Servlets 直接使用access_令牌时，KeyClope授权失败（403-禁止）

我的

localhost:8080

上运行着一个docker Keyclope，我的

localhost:8081

上运行着一个tomcat服务器，其中一个servlet运行着

/dummy

，我得到了一个

Hello World

现在，我已经为keydape创建了一个过滤器，并将其添加到

war

中，并重新部署了servlet。正如所料，我得到了一个

403-禁止

Type Status Report
Description The server understood the request but refuses to authorize it.

在KeyClope管理控制台中，我有一个客户机虚拟机和一个用户演示（realm也是演示）

以下是应用程序中的
keydape.json
：

{
  "realm": "demo",
  "auth-server-url": "http://localhost:8080/auth",
  "ssl-required": "external",
  "resource": "dummy",
  "public-client": true
}

因此，首先我要：

POST http://localhost:8080/auth/realms/demo/protocol/openid-connect
/token?client_id=dummy&username=demo&password=demodemo&grant_type=password
Accept: */*
Cache-Control: no-cache

然后我收到这样的消息：

{
  "access_token": "eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJPcHNsOVltbmdEbmlCWGZheUsxNy1lbEJkZVNqTHlWdjI3QXpLMmVNYTRzIn0.eyJqdGkiOiJlYTc5ZjUzZC0zM2IzLTQ2OGYtOTkzMS03NmFjMGFiOWNmMTUiLCJleHAiOjE1MjY0NjkxMzQsIm5iZiI6MCwiaWF0IjoxNTI2NDY4ODM0LCJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjgwODAvYXV0aC9yZWFsbXMvZGVtbyIsImF1ZCI6ImR1bW15Iiwic3ViIjoiOTUyZjAxNjYtODg4Zi00ZTE0LWFiOTYtZTRmMDcxNmViOTMxIiwidHlwIjoiQmVhcmVyIiwiYXpwIjoiZHVtbXkiLCJhdXRoX3RpbWUiOjAsInNlc3Npb25fc3RhdGUiOiJmYWNkNGM2Yi0wMmYzLTQ0NGMtODMxYy1kNjk4ZmVhMzc5YTciLCJhY3IiOiIxIiwiY2xpZW50X3Nlc3Npb24iOiJiNGU0MGEyMS1lMTA1LTRmMTgtOTc2My00Mzk4YzI5NDg3MWEiLCJhbGxvd2VkLW9yaWdpbnMiOlsiZHVtbXkvKiJdLCJyZWFsbV9hY2Nlc3MiOnsicm9sZXMiOlsib2ZmbGluZV9hY2Nlc3MiLCJ1bWFfYXV0aG9yaXphdGlvbiJdfSwicmVzb3VyY2VfYWNjZXNzIjp7ImFjY291bnQiOnsicm9sZXMiOlsibWFuYWdlLWFjY291bnQiLCJ2aWV3LXByb2ZpbGUiXX19LCJuYW1lIjoiZGVtbyBkZW1vbnN0cmF0aW9uIiwicHJlZmVycmVkX3VzZXJuYW1lIjoiZGVtbyIsImdpdmVuX25hbWUiOiJkZW1vIiwiZmFtaWx5X25hbWUiOiJkZW1vbnN0cmF0aW9uIiwiZW1haWwiOiJkZW1vQGRlbW8uZGUifQ.jLGZV3N40Tl8IVPy1jWiC2tNJsRZ4MQQNL2cl6qgAarzh5HDSQIlbWkcAQZ1zM2SOA3QBs1kXYEBAtPzDP1hClc8j_tAKqVBjUJTQQsb_IloYSOrAXGiubiqsjF_lcjLQXaKrYuDPDjMUGi6mgHNeWNoAePH8RPdl0G6DXhIoRvrycoj1iQ1KD07VX-5QDWaUo-T-MVRjy6EKAQsg4xSdHRXDuYTz1in4Kx7oSQMruWjwS0AbcMhFq7B-u8o_Z5KXZAhzvZ7fnUv-hU4Bn-6gg-j_Xuq1591kcB7iRoINtLMfH_2poKoyj-sbVxqc1NBG32_brgdaGk00kwB6joQsQ",
  "expires_in": 300,
  "refresh_expires_in": 1800,
