1. Test goals
- Integrate a Spring Boot RESTful API (front end and back end separated) with Keycloak
- Integrate an ordinary Spring project (front end and back end not separated) with Keycloak
2. Set up the Keycloak configuration for the test
It is assumed that you can already log in to the Keycloak admin console (for installation and setup see https://www.jianshu.com/p/de1e415ddc27). The test is driven by a script, which assumes that the superadmin account created when the system was initialized has username and password both set to root. The kcadm.sh script is in the ./bin directory under the Keycloak installation directory.
- Log in as the root account; later script steps do not need to log in again
```shell
./kcadm.sh config credentials --server http://localhost:8080/auth --realm master --user root --password root
```
- Create the realm
```shell
realmName='springboot-integration'
# Delete the realm if it already exists; the clients/users/roles below are deleted with it
./kcadm.sh delete realms/$realmName -r $realmName
# Create it
realmId=$(./kcadm.sh create realms -s realm=$realmName -s enabled=true 2>&1 | awk -F "'" '{print $2}')
```
- Create the springboot-security client, used to exchange credentials for an API token and for SSO login.
```shell
# Create the public client used for token exchange
openClientName='springboot-security'
# For easier debugging, set the secret explicitly
openSecret='d0b8122f-8dfb-46b7-b68a-f5cc4e25d000'
openClient=$(./kcadm.sh create clients -r $realmId -s clientId=$openClientName -s enabled=true -s publicClient=true -s 'redirectUris=["http://localhost:9090/*","http://127.0.0.1:9090/*"]' -s baseUrl=http://localhost:9090 -s adminUrl=http://localhost:9090 -s clientAuthenticatorType=client-secret -s secret=$openSecret -s directAccessGrantsEnabled=true 2>&1 | awk -F "'" '{print $2}')
```
- Create the springboot-rest-api client for the protected API
```shell
# Create the protected (bearer-only) client
restClientName='springboot-rest-api'
# For easier debugging, set the secret explicitly
restSecret='6e32611b-8e10-4afe-ac0b-0f64c4022390'
restClient=$(./kcadm.sh create clients -r $realmId -s clientId=$restClientName -s enabled=true -s baseUrl=http://localhost:9091 -s bearerOnly=true -s secret=$restSecret 2>&1 | awk -F "'" '{print $2}')
```
- Show the protected client's configuration; use it as the reference for Spring Boot's application.yml
```shell
# Show the protected client's configuration
echo "35.restClient: "$restClient" 的配置情况: "
./kcadm.sh get clients/$restClient/installation/providers/keycloak-oidc-keycloak-json -r $realmId
```
- Create roles at the realm level (client-level roles are also possible)
```shell
# Create roles in the realm
echo "17.给"$realmId"创建两个角色 "
./kcadm.sh create roles -r $realmId -s name=user -s "description=$realmId user role"
./kcadm.sh create roles -r $realmId -s name=admin -s "description=$realmId admin role"
# List the realm's roles
echo "25.realm: "$realmId" 的roles: "
./kcadm.sh get roles -r $realmId
```
- Create accounts: one admin, added to the admin role, and one user, added to the user role.
```shell
# Create the administrator account in the realm
adminId=$(./kcadm.sh create users -r $realmId -s username=admin -s firstName=wu -s lastName=Wang -s [email protected] -s enabled=true 2>&1 | awk -F "'" '{print $2}')
# Set the password
./kcadm.sh update users/$adminId/reset-password -r $realmId -s type=password -s value=123456 -s temporary=false -n
# Assign the realm role
./kcadm.sh add-roles --uusername admin --rolename admin -r $realmId
# Create the ordinary user account in the realm
userId=$(./kcadm.sh create users -r $realmId -s username=user -s firstName=san -s lastName=Zhang -s [email protected] -s enabled=true 2>&1 | awk -F "'" '{print $2}')
# Set the password
./kcadm.sh update users/$userId/reset-password -r $realmId -s type=password -s value=123456 -s temporary=false -n
# Assign the realm role
./kcadm.sh add-roles --uusername user --rolename user -r $realmId
```
- Obtain access tokens for testing
```shell
# Obtain access tokens (Resource Owner Password Credentials grant via the public client)
export adminToken=$(curl -ss --data "grant_type=password&client_id=$openClientName&client_secret=$openSecret&username=admin&password=123456" http://localhost:8080/auth/realms/$realmId/protocol/openid-connect/token | jq -r .access_token)
export userToken=$(curl -ss --data "grant_type=password&client_id=$openClientName&client_secret=$openSecret&username=user&password=123456" http://localhost:8080/auth/realms/$realmId/protocol/openid-connect/token | jq -r .access_token)
```
- Test the API (after the API application has been written and started)
```shell
# echo -e so that \n is interpreted under bash as well as sh/zsh
echo -e "\n\nAPI访问测试: "
echo -e "\n『adminToken+admin』 result : "
curl -H "Authorization: bearer $adminToken" http://localhost:9091/admin
echo -e "\n\n『adminToken+user』 result : "
curl -H "Authorization: bearer $adminToken" http://localhost:9091/user
echo -e "\n\n『userToken+admin』 result : "
curl -H "Authorization: bearer $userToken" http://localhost:9091/admin
echo -e "\n\n『userToken+user』 result : "
curl -H "Authorization: bearer $userToken" http://localhost:9091/user
```
3. Code: the parent project
Manages the Spring Boot and Keycloak versions; not strictly necessary.
- pom.xml
```xml
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>
    <parent>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-parent</artifactId>
        <version>2.2.5.RELEASE</version>
    </parent>
    <groupId>com.dimaidt.springboot-keycloak</groupId>
    <artifactId>springboot-keycloak</artifactId>
    <version>0.0.1-SNAPSHOT</version>
    <name>springboot-keycloak</name>
    <description>Demo project for Spring Boot</description>
    <packaging>pom</packaging>

    <modules>
        <module>api-demo</module>
        <module>web-demo</module>
    </modules>

    <properties>
        <java.version>1.8</java.version>
        <keycloak.version>9.0.0</keycloak.version>
    </properties>

    <dependencyManagement>
        <dependencies>
            <dependency>
                <groupId>org.keycloak</groupId>
                <artifactId>keycloak-spring-boot-starter</artifactId>
                <version>${keycloak.version}</version>
            </dependency>
            <dependency>
                <groupId>org.keycloak</groupId>
                <artifactId>keycloak-spring-security-adapter</artifactId>
                <version>${keycloak.version}</version>
            </dependency>
        </dependencies>
    </dependencyManagement>
</project>
```
4. Code: sub-project 1, api-demo
- pom.xml
```xml
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>
    <parent>
        <groupId>com.dimaidt.springboot-keycloak</groupId>
        <artifactId>springboot-keycloak</artifactId>
        <version>0.0.1-SNAPSHOT</version>
    </parent>
    <groupId>com.dimaidt.springboot-keycloak</groupId>
    <artifactId>api-demo</artifactId>
    <version>0.0.1-SNAPSHOT</version>
    <name>api-demo</name>
    <description>Demo project for Spring Boot</description>

    <properties>
        <java.version>1.8</java.version>
    </properties>

    <dependencies>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-web</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-security</artifactId>
        </dependency>
        <dependency>
            <groupId>org.keycloak</groupId>
            <artifactId>keycloak-spring-boot-starter</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-test</artifactId>
            <scope>test</scope>
            <exclusions>
                <exclusion>
                    <groupId>org.junit.vintage</groupId>
                    <artifactId>junit-vintage-engine</artifactId>
                </exclusion>
            </exclusions>
        </dependency>
    </dependencies>

    <build>
        <plugins>
            <plugin>
                <groupId>org.springframework.boot</groupId>
                <artifactId>spring-boot-maven-plugin</artifactId>
            </plugin>
        </plugins>
    </build>
</project>
```
- application.yml contents
```yaml
server:
  port: 9091
keycloak:
  realm: springboot-integration
  resource: springboot-rest-api
  bearer-only: true
  credentials:
    secret: 6e32611b-8e10-4afe-ac0b-0f64c4022390
  auth-server-url: http://localhost:8080/auth
  ssl-required: external
  confidential-port: 0
logging:
  level:
    org:
      springframework:
        security: DEBUG
```
- src directory layout
```text
src
├── main
│   ├── java
│   │   └── com
│   │       └── dimaidt
│   │           └── springbootkeycloak
│   │               └── apidemo
│   │                   ├── ApiDemoApplication.java
│   │                   ├── config
│   │                   │   ├── KeycloakConfig.java
│   │                   │   └── KeycloakSecurityConfig.java
│   │                   └── controller
│   │                       └── APIController.java
│   └── resources
│       └── application.yml
└── test
    └── java
        └── com
            └── dimaidt
                └── springbootkeycloak
                    └── apidemo
                        └── ApiDemoApplicationTests.java
```
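The tree lists KeycloakConfig.java and KeycloakSecurityConfig.java but the post does not show their contents. The listing below is an added example, not code from the post or from the dgatiger/springboot-keycloak repository, of a bearer-only configuration that matches the api-demo application.yml above. The package name follows the tree; the rule that /admin requires the realm role admin and /user requires the realm role user is an assumption chosen to match the curl test matrix in section 2. Both classes are shown in one listing here although the tree keeps them in separate files.

```java
// Added example for api-demo (not the repository's own code). Assumptions:
// package/class names follow the directory tree; /admin <-> realm role "admin",
// /user <-> realm role "user".
package com.dimaidt.springbootkeycloak.apidemo.config;

import org.keycloak.adapters.springboot.KeycloakSpringBootConfigResolver;
import org.keycloak.adapters.springsecurity.KeycloakConfiguration;
import org.keycloak.adapters.springsecurity.authentication.KeycloakAuthenticationProvider;
import org.keycloak.adapters.springsecurity.config.KeycloakWebSecurityConfigurerAdapter;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.authority.mapping.SimpleAuthorityMapper;
import org.springframework.security.web.authentication.session.NullAuthenticatedSessionStrategy;
import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy;

/**
 * KeycloakConfig.java in the tree: makes the adapter read the keycloak.* block of
 * application.yml instead of looking for a keycloak.json. It lives in its own
 * @Configuration class because declaring the resolver bean inside the
 * KeycloakWebSecurityConfigurerAdapter subclass causes a circular dependency.
 */
@Configuration
class KeycloakConfig {
    @Bean
    public KeycloakSpringBootConfigResolver keycloakConfigResolver() {
        return new KeycloakSpringBootConfigResolver();
    }
}

/** KeycloakSecurityConfig.java in the tree: the bearer-only resource-server rules. */
@KeycloakConfiguration // = @Configuration + @EnableWebSecurity + scan of the adapter package
class KeycloakSecurityConfig extends KeycloakWebSecurityConfigurerAdapter {

    // Map Keycloak realm roles to Spring authorities. SimpleAuthorityMapper adds the
    // "ROLE_" prefix and leaves the case alone, so realm role "admin" becomes
    // ROLE_admin and hasRole("admin") below matches it.
    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) {
        KeycloakAuthenticationProvider provider = keycloakAuthenticationProvider();
        provider.setGrantedAuthoritiesMapper(new SimpleAuthorityMapper());
        auth.authenticationProvider(provider);
    }

    // A bearer-only API keeps no HTTP session: every request must present its own
    // token, so nothing is registered in a session registry.
    @Bean
    @Override
    protected SessionAuthenticationStrategy sessionAuthenticationStrategy() {
        return new NullAuthenticatedSessionStrategy();
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        super.configure(http); // installs the Keycloak bearer-token filter chain
        http.csrf().disable()  // no cookie-based session, so CSRF tokens add nothing here
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
            .and()
            .authorizeRequests()
                .antMatchers("/admin/**").hasRole("admin")
                .antMatchers("/user/**").hasRole("user")
                .anyRequest().authenticated();
    }
}
```

With these rules a request carrying no token, or a token the adapter cannot validate against the realm, is answered with 401, and a valid token whose realm roles do not include the required one gets 403. APIController can therefore be a plain @RestController with @GetMapping("/admin") and @GetMapping("/user") methods and no role checks of its own; authorization is enforced entirely by the filter chain, which is what the four curl calls in section 2 exercise.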
5. Code: sub-project 2, web-demo
- pom.xml
```xml
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>
    <parent>
        <groupId>com.dimaidt.springboot-keycloak</groupId>
        <artifactId>springboot-keycloak</artifactId>
        <version>0.0.1-SNAPSHOT</version>
    </parent>
    <groupId>com.dimaidt.springboot-keycloak</groupId>
    <artifactId>web-demo</artifactId>
    <version>0.0.1-SNAPSHOT</version>
    <name>web-demo</name>
    <description>Demo project for Spring Boot</description>

    <properties>
        <java.version>1.8</java.version>
    </properties>

    <dependencies>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-web</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-thymeleaf</artifactId>
        </dependency>
        <dependency>
            <groupId>org.keycloak</groupId>
            <artifactId>keycloak-spring-boot-starter</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-security</artifactId>
        </dependency>
        <dependency>
            <groupId>org.keycloak</groupId>
            <artifactId>keycloak-spring-boot-starter</artifactId>
        </dependency>
        <dependency>
            <groupId>org.projectlombok</groupId>
            <artifactId>lombok</artifactId>
            <optional>true</optional>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-test</artifactId>
            <scope>test</scope>
            <exclusions>
                <exclusion>
                    <groupId>org.junit.vintage</groupId>
                    <artifactId>junit-vintage-engine</artifactId>
                </exclusion>
            </exclusions>
        </dependency>
    </dependencies>

    <build>
        <plugins>
            <plugin>
                <groupId>org.springframework.boot</groupId>
                <artifactId>spring-boot-maven-plugin</artifactId>
            </plugin>
        </plugins>
    </build>
</project>
```
- application.yml contents
```yaml
server:
  port: 9090
keycloak:
  realm: springboot-integration
  resource: springboot-security
  auth-server-url: http://localhost:8080/auth
  ssl-required: external
  confidential-port: 0
  public-client: true
  principal-attribute: preferred_username
logging:
  level:
    org:
      springframework:
        security: DEBUG
```
- src directory layout
```text
src
├── main
│   ├── java
│   │   └── com
│   │       └── dimaidt
│   │           └── springbootkeycloak
│   │               └── webdemo
│   │                   ├── WebDemoApplication.java
│   │                   ├── config
│   │                   │   ├── KeycloakConfig.java
│   │                   │   └── SecurityConfig.java
│   │                   ├── controller
│   │                   │   └── LibraryController.java
│   │                   ├── model
│   │                   │   └── Book.java
│   │                   └── repository
│   │                       └── BookRepository.java
│   └── resources
│       ├── application.yml
│       ├── static
│       │   ├── css
│       │   │   └── style.css
│       │   └── images
│       │       └── public-library-bookshelves-books.jpg
│       └── templates
│           ├── books.html
│           ├── index.html
│           └── manager.html
└── test
    └── java
        └── com
            └── dimaidt
                └── springbootkeycloak
                    └── webdemo
                        └── WebDemoApplicationTests.java
```
For details see the reference links; the scripts and code in this test all draw on their content, and I thank the original authors.
6. Attachments
- Source code
https://gitee.com/dgatiger/springboot-keycloak
https://github.com/dgatiger/springboot-keycloak
- References
https://my.oschina.net/shicheng2014/blog/3011456
https://www.lanhusoft.com/Article/740.html
https://www.lanhusoft.com/article/741.html