Spring Security / Keycloak: using multiple realms to secure the same request path

Posted on 2025-02-13 04:07:49 · 1084 characters · 0 views · 0 comments

I'd like users in two different realms (e.g. human users and S2S users) to access the same REST endpoint. All of the multi-tenancy examples I can find (e.g. the Keycloak multi-tenancy docs) suggest implementing a KeycloakConfigResolver to pick a single realm based on the request path. E.g.:

import java.io.IOException;

import org.keycloak.adapters.KeycloakConfigResolver;
import org.keycloak.adapters.KeycloakDeployment;
import org.keycloak.adapters.KeycloakDeploymentBuilder;
import org.keycloak.adapters.spi.HttpFacade;
import org.springframework.core.io.ClassPathResource;

public class PathBasedKeycloakConfigResolver implements KeycloakConfigResolver {
    // One deployment (adapter configuration) per realm, built once at startup
    private final KeycloakDeployment realm1Deployment;
    private final KeycloakDeployment realm2Deployment;

    public PathBasedKeycloakConfigResolver() throws IOException {
        realm1Deployment = buildDeployment("realm1.json");
        realm2Deployment = buildDeployment("realm2.json");
    }

    @Override
    public KeycloakDeployment resolve(HttpFacade.Request request) {
        // The request path alone decides which realm validates the token
        String path = request.getRelativePath();
        return path.startsWith("clients/") ? realm1Deployment : realm2Deployment;
    }

    private static KeycloakDeployment buildDeployment(String path) throws IOException {
        // Reads a keycloak.json-style adapter configuration from the classpath
        return KeycloakDeploymentBuilder.build(new ClassPathResource(path).getInputStream());
    }
}

But this requires me to pick a single realm per request path.

I want different functionality: I'd like to try authenticating the request against multiple realms and pick the first that succeeds. I feel this would be the logical way to support multiple realms for a single URI, but I'm open to suggestions for achieving this.

Comments (2)

一曲琵琶半遮面シ 2025-02-20 04:07:50

Since Keycloak provides OAuth2 functionality, you do not necessarily need to use the keycloak adapters (a lot of them are being deprecated because of this, even, see here). Instead you can just rely on the built in functionality of Spring Security.

An example of how to configure JWT Authentication for Spring Security with multiple issuers looks like this:

import org.springframework.context.annotation.Bean;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.server.resource.authentication.JwtIssuerAuthenticationManagerResolver;
import org.springframework.security.web.SecurityFilterChain;

@Bean
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
    // Only tokens whose "iss" claim matches one of these trusted issuers are accepted;
    // each issuer gets its own JwtDecoder, built from that issuer's discovery document.
    JwtIssuerAuthenticationManagerResolver authenticationManagerResolver = new JwtIssuerAuthenticationManagerResolver
        ("https://idp.example.org/issuerOne", "https://idp.example.org/issuerTwo");

    http
        .authorizeHttpRequests(authorize -> authorize
            .anyRequest().authenticated()
        )
        .oauth2ResourceServer(oauth2 -> oauth2
            .authenticationManagerResolver(authenticationManagerResolver)
        );
    return http.build();
}

The separate issuer URLs in your case would be the issuer URLs of your respective realms. This example is taken directly from the Spring Security documentation, it also contains samples on how to achieve the same with XML configuration, should you prefer to use that.

Of course, migrating away from the adapter, if you're already using it, might not be easy, but since the adapter is going away in the long term anyway, it might be worth evaluating doing so as early as possible.
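As an added example (not code from the question or from either answer), here is one way to turn the resolver shown in this answer into a complete configuration that also meets the question's requirement of two realms on the same endpoints. The point it makes beyond the snippet above: the unverified "iss" claim only selects among an explicit allowlist of realms, so no token is ever "tried" against every realm's keys, and each realm gets its own decoder that additionally checks the audience and tags the roles it grants with the realm they came from. The issuer URLs, the audience "orders-api", the realm tags, the package name and the Spring Security version (5.3 or later) are assumptions; JwtDecoders.fromIssuerLocation performs OIDC discovery against each issuer when the bean is created, so both realms must be reachable at startup.

```java
// Added example, not the question's or the answers' code. Assumed: issuer URLs, audience, package.
package example;

import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
import java.util.Map;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.convert.converter.Converter;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.ProviderManager;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtClaimNames;
import org.springframework.security.oauth2.jwt.JwtClaimValidator;
import org.springframework.security.oauth2.jwt.JwtDecoders;
import org.springframework.security.oauth2.jwt.JwtValidators;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationConverter;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationProvider;
import org.springframework.security.oauth2.server.resource.authentication.JwtIssuerAuthenticationManagerResolver;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
public class MultiRealmResourceServerConfig {

    // Assumed realm issuer URLs: "humans" holds interactive users, "services" holds S2S clients.
    private static final String HUMANS_ISSUER = "https://keycloak.example.org/realms/humans";
    private static final String SERVICES_ISSUER = "https://keycloak.example.org/realms/services";
    // Assumed client id this API is registered as in both realms; tokens minted for other clients are rejected.
    private static final String EXPECTED_AUDIENCE = "orders-api";

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        // Explicit allowlist: the "iss" claim of a not-yet-verified token can only pick one of these two.
        Map<String, AuthenticationManager> managers = Map.of(
                HUMANS_ISSUER, managerFor(HUMANS_ISSUER, "HUMAN"),
                SERVICES_ISSUER, managerFor(SERVICES_ISSUER, "SERVICE"));
        // A null result (unknown issuer) makes the resolver reject the token with a 401.
        JwtIssuerAuthenticationManagerResolver resolver =
                new JwtIssuerAuthenticationManagerResolver(managers::get);

        http.authorizeHttpRequests(authorize -> authorize.anyRequest().authenticated())
            .oauth2ResourceServer(oauth2 -> oauth2.authenticationManagerResolver(resolver));
        return http.build();
    }

    // One decoder and provider per realm: signature (against that realm's JWKS), issuer,
    // timestamps and audience are all checked before any authority is granted.
    private static AuthenticationManager managerFor(String issuer, String realmTag) {
        NimbusJwtDecoder decoder = JwtDecoders.fromIssuerLocation(issuer); // OIDC discovery at startup
        OAuth2TokenValidator<Jwt> audience = new JwtClaimValidator<List<String>>(
                JwtClaimNames.AUD, aud -> aud != null && aud.contains(EXPECTED_AUDIENCE));
        decoder.setJwtValidator(new DelegatingOAuth2TokenValidator<>(
                JwtValidators.createDefaultWithIssuer(issuer), audience));

        JwtAuthenticationProvider provider = new JwtAuthenticationProvider(decoder);
        provider.setJwtAuthenticationConverter(realmAwareConverter(realmTag));
        return new ProviderManager(provider);
    }

    // Keycloak places realm roles under realm_access.roles. Prefixing them with the realm tag keeps
    // a "user" role from the services realm distinct from "user" in the humans realm.
    private static JwtAuthenticationConverter realmAwareConverter(String realmTag) {
        Converter<Jwt, Collection<GrantedAuthority>> authorities = jwt -> {
            List<GrantedAuthority> result = new ArrayList<>();
            result.add(new SimpleGrantedAuthority("REALM_" + realmTag));
            Map<String, Object> realmAccess = jwt.getClaimAsMap("realm_access");
            if (realmAccess != null && realmAccess.get("roles") instanceof Collection<?>) {
                for (Object role : (Collection<?>) realmAccess.get("roles")) {
                    result.add(new SimpleGrantedAuthority("ROLE_" + realmTag + "_" + role));
                }
            }
            return result;
        };
        JwtAuthenticationConverter converter = new JwtAuthenticationConverter();
        converter.setJwtGrantedAuthoritiesConverter(authorities);
        return converter;
    }
}
```

With this in place a controller can distinguish the two populations with ordinary authority checks, for example hasAuthority("REALM_SERVICE") on an endpoint that only machine clients should reach, while a token from any realm that is not in the map, or one issued for a different client id, never reaches the controller at all.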

忆悲凉 2025-02-20 04:07:50

The Keycloak adapters deprecation is announced there.

You should have a look at this OpenID adapter I wrote. It works out of the box with as many issuers as you need and solves quite a few of keycloak spring-boot adapter limitations:

  • compatible with webmvc (servlets) and webflux (reactive) apps
  • spring boot 3 ready (does not extend WebSecurityConfigurerAdapter)
  • no adherence to Keycloak (works with any OpenID authorization-server)
  • tooling for security unit testing

Basic tutorial here.
