Unable to secure Spring Boot management actuator endpoints

Date: 2014-05-02 08:09:41

Tags: java spring-security spring-boot

I am trying to secure the Spring Boot actuator endpoints. I have security working on the /api REST interface, but trying to add security to the built-in endpoints does not seem to work.

I have grouped the endpoints in application.properties:

management.context-path=/management

I have this in my Java config:

// Imports and the enclosing class are added here so the snippet compiles;
// XAuthTokenConfigurer is the asker's own class and is not shown.
import org.springframework.security.config.annotation.SecurityConfigurer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.DefaultSecurityFilterChain;

@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter
{
    @Override
    protected void configure( HttpSecurity http ) throws Exception
    {
        http.csrf().disable();
        http.sessionManagement().sessionCreationPolicy( SessionCreationPolicy.STATELESS );

        http.authorizeRequests()
            .antMatchers( "/api/**" ).hasRole( "READONLY" )
            .antMatchers( "/management/**" ).hasRole( "ADMIN" );

        SecurityConfigurer<DefaultSecurityFilterChain, HttpSecurity> securityConfigurer = new XAuthTokenConfigurer( userDetailsServiceBean() );
        http.apply( securityConfigurer );
    }
}

When I go to anything under /api in a browser I get a 403 back, as expected. When I go to /management/info, for example, I see JSON being returned, where I would also expect a 403.

I also tried adding this to my application.properties file:

management.security.role=ADMIN

but that does not help either.

The DEBUG output shows:

2014-05-02 10:15:30 DEBUG [localhost-startStop-1] ExpressionBasedFilterInvocationSecurityMetadataSource - Adding web access control expression 'hasRole('ROLE_READONLY')', for Ant [pattern='/api/**']

2014-05-02 10:15:30 DEBUG [localhost-startStop-1] ExpressionBasedFilterInvocationSecurityMetadataSource - Adding web access control expression 'hasRole('ROLE_ADMIN')', for Ant [pattern='/management/**']

And then when I do the HTTP GET:

2014-05-02 10:16:39 DEBUG [http-nio-8443-exec-4] AntPathRequestMatcher - Checking match of request : '/management/info'; against '/css/**'
2014-05-02 10:16:39 DEBUG [http-nio-8443-exec-4] AntPathRequestMatcher - Checking match of request : '/management/info'; against '/js/**'
2014-05-02 10:16:39 DEBUG [http-nio-8443-exec-4] AntPathRequestMatcher - Checking match of request : '/management/info'; against '/images/**'
2014-05-02 10:16:39 DEBUG [http-nio-8443-exec-4] AntPathRequestMatcher - Checking match of request : '/management/info'; against '/**/favicon.ico'
2014-05-02 10:16:39 DEBUG [http-nio-8443-exec-4] AntPathRequestMatcher - Checking match of request : '/management/info'; against '/management/info'
2014-05-02 10:16:39 DEBUG [http-nio-8443-exec-4] FilterChainProxy - /management/info has an empty filter list

1 answer:

Answer 0 (score: 2)

The log line that tells the story is: "/management/info has an empty filter list", because it is explicitly marked as ignored (/info is always supposed to be available). Try one of the other actuator endpoints and see whether they behave as you expect. If you really need to secure the info endpoint, you can set endpoints.info.sensitive=true (I think).
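As an added example (not part of the question or the answer), a small Python script that applies the answer's diagnosis to Spring Security DEBUG output: it collects the access-control expressions registered at startup, flags every request that FilterChainProxy served with an empty filter list, and reports which antMatcher rule would have applied had the path not been ignored. The log text is constructed from the lines in the question plus two made-up requests; the Ant-pattern translation is a simplified one written for this script, not Spring's AntPathMatcher.

```python
import re

# Constructed sample log: the question's DEBUG lines (each on one line) plus two
# made-up requests, one for /management/health and one /api request that does enter the chain.
SAMPLE_LOG = """\
2014-05-02 10:15:30 DEBUG [localhost-startStop-1] ExpressionBasedFilterInvocationSecurityMetadataSource - Adding web access control expression 'hasRole('ROLE_READONLY')', for Ant [pattern='/api/**']
2014-05-02 10:15:30 DEBUG [localhost-startStop-1] ExpressionBasedFilterInvocationSecurityMetadataSource - Adding web access control expression 'hasRole('ROLE_ADMIN')', for Ant [pattern='/management/**']
2014-05-02 10:16:39 DEBUG [http-nio-8443-exec-4] AntPathRequestMatcher - Checking match of request : '/management/info'; against '/management/info'
2014-05-02 10:16:39 DEBUG [http-nio-8443-exec-4] FilterChainProxy - /management/info has an empty filter list
2014-05-02 10:16:41 DEBUG [http-nio-8443-exec-5] FilterChainProxy - /management/health has an empty filter list
2014-05-02 10:16:45 DEBUG [http-nio-8443-exec-6] FilterChainProxy - /api/users at position 1 of 10 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
"""

RULE_RE = re.compile(r"Adding web access control expression '(?P<expr>.*)', for Ant \[pattern='(?P<pattern>[^']+)'\]")
EMPTY_RE = re.compile(r"FilterChainProxy - (?P<path>\S+) has an empty filter list")
_ANT_TOKENS = [("/**", "(/.*)?"), ("*", "[^/]*"), ("?", "[^/]")]  # longest token first


def ant_to_regex(pattern: str) -> re.Pattern:
    """Translate a Spring Ant-style path pattern to a regex: '/**' matches zero
    or more whole segments, '*' one segment (no '/'), '?' a single character."""
    out, i = [], 0
    while i < len(pattern):
        for token, regex in _ANT_TOKENS:
            if pattern.startswith(token, i):
                out.append(regex)
                i += len(token)
                break
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(out) + "$")


def find_bypassed_paths(log_text: str) -> dict:
    """Map each request path served with an empty filter list to the access
    expressions whose Ant pattern covers it. An empty filter list means no
    Spring Security filter ran at all, so those rules were never evaluated."""
    rules = [(m["pattern"], m["expr"], ant_to_regex(m["pattern"])) for m in RULE_RE.finditer(log_text)]
    bypassed = {}
    for m in EMPTY_RE.finditer(log_text):
        path = m["path"]
        bypassed[path] = [f"{expr} ({pat})" for pat, expr, rx in rules if rx.match(path)]
    return bypassed


if __name__ == "__main__":
    for path, rules in find_bypassed_paths(SAMPLE_LOG).items():
        print(f"{path}: bypassed the filter chain; rules that should have applied: {rules or 'none'}")
```

Running it lists /management/info and /management/health as served outside the security filter chain, each annotated with the hasRole('ROLE_ADMIN') rule for /management/** that never got a chance to run; /api/users, which entered the chain, is not reported.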