春季安全休息api没有安全keycouak

Question

我已经整合了keycloak与传统的春季应用程序。我已将keycloak spring安全适配器添加到我的pom.xml文件并添加了安全配置。完成所有工作后，我可以在没有令牌的情况下访问其余的api。我如何解决这个问题？

@Configuration 
@EnableWebSecurity 
@ComponentScan(basePackageClasses = KeycloakSecurityComponents.class) 
public class SecurityConfig extends KeycloakWebSecurityConfigurerAdapter 
{ 
    /** 
    * Registers the KeycloakAuthenticationProvider with the authentication manager. 
    */ 
    @Autowired 
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception { 
     auth.authenticationProvider(keycloakAuthenticationProvider()); 
    } 

    /** 
    * Defines the session authentication strategy. 
    */ 
    @Bean 
    @Override 
    protected SessionAuthenticationStrategy sessionAuthenticationStrategy() { 
     return new RegisterSessionAuthenticationStrategy(new SessionRegistryImpl()); 
    } 

    @Override 
    protected void configure(HttpSecurity http) throws Exception 
    { 
     super.configure(http); 
     http 
       .authorizeRequests() 
       .antMatchers("/school-admin*").hasRole("ADMIN") 
       .anyRequest().permitAll(); 
    } 
} 

keycloak.json

{ 
    "realm": "appscook", 
    "bearer-only": true, 
    "auth-server-url": "http://localhost:8080/auth", 
    "ssl-required": "external", 
    "resource": "ssd-backend" 
} 

阿比

@RequestMapping(value="/hello",method=RequestMethod.GET) 
    @ResponseBody 
    public String getStandards(){ 
     return "hello"; 
    } 

Answer 1

“/你好” 不匹配 “”/学校管理员*”在你的配置方法指定。

Answer 2

请问ry，以下配置功能。

@Override 
protected void configure(HttpSecurity http) throws Exception { 
     super.configure(http); 
     http.authorizeRequests() 
      .anyRequest().fullyAuthenticated(); 
} 

您也可以使用，@PreAuthorize（ “hasRole（ '管理员'）”）上的控制器的功能注释，用下面的Spring配置;

@EnableGlobalMethodSecurity(prePostEnabled = true) 
public class SecurityConfig extends KeycloakWebSecurityConfigurerAdapter