Spring boot KeyClope springboot适配器不允许设置KeyClope.policy-enforcer-config.user-managed-access属性
我试图用springboot适配器保护我的应用程序。在深入挖掘源代码之后,我发现实现中似乎存在一些bug 在KeyDopperAdapterPolicyEnforcer类中,检索用户权限的方法getPermissionTicket包含以下内容:Spring boot KeyClope springboot适配器不允许设置KeyClope.policy-enforcer-config.user-managed-access属性,spring-boot,oauth-2.0,authorization,keycloak,Spring Boot,Oauth 2.0,Authorization,Keycloak,我试图用springboot适配器保护我的应用程序。在深入挖掘源代码之后,我发现实现中似乎存在一些bug 在KeyDopperAdapterPolicyEnforcer类中,检索用户权限的方法getPermissionTicket包含以下内容: private String getPermissionTicket(PathConfig pathConfig, PolicyEnforcerConfig.MethodConfig methodConfig, AuthzClient authzClie
private String getPermissionTicket(PathConfig pathConfig, PolicyEnforcerConfig.MethodConfig methodConfig, AuthzClient authzClient, OIDCHttpFacade httpFacade) {
if (getEnforcerConfig().getUserManagedAccess() != null) {
ProtectionResource protection = authzClient.protection();
PermissionResource permission = protection.permission();
PermissionRequest permissionRequest = new PermissionRequest();
permissionRequest.setResourceId(pathConfig.getId());
permissionRequest.setScopes(new HashSet<>(methodConfig.getScopes()));
Map<String, List<String>> claims = resolveClaims(pathConfig, httpFacade);
if (!claims.isEmpty()) {
permissionRequest.setClaims(claims);
}
return permission.create(permissionRequest).getTicket();
}
return null;
}
但不提供任何jackson转换器来将字符串传递到UserManagedAccessConfig
如果没有这个config属性集,适配器只会拒绝每个请求。这个问题有什么解决办法吗?是的,我只是用一个bean而不是属性文件。大概是这样的:
@SpringBootApplication(exclude = SecurityAutoConfiguration.class)
@EnableTransactionManagement
public class DemoApplication {
public static void main(String[] args) {
SpringApplication.run(DemoApplication.class, args);
}
@Bean
@Primary
public KeycloakSpringBootProperties properties() {
final KeycloakSpringBootProperties props = new KeycloakSpringBootProperties();
final PolicyEnforcerConfig policyEnforcerConfig = new PolicyEnforcerConfig();
policyEnforcerConfig.setEnforcementMode(EnforcementMode.ENFORCING);
policyEnforcerConfig.setUserManagedAccess(new UserManagedAccessConfig());
props.setPolicyEnforcerConfig(policyEnforcerConfig);
return props;
}
}
@斯堪的纳夫的答案不支持应用程序属性中定义的
keydape.policy enforcer config.*
属性。如中所建议的,有如下的“脏”解决方法,可以保留策略实施器配置属性,只需添加UserManagedAccessConfig对象
public class KeycloakUMAConfigResolver extends KeycloakSpringBootConfigResolver {
public KeycloakUMAConfigResolver() throws Exception {
}
public void configureUMAConfig() {
try {
Field f = KeycloakSpringBootConfigResolver.class.getDeclaredField("adapterConfig");
f.setAccessible(true);
KeycloakSpringBootProperties properties = (KeycloakSpringBootProperties) f.get(this);
properties.getPolicyEnforcerConfig()
.setUserManagedAccess(new PolicyEnforcerConfig.UserManagedAccessConfig());
} catch (NoSuchFieldException | SecurityException | IllegalArgumentException | IllegalAccessException e) {
e.printStackTrace();
}
}
}
然后在安全配置中创建这个配置解析器bean
@Bean
public KeycloakSpringBootConfigResolver KeycloakConfigResolver() throws Exception {
return new KeycloakUMAConfigResolver();
}
@Bean
@Qualifier("dummy bean")
public Object dummyBeam(KeycloakUMAConfigResolver configResolver) {
configResolver.configureUMAConfig();
return new Object();
}
注意:尝试在构造函数中设置UserManagedAccessConfig失败,因为在构造函数内的对象初始化期间adapterConfig字段不可用。因此使用了一个虚拟bean定义,然后调用
configureUMAConfig
方法。你有没有弄明白这个问题?我也有同样的问题
@Bean
public KeycloakSpringBootConfigResolver KeycloakConfigResolver() throws Exception {
return new KeycloakUMAConfigResolver();
}
@Bean
@Qualifier("dummy bean")
public Object dummyBeam(KeycloakUMAConfigResolver configResolver) {
configResolver.configureUMAConfig();
return new Object();
}