成分:
- 钥匙披风:11
- Hawkbit-mysql
运行:
- 码头工人(码头工人组成)
嗨,我使用 Keycloak 11 将 OpenId 集成到 Hawkbit。这适用于管理 API,但不适用于管理 UI。
我按照文档中的说明添加了 application.properties。使用的流是authorization_codeHawkbit 所期望的。
码头工人组成
这是我的环境。我的撰写文件的 vars:
- spring.security.oauth2.client.registration.oidc.client-id=hawkbit-client
- spring.security.oauth2.client.registration.oidc.client-secret= XXX
- spring.security.oauth2.client.registration.oidc.scope=openid,profile
- spring.security.oauth2.client.provider.oidc.issuer-uri=http://keycloak:8080/auth/realms/master
- spring.security.oauth2.client.provider.oidc.authorization-uri=http://localhost:8080/auth/realms/master/protocol/openid-connect/auth
- spring.security.oauth2.client.provider.oidc.token-uri=http://keycloak:8080/auth/realms/master/protocol/openid-connect/token
- spring.security.oauth2.client.provider.oidc.user-info-uri=http://keycloak:8080/auth/realms/master/protocol/openid-connect/userinfo
- spring.security.oauth2.client.provider.oidc.jwk-set-uri=http://keycloak:8080/auth/realms/master/protocol/openid-connect/certs
- spring.security.oauth2.client.registration.oidc.authorization-grant-type=authorization_code
另外,我在我的compose中更改了hawkbit的端口
端口:
- 8081:8080
钥匙披风:
我的客户使用direct access grant和standard flow。我的用户具有客户角色READ_TARGET和SYSTEM_ADMIN
日志:
我启用了更细粒度的日志,并且 Keycloak 和 Hawkbit 之间存在通信。但是当我使用管理 UI 执行登录时,它会失败。
2021-01-15 09:18:09.607 DEBUG 1 --- [tp1234905692-18] o.s.s.w.a.AnonymousAuthenticationFilter : Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken@ff9b1cf2: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@2cd90: RemoteIpAddress: 10.0.2.2; SessionId: node01o0pnlb0ekeez180l4o6axsvmt0; Granted Authorities: ROLE_ANONYMOUS'
2021-01-15 09:18:09.607 DEBUG 1 --- [tp1234905692-18] o.s.security.web.FilterChainProxy : /UI/UIDL/?v-uiId=0 at position 13 of 16 in additional filter chain; firing Filter: 'OAuth2AuthorizationCodeGrantFilter'
2021-01-15 09:18:09.607 DEBUG 1 --- [tp1234905692-18] o.s.security.web.FilterChainProxy : /UI/UIDL/?v-uiId=0 at position 14 of 16 in additional filter chain; firing Filter: 'SessionManagementFilter'
2021-01-15 09:18:09.607 DEBUG 1 --- [tp1234905692-18] o.s.security.web.FilterChainProxy : /UI/UIDL/?v-uiId=0 at position 15 of 16 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
2021-01-15 09:18:09.607 DEBUG 1 --- [tp1234905692-18] o.s.security.web.FilterChainProxy : /UI/UIDL/?v-uiId=0 at position 16 of 16 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
2021-01-15 09:18:09.607 DEBUG 1 --- [tp1234905692-18] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/UI/UIDL/'; against '/UI/login/**'
2021-01-15 09:18:09.607 DEBUG 1 --- [tp1234905692-18] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/UI/UIDL/'; against '/UI/UIDL/**'
2021-01-15 09:18:09.608 DEBUG 1 --- [tp1234905692-18] o.s.s.w.a.i.FilterSecurityInterceptor : Secure object: FilterInvocation: URL: /UI/UIDL/?v-uiId=0; Attributes: [permitAll]
2021-01-15 09:18:09.608 DEBUG 1 --- [tp1234905692-18] o.s.s.w.a.i.FilterSecurityInterceptor : Previously Authenticated: org.springframework.security.authentication.AnonymousAuthenticationToken@ff9b1cf2: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@2cd90: RemoteIpAddress: 10.0.2.2; SessionId: node01o0pnlb0ekeez180l4o6axsvmt0; Granted Authorities: ROLE_ANONYMOUS
2021-01-15 09:18:09.611 DEBUG 1 --- [tp1234905692-18] o.s.s.access.vote.AffirmativeBased : Voter: org.springframework.security.web.access.expression.WebExpressionVoter@6de64288, returned: 1
2021-01-15 09:18:09.611 DEBUG 1 --- [tp1234905692-18] o.s.s.w.a.i.FilterSecurityInterceptor : Authorization successful
2021-01-15 09:18:09.611 DEBUG 1 --- [tp1234905692-18] o.s.s.w.a.i.FilterSecurityInterceptor : RunAsManager did not change Authentication object
2021-01-15 09:18:09.611 DEBUG 1 --- [tp1234905692-18] o.s.security.web.FilterChainProxy : /UI/UIDL/?v-uiId=0 reached end of additional filter chain; proceeding with original chain
2021-01-15 09:18:09.719 DEBUG 1 --- [tp1234905692-18] o.s.s.authentication.ProviderManager : Authentication attempt using org.eclipse.hawkbit.autoconfigure.security.InMemoryUserManagementAutoConfiguration$TenantDaoAuthenticationProvider
2021-01-15 09:18:10.076 DEBUG 1 --- [tp1234905692-18] o.s.s.w.header.writers.HstsHeaderWriter : Not injecting HSTS header since it did not match the requestMatcher org.springframework.security.web.header.writers.HstsHeaderWriter$SecureRequestMatcher@694b6660
2021-01-15 09:18:10.078 DEBUG 1 --- [tp1234905692-18] w.c.HttpSessionSecurityContextRepository : SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.
