Unable to secure Spring boot management actuator endpoints

Views: 152

This article covers how to deal with "Unable to secure Spring boot management actuator endpoints"; it should be a useful reference for anyone facing the same problem, so let's go through it together.

Problem description



I am trying to secure the Spring Boot actuator endpoints. I have working security on my /api REST interface, but trying to add security on the built-in endpoints does not seem to work.

I have set up grouping of the endpoints in my application.properties:

management.context-path=/management

I have this in my Java Config

import org.springframework.security.config.annotation.SecurityConfigurer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.DefaultSecurityFilterChain;

// Class name assumed; the question only shows the configure() override.
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter
{
    @Override
    protected void configure( HttpSecurity http ) throws Exception
    {
        // Stateless token-based API: no CSRF tokens, no HTTP session.
        http.csrf().disable();
        http.sessionManagement().sessionCreationPolicy( SessionCreationPolicy.STATELESS );

        // Route-level authorisation: /api/** needs ROLE_READONLY, /management/** needs ROLE_ADMIN.
        http.authorizeRequests()
            .antMatchers( "/api/**" ).hasRole( "READONLY" )
            .antMatchers( "/management/**" ).hasRole( "ADMIN" );

        // XAuthTokenConfigurer is the poster's own token-authentication configurer (not shown).
        SecurityConfigurer<DefaultSecurityFilterChain, HttpSecurity> securityConfigurer = new XAuthTokenConfigurer( userDetailsServiceBean() );
        http.apply( securityConfigurer );
    }
}

When I use my browser to go to anything below /api, I get a 403 back as expected. When going to /management/info for example, I see the JSON being returned where I would also expect a 403.

I also tried adding this to my application.properties file:

management.security.role=ADMIN

But that did not help either.

The DEBUG output shows:

2014-05-02 10:15:30 DEBUG [localhost-startStop-1] ExpressionBasedFilterInvocationSecurityMetadataSource - 
Adding web access control expression 'hasRole('ROLE_READONLY')', for Ant [pattern='/api/**']

2014-05-02 10:15:30 DEBUG [localhost-startStop-1] ExpressionBasedFilterInvocationSecurityMetadataSource - 
Adding web access control expression 'hasRole('ROLE_ADMIN')', for Ant [pattern='/management/**']

And then when I try the HTTP GET:

2014-05-02 10:16:39 DEBUG [http-nio-8443-exec-4] AntPathRequestMatcher - Checking match of request : '/management/info'; against '/css/**'
2014-05-02 10:16:39 DEBUG [http-nio-8443-exec-4] AntPathRequestMatcher - Checking match of request : '/management/info'; against '/js/**'
2014-05-02 10:16:39 DEBUG [http-nio-8443-exec-4] AntPathRequestMatcher - Checking match of request : '/management/info'; against '/images/**'
2014-05-02 10:16:39 DEBUG [http-nio-8443-exec-4] AntPathRequestMatcher - Checking match of request : '/management/info'; against '/**/favicon.ico'
2014-05-02 10:16:39 DEBUG [http-nio-8443-exec-4] AntPathRequestMatcher - Checking match of request : '/management/info'; against '/management/info'
2014-05-02 10:16:39 DEBUG [http-nio-8443-exec-4] FilterChainProxy - /management/info has an empty filter list

Solution

The log that tells the story is: "/management/info has an empty filter list" because it is explicitly marked as ignored (/info is always supposed to be available). Try one of the other actuator endpoints and see if those behave as you expect. If you really need to secure the info endpoint you can set endpoints.info.sensitive=true (I think).
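The answer's diagnosis rests on one log line: a request that reaches "has an empty filter list" has bypassed every security filter, whatever the antMatchers say. The script below is an added example (not part of the question, the answer, or Spring Security itself) that audits a Spring Security DEBUG log for exactly that condition: it collects every path the FilterChainProxy reported as unfiltered and cross-checks it against the Ant patterns the configuration intends to protect. The first three sample lines are the ones from the question; the fourth, showing a request that did enter the filter chain, is constructed here to illustrate the contrast, and the Ant-pattern matcher is a small stand-in for Spring's AntPathMatcher covering only `*`, `**` and `?`.

```python
import re

# Constructed sample log: three DEBUG lines copied from the question plus one
# constructed line for a request that did enter the filter chain.
SAMPLE_LOG = """\
2014-05-02 10:16:39 DEBUG [http-nio-8443-exec-4] AntPathRequestMatcher - Checking match of request : '/management/info'; against '/css/**'
2014-05-02 10:16:39 DEBUG [http-nio-8443-exec-4] AntPathRequestMatcher - Checking match of request : '/management/info'; against '/management/info'
2014-05-02 10:16:39 DEBUG [http-nio-8443-exec-4] FilterChainProxy - /management/info has an empty filter list
2014-05-02 10:16:41 DEBUG [http-nio-8443-exec-5] FilterChainProxy - /management/env at position 1 of 10 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
"""

# A request logged this way was matched by an ignore rule and skipped every
# security filter, so no antMatchers rule can ever apply to it.
UNFILTERED = re.compile(r"FilterChainProxy - (\S+) has an empty filter list")


def ant_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate a Spring-style Ant pattern into an anchored regex.

    Stand-in for AntPathMatcher: '/**' at a segment boundary matches zero or
    more further segments, '*' matches within one segment, '?' one character.
    """
    out = []
    i = 0
    while i < len(pattern):
        if pattern.startswith("/**", i):
            out.append("(/.*)?")
            i += 3
        elif pattern.startswith("**", i):
            out.append(".*")
            i += 2
        elif pattern[i] == "*":
            out.append("[^/]*")
            i += 1
        elif pattern[i] == "?":
            out.append("[^/]")
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(out) + "$")


def unfiltered_paths(log_text: str) -> list:
    """Return, in order and without duplicates, every path that bypassed the filter chain."""
    seen = []
    for match in UNFILTERED.finditer(log_text):
        path = match.group(1)
        if path not in seen:
            seen.append(path)
    return seen


def audit_bypasses(log_text: str, protected_patterns: list) -> list:
    """Return (path, pattern) pairs where an unfiltered request fell under a pattern
    the configuration intended to protect; an empty list means no mismatch was seen."""
    compiled = [(p, ant_to_regex(p)) for p in protected_patterns]
    findings = []
    for path in unfiltered_paths(log_text):
        for pattern, regex in compiled:
            if regex.match(path):
                findings.append((path, pattern))
    return findings


if __name__ == "__main__":
    # The patterns from the question's configure() method.
    for path, pattern in audit_bypasses(SAMPLE_LOG, ["/api/**", "/management/**"]):
        print(f"{path} is covered by {pattern} but skipped the security filter chain")
```

Run against a real DEBUG log, any finding means an endpoint your antMatchers were meant to guard is being served by an ignore rule; for Spring Boot 1.x actuator endpoints that is the non-sensitive default the answer describes, and the fix is the endpoint's sensitive flag (or restricting management.context-path at the network layer), not another antMatchers entry.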
