Spring Boot Actuator Endpoints安全性不适用于自定义Spring Security配置
这是我的Spring Boot 1.5.1 Actuator application.properties
:
This is my Spring Boot 1.5.1 Actuator application.properties
:
#Spring Boot Actuator
management.contextPath: /actuator
management.security.roles=R_0
这是我的 WebSecurityConfig
:
@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
@Autowired
private UserDetailsService userDetailsService;
@Value("${logout.success.url}")
private String logoutSuccessUrl;
@Override
protected void configure(HttpSecurity http) throws Exception {
// @formatter:off
http.addFilterBefore(new CorsFilter(), ChannelProcessingFilter.class);
http
.csrf().ignoringAntMatchers("/v1.0/**", "/logout")
.and()
.authorizeRequests()
.antMatchers("/oauth/authorize").authenticated()
//Anyone can access the urls
.antMatchers("/signin/**").permitAll()
.antMatchers("/v1.0/**").permitAll()
.antMatchers("/auth/**").permitAll()
.antMatchers("/actuator/health").permitAll()
.antMatchers("/actuator/**").hasAuthority("R_0")
.antMatchers("/login").permitAll()
.anyRequest().authenticated()
.and()
.formLogin()
.loginPage("/login")
.loginProcessingUrl("/login")
.failureUrl("/login?error=true")
.usernameParameter("username")
.passwordParameter("password")
.permitAll()
.and()
.logout()
.logoutUrl("/logout")
.logoutSuccessUrl(logoutSuccessUrl)
.permitAll();
// @formatter:on
}
/**
* Configures the authentication manager bean which processes authentication requests.
*/
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.userDetailsService(userDetailsService).passwordEncoder(new BCryptPasswordEncoder());
}
@Override
@Bean
public AuthenticationManager authenticationManagerBean() throws Exception {
return super.authenticationManagerBean();
}
}
现在我已经成功了使用具有 R_0
权限的合适用户登录我的应用程序,但是当我尝试访问时,例如
Right now I'm successfully able to login in my application with a right user that has R_0
authorities but when I trying to access for example
http://localhost:8080/api/actuator/beans
我收到以下错误:
There was an unexpected error (type=Forbidden, status=403).
Access is denied. User must have one of the these roles: R_0
如何正确配置Spring Boot Actuator以便了解正确的身份验证
?
How to correctly configure Spring Boot Actuator in order to be aware about the correct Authentication
?
现在为了让它工作,我必须做以下诀窍:
Right now in order to get it workin I have to do the following trick:
management.security.enabled=false
.antMatchers("/actuator/health").permitAll()
.antMatchers("/actuator/**").hasAuthority("R_0")
是否有机会以正确的方式配置执行器?
Is any chance to configure Actuator in a right way ?
更新
我正在使用 UserDetailsService.UserDetails.Authorities
public Collection<? extends GrantedAuthority> getAuthorities() {
String[] authorities = permissions.stream().map(p -> {
return p.getName();
}).toArray(String[]::new);
return AuthorityUtils.createAuthorityList(authorities);
}
你必须使用前缀 management.security.roles 的code> ROLE _ 例如 management.security.roles = ROLE_SOMENAME
为了解决这个问题
You have to use prefix ROLE_
for your management.security.roles
for example management.security.roles=ROLE_SOMENAME
in order to solve this issue