2021-01-15 09:18:10.081 DEBUG 1 --- [tp1234905692-18] o.s.s.w.a.ExceptionTranslationFilter : Chain processed normally
2021-01-15 09:18:10.082 DEBUG 1 --- [tp1234905692-18] s.s.w.c.SecurityContextPersistenceFilter : SecurityContextHolder now cleared, as request processing completed
2021-01-15 09:18:10.886 DEBUG 1 --- [executor-pool-1] s.a.i.a.AspectJMethodSecurityInterceptor : Secure object: ReflectiveMethodInvocation: public void org.eclipse.hawkbit.repository.jpa.JpaSystemManagement.forEachTenant(java.util.function.Consumer); target is of class [org.eclipse.hawkbit.repository.jpa.JpaSystemManagement]; Attributes: [[authorize: 'hasAuthority('ROLE_SYSTEM_CODE')', filter: 'null', filterTarget: 'null']]
2021-01-15 09:18:10.886 DEBUG 1 --- [executor-pool-1] s.a.i.a.AspectJMethodSecurityInterceptor : Previously Authenticated: org.eclipse.hawkbit.security.SystemSecurityContext$SystemCodeAuthentication@2233a89d
2021-01-15 09:18:10.886 DEBUG 1 --- [executor-pool-1] o.s.s.access.vote.AffirmativeBased : Voter: org.springframework.security.access.prepost.PreInvocationAuthorizationAdviceVoter@3e6c0950, returned: 1
2021-01-15 09:18:10.886 DEBUG 1 --- [executor-pool-1] s.a.i.a.AspectJMethodSecurityInterceptor : Authorization successful
2021-01-15 09:18:10.886 DEBUG 1 --- [executor-pool-1] s.a.i.a.AspectJMethodSecurityInterceptor : RunAsManager did not change Authentication object
2021-01-15 09:18:10.890 DEBUG 1 --- [executor-pool-0] s.a.i.a.AspectJMethodSecurityInterceptor : Secure object: ReflectiveMethodInvocation: public void org.eclipse.hawkbit.repository.jpa.JpaSystemManagement.forEachTenant(java.util.function.Consumer); target is of class [org.eclipse.hawkbit.repository.jpa.JpaSystemManagement]; Attributes: [[authorize: 'hasAuthority('ROLE_SYSTEM_CODE')', filter: 'null', filterTarget: 'null']]
2021-01-15 09:18:10.890 DEBUG 1 --- [executor-pool-0] s.a.i.a.AspectJMethodSecurityInterceptor : Previously Authenticated: org.eclipse.hawkbit.security.SystemSecurityContext$SystemCodeAuthentication@73f49ea6
2021-01-15 09:18:10.890 DEBUG 1 --- [executor-pool-0] o.s.s.access.vote.AffirmativeBased : Voter: org.springframework.security.access.prepost.PreInvocationAuthorizationAdviceVoter@3e6c0950, returned: 1
2021-01-15 09:18:10.890 DEBUG 1 --- [executor-pool-0] s.a.i.a.AspectJMethodSecurityInterceptor : Authorization successful
2021-01-15 09:18:10.890 DEBUG 1 --- [executor-pool-0] s.a.i.a.AspectJMethodSecurityInterceptor : RunAsManager did not change Authentication object
我的想法:
我对发生的事情感到很困惑,因为在 hawkbit 和 keycloak 中都没有抛出异常。Keycloak 确实,也启用了细粒度日志,甚至不记录身份验证请求。令人困惑的是,即使启用了 oauth,我仍然可以使用标准用户登录admin admin。我不认为 keycloak 有问题,因为根据日志创建了连接并使用了通过知名端点的配置。
问题:
- 我还需要在 Keycloak 中配置什么吗?
- 是否有其他环境变量可以使用?
- 我已经看到 hawkbit 项目
Spring boot 2.1.4.RELEASE用作父项。(虽然今天有一个更新到 2.4 的拉取请求。版本中是否存在已知问题?