0

我正在使用带有用于 Oauth2 的 keycloak 适配器的 Spring Boot 2.6.3,在带有文件上传或多部分文件上传的端点上,所有部分都是空的,并且控制器在没有使用 KeycloakWebSecurityConfigurerAdapter 的项目上接收 null 作为 MultipartFile 文件值,它可以解决盒子。

有趣的是,如果我手动调用 ((HttpServletRequest) request).getParts(); 在调用控制器之前的最后一个过滤器中,部件设置正常。

对此有任何线索吗?

我的安全配置

  @KeycloakConfiguration
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class SecurityConfig extends KeycloakWebSecurityConfigurerAdapter {

    private final String swaggerUrl;
    private final CorsFilter corsFilter;
    private final CustomSecurityConfig customSecurityConfig;


    @Autowired
    public SecurityConfig(
            @Value("${springdoc.swagger-ui.url:#{null}}") String swaggerUrl,
            CorsFilter corsFilter,
            CustomSecurityConfig customSecurityConfig) {
        this.swaggerUrl = swaggerUrl;
        this.corsFilter = corsFilter;
        this.customSecurityConfig = customSecurityConfig;
    }

    @Bean
    public FilterRegistrationBean keycloakAuthenticationProcessingFilterRegistrationBean(KeycloakAuthenticationProcessingFilter filter) {
        FilterRegistrationBean registrationBean = new FilterRegistrationBean(filter);
        registrationBean.setEnabled(false);
        return registrationBean;
    }

    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) {
        KeycloakAuthenticationProvider keycloakProvider = keycloakAuthenticationProvider();
        keycloakProvider.setGrantedAuthoritiesMapper(new SimpleAuthorityMapper());
        auth.authenticationProvider(keycloakProvider);
    }

    @Override
    public void configure(WebSecurity web) {
        if (Objects.nonNull(swaggerUrl)) {
            web.ignoring().antMatchers(
                    "/**/swagger-ui.html",
                    "/**/swagger-ui/**",
                    "/**/api-docs/**",
                    "/**" + swaggerUrl,
                    "/error");
        }
    }

    @Bean
    @Override
    protected SessionAuthenticationStrategy sessionAuthenticationStrategy() {
        return new NullAuthenticatedSessionStrategy();
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        super.configure(http);
        http.addFilterBefore(corsFilter, ChannelProcessingFilter.class).csrf().disable();
        http.requestMatcher(new NegatedRequestMatcher(new AntPathRequestMatcher("/actuator/**")));
        http.headers().frameOptions().disable()
                .and()
                .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                .and()
                .authorizeRequests()
                .antMatchers("/public/**", "/resources/**", "/resources/public/**").permitAll()
                .antMatchers(OPTIONS, "/**").permitAll();

        if (Objects.nonNull(swaggerUrl)) {
            http.authorizeRequests()
                    .antMatchers(
                            "/**/swagger-ui.html",
                            "/**/swagger-ui/**",
                            "/**/v3/api-docs/**",
                            "/**" + swaggerUrl,
                            "/error")
                    .permitAll();
        }

        customSecurityConfig.configureEndpointSecurity(http);

    }
}
4

0 回答 0