Spring Boot Actuator Endpoints安全性不适用于自定义Spring Security配置

问题描述 投票:9回答:4

这是我的Spring Boot 1.5.1执行器application.properties

#Spring Boot Actuator
management.contextPath: /actuator
management.security.roles=R_0

这是我的WebSecurityConfig

@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    private UserDetailsService userDetailsService;

    @Value("${logout.success.url}")
    private String logoutSuccessUrl;

    @Override
    protected void configure(HttpSecurity http) throws Exception {

        // @formatter:off
        http.addFilterBefore(new CorsFilter(), ChannelProcessingFilter.class);

        http
            .csrf().ignoringAntMatchers("/v1.0/**", "/logout")
        .and()
            .authorizeRequests()

            .antMatchers("/oauth/authorize").authenticated()
            //Anyone can access the urls
            .antMatchers("/signin/**").permitAll()
            .antMatchers("/v1.0/**").permitAll()
            .antMatchers("/auth/**").permitAll()
            .antMatchers("/actuator/health").permitAll()
            .antMatchers("/actuator/**").hasAuthority("R_0")
            .antMatchers("/login").permitAll()
            .anyRequest().authenticated()
        .and()
            .formLogin()
                .loginPage("/login")
                .loginProcessingUrl("/login")
                .failureUrl("/login?error=true")
                .usernameParameter("username")
                .passwordParameter("password")
                .permitAll()
            .and()
                .logout()
                    .logoutUrl("/logout")
                    .logoutSuccessUrl(logoutSuccessUrl)
                    .permitAll();
        // @formatter:on
    }

    /**
     * Configures the authentication manager bean which processes authentication requests.
     */
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.userDetailsService(userDetailsService).passwordEncoder(new BCryptPasswordEncoder());
    }

    @Override
    @Bean
    public AuthenticationManager authenticationManagerBean() throws Exception {
        return super.authenticationManagerBean();
    }

}

现在我已经成功地能够使用具有R_0权限的合适用户登录我的应用程序但是当我尝试访问时

http://localhost:8080/api/actuator/beans

我收到以下错误:

There was an unexpected error (type=Forbidden, status=403).
Access is denied. User must have one of the these roles: R_0

如何正确配置Spring Boot Actuator才能了解正确的Authentication

现在为了让它工作,我必须做以下诀窍:

management.security.enabled=false

.antMatchers("/actuator/health").permitAll()
.antMatchers("/actuator/**").hasAuthority("R_0")

有没有机会以正确的方式配置执行器?

更新

我正在使用UserDetailsService.UserDetails.Authorities

    public Collection<? extends GrantedAuthority> getAuthorities() {
        String[] authorities = permissions.stream().map(p -> {
            return p.getName();
        }).toArray(String[]::new);
        return AuthorityUtils.createAuthorityList(authorities);
    }
java spring spring-boot spring-security spring-boot-actuator
4个回答
5
投票

您必须为ROLE_使用前缀management.security.roles,例如management.security.roles=ROLE_SOMENAME才能解决此问题

0
投票

要获得弹簧启动执行器端点的授权,您需要具有ACTUATOR角色。请参阅此示例Accessing Restricted Actuator Endpoints with Spring Security

0
投票

我来自Reactive Spring Boot 2.x应用程序,并解决了这个问题并通过更新WebSecurityConfig.securityWebFilterChain以及SecurityContextRepository.load来解决它,包括/ actuator / **,如下所示:

public class WebSecurityConfig {
  private AuthenticationManager authenticationManager;

  private SecurityContextRepository securityContextRepository;

  @Autowired
  public WebSecurityConfig(AuthenticationManager authenticationManager, SecurityContextRepository securityContextRepository) {
    this.authenticationManager = authenticationManager;
    this.securityContextRepository = securityContextRepository;
  }

  @Bean
  public SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity http) {
    return http
      .exceptionHandling()
      .authenticationEntryPoint((swe, e) -> Mono.fromRunnable(() -> {
        swe.getResponse().setStatusCode(HttpStatus.UNAUTHORIZED);
      })).accessDeniedHandler((swe, e) -> Mono.fromRunnable(() -> {
        swe.getResponse().setStatusCode(HttpStatus.FORBIDDEN);
      })).and()
      .csrf().disable()
      .formLogin().disable()
      .httpBasic().disable()
      .authenticationManager(authenticationManager)
      .securityContextRepository(securityContextRepository)
      .authorizeExchange()
      .pathMatchers("/actuator/**").permitAll()
      .anyExchange().authenticated()
      .and().build();
  }

以及更新

@Slf4j
@Component
public class SecurityContextRepository implements ServerSecurityContextRepository {

  private AuthenticationManager authenticationManager;

  public SecurityContextRepository(AuthenticationManager authenticationManager) {
    this.authenticationManager = authenticationManager;
  }

  @Override
  public Mono<Void> save(ServerWebExchange swe, SecurityContext sc) {
    return Mono.error(new UnsupportedOperationException("Not supported"));
  }

  @Override
  public Mono<SecurityContext> load(ServerWebExchange swe) {
    ServerHttpRequest request = swe.getRequest();

    if (request.getPath().value().startsWith("/actuator") ) {
      return Mono.empty();
    }
    // other authentication logic here
  }
-1
投票

根据这个链接:

http://docs.spring.io/spring-boot/docs/current/reference/html/production-ready-monitoring.html

默认情况下,所有敏感HTTP端点都是安全的,这样只有具有ACTUATOR角色的用户才能访问它们。使用标准HttpServletRequest.isUserInRole方法强制执行安全性。

如果您想要与ACTUATOR不同的东西,请使用management.security.roles属性。

所以我认为你要做的就是在application.properties中设置以下属性。

management.security.roles

例如:

management.security.roles=R_0
最新问题
© www.soinside.com 2019 - 2024. All rights reserved.