity+jwt+redis+Vue的前后端分离的商城系统, 包含商城、sku、运费模板、素材库、小程序直播、拼团、砍价、商户管理、 秒杀、优惠券...
springboot springsecurity动态权限控制
09-18
在这个“springboot springsecurity动态权限控制”的主题,我们将深入探讨如何在Spring Boot项目集成Spring Security,实现动态权限控制,让菜单权限的管理更加灵活和高效。 首先,我们需要理解Spring Security...
基于SpringBoot2.x和SpringSecurity5.x的鱼快权限管理脚手架设计源码
最新发布
10-02
本设计源码是一个基于SpringBoot 2.x和SpringSecurity 5.x构建的鱼快权限管理脚手架,共包含439个文件,其Java源文件135个、HTML文件96个、GIF文件81个、JavaScript文件33个、CSS文件23个、PNG文件19个、XML文件16...
IDEA使用lombok时warn:Generating equals/hashCode implementation but without a call to superclass
热门推荐
INGNIGHT的专栏
03-22 1万+
Generating equals/hashCode implementation but without a call to superclass 1、lombok 警告,没有注入父类的字段 当我们给一个继承了父类的子类上使用@Data @ToString @EqualsAndHashCode 注解时,IDE 会警告 Generating equals/hashCode implemen...
Generating equals/hashCode implementation but without a call to superclass, even though this class
qq_38849191的博客
10-16 1810
实体类加入 @Data 后编译出现警告 java: Generating equals/hashCode implementation but without a call to superclass, even though this class does not extend java.lang.Object. If this is intentional, add '@EqualsAndHashCode(callSuper=false)' to your type. 解决方法: 在实体类加入 @
Redis 缓存系列:springboot整合redis(一)
一天不写代码难受的博客
09-17 690
创建springboot项目 既然上面已经创建了springboot项目,pom文件里面也导入了redis的依赖 <dependency> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-starter-data-redis</artifactId> </dependency&g
Lombok,@Data - Generating equals/hashCode implementation but without a call to superclass
xybz1993的博客
04-24 431
简而言之参考。
Generating equals/hashCode implementation but without a call to superclass, even though this class d
cf
06-09 5959
1.lombok注解@Data使用在继承类上时出现警告 2.解决方法: 2.1在pom内加入 : <plugin> <groupId>org.apache.maven.plugins</groupId> <artifactId>maven-compiler-plugin</artifactId> ...
Lombok - Generating equals/hashCode implementation but without a call to superclass
陆氪和他的那些代码
06-29 2589
1、Lombok 警告,没有注入父类的字段 当我们给一个继承了父类的子类上使用@Data @ToString @EqualsAndHashCode 注解时,IDE 会警告 Generating equals/hashCode implementation but without a call to superclass 意思是,该注解在实现 ToString EqualsAndHashCode 方法时,不会考虑父类的属性,通过反编译的源码也是可以看到他是没有对父类的字段进行比较的。 2、解.
lombok警告:Generating equals/hashCode implementation but without a call to superclass.....
uioy4的博客
08-12 1193
lombok警告:Generating equals/hashCode implementation but without a call to superclass.....产生原因解决 转载-原文连接 开发的时候遇到了这个警告 产生原因 当我们给一个继承了父类的子类上使用@Data @ToString @EqualsAndHashCode 注解时,IDE 会警告 其意思是,该注解在实现 ToString EqualsAndHashCode 方法时,不会考虑父类的属性,通过反编译的源码也是可以看到他是没
评论 1
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值