无法了解Spring安全性的行为

Question

I am using spring boot 2.1.4 with dependencies of actuator. I wanted to configure separate authentication and authorization mechanisms for actuator and my application. I read the Multiple HttpSecurity and configured my WebSecurityAdapter as follows:

@Configuration
public class ProvisioningServiceSecurityConfiguration {

  @Value("${actuator.user.name}")
  private String actuatorUserName;

  @Value("${actuator.password}")
  private String actuatorPassword;

  @Value("${actuator.role}")
  private String actuatorRole;

  @Bean
  public UserDetailsService userDetailsService() throws Exception {
    // ensure the passwords are encoded properly
    UserBuilder users = User.withDefaultPasswordEncoder();
    InMemoryUserDetailsManager manager = new InMemoryUserDetailsManager();
    manager.createUser(users.username("user").password("password").roles("ADMIN").build());
    manager.createUser(
        users.username(actuatorUserName).password(actuatorPassword).roles(actuatorRole).build());
    return manager;
  }

  @Configuration
  @Order(1)
  public static class ApiWebSecurityConfigurationAdapter extends WebSecurityConfigurerAdapter {

    protected void configure(HttpSecurity http) throws Exception {
      http
          .antMatcher("/locations/**")
          .antMatcher("/organizations/**")
          .antMatcher("/productTypes/**")
          .authorizeRequests()
          .anyRequest().hasRole("ADMIN")
          .and()
          .httpBasic();
    }
  }

  @Configuration
  @Order(2)
  public static class ActuatorWebSecurityConfigurationAdapter extends WebSecurityConfigurerAdapter {

    protected void configure(HttpSecurity http) throws Exception {
      http
          .antMatcher("/manage/**")
          .authorizeRequests()
          .anyRequest().hasRole("ACTUATOR_ADMIN")
          .and()
          .httpBasic();
    }
  }

  /*@Configuration
  public static class FormLoginWebSecurityConfigurerAdapter extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
      http
          .authorizeRequests()
          .anyRequest().authenticated()
          .and()
          .formLogin();
    }
  }*/

}

Note: I have disabled form Login temporarily

When I run a curl request

curl -XGET  http://localhost:9797/provisioningService/organizations/all

I am able to see the output. Its as though the spring security never existed. When I enable form login, I get the spring login screen. The other behavior that I observed is if I interchange the username and password of /locations with the actuator username and password, I still get a valid response back.

I understand the form login is more of a fallback but I want to disable the form login (probably we may move to cas) and use authentication and authorization only based on the spring security httpBasic. I am not able to understand the mistake I am making.

My requirement is finally :

1) a request to /organizations or /locations etc should be accessible only if the username password is "user" and "password"

2) a request to /manage which is the actuator api should be accessible only if the username and password and role matches with the actuator username and password.

3) Any other API can be permitAll / form login

How do i go about achieving this?

Answer 1

1) Spring Security has a function to control access by filtering by Authorities(after Authentication), but there is no function to filter by the information required for login. You need business logic to verify that you are attempting to log in with the corresponding ID and password during login.

2) As mentioned above, access control with ID and password is not provided. I recommend creating Authorities for only the two accounts you requested.

3) .antMatcher("/form").permitAll()