最近團(tuán)隊的各項目接入keycloak統(tǒng)一管理用戶的登錄認(rèn)證惕味，鑒權(quán)由各項目獨立實現(xiàn)

1盐碱、在keycloak中配置client

keycloak管理界面點擊client把兔，創(chuàng)建client，填寫clientID

有效的重定向URI配置指向工單系統(tǒng)的UI首頁地址

啟用隱式流

web起源設(shè)為 *

2瓮顽、加入keycloak依賴和json文件

pom.xml

<!-- KeyCloak -->
<keycloak.version>4.4.0.Final</keycloak.version>
<dependency>
    <groupId>org.keycloak</groupId>
    <artifactId>keycloak-spring-security-adapter</artifactId>
    <version>${keycloak.version}</version>
</dependency>
<dependency>
    <groupId>org.keycloak</groupId>
    <artifactId>keycloak-spring-boot-starter</artifactId>
    <version>${keycloak.version}</version>
</dependency>

keycloak.json文件县好，放在resources目錄下

{
  "realm": "realm",
  "auth-server-url": "http://xxx.xxx:8180/auth",
  "ssl-required": "external",
  "resource": "myclient",
  "public-client": true,
  "confidential-port": 0
}

application.properties文件

#keycloak
keycloak.realm=realm
keycloak.resource=myclient
keycloak.auth-server-url=http://xxx.xxx.xxx.xxx:8180/auth
keycloak.ssl-required=external

3、添加springsecurity+keycloak配置文件

不廢話趣倾，直接上代碼

@KeycloakConfiguration
@EnableGlobalMethodSecurity(prePostEnabled=true)
public class SecurityConfig extends KeycloakWebSecurityConfigurerAdapter {

    @Autowired
    private SecurityAuthenticationProvider authenticationProvider;

    @Autowired
    private KeycloakAuthenticationProcessingFilter keycloakAuthenticationProcessingFilter;

    @Autowired
    private KeycloakPreAuthActionsFilter keycloakPreAuthActionsFilter;

    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        auth.authenticationProvider(authenticationProvider);
    }

    @Bean
    public KeycloakConfigResolver keycloakConfigResolver() {
        return new KeycloakSpringBootConfigResolver();
    }

    @Bean
    public FilterRegistrationBean keycloakAuthenticationProcessingFilterRegistrationBean(
            KeycloakAuthenticationProcessingFilter filter) {
        FilterRegistrationBean registrationBean = new FilterRegistrationBean(filter);
        registrationBean.setEnabled(true);
        return registrationBean;
    }

    @Bean
    public FilterRegistrationBean keycloakPreAuthActionsFilterRegistrationBean(
            KeycloakPreAuthActionsFilter filter) {
        FilterRegistrationBean registrationBean = new FilterRegistrationBean(filter);
        registrationBean.setEnabled(true);
        return registrationBean;
    }

    @Bean
    @Override
    protected SessionAuthenticationStrategy sessionAuthenticationStrategy() {
        return new NullAuthenticatedSessionStrategy();
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {

        http.csrf().disable()
                .cors().and()
                .sessionManagement().disable()
                .authorizeRequests()
                .anyRequest().permitAll();
        http
                //.addFilterBefore(mySecurityInterceptor, FilterSecurityInterceptor.class)
                .addFilterBefore(keycloakAuthenticationProcessingFilter, FilterSecurityInterceptor.class)
                .addFilterBefore(keycloakPreAuthActionsFilter, KeycloakAuthenticationProcessingFilter.class);
    }

}

4聘惦、自定義AuthenticationProvider

通過AccessToken中的用戶信息，查詢本系統(tǒng)中該用戶的權(quán)限信息，加入token善绎，具體鑒權(quán)方案各系統(tǒng)各不相同黔漂，自行實現(xiàn)

@Slf4j
@Component
public class SecurityAuthenticationProvider implements AuthenticationProvider {

    @Autowired
    private UserService userService;
    @Autowired
    private RoleService roleService;

    private GrantedAuthoritiesMapper grantedAuthoritiesMapper;

    public void setGrantedAuthoritiesMapper(GrantedAuthoritiesMapper grantedAuthoritiesMapper) {
        this.grantedAuthoritiesMapper = grantedAuthoritiesMapper;
    }

    /**
     * 驗證Authentication，建立系統(tǒng)使用者信息principal(token)
     */
    @Override
    public Authentication authenticate(Authentication authentication) throws RuntimeException {
        //從token中獲取用戶信息
        KeycloakAuthenticationToken token = (KeycloakAuthenticationToken) authentication;
        AccessToken accessToken = getAccessToken((token));
        String userId = accessToken.getSubject();
        //查詢用戶是否存在禀酱，若不存在則存入數(shù)據(jù)庫
        userService.checkUser(accessToken, userId);
        //根據(jù)userId查詢本系統(tǒng)用戶權(quán)限炬守，放入token中
        List<GrantedAuthority> grantedAuthorities = roleService.getGrantedAuthorities(userId);
        KeycloakAuthenticationToken authenticationToken = new KeycloakAuthenticationToken(token.getAccount(), token.isInteractive(), mapAuthorities(grantedAuthorities));
        return authenticationToken;
    }

    private AccessToken getAccessToken(KeycloakAuthenticationToken principal) {
        KeycloakAuthenticationToken token = principal;
        KeycloakPrincipal keycloakPrincipal = (KeycloakPrincipal)token.getPrincipal();
        KeycloakSecurityContext context = keycloakPrincipal.getKeycloakSecurityContext();
        return context.getToken();
    }

    private Collection<? extends GrantedAuthority> mapAuthorities(
            Collection<? extends GrantedAuthority> authorities) {
        return grantedAuthoritiesMapper != null
                ? grantedAuthoritiesMapper.mapAuthorities(authorities)
                : authorities;
    }

    @Override
    public boolean supports(Class<?> aClass) {
        return KeycloakAuthenticationToken.class.isAssignableFrom(aClass);
    }

}