Spring Boot 2: Basic Http Auth causes unprotected endpoints to respond with 401 "Unauthorized" if Authorization header is attached


Problem description

After migration to Spring Boot 2 and adding a basic authorization requirement for the actuator and another application-controlling endpoint, it became impossible to call any unprotected endpoint with an Authorization header.

Configuration snippet:

@Override
public void configure(HttpSecurity http) throws Exception {
    http.csrf().disable()
            .authorizeRequests()
            .requestMatchers(EndpointRequest.to("shutdown")).fullyAuthenticated()
            .antMatchers("/payment/status/*").fullyAuthenticated()
            .and().httpBasic();
}

E.g. a call to .../health with "Authorization: Basic ..." will cause 401 "Unauthorized" even though it is not protected by Spring Security.

Question: How can I adjust the configuration so that it is possible to send a request with an Authorization header to any unprotected endpoint without being denied?

UPD (struck through): This fix works as I wanted.

@Override
public void configure(HttpSecurity http) throws Exception {
    http.csrf().disable()
            .authorizeRequests()
            .requestMatchers(EndpointRequest.to("shutdown")).fullyAuthenticated()
            .antMatchers("/payment/status/*").fullyAuthenticated()
            .antMatchers("/payment/**").permitAll()
            .and().httpBasic();
}

UPD2: Never mind, I just tested another request and still receive 401 "Unauthorized".

curl localhost:8080/payment/<any_endpoint> -H "Authorization: Basic asdadas"
{"code":401,"message":"Unauthorized"}

This approach unfortunately overrides the HttpSecurity matchers, e.g. /payment/ becomes accessible:

@Override
public void configure(HttpSecurity http) throws Exception {
    http.csrf().disable()
            .authorizeRequests()
            .requestMatchers(EndpointRequest.to("shutdown")).fullyAuthenticated()
            .antMatchers("/payment/status/*").fullyAuthenticated()
            .and().httpBasic();
}

@Override
public void configure(WebSecurity webSecurity) throws Exception {
    webSecurity.ignoring().antMatchers("/payment/**");
}

UPD 3: I've created a simple project that reproduces this issue: https://github.com/Anoobizzz/SpringSecurity2BasicAuthDemo

  1. /internal & /shutdown are accessible only by user:P455W0RD
  2. /exposed is accessible without authorization
  3. /exposed with header "Authorization: Basic 123123" responds with 401 "Unauthorized"

Recommended answer

By calling .authorizeRequests(), you enforce authorization of all these requests because you've not called .ignore() on some matcher.

I suggest using ignore on a ** matcher and then incrementally enforcing authorization on specified matchers on top of the permit-all layer, so that everything is accessible except the ones explicitly specified.

This accomplishes what you want to do, but beware: it's not a best practice, for a very good reason. You should deny all unauthorized traffic by default and only explicitly permit unauthorized requests for specific route templates.

That said, it would be wiser to just use ignore explicitly on the routes you want to be accessible without authentication, not just ** (for example only for /home, /about, /login, /signup).
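The following configuration is an added example written for this page; it is not code from the question, the answer, or the linked demo project. It assumes the endpoint names from UPD 3 (/internal, /shutdown, /exposed, /payment/status/*), Spring Boot 2 with Spring Security 5, and that a user store (such as the demo's user:P455W0RD) is configured elsewhere. It shows the deny-by-default shape the answer recommends: the filter chain requires authentication for everything it sees, and only the few public paths are listed in WebSecurity.ignoring(). Requests matched by ignoring() skip the security filter chain entirely, so the BasicAuthenticationFilter never sees a stray "Authorization: Basic ..." header on them and cannot answer with 401. That same bypass is why ignoring "/payment/**" in UPD2 exposed /payment/status/*: an ignored path wins over any HttpSecurity rule, so the ignore list must name only paths that are genuinely public.

```java
import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

/**
 * Example security configuration (assumed class name, not from the demo project).
 * Everything that reaches the filter chain needs Basic authentication; only the
 * explicitly listed public paths bypass the chain.
 */
@Configuration
public class DemoSecurityConfig extends WebSecurityConfigurerAdapter {

    // Public application paths. Keep this list short and concrete: an ignored
    // path skips the whole chain (no authentication, no authorization, and no
    // security headers), and it takes precedence over every rule in
    // configure(HttpSecurity). "/payment/**" must NOT appear here, because it
    // would silently expose /payment/status/*.
    private static final String[] PUBLIC_PATHS = {"/exposed"};

    @Override
    public void configure(WebSecurity web) {
        web.ignoring()
            // Plain application endpoints that must accept requests with or
            // without an Authorization header.
            .antMatchers(PUBLIC_PATHS)
            // Public actuator endpoints, resolved by endpoint id rather than by
            // hard-coded path so a changed management base path still works.
            .requestMatchers(EndpointRequest.to("health", "info"));
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.csrf().disable()
            .authorizeRequests()
                // Sensitive actuator endpoint: authenticated callers only.
                .requestMatchers(EndpointRequest.to("shutdown")).fullyAuthenticated()
                // Protected application endpoints from the demo project.
                .antMatchers("/internal/**", "/payment/status/*").fullyAuthenticated()
                // Deny by default: any path not ignored above and not matched
                // here still requires authentication.
                .anyRequest().authenticated()
            .and()
            // Basic auth applies to every request that enters the chain, so an
            // invalid header on a protected path is rejected with 401 as intended.
            .httpBasic();
    }
}
```

To check the behaviour locally, repeat the curl call from UPD2 against both kinds of path: /exposed with "Authorization: Basic 123123" should now return the handler's normal response, while /payment/status/anything with the same bogus header should still return 401 "Unauthorized". If a path needs the chain's security headers but no authentication, the alternative is to keep it out of ignoring() and instead scope the Basic-auth chain with http.antMatcher(...) to the protected prefix only, so the BasicAuthenticationFilter is not registered for public paths at all.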
