
Why are all my Spring boot actuator endpoints publicly available?

I have Spring Security on my classpath (and verified working for my own REST controllers), yet my Actuator endpoints are all publicly available by default (except for /shutdown).

I can disable endpoints as I please (after reading through this question), but enabled ones are always available without authentication and without the role required by management.security.role in my properties.

Even when I explicitly set endpoints.beans.sensitive=true for instance, it's still accessible without authentication.

My security configuration, which uses LDAP for authentication:

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.ldap.DefaultSpringSecurityContextSource;

@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
    @Autowired
    private DefaultSpringSecurityContextSource contextSource;

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        // LDAP settings redacted in the original post
        auth
                .ldapAuthentication()
                .contextSource(contextSource)
                .groupRoleAttribute("<hidden>")
                .groupSearchBase("<hidden>")
                .groupSearchFilter("<hidden>")
                .userDnPatterns("<hidden>");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Only HTTP Basic is enabled; no authorizeRequests() rules are declared in this chain
        http.httpBasic();
    }
}

My application.properties during this test:

# Log4J properties
logging.file=${user.home}/nubis-log.log
logging.level.org.springframework.web=INFO
logging.level.org.hibernate=INFO
logging.register-shutdown-hook=true

# SSL configuration
server.ssl.key-store=<hidden>
server.ssl.key-store-password=<hidden>
server.ssl.keyStoreType=<hidden>
server.ssl.key-password=<hidden>

# Spring actuator
endpoints.enabled=false
endpoints.info.enabled=true
endpoints.health.enabled=true
endpoints.beans.enabled=true
endpoints.beans.sensitive=true
management.security.role=ADMIN

My console output:

[2016-04-15 12:30:05.742] boot - 2754  INFO [localhost-startStop-1] --- DelegatingFilterProxyRegistrationBean: Mapping filter: 'springSecurityFilterChain' to: [/*]
[2016-04-15 12:30:05.742] boot - 2754  INFO [localhost-startStop-1] --- FilterRegistrationBean: Mapping filter: 'webRequestLoggingFilter' to: [/*]
[2016-04-15 12:30:05.743] boot - 2754  INFO [localhost-startStop-1] --- FilterRegistrationBean: Mapping filter: 'CORSFilter' to: [/*]
[2016-04-15 12:30:05.743] boot - 2754  INFO [localhost-startStop-1] --- FilterRegistrationBean: Mapping filter: 'applicationContextIdFilter' to: [/*]
[2016-04-15 12:30:05.743] boot - 2754  INFO [localhost-startStop-1] --- ServletRegistrationBean: Mapping servlet: 'dispatcherServlet' to [/]
[2016-04-15 12:30:05.800] boot - 2754 DEBUG [localhost-startStop-1] --- DelegatingFilterProxy: Initializing filter 'springSecurityFilterChain'
[2016-04-15 12:30:07.059] boot - 2754  INFO [localhost-startStop-1] --- EndpointHandlerMapping: Mapped "{[/info || /info.json],methods=[GET],produces=[application/json]}" onto public java.lang.Object org.springframework.boot.actuate.endpoint.mvc.EndpointMvcAdapter.invoke()
[2016-04-15 12:30:07.061] boot - 2754  INFO [localhost-startStop-1] --- EndpointHandlerMapping: Mapped "{[/beans || /beans.json],methods=[GET],produces=[application/json]}" onto public java.lang.Object org.springframework.boot.actuate.endpoint.mvc.EndpointMvcAdapter.invoke()
[2016-04-15 12:30:07.063] boot - 2754  INFO [localhost-startStop-1] --- EndpointHandlerMapping: Mapped "{[/health || /health.json],produces=[application/json]}" onto public java.lang.Object org.springframework.boot.actuate.endpoint.mvc.HealthMvcEndpoint.invoke(java.security.Principal)

Could there be a configuration/property blocking Spring Security somewhere? Do I need to configure something extra to make it work with LDAP?

All the endpoints have a sensitive property that needs to be set to true.

Look at Appendix A: https://docs.spring.io/spring-boot/docs/current/reference/html/common-application-properties.html

Search for ACTUATOR PROPERTIES on that page.
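The configuration posted in the question enables HTTP Basic but declares no authorizeRequests() rules, so that filter chain never demands authentication for anything. A WebSecurityConfigurerAdapter also carries @Order(100) by default and, having no request matcher, claims every request, which places it ahead of the management security chain that Spring Boot 1.x auto-configures for the Actuator. The following is an added example, not code from the question or the answer above, showing a Spring Boot 1.x / Spring Security 4 configuration that locks the Actuator paths down explicitly so their protection no longer depends on chain ordering or on each endpoint's sensitive flag. The LDAP URL, DN pattern and group settings are placeholder assumptions, as is the default management context path (no management.context-path set).

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.ldap.DefaultSpringSecurityContextSource;

// Added example (not the asker's code): explicit authorization rules for the
// Actuator endpoints of a Spring Boot 1.x application secured with LDAP.
@Configuration
@EnableWebSecurity
public class ActuatorSecurityConfig extends WebSecurityConfigurerAdapter {

    // Placeholder directory settings (assumptions); substitute the real values.
    private static final String LDAP_URL = "ldap://ldap.example.org:389/dc=example,dc=org";

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.ldapAuthentication()
            .contextSource(new DefaultSpringSecurityContextSource(LDAP_URL))
            .userDnPatterns("uid={0},ou=people")
            .groupSearchBase("ou=groups")
            .groupSearchFilter("(member={0})")
            // Group "admin" becomes ROLE_ADMIN through the default authority prefix.
            .groupRoleAttribute("cn");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                // Anonymous callers may probe liveness; Boot 1.x's HealthMvcEndpoint
                // returns only the status (no details) when no Principal is present.
                .antMatchers("/health").permitAll()
                // Every other Actuator endpoint requires the management role,
                // independent of its endpoints.<name>.sensitive setting.
                .antMatchers("/info", "/beans", "/env", "/metrics", "/trace",
                             "/dump", "/mappings", "/autoconfig", "/configprops",
                             "/shutdown").hasRole("ADMIN")
                // Application REST controllers: any authenticated LDAP user.
                .anyRequest().authenticated()
                .and()
            .httpBasic();
    }
}
```

With this chain in place, an unauthenticated request such as curl -k -i https://localhost:8443/beans should answer 401, and the same request with -u user:password for a member of the admin group should answer 200. If management.context-path is set, prefix the matchers with that path; if the Actuator runs on a separate management.port, these rules do not apply to it and the auto-configured management chain (management.security.enabled=true, management.security.role) governs that listener instead.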

Notice: the technical posts on this site are licensed under CC BY-SA 4.0; if you repost, please credit this site or the original source. Questions: yoyou2525@163.com.