Spring Boot Management 安全性与端口集的工作方式不同 [英] Spring Boot Management security works differently with port set

问题描述

我正在尝试使用 Actuator 支持配置 Spring Boot 应用程序(1.2.3，但这在 1.2.4.BUILD-SNAPSHOT 版本中也失败).我想使用 Actuator 安全配置来控制对管理端点的访问，并对应用程序的其余部分进行我们自己的身份验证.

I'm trying to configure a Spring Boot application (1.2.3, but this also fails with the 1.2.4.BUILD-SNAPSHOT version) with Actuator support. I want to use the Actuator security config for controlling access to the management endpoints, and our own authentication for the rest of the application.

这是我的安全配置:

@Configuration
@EnableWebSecurity
@Order(SecurityProperties.ACCESS_OVERRIDE_ORDER)
public class SecurityConfiguration extends WebSecurityConfigurerAdapter
{

    @Autowired
    private CustomAuthenticationProvider customAuthProvider;

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception
    {
        auth.authenticationProvider(customAuthProvider);
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception
    {
        http
            .authorizeRequests()
            .regexMatchers(API_DOC_REGEX).permitAll()
            .regexMatchers(String.format(PATH_REGEX, PUBLIC_ACCESS)).permitAll()
            .regexMatchers(String.format(PATH_REGEX, INTERNAL_ACCESS)).access("isAuthenticated() && authentication.hasOrigin('INTERNAL')")
            .regexMatchers(String.format(PATH_REGEX, EXTERNAL_AUTHENTICATED_ACCESS)).authenticated()
            .antMatchers("/**").denyAll()
            .and()
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.NEVER)
            .and()
            .addFilterAfter(customAuthProcessingFilter(), BasicAuthenticationFilter.class)
            .csrf().disable();
    }

}

当我没有设置管理端口时这可以正常工作，但是当我设置管理端口时，管理 URL 返回 401 响应.如果我注释掉 .antMatchers("/**").denyAll() 行，那么一切都会通过，根本不需要身份验证.因此，当我设置自定义端口时，它看起来像是将我的应用程序的安全配置用于 Actuator 端点，但我不确定为什么.

This works correctly when I don't set a management port, but when I set the management port, the management URLs return 401 responses. If I comment out the line .antMatchers("/**").denyAll(), then everything goes through without requiring authentication at all. So it looks like it is using my application's security config for the Actuator endpoints when I set a custom port, but I'm not sure why.

如何让它在自定义端口上运行时使用它自己的安全性?

How do I get it to use it's own security when running on a custom port?

推荐答案

扩展来自 @M 的评论.Deinum，为管理内容添加另一个适配器(即使它已经有一个)似乎已经修复了它.这是我最后的课程:

Expanding on the comment from @M. Deinum, adding another adapter for the Management stuff (even though it already has one) seems to have fixed it. This is the class I ended up with:

@Order(0)
@Configuration
public class ManagementSecurityConfig extends WebSecurityConfigurerAdapter
{

    @Autowired
    ManagementServerProperties managementProperties;

    @Override
    protected void configure(HttpSecurity http) throws Exception
    {
        http
                .requestMatchers()
                .requestMatchers(new RequestMatcher()
                {

                    @Override
                    public boolean matches(HttpServletRequest request)
                    {
                        return managementProperties.getContextPath().equals(request.getContextPath());
                    }
                })
                .and()
                .authorizeRequests()
                .anyRequest().hasRole("ADMIN")
                .and()
                .httpBasic();
    }
}

这篇关于Spring Boot Management 安全性与端口集的工作方式不同的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！