Spring Boot 2.1.x 如何使用基本身份验证保护执行器端点 [英] Spring boot 2.1.x how to secure Actuator end points with basic auth

问题描述

我正在尝试构建一个 Spring Boot 应用程序并希望利用 Actuator 功能，但我想保护 Actuator/health、/shutdown 等的端点.我有以下似乎不起作用的配置.即，应用程序从不提示输入凭据，或者当邮递员点击时不会给出 403.我尝试了各种方法，甚至是 spring 文档中的方法.任何人都可以帮忙解决这个问题.这又是 Spring Boot 2.1.x.我知道spring以前版本的application.yml里面有个配置可以做

I am trying to build a spring boot application and wanted to leverage the Actuator features, but I want to secure the end points of Actuator /health,/shutdown etc. I have the below configurations which does not seem to work. I.e., application never prompts for credentials or when hit from post man does not give 403. I tried various ways, even the one from spring documentation. Can any one please help with this. Again this is spring boot 2.1.x. I know there is a configuration that can be made in application.yml in the previous version of spring

@Configuration
public class ActuatorSecurity extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {

        http.authorizeRequests()
                .requestMatchers(EndpointRequest.to(ShutdownEndpoint.class, InfoEndpoint.class, HealthEndpoint.class,
                        MetricsEndpoint.class))
                .hasRole("ENDPOINT_ADMIN").requestMatchers(PathRequest.toStaticResources().atCommonLocations())
                .authenticated().and().httpBasic();
    }

应用程序.yml

spring:
  security:
    user:
      name: admin
      password: admin
      roles:
      - ENDPOINT_ADMIN

management:   
  endpoints:  
    web:
      exposure:
        include: "*"
  endpoint:
    shutdown:
      enabled: true
    health:
      show-details: when-authorized
      roles:
      - ENDPOINT_ADMIN
    mappings:
      enabled: true

推荐答案

此代码可以作为参考，为 Actuator Endpoints Spring Boot 2.X 实现 BasicAuth.这不是确切的代码.在扩展 WebSecurityConfigurerAdapter 时，您必须配置 AuthenticationManagerBuilder 为角色分配角色和密码.在这里，我使用noop"您可以使用不同的密码编码器来提供更高的安全性.

This code can serve you as a reference to achieve BasicAuth for Actuator Endpoints Spring Boot 2.X. This is not the exact code. While Extending WebSecurityConfigurerAdapter you have to configure AuthenticationManagerBuilder to assign roles and passwords for the roles. Here I am using "noop" password encoder you can use a different one to provide more security.

protected void configure(AuthenticationManagerBuilder auth) throws Exception {
                            
                auth.inMemoryAuthentication().withUser("ROLE_USER").password("{noop}" + "USER_PWD").roles("USER").and()
                .withUser("ROLE_ADMIN").password("{noop}" + "ADMIN").roles("ADMIN", "USER");
    }

一旦配置了 AuthenticationManagerBuilder，现在通过禁用 csrf 来配置 HttpSecurity.下面的代码需要使用任何角色单独对指标进行身份验证.您可以根据需要进行身份验证的端点进行自定义.确保您从此身份验证中排除了 Rest Controller 的基本 url.您可以在下面的配置代码中插入 authorizeRequests().antMatchers("/baseurl").permitAll().and() 来实现这一点.以下是配置 HttpSecurity 的示例.

Once AuthenticationManagerBuilder is configured now configure HttpSecurity by disabling csrf. Below code requires authentication for metrics alone using any role. You can customize according to the end points you need to authenticate. Make sure you exclude base url of Rest Controller from this Authentication. You can insert authorizeRequests().antMatchers("/baseurl").permitAll().and() in the below configuration code to achieve that. Below is an example to configure HttpSecurity.

protected void configure(Httpsecurity http) {
    http.csrf().authorizeRequests().requestMatchers(EndpointRequest.to(MetricsEndpoint.class))
    .hasANyRole("ADMIN","USER").and().authorizeRequests().and().httpBasic();
}

这篇关于Spring Boot 2.1.x 如何使用基本身份验证保护执行器端点的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！