  "refresh_token": "eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJPcHNsOVltbmdEbmlCWGZheUsxNy1lbEJkZVNqTHlWdjI3QXpLMmVNYTRzIn0.eyJqdGkiOiJkODhiNDdiNi1mNDhjLTQyNmUtYTQwMi00NGQ2MDEyYmY0YjEiLCJleHAiOjE1MjY0NzA2MzQsIm5iZiI6MCwiaWF0IjoxNTI2NDY4ODM0LCJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjgwODAvYXV0aC9yZWFsbXMvZGVtbyIsImF1ZCI6ImR1bW15Iiwic3ViIjoiOTUyZjAxNjYtODg4Zi00ZTE0LWFiOTYtZTRmMDcxNmViOTMxIiwidHlwIjoiUmVmcmVzaCIsImF6cCI6ImR1bW15IiwiYXV0aF90aW1lIjowLCJzZXNzaW9uX3N0YXRlIjoiZmFjZDRjNmItMDJmMy00NDRjLTgzMWMtZDY5OGZlYTM3OWE3IiwiY2xpZW50X3Nlc3Npb24iOiJiNGU0MGEyMS1lMTA1LTRmMTgtOTc2My00Mzk4YzI5NDg3MWEiLCJyZWFsbV9hY2Nlc3MiOnsicm9sZXMiOlsib2ZmbGluZV9hY2Nlc3MiLCJ1bWFfYXV0aG9yaXphdGlvbiJdfSwicmVzb3VyY2VfYWNjZXNzIjp7ImFjY291bnQiOnsicm9sZXMiOlsibWFuYWdlLWFjY291bnQiLCJ2aWV3LXByb2ZpbGUiXX19fQ.GpHscNZem8-VpOBBBhxeY2ZUkz7YQ6ID--YkZI5tcJAf7BnyJ9gGpI2LMNhfD84qLrP9SeLNqJSWDsXkcSxKjyzb8XT9PJVVKnY_Bz7b-sJ0UVx9FXnI1_bnAEcU7Rvyl0EdVGJXZOSbLCRS7xXXn_GqnnZtoG2sQXPtz4fgIIBROCWkbnKZvHpeBqauuhvORwoB-lqpfdLkmhnomYIfZr6o2GfovkCHYC5-revnzLx7wygczri09sxFOXmNB_VdTU20OA7hmnhi_uE7BGewxuTBspeZ2ieZBLUzka-yFUSzxW2UQPTGvJEj2Czc7iBrw7eTmO_x6VTma--QcNP0ZA",
  "token_type": "bearer",
  "id_token": "eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJPcHNsOVltbmdEbmlCWGZheUsxNy1lbEJkZVNqTHlWdjI3QXpLMmVNYTRzIn0.eyJqdGkiOiIxYzlmZWE1ZS1hZmE0LTRjNDktYjRhOS1lNDM2NjE2NDMxZDkiLCJleHAiOjE1MjY0NjkxMzQsIm5iZiI6MCwiaWF0IjoxNTI2NDY4ODM0LCJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjgwODAvYXV0aC9yZWFsbXMvZGVtbyIsImF1ZCI6ImR1bW15Iiwic3ViIjoiOTUyZjAxNjYtODg4Zi00ZTE0LWFiOTYtZTRmMDcxNmViOTMxIiwidHlwIjoiSUQiLCJhenAiOiJkdW1teSIsImF1dGhfdGltZSI6MCwic2Vzc2lvbl9zdGF0ZSI6ImZhY2Q0YzZiLTAyZjMtNDQ0Yy04MzFjLWQ2OThmZWEzNzlhNyIsImFjciI6IjEiLCJuYW1lIjoiZGVtbyBkZW1vbnN0cmF0aW9uIiwicHJlZmVycmVkX3VzZXJuYW1lIjoiZGVtbyIsImdpdmVuX25hbWUiOiJkZW1vIiwiZmFtaWx5X25hbWUiOiJkZW1vbnN0cmF0aW9uIiwiZW1haWwiOiJkZW1vQGRlbW8uZGUifQ.ahjp3mrEf8aKSK7Du9xv17Nh47HvxuhfPj--eg5cx9scXpPwi0fSJ9vOvMGisWj1fkfV8A7-bmRqU6_gDVdnAoO3rs6YLx-qP3JHwu21lKhk8EfBEUNIqzNTYc-u0kNtlFpxdlTd0QKQ4wtljxQGSTQgOjBs-04DlYT7DxhG5sjO1PPy20Y51R-pe-UKTMLjAFlb5q4FAEtwXfJxT4bhEmAGDsGmWKLGoo9s3hUoB-etQkyctoV2ZMwO8acVhrX5lmEZp9zqkrRVFqpenvO2Jn1iGR54UrK9AQ5Gq9slJmKGSOIYKfJK_MOO1NycSaph13QlpQ9hy1txqRUTykyNvw",
  "not-before-policy": 0,
  "session_state": "facd4c6b-02f3-444c-831c-d698fea379a7"
}

