[英]How to secure actuator endpoints with role in Spring Boot 2?
Can you help to secure actuator endpoints in Spring Boot 2? 你能帮助保护Spring Boot 2中的执行器端点吗? I checked migration guide but it doesn't help me.
我检查了迁移指南,但它对我没有帮助。
Here is my security config: 这是我的安全配置:
@Configuration
@EnableWebSecurity
public class SecConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.requestMatchers(EndpointRequest.toAnyEndpoint()).hasRole("ADMIN")
.anyRequest().authenticated();
}
}
but when I go to http://localhost:8080/actuator/health
it loads without login. 但是当我转到
http://localhost:8080/actuator/health
它会在没有登录的情况下加载。 Other endpoints with prefix /actuator
doesn't require login as well. 带前缀
/actuator
其他端点也不需要登录。 What I did wrong? 我做错了什么?
I also add OAuth with this configuration: 我还使用此配置添加OAuth:
@Configuration
@EnableAuthorizationServer
public class AuthorizationServerConfig extends AuthorizationServerConfigurerAdapter {
@Override
public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
clients
.inMemory()
.withClient("client-id")
.scopes("read", "write")
.authorizedGrantTypes("password")
.secret("xxxxxx")
.accessTokenValiditySeconds(6000);
}
}
@Configuration
@EnableResourceServer
public class ResourceServerConfig extends ResourceServerConfigurerAdapter {
@Override
public void configure(HttpSecurity http) throws Exception {
http
.sessionManagement()
.sessionCreationPolicy(SessionCreationPolicy.STATELESS)
.and()
.authorizeRequests()
.antMatchers("/ajax/**").authenticated()
.and()
.csrf()
.disable();
}
}
If your application is a resource server you don't need the SecConfig class. 如果您的应用程序是资源服务器,则不需要SecConfig类。
So if you remove it, in your ResourceServerConfig
class you can secure the actuators and just let admin through: 因此,如果删除它,在
ResourceServerConfig
类中,您可以保护执行器并让管理员通过:
@Configuration
@EnableResourceServer
public class ResourceServerConfig extends ResourceServerConfigurerAdapter {
@Override
public void configure(HttpSecurity http) throws Exception {
http
.sessionManagement()
.sessionCreationPolicy(SessionCreationPolicy.STATELESS)
.and()
.authorizeRequests()
.antMatchers("/ajax/**").authenticated()
.antMatchers("/actuator/**").hasRole("ADMIN")
.anyRequest().authenticated()
.and()
.csrf()
.disable();
}
}
I add .anyRequest().authenticated()
to secure the rest of the application endpoints. 我添加
.anyRequest().authenticated()
来保护其余的应用程序端点。
you can try below configuration 你可以尝试下面的配置
@Configuration
public class SecConfig extends WebSecurityConfigurerAdapter {
public void configure(HttpSecurity http) throws Exception {
http.authorizeRequests()
.antMatchers("/actuator/**").hasRole("ACTUATOR")
.anyRequest().permitAll();
}
}
Verify that you have the following in the application.properties: 验证application.properties中是否包含以下内容:
spring.security.user.name=user
spring.security.user.password=pass
spring.security.user.roles=ACTUATOR,USER # or any other role
management.endpoint.health.roles=ACTUATOR
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.