This article covers Keycloak SSL setup with the Docker image (HTTPS access to a Docker container) and also touches on a Docker Keycloak MySQL volume that does not keep its data, where Docker (1.9.1) stores downloaded images on Mac OS X, and running Docker (Spring Boot or Thorntail) together with Keycloak.

Contents:
- Keycloak SSL setup with the Docker image (docker ssl access)
- Docker Keycloak MySQL volume does not keep data
- Location of Docker images downloaded by Docker (1.9.1) on Mac OS X
- Docker (Spring Boot or Thorntail) and Keycloak
Keycloak SSL setup with the Docker image (docker ssl access)

I am trying to deploy Keycloak with the Docker image (https://hub.docker.com/r/jboss/keycloak/, version 4.5.0-Final) and am running into problems setting up SSL.

According to the documentation:

The Keycloak image allows you to specify both a private key and a certificate for serving HTTPS. In that case you need to provide two files:
tls.crt - the certificate
tls.key - the private key
These files need to be mounted in the /etc/x509/https directory. The image will automatically convert them into a Java keystore and reconfigure Wildfly to use it.

I followed the given steps and provided a folder containing the necessary files (tls.crt and tls.key) to the volume mount setting, but I am facing an SSL handshake problem: the browser reports
ERR_SSL_VERSION_OR_CIPHER_MISMATCH
and blocks the page from loading when I try to access it.

I used Let's Encrypt to generate the pem files and openssl to create the .crt and .key files. I also tried creating these files with openssl alone to narrow the problem down, and the behaviour is the same.

Some additional information, in case it matters: by default, when I only specify the port binding -p 8443:8443 and do not mount the certificate volume at /etc/x509/https, the Keycloak server generates a self-signed certificate and I see no problem when viewing the application in the browser.

I guess this may be a certificate creation problem rather than something specific to Keycloak, but I am not sure how to make it work. Any help is appreciated.
Answer 1

I also ran into the ERR_SSL_VERSION_OR_CIPHER_MISMATCH error when using the jboss/keycloak Docker image with a free certificate from Let's Encrypt, even after following the suggestions in other comments. I now have a working (and rather simple) setup that may help you too.
1) Generate the Let's Encrypt certificate

First I generated a Let's Encrypt certificate for the domain sub.example.com using certbot. You can find detailed instructions and alternative ways of obtaining certificates at https://certbot.eff.org/ and in the user guide at https://certbot.eff.org/docs/using.html.

$ sudo certbot certonly --standalone
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Please enter in your domain name(s) (comma and/or space separated)  (Enter 'c' to cancel): sub.example.com
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for sub.example.com
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/sub.example.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/sub.example.com/privkey.pem
   Your cert will expire on 2020-01-27. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
2) Prepare the docker-compose environment

I run Keycloak via Docker using docker-compose. The configuration and data files are stored under the path /srv/docker/keycloak/.
- the folder config contains docker-compose.yml
- the folder data/certs contains the certificates I generated with Let's Encrypt
- the folder data/keycloak_db is mapped into the database container to make its data persistent
Put the certificate files in the right place

When I initially had problems with the original Let's Encrypt certificates in Keycloak, I tried the workaround of converting the certificates into another format, as described in the comments of the previous answer, which also failed. Eventually I realised that my problem was caused by the permissions set on the mapped certificate files.

So what worked for me was simply copying and renaming the files provided by Let's Encrypt and then mounting them into the container.

$ cp /etc/letsencrypt/live/sub.example.com/fullchain.pem /srv/docker/keycloak/data/certs/tls.crt
$ cp /etc/letsencrypt/live/sub.example.com/privkey.pem /srv/docker/keycloak/data/certs/tls.key
$ chmod 755 /srv/docker/keycloak/data/certs/
$ chmod 604 /srv/docker/keycloak/data/certs/*
docker-compose.yml

In my case I needed to use the Docker host's network. This is not best practice and should not be necessary in your case. Please see the documentation at hub.docker.com/r/jboss/keycloak/ for information about the configuration parameters.

version: '3.7'
networks:
  default:
    external:
      name: host
services:
  keycloak:
    container_name: keycloak_app
    image: jboss/keycloak
    depends_on:
      - mariadb
    restart: always
    ports:
      - "8080:8080"
      - "8443:8443"
    volumes:
      - "/srv/docker/keycloak/data/certs/:/etc/x509/https"  # map certificates to container
    environment:
      KEYCLOAK_USER: <user>
      KEYCLOAK_PASSWORD: <pw>
      KEYCLOAK_HTTP_PORT: 8080
      KEYCLOAK_HTTPS_PORT: 8443
      KEYCLOAK_HOSTNAME: sub.example.com
      DB_VENDOR: mariadb
      DB_ADDR: localhost
      DB_USER: keycloak
      DB_PASSWORD: <pw>
    network_mode: host
  mariadb:
    container_name: keycloak_db
    image: mariadb
    volumes:
      - "/srv/docker/keycloak/data/keycloak_db:/var/lib/mysql"
    restart: always
    environment:
      MYSQL_ROOT_PASSWORD: <pw>
      MYSQL_DATABASE: keycloak
      MYSQL_USER: keycloak
      MYSQL_PASSWORD: <pw>
    network_mode: host
Final directory setup

This is what my final file and folder setup looks like.

$ cd /srv/docker/keycloak/
$ tree
.
├── config
│   └── docker-compose.yml
└── data
    ├── certs
    │   ├── tls.crt
    │   └── tls.key
    └── keycloak_db
Start the containers

Finally I was able to start my software using docker-compose.

$ cd /srv/docker/keycloak/config/
$ sudo docker-compose up -d

We can double-check the mounted certificates inside the container.

## open internal shell of keycloak container
$ sudo docker exec -it keycloak_app /bin/bash
## open directory of certificates
$ cd /etc/x509/https/
$ ll
-rw----r-- 1 root root 3586 Oct 30 14:21 tls.crt
-rw----r-- 1 root root 1708 Oct 30 14:20 tls.key

Given the settings from docker-compose.yml, Keycloak is now available at https://sub.example.com:8443.
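The answer above traced the handshake error to file permissions on the mounted certificate directory, and its `ll` output shows the files at mode 604 (-rw----r--), i.e. the private key is readable by every user on the host. The script below is an added example, not part of the answer or of the jboss/keycloak image: it pre-checks a directory before it is bind-mounted at /etc/x509/https (both files present, both PEM, key not world-readable, key actually belonging to the certificate) and shows the stricter alternative to `chmod 604`. It assumes the image runs Keycloak as uid 1000 (the page does not state this; adjust KEYCLOAK_UID if your image differs), and check_tls_dir, key_matches_cert and fix_tls_perms are this example's own names.

```shell
#!/bin/sh
# Added example: pre-flight checks for the directory that gets bind-mounted at
# /etc/x509/https in the jboss/keycloak image.
# Assumption (not stated on the page): the container runs Keycloak as uid 1000,
# so that uid must be able to read tls.key without the key being world-readable.

KEYCLOAK_UID=1000   # assumed in-container uid of the Keycloak process

# check_tls_dir DIR -> 0 if DIR is safe to mount, 1 otherwise (reasons on stderr)
check_tls_dir() {
  dir=$1
  rc=0
  for f in tls.crt tls.key; do
    if [ ! -f "$dir/$f" ]; then
      echo "missing $dir/$f" >&2
      rc=1
    fi
  done
  [ "$rc" -eq 0 ] || return 1

  # The image converts PEM input into a Java keystore; DER or PKCS#12 blobs
  # placed under these names are not what it expects.
  if ! grep -q -- '-----BEGIN CERTIFICATE-----' "$dir/tls.crt"; then
    echo "tls.crt is not a PEM certificate" >&2
    rc=1
  fi
  if ! grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$dir/tls.key"; then
    echo "tls.key is not a PEM private key" >&2
    rc=1
  fi

  # A key readable by "other" (mode 604, 644, ...) is readable by every local
  # user and by every other container that mounts the same host path.
  if [ -n "$(find "$dir/tls.key" -perm -004)" ]; then
    echo "tls.key is world-readable" >&2
    rc=1
  fi
  return "$rc"
}

# key_matches_cert DIR -> 0 if the public key inside tls.crt equals the one
# derived from tls.key (requires openssl). A mismatch after copying or renaming
# files by hand is another classic cause of handshake failures.
key_matches_cert() {
  dir=$1
  crt_pub=$(openssl x509 -noout -pubkey -in "$dir/tls.crt") || return 1
  key_pub=$(openssl pkey -pubout -in "$dir/tls.key") || return 1
  [ "$crt_pub" = "$key_pub" ]
}

# fix_tls_perms DIR: the stricter alternative to "chmod 604": give the files to
# the container uid and remove all access for everyone else. Needs root on the
# Docker host, so it is not exercised by the tests.
fix_tls_perms() {
  dir=$1
  chmod 755 "$dir"
  chown "$KEYCLOAK_UID" "$dir/tls.crt" "$dir/tls.key"
  chmod 644 "$dir/tls.crt"
  chmod 400 "$dir/tls.key"
}

# Usage on the host: ./check_tls_mount.sh /srv/docker/keycloak/data/certs
if [ -n "$1" ]; then
  check_tls_dir "$1" && key_matches_cert "$1" && echo "ok: $1 is ready to mount"
fi
```

Run it before `docker-compose up`; if the only complaint is "tls.key is world-readable", run fix_tls_perms on the directory as root and re-check. Let's Encrypt renewals replace the files under /etc/letsencrypt/live, so the copy step and this check need to be repeated (or scripted as a certbot deploy hook) on every renewal.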
Docker Keycloak MySQL volume does not keep data

How do I solve the problem of a Docker Keycloak MySQL volume not keeping its data?

I am trying to use a Keycloak and a MySQL container to store the users who access my website. My docker-compose.yml file currently looks like this:
version: "3.7"
services:
  mysql:
    image: mysql:5.7.34
    container_name: mysql
    ports:
      - "3306:3306"
    environment:
      - MYSQL_DATABASE=keycloak
      - MYSQL_USER=keycloak
      - MYSQL_PASSWORD=password
      - MYSQL_ROOT_PASSWORD=root_password
    healthcheck:
      test: "mysqladmin ping -u root -p$${MYSQL_ROOT_PASSWORD}"
      start_period: 10s
    volumes:
      - ./mysqldata:/var/log/mysql
  keycloak:
    image: jboss/keycloak:14.0.0
    container_name: keycloak
    environment:
      - KEYCLOAK_USER=admin
      - KEYCLOAK_PASSWORD=admin
      - DB_VENDOR=mysql
      - DB_ADDR=mysql
      - DB_USER=keycloak
      - DB_PASSWORD=password
      - JDBC_PARAMS=useSSL=false
    ports:
      - "8080:8080"
    depends_on:
      - mysql
    healthcheck:
      test: "curl -f http://localhost:8080/auth || exit 1"
      start_period: 20s
volumes:
  mysqldata:
(Obviously, the passwords will be changed before going to production.)

My problem is that no matter what I do, I cannot get the data generated through the Keycloak UI to persist between docker-compose up and down commands. For example, creating a new user puts it into the database, but after restarting the containers the user is gone. Inspecting the volume folder both on the host and inside the container shows empty folders.
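The compose file in the question contains two defects that together explain the symptom, and the corrected file below is an added example, not something the question's author posted. First, the bind mount `./mysqldata:/var/log/mysql` targets MySQL's log directory; the server's data files live in /var/lib/mysql, which is therefore left on the container's anonymous volume and discarded by every `docker-compose down`. Second, the top-level `volumes: mysqldata:` declares a named volume that no service references, which is also why the folder inspected on the host stays empty. The version below points the named volume at /var/lib/mysql. It additionally drops the host-side port 3306 (Keycloak reaches MySQL over the compose network by service name, so nothing outside needs it); restore that line if you rely on local access. Passwords are the question's placeholders.

```yaml
version: "3.7"
services:
  mysql:
    image: mysql:5.7.34
    container_name: mysql
    # no "ports:" entry: only the keycloak service needs to reach MySQL,
    # and it does so over the compose network using the service name "mysql"
    environment:
      - MYSQL_DATABASE=keycloak
      - MYSQL_USER=keycloak
      - MYSQL_PASSWORD=password
      - MYSQL_ROOT_PASSWORD=root_password
    healthcheck:
      test: "mysqladmin ping -u root -p$${MYSQL_ROOT_PASSWORD}"
      start_period: 10s
    volumes:
      - mysqldata:/var/lib/mysql   # the data directory, not /var/log/mysql
  keycloak:
    image: jboss/keycloak:14.0.0
    container_name: keycloak
    environment:
      - KEYCLOAK_USER=admin
      - KEYCLOAK_PASSWORD=admin
      - DB_VENDOR=mysql
      - DB_ADDR=mysql
      - DB_USER=keycloak
      - DB_PASSWORD=password
      - JDBC_PARAMS=useSSL=false   # plaintext JDBC; acceptable only because the link stays inside the compose network
    ports:
      - "8080:8080"
    depends_on:
      - mysql
    healthcheck:
      test: "curl -f http://localhost:8080/auth || exit 1"
      start_period: 20s
volumes:
  mysqldata:   # the named volume is now actually used by the mysql service
```

To confirm the fix, create a user in the Keycloak admin console, run `docker-compose down` followed by `docker-compose up -d`, and check that the user is still there; `docker volume ls` should list a volume named after the project and `mysqldata`. If you prefer a host directory you can inspect directly, keep the bind-mount form but change the container path to /var/lib/mysql.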
Location of Docker images downloaded by Docker (1.9.1) on Mac OS X

Where do Docker images downloaded from Docker Hub end up on Mac OS X? For example, if I run the following command:
docker run hello-world
the image is downloaded and the container runs, but where is the image located on my system?

Note: the question "Where are Docker images stored on the host machine?" mostly has answers concerning Linux machines. The Mac OS X answer there assumes boot2docker is used alongside the Docker installation, which is not the case for me.

Solution

For users running Docker Toolbox (which uses docker-machine), the answer about boot2docker on Mac OS X does not apply. The docker-machine VM is called "default" and lives in the directory /Users/<username>/.docker/machine/machines/default/.

Note: I also added this answer to the question "Where are Docker images stored on the host machine?", but I am answering here as well so that people looking specifically for Mac OS X and newer versions of Docker can find it.
Docker (Spring Boot or Thorntail) and Keycloak

I have a problem running both Spring Boot and Keycloak in Docker containers.

I started by running Keycloak with MySQL as the database in Docker.
services:
  mysql:
    image: mysql:5.7
    container_name: mysql
    volumes:
      - mysql_data:/var/lib/mysql
    environment:
      MYSQL_ROOT_PASSWORD: root
      MYSQL_DATABASE: keycloak
      MYSQL_USER: keycloak
      MYSQL_PASSWORD: password
    networks:
      - testNetwork
  keycloak:
    image: jboss/keycloak
    container_name: keycloak
    restart: on-failure
    volumes:
      - ./config:/config/
    environment:
      DB_VENDOR: MYSQL
      DB_ADDR: mysql
      DB_DATABASE: keycloak
      DB_USER: keycloak
      DB_PASSWORD: password
      KEYCLOAK_USER: xxx
      KEYCLOAK_PASSWORD: yyy
      KEYCLOAK_IMPORT_REALM: /keycloak/import/realm-import.json
    ports:
      - 8180:8080
    depends_on:
      - mysql
    networks:
      - testNetwork
Then I added my realm (SpringBootKeycloak), my client (testclient) and a user with the role 'user'. After that I added spring-security to my Spring Boot application and edited my application.yml:
spring:
  main:
    banner-mode: 'off'
  application:
    name: testclient
    version: @project.version@
  jpa:
    hibernate:
      ddl-auto: create
  datasource:
    url: jdbc:h2:mem:testclient;DB_CLOSE_DELAY=-1;DB_CLOSE_ON_EXIT=FALSE
    username: xxx
    password: xxx
keycloak:
  auth-server-url: http://localhost:8180/auth
  realm: SpringBootKeycloak
  resource: testclient
  public-client: true
  principal-attribute: preferred_username
  security-constraints:
    - authRoles:
        - user
      securityCollections:
        - patterns:
            - /*
server:
  port: ${port:8090}
rest:
  path: testclient
Accordingly I added my SecurityConfig:
/**
 * Secure appropriate endpoints
 */
@Override
protected void configure(HttpSecurity http) throws Exception {
    super.configure(http);
    http.authorizeRequests()
        .antMatchers("/*").hasRole("user") // only users with role "user" are allowed to access
        .anyRequest().permitAll();
}
Running the Spring Boot application locally works fine: I have to log in with Keycloak and am redirected to localhost:8090. But when I add the Spring Boot application to my docker-compose and start it in a container, I still get to Keycloak to log in, but when I should be redirected I get a 403.
testclient:
  image: testclient
  container_name: testclient
  environment:
    JAVA_OPTS: "-agentlib:jdwp=transport=dt_socket,address=5005,server=y,suspend=n"
  build:
    context: testclient-application
  ports:
    - 8090:8090
    - 5006:5005
  networks:
    - testNetwork
with the following container log:
{"@timestamp":"2018-08-16T11:50:11.530+00:00","@version":"1","message":"failed to turn code into token","logger_name":"org.keycloak.adapters.OAuthRequestAuthenticator","thread_name":"http-nio-8090-exec-6","level":"ERROR","level_value":40000,"stack_trace":"java.net.ConnectException: Connection refused (Connection refused)\n\tat java.net.PlainSocketImpl.socketConnect(Native Method)\n\tat java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:350)\n\tat java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:206)\n\tat java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:188)\n\tat java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392)\n\tat java.net.Socket.connect(Socket.java:589)\n\tat org.apache.http.conn.scheme.PlainSocketFactory.connectSocket(PlainSocketFactory.java:121)\n\tat org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:180)\n\tat org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:144)\n\tat org.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:134)\n\tat org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:610)\n\tat org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:445)\n\tat org.apache.http.impl.client.AbstractHttpClient.doExecute(AbstractHttpClient.java:835)\n\tat org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:83)\n\tat org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:108)\n\tat org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:56)\n\tat org.keycloak.adapters.ServerRequest.invokeAccessCodeToToken(ServerRequest.java:111)\n\tat org.keycloak.adapters.OAuthRequestAuthenticator.resolveCode(OAuthRequestAuthenticator.java:336)\n\tat 
org.keycloak.adapters.OAuthRequestAuthenticator.authenticate(OAuthRequestAuthenticator.java:281)\n\tat org.keycloak.adapters.RequestAuthenticator.authenticate(RequestAuthenticator.java:139)\n\tat org.keycloak.adapters.tomcat.AbstractKeycloakAuthenticatorValve.authenticateInternal(AbstractKeycloakAuthenticatorValve.java:203)\n\tat org.keycloak.adapters.tomcat.KeycloakAuthenticatorValve.authenticate(KeycloakAuthenticatorValve.java:50)\n\tat org.keycloak.adapters.tomcat.KeycloakAuthenticatorValve.doAuthenticate(KeycloakAuthenticatorValve.java:57)\n\tat org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:575)\n\tat org.keycloak.adapters.tomcat.AbstractKeycloakAuthenticatorValve.invoke(AbstractKeycloakAuthenticatorValve.java:181)\n\tat org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:140)\n\tat org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:81)\n\tat org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87)\n\tat org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:342)\n\tat org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:800)\n\tat org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)\n\tat org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:800)\n\tat org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1471)\n\tat org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)\n\tat java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)\n\tat java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)\n\tat org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)\n\tat java.lang.Thread.run(Thread.java:748)\n","app":"testclient","version":"1.0.0-SNAPSHOT"}
I don't know how to solve this...

Edit 1: more information: I am running Docker on Windows.

Edit 2: a solution

My working solution consists of the following:

Step 1: add keycloak as a host

To make things work, you need to make sure to add the following to your hosts file (/etc/hosts on Mac/Linux, c:\Windows\System32\Drivers\etc\hosts on Windows):
127.0.0.1 keycloak
This is because you will access your application with a browser on your machine (whose name is localhost, or 127.0.0.1), but inside Docker it will run in its own container, whose name is keycloak.

Step 2: the internal Docker port and the published port must be the same:
services:
  mysql:
    image: mysql:5.7
    container_name: mysql
    volumes:
      - mysql_data:/var/lib/mysql
    environment:
      MYSQL_ROOT_PASSWORD: root
      MYSQL_DATABASE: keycloak
      MYSQL_USER: keycloak
      MYSQL_PASSWORD: password
    networks:
      - testNetwork
  keycloak:
    image: jboss/keycloak
    container_name: keycloak
    restart: on-failure
    volumes:
      - ./config:/config/
    environment:
      DB_VENDOR: MYSQL
      DB_ADDR: mysql
      DB_DATABASE: keycloak
      DB_USER: keycloak
      DB_PASSWORD: password
      KEYCLOAK_USER: xxx
      KEYCLOAK_PASSWORD: yyy
      KEYCLOAK_IMPORT_REALM: /keycloak/import/realm-import.json
    ports:
      - 8080:8080   # <--- edited
    depends_on:
      - mysql
    networks:
      - testNetwork
Step 3: the keycloak section of application.yml for Spring Boot, with the auth-server-url edited:
keycloak:
  realm: SpringBootKeycloak
  auth-server-url: http://keycloak:8080/auth   # <--- edited
  resource: testclient
  public-client: true
  security-constraints:
    - authRoles:
        - user
      securityCollections:
        - patterns:
            - /*
  ssl-required: external
  confidential-port: 0
The ugly thing about this solution: you cannot map the Docker port to another port for access from the URL (ports: - 8080:8080). I spent a lot of time testing other combinations, and the result is that the access URL port must be the same as the internal Docker port (8080 in my case).

Edit 4:

The same thing works with Thorntail.

To change Keycloak's port, add...
environment:
  JAVA_OPTS: "-Djboss.socket.binding.port-offset=10 -Xms64m -Xmx512m -XX:MetaspaceSize=96M -XX:MaxMetaspaceSize=256m -Djava.net.preferIPv4Stack=true -Djboss.modules.system.pkgs=org.jboss.byteman -Djava.awt.headless=true"
...for keycloak in docker-compose. -Djboss.socket.binding.port-offset=10 sets the default port (8080) plus the offset (10); the rest are Keycloak's defaults. Don't forget to edit "ports" and "auth-server-url" as well.
Solution:

I think your problem is auth-server-url: http://localhost:8180/auth. When your application runs in a Docker container, localhost actually has a different meaning.

Inside the container it needs to be the name of the container, i.e. keycloak. This is a bit awkward, because when you connect to Keycloak from the host you want to use localhost, but the token issuer URL needs to match the URL from which the token was requested (otherwise the token is rejected), so you end up having to put keycloak into your etc/hosts file.

You are in good company with this problem - I ran into it working with Activiti. You can find the JHipster project dealing with it in the same way - they say:

To make things work, you'll need to make sure to add the following to your hosts file (/etc/hosts on Mac/Linux, c:\Windows\System32\Drivers\etc\hosts on Windows).
127.0.0.1 keycloak
This is because you will access your application with a browser on your machine (which name is localhost, or 127.0.0.1), but inside Docker it will run in its own container, which name is keycloak.
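The answer rests on one check that the Keycloak Java adapter performs and that the question's Edit 2 works around with a hosts entry and identical ports: the token's `iss` claim must equal `<auth-server-url>/realms/<realm>` as configured in application.yml. Keycloak puts the URL the browser actually used into `iss`, so a token minted through http://localhost:8180/auth is rejected by an adapter configured with http://keycloak:8080/auth, even after the code-to-token exchange stops failing with "Connection refused". The script below is an added example, not code from the question, the answer or the Keycloak project: it reproduces that comparison in shell. The token it decodes is constructed locally and unsigned (alg "none"), purely as a fixture, and b64url, b64url_decode, make_unsigned_jwt, jwt_issuer, expected_issuer and issuer_matches are this example's own names.

```shell
#!/bin/sh
# Added example: the issuer comparison behind "the token issuer URL must match".
# The JWT built here is an unsigned fixture; real adapters reject alg "none".

b64url() {            # stdin -> base64url without padding
  base64 | tr -d '\n=' | tr -- '+/' '-_'
}

b64url_decode() {     # base64url on stdin -> raw bytes
  in=$(cat | tr -- '_-' '/+')
  pad=$(( (4 - ${#in} % 4) % 4 ))       # restore the '=' padding base64 -d expects
  while [ "$pad" -gt 0 ]; do in="$in="; pad=$((pad - 1)); done
  printf '%s' "$in" | base64 -d
}

# make_unsigned_jwt ISSUER -> header.payload. (empty signature) with the given iss
make_unsigned_jwt() {
  hdr=$(printf '%s' '{"alg":"none","typ":"JWT"}' | b64url)
  pl=$(printf '{"iss":"%s","sub":"user","azp":"testclient"}' "$1" | b64url)
  printf '%s.%s.' "$hdr" "$pl"
}

# jwt_issuer TOKEN -> value of the "iss" claim (payload is the second dot-separated part)
jwt_issuer() {
  payload=$(printf '%s' "$1" | cut -d. -f2)
  printf '%s' "$payload" | b64url_decode | sed -n 's/.*"iss":"\([^"]*\)".*/\1/p'
}

# expected_issuer AUTH_SERVER_URL REALM -> the issuer the adapter demands:
# auth-server-url (without a trailing slash) + /realms/ + realm
expected_issuer() {
  printf '%s/realms/%s' "${1%/}" "$2"
}

# issuer_matches TOKEN AUTH_SERVER_URL REALM -> 0 when the adapter would accept the issuer
issuer_matches() {
  [ "$(jwt_issuer "$1")" = "$(expected_issuer "$2" "$3")" ]
}

# Demo of the situation in the question: the browser reached Keycloak at
# localhost:8180 (published port), the adapter inside the testclient container
# is configured with the in-network name keycloak:8080.
token=$(make_unsigned_jwt "http://localhost:8180/auth/realms/SpringBootKeycloak")
if issuer_matches "$token" "http://keycloak:8080/auth" SpringBootKeycloak; then
  echo "issuer accepted"
else
  echo "issuer rejected: token says $(jwt_issuer "$token"), adapter expects $(expected_issuer http://keycloak:8080/auth SpringBootKeycloak)"
fi
```

Running it prints the rejection. The hosts entry plus identical ports make both strings `http://keycloak:8080/auth/realms/SpringBootKeycloak`, which is why the asker's Step 1 and Step 2 only work together; on a real deployment the same comparison is what you check first when a 403 follows a successful login. Newer jboss/keycloak images can also pin the issuer via the KEYCLOAK_FRONTEND_URL environment variable, which removes the need for matching ports.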