Java Docker Compose中存在钥匙斗篷的Spring引导问题
我在docker compose里找不到Key斗篷。我有一个基本的SpringBootRESTAPI,它使用SpringSecurity中新的OAuth堆栈作为资源服务器。我已经设置了KeyClope身份验证服务器,以便在第一次启动时导入一个领域。我正在尝试使用客户端凭据流。当API在本地运行时,它可以正常工作,但是当我在docker compose中运行它时,它会失败,甚至在它到达端点之前就出现了401未经授权的错误。据我所知,这可能是一个cors错误,因为飞行前的请求是触发401的原因,但我使用的配置都不起作用。当我尝试使用curl访问时,响应表明它是无效的令牌。我也研究过一些常见的问题,比如时区漂移等等,但似乎也不是罪魁祸首。我已经更新了我的Java Docker Compose中存在钥匙斗篷的Spring引导问题,java,spring,spring-boot,docker-compose,keycloak,Java,Spring,Spring Boot,Docker Compose,Keycloak,我在docker compose里找不到Key斗篷。我有一个基本的SpringBootRESTAPI,它使用SpringSecurity中新的OAuth堆栈作为资源服务器。我已经设置了KeyClope身份验证服务器,以便在第一次启动时导入一个领域。我正在尝试使用客户端凭据流。当API在本地运行时,它可以正常工作,但是当我在docker compose中运行它时,它会失败,甚至在它到达端点之前就出现了401未经授权的错误。据我所知,这可能是一个cors错误,因为飞行前的请求是触发401的原因,但我
etc/hostsisskeydove:8081.authorizeRequests().anyRequest().authorized()和().oauth2ResourceServer().jwt()version: "3.8"
services:
mariadb:
image: mariadb:10.5.3
environment:
MYSQL_ROOT_PASSWORD: root_password
MYSQL_DATABASE: keycloak
MYSQL_USER: some_user
MYSQL_PASSWORD: password
container_name: mariadb-10.5.3
networks:
- app
volumes:
- "auth:/var/lib/mysql"
auth:
build:
context: ./auth/
args:
- JAVA_VERSION=14
image: auth:1.0.0.1
container_name: auth-1.0.0.1
ports:
- "8081:8081"
environment:
KEYCLOAK_DB_PROTOCOL: mysql
KEYCLOAK_DB_HOST: mariadb
KEYCLOAK_DB_PORT: 3306
KEYCLOAK_DB_NAME: keycloak
KEYCLOAK_DB_USERNAME: some_user
KEYCLOAK_DB_PASSWORD: password
KEYCLOAK_DB_DRIVER: org.mariadb.jdbc.Driver
KEYCLOAK_CONTEXT_PATH: /auth
depends_on:
- mariadb
entrypoint:
["./wait-for-it.sh", "mariadb:3306", "--", "java", "-jar", "/app.jar"]
networks:
- app
api:
build:
context: ./api/
args:
- JAVA_VERSION=14
image: api:1.0.0.1
container_name: api-1.0.0.1
ports:
- "8080:8080"
environment:
KEYCLOAK_HOST: keycloak
KEYCLOAK_PORT: 8081
KEYCLOAK_CONTEXT_PATH: /auth
KEYCLOAK_REALM: api
ELASTICSEARCH_HOST: elasticsearch
ELASTICSEARCH_PORT: 9200
depends_on:
- elasticsearch
- auth
entrypoint:
[
"./wait-for-it.sh",
"elasticsearch:9200",
"--",
"java",
"-jar",
"/app.jar",
]
networks:
- app
elasticsearch:
image: docker.elastic.co/elasticsearch/elasticsearch-oss:7.7.1
container_name: elasticsearch-7.7.1
environment:
discovery.type: single-node
ports:
- "9200:9200"
- "9300:9300"
networks:
- app
- elk
kibana:
image: docker.elastic.co/kibana/kibana-oss:7.7.1
container_name: kibana-7.7.1
depends_on:
- elasticsearch
ports:
- "5601:5601"
networks:
- elk
logstash:
build:
context: ./elk/logstash/
image: logstash:7.7.1
container_name: logstash-7.7.1
depends_on:
- elasticsearch
environment:
PIPELINE_WORKERS: 1
networks:
- elk
networks:
elk:
name: elk
app:
name: app
volumes:
auth:
name: auth
@配置
@EnableGlobalMethodSecurity(prespenabled=true)//启用预授权注释
公共类SecurityConfig扩展了WebSecurity配置适配器{
@凌驾
受保护的无效配置(HttpSecurity http)引发异常{
http.cors()和()
.授权请求()
.anyRequest()
.authenticated()
.及()
.oauth2ResourceServer()
.jwt();
}
}
spring.security.oauth2.resourceserver.jwt.issuer uri=http://\${keydove\u HOST:localhost}:\${keydove\u PORT}/\${keydove\u CONTEXT\u PATH:auth}/realms/\${keydove\u REALM
spring.security.oauth2.resourceserver.jwt.jwk set uri=http://\${keydove\u HOST:localhost}:\${keydove\u PORT}/\${keydove\u CONTEXT\u PATH:auth}/realms/\${keydove\u REALM}/protocol openid connect/certs
keycloak:
cors: true
server:
contextPath: ${KEYCLOAK_CONTEXT_PATH:/auth}
adminUser:
username: admin
password: admin
realmImportFile:
- api-realm.json
@RestController
@RequestMapping("/")
public class Controller {
@Autowired
IDocumentRepository documentRepository;
@GetMapping("/{id}")
@PreAuthorize("@authorizationService.checkClientIDMatchesID(#token, #id)")
public Iterable<Documents> getAll(@AuthenticationPrincipal Jwt token, @PathVariable("id") String id) {
return documentRepository.findById(id);
}
}
我在jwt.io上对其进行了解码,它说签名未经验证,公钥似乎无法使其生效。服务器端是否有任何错误跟踪?我添加了屏幕截图。这里没有太多的信息,但我在使用JWT签名/auth/realms/master/protocol/openid connect/token时添加了另一个编辑,我想这就是token端点。您是如何与api和api进行通信的keycloak@Gurkanİlleez我读了链接,但它似乎没有解决这个问题。API使用来自Spring Security的oauth2ResourceServer方法,允许它充当依赖方。它读取
spring.security.oauth2.resourceserver.jwt.issuer urispring.security.oauth2.resourceserver.jwt.jwk set uri@Service
public class AuthorizationService {
private static final Logger logger = LoggerFactory.getLogger(AuthorizationService.class);
public boolean checkClientIDMatchesID(Jwt token, String id)
{
if (id == null || token == null || token.getClaimAsBoolean("clientId") == null) return false;
return ((String)token.getClaim("clientId")).equalsIgnoreCase(id);
}
}