
Unable to secure Spring boot management actuator endpoints

I am trying to secure the Spring Boot actuator endpoints. I have working security on my /api REST interface, but trying to add security on the built-in endpoints does not seem to work.

I have set up grouping of the endpoints in my application.properties:

management.context-path=/management

I have this in my Java Config:

@Override
protected void configure( HttpSecurity http ) throws Exception
{
    http.csrf().disable();
    http.sessionManagement().sessionCreationPolicy( SessionCreationPolicy.STATELESS );

    http.authorizeRequests()
        .antMatchers( "/api/**" ).hasRole( "READONLY" )
        .antMatchers( "/management/**" ).hasRole( "ADMIN" );


    SecurityConfigurer<DefaultSecurityFilterChain, HttpSecurity> securityConfigurer = new XAuthTokenConfigurer( userDetailsServiceBean() );
    http.apply( securityConfigurer );
}

When I use my browser to go to anything below /api, I get a 403 back as expected. When going to /management/info for example, I see the JSON being returned where I would also expect a 403.

I also tried adding this to my application.properties file:

management.security.role=ADMIN

But that did not help either.

The DEBUG output shows:

2014-05-02 10:15:30 DEBUG [localhost-startStop-1] ExpressionBasedFilterInvocationSecurityMetadataSource - 
Adding web access control expression 'hasRole('ROLE_READONLY')', for Ant [pattern='/api/**']

2014-05-02 10:15:30 DEBUG [localhost-startStop-1] ExpressionBasedFilterInvocationSecurityMetadataSource - 
Adding web access control expression 'hasRole('ROLE_ADMIN')', for Ant [pattern='/management/**']

And then when I try the HTTP GET:

2014-05-02 10:16:39 DEBUG [http-nio-8443-exec-4] AntPathRequestMatcher - Checking match of request : '/management/info'; against '/css/**'
2014-05-02 10:16:39 DEBUG [http-nio-8443-exec-4] AntPathRequestMatcher - Checking match of request : '/management/info'; against '/js/**'
2014-05-02 10:16:39 DEBUG [http-nio-8443-exec-4] AntPathRequestMatcher - Checking match of request : '/management/info'; against '/images/**'
2014-05-02 10:16:39 DEBUG [http-nio-8443-exec-4] AntPathRequestMatcher - Checking match of request : '/management/info'; against '/**/favicon.ico'
2014-05-02 10:16:39 DEBUG [http-nio-8443-exec-4] AntPathRequestMatcher - Checking match of request : '/management/info'; against '/management/info'
2014-05-02 10:16:39 DEBUG [http-nio-8443-exec-4] FilterChainProxy - /management/info has an empty filter list

The log that tells the story is: "/management/info has an empty filter list" because it is explicitly marked as ignored (/info is always supposed to be available). Try one of the other actuator endpoints and see if those behave as you expect. If you really need to secure the info endpoint you can set endpoints.info.sensitive=true (I think).
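As an added example (not part of the question or the answer above), here is a Spring Boot 1.x application.properties that puts the settings from the question next to the one the answer suggests. The property names are the ones that appear on this page plus management.security.enabled, which is the Spring Boot 1.x switch for management security and is on by default; showing it explicitly is my choice, not something the answer states.

```properties
# Added example, not from the question or the answer.
# Spring Boot 1.x actuator security settings.

# --- As posted in the question: grouping plus the management role ---
management.context-path=/management
management.security.role=ADMIN
# With only these, /management/info still returns JSON unauthenticated:
# /info is a non-sensitive endpoint by default, so it is added to the
# security ignore list and never reaches the filter chain, which is the
# "/management/info has an empty filter list" line in the DEBUG log.

# --- Correction from the answer: make the endpoint sensitive ---
endpoints.info.sensitive=true

# Management security is enabled by default; stated here so the intent
# is visible in the file (this line is an assumption of the example).
management.security.enabled=true
```

After a restart, an unauthenticated GET to /management/info should no longer be served from the ignore list, and the DEBUG log should show the request being checked against the /management/** matcher instead of the "empty filter list" message; the other actuator endpoints under /management are not affected by this change because they were already treated as sensitive.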
