Spring boot oauth2 管理 httpbasic 认证 [英] Spring boot oauth2 management httpbasic authentication

问题描述

我有一个使用 oauth2 进行身份验证的 Spring Boot 应用程序.oauth2 机制正在发挥作用，客户端可以进行身份​​验证并接收其访问令牌.

I've got a spring boot application that uses oauth2 for authentication. The oauth2 mechanism is working and clients can authenticate and receive their access tokens.

我想使用 httpbasic 身份验证保护执行器端点，即不要求用户首先使用 oauth2 进行身份验证，然后访问执行器端点.到目前为止，我所做的是在属性文件中设置以下内容:

I want to secure the actuators endpoints with httpbasic authentication, i.e. not requiring the user to first use oauth2 for authentication and then access the actuator endpoints. What i've done so far is to set the following in properties file:

management.context-path=/admin/actuators
management.security.enabled=true
management.security.role=ADMIN

security.user.name=admin
security.user.password=password

我尝试了各种方法来使用 ResourceServerConfigurerAdapter 和 WebSecurityConfigurerAdapter 设置配置.

I've tried various ways to set configuration with a ResourceServerConfigurerAdapter and WebSecurityConfigurerAdapter.

我的尝试都没有奏效，它一直在告诉我

None of my attempts are working and it keeps on telling me

<oauth>
<error_description>
Full authentication is required to access this resource
</error_description>
<error>unauthorized</error>
</oauth>

让 OAUTH2 和管理端点正常工作的正确方法是什么?

What is the correct way to get OAUTH2 and the management endpoint to work?

推荐答案

好的，使用以下 java 配置让它工作.

Ok, got it to work using the following java config.

端点/admin/actuators/health 可供任何人访问，所有其他/admin/actuators/* 端点都经过身份验证.

The endpoint, /admin/actuators/health, is accessible by anyone and all other /admin/actuators/* endpoints are authenticated.

@Configuration
@Order(1)
protected static class ApiWebSecurityConfigurationAdapter extends WebSecurityConfigurerAdapter {
    protected void configure(HttpSecurity http) throws Exception {

        http
                .authorizeRequests()
                .antMatchers(HttpMethod.GET, "/admin/actuators/health").permitAll()
            .and()
                .antMatcher("/admin/actuators/**")
                .authorizeRequests()
                .anyRequest()
                .hasRole("ADMIN")
                .and()
                .httpBasic();
    }
}

这篇关于Spring boot oauth2 管理 httpbasic 认证的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！