我有这个设置
# Server
# Servlet context path of the main server: application requests on port 8080 arrive as /myapp/api/...
server.servlet.contextPath=/myapp/api
server.port=8080
# Actuator port
# The management (actuator) server listens on 8090, separate from server.port above
management.health.probes.enabled=true
management.server.port=8090
# Actuator endpoints are exposed under this base path
# NOTE(review): server.servlet.contextPath is a setting of the main server, not of the management
# server; on port 8090 the health endpoint's full path is presumably /myapp/api/actuator/health with
# no servlet context path in front of it, which would explain why the question's two health matchers
# behave differently on the two ports — confirm against the Spring Boot version in use.
management.endpoints.web.base-path=/myapp/api/actuator
management.metrics.export.prometheus.enabled=true
像这样简单的授权
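/**
 * Security filter chain for the application (originally everything on port 8080).
 *
 * Unauthenticated access is granted to GET on the actuator health endpoint (two spellings,
 * see the inline notes) and to GET under /vehicles/**; every other request must carry a
 * valid JWT bearer token, which [jwtAuthenticationConverter] turns into an Authentication.
 *
 * @param http the [HttpSecurity] builder supplied by Spring Security
 * @return the built [SecurityFilterChain]
 */
@Bean
fun filterChain(http: HttpSecurity): SecurityFilterChain {
    http.authorizeHttpRequests()
        // Worked before when everything was on port 8080. Still works but with token.
        // NOTE(review): presumably matched against the context-relative path, i.e. only on
        // the main server whose context path is /myapp/api — confirm.
        .requestMatchers(HttpMethod.GET, "/actuator/health").permitAll()
        // Worked when the actuator was on a different port, without token.
        // NOTE(review): the management port has no servlet context path, so the full
        // path is needed there — confirm.
        .requestMatchers(HttpMethod.GET, "/myapp/api/actuator/health").permitAll()
        // Public read-only vehicle endpoints
        .requestMatchers(HttpMethod.GET, "/vehicles/**").permitAll()
        .anyRequest().authenticated()
        .and()
        .oauth2ResourceServer()
        .jwt()
        .jwtAuthenticationConverter(jwtAuthenticationConverter())
    return http.build()
}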
之前我曾经在端口 8080 上运行所有内容。现在我需要在辅助端口上运行日志。两者都必须具有以 /myapp/api/ 开头的基本路径。 执行此操作的最佳实践方法是什么?
您可以为每个端口使用两个单独的 `SecurityConfigurerAdapter` 实例:
@Configuration
@EnableWebSecurity
class SecurityConfig {
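/**
 * Configurer for the actuator endpoints under /myapp/api/actuator/**.
 *
 * Only GET on the health endpoint is open; every other actuator request needs a valid JWT
 * bearer token. Written against the same API family (securityMatcher / authorizeHttpRequests /
 * requestMatchers) as the question's filterChain: antMatcher/antMatchers were removed in
 * Spring Security 6.0, the raw generic SecurityConfigurerAdapter needs its type arguments in
 * Kotlin, and the lambda form authorizeRequests { } returns HttpSecurity, so the original
 * chain could not continue with anyRequest().
 *
 * NOTE(review): when this configurer and appSecurityConfigurerAdapter are both applied to one
 * HttpSecurity they contribute to a single filter chain, and the later securityMatcher call
 * replaces the earlier one; two separately @Order-ed SecurityFilterChain beans are the usual
 * way to keep the two scopes independent — confirm before relying on this composition.
 *
 * @return a configurer to be passed to HttpSecurity.apply
 */
@Bean
fun actuatorSecurityConfigurerAdapter(): SecurityConfigurerAdapter<DefaultSecurityFilterChain, HttpSecurity> {
    return object : SecurityConfigurerAdapter<DefaultSecurityFilterChain, HttpSecurity>() {
        override fun configure(http: HttpSecurity) {
            http.securityMatcher("/myapp/api/actuator/**")
                .authorizeHttpRequests()
                .requestMatchers(HttpMethod.GET, "/myapp/api/actuator/health").permitAll()
                // Other actuator endpoints can be configured here
                .anyRequest().authenticated()
                .and()
                .oauth2ResourceServer()
                .jwt()
                // jwtAuthenticationConverter() is assumed to be defined in this class, as in the question
                .jwtAuthenticationConverter(jwtAuthenticationConverter())
        }
    }
}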
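/**
 * Configurer for the application endpoints under /myapp/api/**.
 *
 * GET under /myapp/api/vehicles/** is public; every other application request needs a valid
 * JWT bearer token. Written against the same API family (securityMatcher / authorizeHttpRequests /
 * requestMatchers) as the question's filterChain: antMatcher/antMatchers were removed in
 * Spring Security 6.0, the raw generic SecurityConfigurerAdapter needs its type arguments in
 * Kotlin, and the lambda form authorizeRequests { } returns HttpSecurity, so the original
 * chain could not continue with anyRequest().
 *
 * NOTE(review): on port 8080 the servlet context path is /myapp/api and request matchers are
 * presumably evaluated against the context-relative path, so /myapp/api/vehicles/** may never
 * match there (the question's filterChain uses /vehicles/**) — confirm which form the
 * deployment needs.
 *
 * @return a configurer to be passed to HttpSecurity.apply
 */
@Bean
fun appSecurityConfigurerAdapter(): SecurityConfigurerAdapter<DefaultSecurityFilterChain, HttpSecurity> {
    return object : SecurityConfigurerAdapter<DefaultSecurityFilterChain, HttpSecurity>() {
        override fun configure(http: HttpSecurity) {
            http.securityMatcher("/myapp/api/**")
                .authorizeHttpRequests()
                .requestMatchers(HttpMethod.GET, "/myapp/api/vehicles/**").permitAll()
                // Other application endpoints can be configured here
                .anyRequest().authenticated()
                .and()
                .oauth2ResourceServer()
                .jwt()
                // jwtAuthenticationConverter() is assumed to be defined in this class, as in the question
                .jwtAuthenticationConverter(jwtAuthenticationConverter())
        }
    }
}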
/**
 * Builds the single [SecurityFilterChain] by applying both configurers to the same [HttpSecurity].
 *
 * NOTE(review): both configurers set a request matcher on the builder and both end with
 * anyRequest().authenticated(); applied to one builder they merge into one chain rather than two
 * independent ones, the second matcher supersedes the first, and Spring Security rejects
 * registering further matchers after anyRequest() — confirm this composition actually starts
 * before relying on it. Two @Order-ed SecurityFilterChain beans, one per path prefix, would keep
 * the actuator and application scopes separate.
 *
 * @param http the builder supplied by Spring Security
 * @return the built filter chain
 */
@Bean
fun securityFilterChain(http: HttpSecurity): SecurityFilterChain {
// CSRF protection defends cookie/session-authenticated browser requests; this chain appears to
// authenticate only via bearer JWT (oauth2ResourceServer().jwt() in both configurers), for which
// disabling it is the usual choice. Re-enable it if cookie-based sessions or form login are added.
http.csrf().disable()
http.apply(actuatorSecurityConfigurerAdapter())
http.apply(appSecurityConfigurerAdapter())
return http.build()
}
`actuatorSecurityConfigurerAdapter` 配置执行器端点的安全性，`appSecurityConfigurerAdapter` 配置应用程序端点的安全性。`securityFilterChain` bean 将这两种配置应用于整体安全设置。
这样,您可以为执行器和应用程序端点拥有不同的安全配置,并且它们将根据指定的基本路径应用。