如何为/env, /health, /metrics等管理端点使用基本安全性?
与其他应用程序控制器端点安全性相比,我想为上述端点使用不同的用户凭据。
在我的application.properties文件中,我在下面指定了应用程序控制器安全性
security.user.name=user security.user.password=password
但我想为管理端点提供不同的用户名/密码。找不到management.security.user.name属性。
答案 0 :(得分:3)
要实现端点基本安全性,您需要在代码
下使用security.user.name=user
security.user.password=password
并且在配置文件中应该像下面一样
@Configuration
public class SpringSecurityConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http.csrf().disable().authorizeRequests().anyRequest().authenticated().and().httpBasic();
}
}
仍然没有工作,希望这会起作用
答案 1 :(得分:2)
Spring安全有一个"全球"在AuthenticationManager @Bean类型的GlobalAuthenticationConfigurerAdapter个实例中配置了AuthenticationManager。除非您设置security.user.*,否则此security.basic.enabled=false是由AM属性配置的AuthenticationManagers。默认情况下,全局WebSecurityConfigurationAdapters也附加到管理端点,它是任何" Local"的父级。 ProviderManagers中定义了AM(它们都是WebSecurityConfigurationAdapter)。
因此,如果您需要管理端点和应用程序端点的不同用户帐户,则至少有两个选择:
在AuthenticationManagerBuilder中为应用程序端点定义本地WebSecurityConfigurationAdapter,并确保该过滤器不涵盖管理端点。这很容易,因为它是您不必过多思考就可以获得AM security.basic.enabled=false的{{1}}(只要根据filter that secures the management endpoints进行仔细订购)。
对应用程序端点使用全局WebSecurityConfigurerAdapter(或实际上是另一个本地端点)并重新配置管理端点的安全性(例如,设置{{1}}并添加自己的{{1}}覆盖管理端点)。这可能是更多的工作,并重复一些引导默认值,但至少你会知道你得到了什么。
答案 2 :(得分:2)
Dave已经解释得很好,但这里有一些使用WebSecurityConfigurerAdapter和数据库作为auth源的完整示例。
<强> SecurityConfig.java
@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
@Autowired
private DataSource dataSource;
@Override
public void configure(WebSecurity web) throws Exception {
// Ignore any request that starts with /resources or /webjars
web.ignoring()
.antMatchers("/resources/**")
.antMatchers("/webjars/**");
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http.csrf().disable();
// for app access
http.authorizeRequests()
.antMatchers("/configuration").hasRole("ADMIN")
.antMatchers("/user").hasRole("ADMIN")
.anyRequest().fullyAuthenticated()
.and()
.exceptionHandling().accessDeniedPage("/auth_error")
.and()
.formLogin().loginPage("/login").failureUrl("/login?error").permitAll()
.and()
.logout().logoutRequestMatcher(new AntPathRequestMatcher("/logout")).logoutSuccessUrl("/").invalidateHttpSession(true);
// for management access with basic auth
http.httpBasic()
.and()
.authorizeRequests()
.antMatchers("/management/**").hasRole("ADMIN");
}
@Override
public void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.jdbcAuthentication().dataSource(dataSource)
.passwordEncoder(new BCryptPasswordEncoder());
}
}
这是我的application.properties
<强> application.properties
# MANAGEMENT HTTP SERVER (ManagementServerProperties)
management.port=8081
management.address=127.0.0.1
management.context-path=/management
management.security.enabled=true
# MVC ONLY ENDPOINTS
endpoints.jolokia.path=/jolokia
endpoints.jolokia.sensitive=true
endpoints.jolokia.enabled=true
# JMX ENDPOINT (EndpointMBeanExportProperties)
endpoints.jmx.enabled=true
endpoints.jmx.domain=org.springboot
endpoints.jmx.unique-names=false
# ENDPOINT
endpoints.enabled=true
endpoints.shutdown.id=shutdown
endpoints.shutdown.sensitive=true
endpoints.shutdown.enabled=true
# HYPERMEDIA ENDPOINTS
endpoints.actuator.enabled=true
endpoints.actuator.path=/actuator
endpoints.actuator.sensitive=false
您可以从spring application properties
查看更多端点属性管理请求示例
数据库中已添加ADMIN Role用户(用户名:admin,密码:password)。
关闭示例管理请求
$ curl -u admin:password -X POST http://127.0.0.1:8081/management/shutdown
{"message":"Shutting down, bye..."}
通过jolokia检查HeapMemoryUsage和ThreadCount的示例管理请求
$ curl -u admin:password http://127.0.0.1:8081/management/jolokia/read/java.lang:type=Memory/HeapMemoryUsage
{"request":{"mbean":"java.lang:type=Memory","attribute":"HeapMemoryUsage","type":"read"},"value":{"init":268435456,"committed":829947904,"max":3817865216,"used":466033000},"timestamp":1444167809,"status":200}
$ curl -u admin:password http://127.0.0.1:8081/management/jolokia/read/java.lang:type=Threading/ThreadCount
{"request":{"mbean":"java.lang:type=Threading","attribute":"ThreadCount","type":"read"},"value":47,"timestamp":1444174639,"status":200}
检查健康状况的示例管理请求
$ curl -u admin:password http://127.0.0.1:8081/management/health
{"status":"UP","diskSpace":{"status":"UP","free":163634987008,"threshold":10485760},"db":{"status":"UP","database":"H2","hello":1}}