Spring Boot 管理端口和 Spring Security [英] Spring Boot Management Port and Spring Security

问题描述

我有一个带有安全配置的 Spring Boot Web 应用程序，可以将所有未经授权的请求转发到/login.我设置了一个 spring boot 管理端口与我的应用程序端口不同.当我转到管理端口并尝试访问/health 时，它会尝试将我发送到该端口上的/login 并得到以下响应:

I have a spring boot web application with security configurations to forward all unauthorized requests to /login. I set up a spring boot management port different from my application port. When I go to the management port and try to access /health, it tries to send me to /login on that port and I get this response:

'''{"timestamp":1435680239995,"status":404,"error":"Not Found","message":"无可用消息","path":"/login"}'''

''' {"timestamp":1435680239995,"status":404,"error":"Not Found","message":"No message available","path":"/login"} '''

我发现了这个问题，但我无法在我的应用程序中使用它:Spring Boot Management 安全性的工作方式与端口集不同

I found this question but I couldn't make it work in my application: Spring Boot Management security works differently with port set

在尝试设置单独的管理端口时，使这个非常基本的 Spring Security 配置与 Spring Boot 一起工作的正确方法是什么??

What's the right way of making this pretty basic Spring Security config work with Spring Boot when trying to set a separate management port??

这是我的 spring 安全配置的相关部分:

Here is the pertinent part of my spring security configs:

```

@Configuration
@EnableWebMvcSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
protected void configure(HttpSecurity http) throws Exception {
    http
        .csrf().disable()       //temporary
        .authorizeRequests()
        .antMatchers("/public/**").permitAll()
        .antMatchers("/private*/**").access("hasRole('ADMIN')")
        .antMatchers("/**").access("hasRole('USER')");

    http
      .formLogin().failureUrl("/login?error")
      .defaultSuccessUrl("/")
      .loginPage("/login")
      .permitAll()
      .and()
      .logout().logoutRequestMatcher(new AntPathRequestMatcher("/logout")).logoutSuccessUrl("/login")
      .permitAll();
}
}

```

谢谢！

更新:

我无法使上述解决方案起作用，但我找到了一种解决方法，将我的管理端点置于 spring security 认为是公共 (permitAll) 路由下.然后将其暴露在不同的端口后面.这适用于我的目的，即能够在仅向 ELB 公开的端口上向我的 ELB 公开健康检查.

I couldn't make the solution above to work but I found a workaround by putting my management endpoints under what spring security thinks is the public (permitAll) route. Then exposed that behind a different port. This works for my purposes which was to be able to expose a health check to my ELB on a port that is only exposed to the ELB.

<代码>管理:端口:8081上下文路径:/public安全:启用:假

推荐答案

按照您发布的另一个问题，我设法找到了我的解决方案，它与提供的基本相同.

Following the other question you posted, I managed to find my solution and it is the basically the same as the provided.

因此，您将有 2 个类实现此 WebSecurityConfigurerAdapter 并比较这些请求集路径并使每个请求都经过身份验证.一定要使用@Order(0)，因为会发生冲突.

So you will have 2 classes implemented this WebSecurityConfigurerAdapter and compare those requeset path and make every request to be authenticated. Make sure to use @Order(0) as there will be conflicted.

@Order(0)
@Configuration
public class ManagementSecurityConfiguration extends WebSecurityConfigurerAdapter {

  @Autowired
  private ManagementServerProperties managementProperties;

  @Override
  protected void configure(HttpSecurity http) throws Exception {
    http.csrf().disable().formLogin().disable()
        .httpBasic()
        .authenticationEntryPoint(new NoPopupBasicAuthenticationEntryPoint())
        .and()
        .requestMatchers()
        .requestMatchers(new RequestMatcher() {
          @Override
          public boolean matches(HttpServletRequest request) {
            return managementProperties.getServlet().getContextPath().equals(request.getContextPath());
          }
        })
        .and()
        .authorizeRequests()
        .anyRequest().hasRole("ADMIN")
        .and()
        .sessionManagement().maximumSessions(1);
  }

}

这篇关于Spring Boot 管理端口和 Spring Security的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！