
Spring Security Configuration: Basic Auth + Spring Cloud Gateway

I've got a Reactive Spring Boot application, which is responsible for routing requests to downstream services, using Spring Cloud Gateway (i.e. it's an API gateway). The app has some actuator endpoints that need to be secured, so I want to use just simple security for this, like basic auth.

I'd like to configure the app to require requests to /actuator/refresh to be authorized using basic auth (with a configured Spring Security user and password). All requests to other endpoints, even if they include basic auth, only need to be passed to the downstream service.

My current Spring security configuration:

@Bean
@Order(1)
SecurityWebFilterChain securityWebFilterChain(final ServerHttpSecurity http) {
    http.authorizeExchange(exchanges -> {
        exchanges.matchers(EndpointRequest.toAnyEndpoint().excluding(HealthEndpoint.class, InfoEndpoint.class)).hasRole("ACTUATOR"); // requires Http Basic Auth
    });
    http.httpBasic(withDefaults()); // if not enabled, you cannot get the ACTUATOR role
    return http.build();
}

@Bean
@Order(2)
SecurityWebFilterChain permitAllWebFilterChain(final ServerHttpSecurity http) {
    http.authorizeExchange(exchanges -> exchanges.anyExchange().permitAll()); // allow unauthenticated access to any endpoint (other than secured actuator endpoints?)
    http.httpBasic(ServerHttpSecurity.HttpBasicSpec::disable); // disable Http Basic Auth for all other endpoints
    return http.build();
}

The request meant for the downstream service is not propagated by the API gateway. The Spring Boot service returns a 401 in this setup, while a 200 is expected / required.

Any ideas why this configuration is not working / how it should be configured otherwise?

I'm not sure what is broken, but have you tried combining them and just having one filter chain?

import static org.springframework.security.config.Customizer.withDefaults;

import org.springframework.boot.actuate.autoconfigure.security.reactive.EndpointRequest;
import org.springframework.boot.actuate.health.HealthEndpoint;
import org.springframework.boot.actuate.info.InfoEndpoint;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.core.userdetails.MapReactiveUserDetailsService;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.web.server.SecurityWebFilterChain;

@Configuration // needed so the @Bean methods are registered; since Spring Security 6, @EnableWebFluxSecurity no longer implies it
@EnableWebFluxSecurity
public class MyExplicitSecurityConfiguration {

    @Bean
    public MapReactiveUserDetailsService userDetailsService() {
        // withDefaultPasswordEncoder() stores the password in memory; its Javadoc marks it as not safe for production
        UserDetails user = User.withDefaultPasswordEncoder()
            .username("user")
            .password("user")
            .roles("ACTUATOR")
            .build();
        return new MapReactiveUserDetailsService(user);
    }

    @Bean
    SecurityWebFilterChain securityWebFilterChain(final ServerHttpSecurity http) {
        http.authorizeExchange(exchanges -> {
            // Rules are evaluated in order and the first match wins, so the actuator rule must precede anyExchange()
            exchanges.matchers(EndpointRequest.toAnyEndpoint()
                                              .excluding(HealthEndpoint.class, InfoEndpoint.class))
                                              .hasRole("ACTUATOR");
            exchanges.anyExchange().permitAll();
        }).httpBasic(withDefaults());
        return http.build();
    }
}

Another good thing would be to enable debug logging and see what fails.

This is done by defining the following in application.properties:

logging.level.org.springframework.security=DEBUG
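As an added example (not code from the original question or answer), here is the two-chain layout from the question made to work. The @Order(1) chain in the question has no securityMatcher, so it matches every exchange, and any request not covered by its single actuator rule is denied by default; that is what produces the 401 before the request ever reaches a gateway route. It assumes a user with the ACTUATOR role is defined elsewhere (for example via the spring.security.user.* properties or the MapReactiveUserDetailsService from the answer); the class, bean and helper names are chosen here.

```java
import static org.springframework.security.config.Customizer.withDefaults;

import org.springframework.boot.actuate.autoconfigure.security.reactive.EndpointRequest;
import org.springframework.boot.actuate.health.HealthEndpoint;
import org.springframework.boot.actuate.info.InfoEndpoint;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.web.server.SecurityWebFilterChain;
import org.springframework.security.web.server.util.matcher.ServerWebExchangeMatcher;

@Configuration
@EnableWebFluxSecurity
public class TwoChainSecurityConfiguration { // name chosen for this example

    // Management endpoints that must require basic auth; health and info stay open.
    private static ServerWebExchangeMatcher securedActuatorEndpoints() {
        return EndpointRequest.toAnyEndpoint().excluding(HealthEndpoint.class, InfoEndpoint.class);
    }

    @Bean
    @Order(1)
    SecurityWebFilterChain actuatorChain(ServerHttpSecurity http) {
        // securityMatcher limits this chain to the actuator exchanges. Without it the chain's
        // default matcher is anyExchange(), it captures every request, and the @Order(2) chain
        // below is never consulted; unmatched requests are then denied and answered with 401.
        http.securityMatcher(securedActuatorEndpoints());
        http.authorizeExchange(exchanges -> exchanges.anyExchange().hasRole("ACTUATOR"));
        http.httpBasic(withDefaults());
        return http.build();
    }

    @Bean
    @Order(2)
    SecurityWebFilterChain gatewayChain(ServerHttpSecurity http) {
        // Everything else is proxied by Spring Cloud Gateway unchanged, including requests
        // that happen to carry an Authorization header: basic auth is not evaluated here.
        http.authorizeExchange(exchanges -> exchanges.anyExchange().permitAll());
        http.httpBasic(ServerHttpSecurity.HttpBasicSpec::disable);
        // CSRF protection is on by default and would reject proxied POST/PUT/DELETE requests
        // that carry no token; the gateway only forwards them, so it is switched off on this chain.
        http.csrf(ServerHttpSecurity.CsrfSpec::disable);
        return http.build();
    }
}
```

With this layout a request to /actuator/refresh without credentials gets a 401 from the first chain, while a request to any proxied route is handed to the gateway filters by the second chain.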

粤ICP备18138465号  © 2020-2024 STACKOOM.COM