配置执行器端点安全 [英] Configure actuator endpoints security
问题描述
Spring Boot Actuator Endpoints 默认受基本的 http 安全保护.
The Spring Boot Actuator Endpoints are by default protected by basic http security.
这可以更改为使用 Spring Security 吗?我已成功设置 Spring Security 并使用它来保护我的其他页面.
Can this be changed to use Spring Security? I've setup Spring Security successfully and use this to protect my other pages.
我尝试了 security.basic.enabled: false 并在我的授权请求中添加了 .antMatchers("/manage/**").hasRole("ADMIN")(注意我使用不同的 url 作为端点的根)但这没有帮助.我不断收到一个基本的 http auth 日志,它没有在 AuthenticationManager 中配置用户.
I tried security.basic.enabled: false and adding .antMatchers("/manage/**").hasRole("ADMIN") in my authorize requests (note I'm using a different url as root for the endpoints) but this didn't help.
I keep getting a basic http auth log, which does not users configured in the AuthenticationManager.
有什么想法吗?
编辑 - 提供更多细节 -
我的 Application.java 看起来像:
My Application.java looks like:
@Configuration
@ComponentScan
@EnableAutoConfiguration
public class Application extends WebMvcConfigurerAdapter {
public static void main(String[] args) {
SpringApplication.run(Application.class, args);
}
@Override
public void addViewControllers(ViewControllerRegistry registry) {
registry.addViewController("/app").setViewName("app/index");
registry.addViewController("/app/login").setViewName("app/login");
}
@Bean
public ApplicationSecurity applicationSecurity() {
return new ApplicationSecurity();
}
@Order(Ordered.LOWEST_PRECEDENCE - 8)
protected static class ApplicationSecurity extends WebSecurityConfigurerAdapter {
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
// @formatter:off
auth.inMemoryAuthentication()
.withUser("test1")
.password("test1pw")
.roles("USER", "ADMIN")
.and()
.withUser("test2")
.password("test2pw")
.roles("USER");
// @formatter:on
}
@Override
protected void configure(HttpSecurity http) throws Exception {
// @formatter:off
http
.csrf()
.disable()
.authorizeRequests()
.antMatchers("/app/login").permitAll()
.antMatchers("/app/**").hasRole("USER")
.antMatchers("/manage/**").hasRole("ADMIN")
.and()
.formLogin()
.loginPage("/app/login")
.failureUrl("/app/login?error")
.defaultSuccessUrl("/app")
.permitAll()
.and()
.logout()
.logoutUrl("/app/logout")
.logoutSuccessUrl("/app/login?logout");
// @formatter:on
}
@Override
public void configure(WebSecurity web) throws Exception {
// @formatter:off
web
.ignoring()
.antMatchers("/assets/**");
// @formatter:on
}
}
}
在我的 application.yml 中,我也有:
In my application.yml I also have:
management:
context-path: /management
请注意,设置与您提到的指南相同.
Note that is setup is the same as you the guide you mentioned.
现在我期望 - 或喜欢配置 - 是/manage 端点(如健康、映射等)将受到来自自定义 AuthenticationManager 的用户的保护.
Now what I would expect - or like to configure - is that the /manage endpoints like health, mappings etc would be protected with users from the customized AuthenticationManager.
我还尝试添加 management.security.enabled=false 这确实关闭了例如身份验证/管理/映射.然而,问题在于我明确告诉 Spring Security 通过以下方式保护这些 url:
I also tried to add management.security.enabled=falseand this indeed switches off authentication for e.g. /manage/mappings.
The problematic thing however is that I explicitly told Spring Security to protect these urls's via:
@Override
protected void configure(HttpSecurity http) throws Exception {
// @formatter:off
http
.authorizeRequests()
.antMatchers("/app/login").permitAll()
.antMatchers("/app/**").hasRole("USER")
.antMatchers("/manage/**").hasRole("ADMIN")
但这不起作用.注意其他授权匹配器确实有效.我想知道在时间/顺序内是否有什么事情要做.我从示例中复制了 @Order(Ordered.LOWEST_PRECEDENCE - 8) 但我不知道为什么 - 8 被使用.
but this does not work. Note other authorize matchers do work.
I wonder if has something to do within timing/order. I copied @Order(Ordered.LOWEST_PRECEDENCE - 8) from the sample but I don't know why - 8 is used.
为了更深入地研究,我还运行了示例(https://github.com/spring-projects/spring-boot/blob/master/spring-boot-samples/spring-boot-sample-web-method-security) 我和我在示例应用程序中看到了相同的行为.管理安全性似乎完全独立于示例内存验证中配置的 user 和 admin 用户.
To delve a little bit deeper I've also run the sample (https://github.com/spring-projects/spring-boot/blob/master/spring-boot-samples/spring-boot-sample-web-method-security) myself and I see the same behaviour in the sample application.
The management security is seems completely independent of the user and admin users configured in the sample's in memory authentication.
推荐答案
这可以更改为使用 Spring Security 吗?
Can this be changed to use Spring Security?
它是 Spring Security(您认为我们还会使用什么?).如果您只想保留默认安全规则并自定义 AuthenticationManager,那么如果您使用 Spring Security 团队推荐的 AuthenticationManagerBuilder ,它应该可以正常工作.secure method sample 具有您正在寻找的行为,因此您可以从那里复制配置模式.关键是,如果你想替换 Boot 默认的身份验证策略,是在 GlobalAuthenticationConfigurerAdapter 中配置 AuthenticationManager 就像在示例中.
It is Spring Security (what else did you think we'd use?). If you just want to keep the default security rules and customize the AuthenticationManager it should just work if you use the AuthenticationManagerBuilder as recommended by the Spring Security team. The secure method sample has the behavior you are looking for, so you can copy the configuration pattern from there. The key thing, if you want to replace the Boot default authentication strategy, is to get the AuthenticationManager configured in a GlobalAuthenticationConfigurerAdapter like in the sample.
您可以使用 management.security.enabled=false 关闭管理安全性(假设 Spring Security 在类路径上).它在 用户指南,但随时提出说明.
You can switch off management security with management.security.enabled=false (assuming Spring Security is on the classpath). It is mentioned in the user guide, but feel free to propose clarifications.
这篇关于配置执行器端点安全的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