同样，这很顺利，但当我执行以下请求时：

GET http://localhost:8081/dummy
Accept: */*
Cache-Control: no-cache
Authorization: bearer eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJPcHNsOVltbmdEbmlCWGZheUsxNy1lbEJkZVNqTHlWdjI3QXpLMmVNYTRzIn0.eyJqdGkiOiJlYTc5ZjUzZC0zM2IzLTQ2OGYtOTkzMS03NmFjMGFiOWNmMTUiLCJleHAiOjE1MjY0NjkxMzQsIm5iZiI6MCwiaWF0IjoxNTI2NDY4ODM0LCJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjgwODAvYXV0aC9yZWFsbXMvZGVtbyIsImF1ZCI6ImR1bW15Iiwic3ViIjoiOTUyZjAxNjYtODg4Zi00ZTE0LWFiOTYtZTRmMDcxNmViOTMxIiwidHlwIjoiQmVhcmVyIiwiYXpwIjoiZHVtbXkiLCJhdXRoX3RpbWUiOjAsInNlc3Npb25fc3RhdGUiOiJmYWNkNGM2Yi0wMmYzLTQ0NGMtODMxYy1kNjk4ZmVhMzc5YTciLCJhY3IiOiIxIiwiY2xpZW50X3Nlc3Npb24iOiJiNGU0MGEyMS1lMTA1LTRmMTgtOTc2My00Mzk4YzI5NDg3MWEiLCJhbGxvd2VkLW9yaWdpbnMiOlsiZHVtbXkvKiJdLCJyZWFsbV9hY2Nlc3MiOnsicm9sZXMiOlsib2ZmbGluZV9hY2Nlc3MiLCJ1bWFfYXV0aG9yaXphdGlvbiJdfSwicmVzb3VyY2VfYWNjZXNzIjp7ImFjY291bnQiOnsicm9sZXMiOlsibWFuYWdlLWFjY291bnQiLCJ2aWV3LXByb2ZpbGUiXX19LCJuYW1lIjoiZGVtbyBkZW1vbnN0cmF0aW9uIiwicHJlZmVycmVkX3VzZXJuYW1lIjoiZGVtbyIsImdpdmVuX25hbWUiOiJkZW1vIiwiZmFtaWx5X25hbWUiOiJkZW1vbnN0cmF0aW9uIiwiZW1haWwiOiJkZW1vQGRlbW8uZGUifQ.jLGZV3N40Tl8IVPy1jWiC2tNJsRZ4MQQNL2cl6qgAarzh5HDSQIlbWkcAQZ1zM2SOA3QBs1kXYEBAtPzDP1hClc8j_tAKqVBjUJTQQsb_IloYSOrAXGiubiqsjF_lcjLQXaKrYuDPDjMUGi6mgHNeWNoAePH8RPdl0G6DXhIoRvrycoj1iQ1KD07VX-5QDWaUo-T-MVRjy6EKAQsg4xSdHRXDuYTz1in4Kx7oSQMruWjwS0AbcMhFq7B-u8o_Z5KXZAhzvZ7fnUv-hU4Bn-6gg-j_Xuq1591kcB7iRoINtLMfH_2poKoyj-sbVxqc1NBG32_brgdaGk00kwB6joQsQ

我仍然得到一个
403

我做错了什么

我希望从一开始就能再次看到
Hello World
文本


编辑：添加
web.xml
：

<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
         version="3.0"
>
    <!-- This is only here because Maven requires it to make a war. -->
    <module-name>dummy</module-name>

    <servlet>
        <servlet-name>dummy</servlet-name>
        <servlet-class>com.dummy.HelloWorld</servlet-class>
    </servlet>

    <servlet-mapping>
        <servlet-name>dummy</servlet-name>
        <url-pattern>/dummy</url-pattern>
    </servlet-mapping>

    <filter>
        <filter-name>Keycloak Filter</filter-name>
        <filter-class>com.dummy.security.keycloak.OIDCFilter</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>Keycloak Filter</filter-name>
        <url-pattern>/keycloak/*</url-pattern>
        <url-pattern>/dummy/*</url-pattern>
        <url-pattern>/protected/*</url-pattern>
    </filter-mapping>
</web-app>


笨蛋
笨蛋
com.dummy.HelloWorld
笨蛋
/假人
钥匙斗篷过滤器
com.dummy.security.keydeport.OIDCFilter
钥匙斗篷过滤器
/钥匙斗篷/*
/假人/*
/保护/*

至于KeyClope版本，我使用的是
2.5.5-Final
，请发布您的过滤器配置和客户端配置（您使用的是哪种适配器？哪种版本？）。403还表示禁止您访问资源，不，您没有经过身份验证：我更新了答案和过滤器我使用Java Servlet过滤器适配器：我将身份验证更新为authorization
Bearer
首字母大写，但这可能不会导致您出现该问题。为什么你用
com.dummy.security.keydove.OIDCFilter
而不是
org.keydove.adapters.servlet.keydove-OIDCFilter
？我也尝试了
Bearer
仍然没有变化，这个过滤器只是
org.keydove.adapters.servlet.keydove-OIDCFilter
的一个扩展，现在它只是检查一些事情，嗯，如果有什么奇怪的事情发生，我会调查一下。现在，谢谢你的提示。@XtremeBiker最后，扩展过滤器是问题所在，过滤器必须访问我的本地主机上不可用的某些资源，这样它才能发回
403
（我知道这里
404
更好，但现在它只是用于测试）。现在，我删除了该部分（出于测试目的），即使我没有提供access_令牌，我也可以始终看到该页面。这正常吗？我不应该得到一个
401
？