Java 是否可以在不同于授权的头上验证KeyClope令牌?
我正在实现keydepeat,到目前为止效果非常好。我根据文档做了一个基本配置,看起来有点像这样:Java 是否可以在不同于授权的头上验证KeyClope令牌?,java,authentication,keycloak,Java,Authentication,Keycloak,我正在实现keydepeat,到目前为止效果非常好。我根据文档做了一个基本配置,看起来有点像这样: @Primary public class AuthConfig extends KeycloakWebSecurityConfigurerAdapter { @Primary @Bean public KeycloakConfigResolver KeycloakConfigResolver() { return new KeycloakSpringBootConfigResolver
@Primary
public class AuthConfig extends KeycloakWebSecurityConfigurerAdapter {
@Primary
@Bean
public KeycloakConfigResolver KeycloakConfigResolver() {
return new KeycloakSpringBootConfigResolver();
}
public SimpleAuthorityMapper grantedAuthority() {
SimpleAuthorityMapper mapper = new SimpleAuthorityMapper();
return mapper;
}
@Primary
@Autowired
public void configureGlobal(AuthenticationManagerBuilder auth) {
KeycloakAuthenticationProvider keycloakAuthenticationProvider = keycloakAuthenticationProvider();
keycloakAuthenticationProvider.setGrantedAuthoritiesMapper(grantedAuthority());
auth.authenticationProvider(keycloakAuthenticationProvider);
}
@Override
protected SessionAuthenticationStrategy sessionAuthenticationStrategy() {
return new NullAuthenticatedSessionStrategy();
}
@Primary
@Bean
public AuthenticationProvider authenticationProvider() {
return keycloakAuthenticationProvider();
}
@Primary
@Bean
public FilterRegistrationBean keycloakPreAuthActionsFilterRegistrationBean(
KeycloakPreAuthActionsFilter filter) {
FilterRegistrationBean registrationBean = new FilterRegistrationBean(filter);
return registrationBean;
}
@Primary
@Bean
public FilterRegistrationBean keycloakAuthenticatedActionsFilterBean(
KeycloakAuthenticatedActionsFilter filter) {
FilterRegistrationBean registrationBean = new FilterRegistrationBean(filter);
registrationBean.setEnabled(false);
return registrationBean;
}
@Primary
@Bean
public FilterRegistrationBean keycloakSecurityContextRequestFilterBean(
KeycloakSecurityContextRequestFilter filter) {
FilterRegistrationBean registrationBean = new FilterRegistrationBean(filter);
return registrationBean;
}
@Primary
@Bean
@Override
@ConditionalOnMissingBean(HttpSessionManager.class)
protected HttpSessionManager httpSessionManager() {
return new HttpSessionManager();
}
public foo getUser(Principal userPrincipal) {
...
}
可能有重复的配置,但关键是在对api到api令牌进行身份验证时(这就是为什么我将其设置为不创建会话)和对用户令牌进行身份验证时,该配置工作正常
因此,当我发送用户令牌时,我可以执行如下操作:
@Primary
public class AuthConfig extends KeycloakWebSecurityConfigurerAdapter {
@Primary
@Bean
public KeycloakConfigResolver KeycloakConfigResolver() {
return new KeycloakSpringBootConfigResolver();
}
public SimpleAuthorityMapper grantedAuthority() {
SimpleAuthorityMapper mapper = new SimpleAuthorityMapper();
return mapper;
}
@Primary
@Autowired
public void configureGlobal(AuthenticationManagerBuilder auth) {
KeycloakAuthenticationProvider keycloakAuthenticationProvider = keycloakAuthenticationProvider();
keycloakAuthenticationProvider.setGrantedAuthoritiesMapper(grantedAuthority());
auth.authenticationProvider(keycloakAuthenticationProvider);
}
@Override
protected SessionAuthenticationStrategy sessionAuthenticationStrategy() {
return new NullAuthenticatedSessionStrategy();
}
@Primary
@Bean
public AuthenticationProvider authenticationProvider() {
return keycloakAuthenticationProvider();
}
@Primary
@Bean
public FilterRegistrationBean keycloakPreAuthActionsFilterRegistrationBean(
KeycloakPreAuthActionsFilter filter) {
FilterRegistrationBean registrationBean = new FilterRegistrationBean(filter);
return registrationBean;
}
@Primary
@Bean
public FilterRegistrationBean keycloakAuthenticatedActionsFilterBean(
KeycloakAuthenticatedActionsFilter filter) {
FilterRegistrationBean registrationBean = new FilterRegistrationBean(filter);
registrationBean.setEnabled(false);
return registrationBean;
}
@Primary
@Bean
public FilterRegistrationBean keycloakSecurityContextRequestFilterBean(
KeycloakSecurityContextRequestFilter filter) {
FilterRegistrationBean registrationBean = new FilterRegistrationBean(filter);
return registrationBean;
}
@Primary
@Bean
@Override
@ConditionalOnMissingBean(HttpSessionManager.class)
protected HttpSessionManager httpSessionManager() {
return new HttpSessionManager();
}
public foo getUser(Principal userPrincipal) {
...
}
然后我将能够访问令牌的用户所有者,并从JWT令牌获取信息
我的问题是,所有这些都是在发送头身份验证时发生的,此时我需要在验证用户时发送一个不同于身份验证的头,这样我就可以接收API令牌和用户令牌,并决定(根据JWT信息和其他逻辑)稍后调用另一个服务时将使用哪个令牌
是否可以为我的用户令牌创建我自己的keydepot“session”,然后从中创建UserPrincipal
有什么想法吗?你把你要完成的任务和你想要构建它的方式搞混了。您说您希望接收2个令牌,而不是在身份验证标头中同时接收这两个令牌,但这就是“您希望的方式”。请详细说明你需要完成什么。我怀疑您可以在只接收一个令牌的情况下执行此操作。如果您的后端正在通过keydove执行身份验证,那么它肯定可以访问id令牌(包含用户名、电子邮件等),在大多数keydove适配器集成中,id令牌已经映射了用户主体的一些内容。如果没有,则使用keydeposecuritycontext
或keydeposecuritycontext
的实例。