My application has a very simple security configuration, and it does not seem to protect the Actuator endpoints. From what I have read elsewhere on SO, one should not simply disable security for these endpoints, so I'm confused and would appreciate some help understanding what is going on here.
    // Imports added for completeness; WebSecurityProperties is the asker's own
    // properties class and is not part of Spring.
    import javax.sql.DataSource;

    import org.springframework.beans.factory.annotation.Autowired;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.core.annotation.Order;
    import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
    import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
    import org.springframework.security.config.http.SessionCreationPolicy;

    @EnableWebSecurity
    @EnableGlobalMethodSecurity(prePostEnabled = true)
    public class WebSecurityConfig {

        @Autowired
        private DataSource dataSource;

        @Autowired
        private WebSecurityProperties properties;

        // Shared authentication manager: users and roles come from the JDBC schema.
        @Autowired
        public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
            auth.jdbcAuthentication()
                .dataSource(dataSource);
        }

        // First filter chain (order 0): stateless HTTP Basic for the API paths.
        @Configuration
        @Order(0)
        public static class ApiWebSecurityConfigurationAdapter extends WebSecurityConfigurerAdapter {

            @Autowired
            private WebSecurityProperties properties;

            @Override
            public void configure(HttpSecurity http) throws Exception {
                http
                    .csrf().disable()
                    .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                    .and()
                    .authorizeRequests()
                        .antMatchers("/web/**", "/example/**").hasRole(properties.getApiUserGroup())
                    .and()
                    .httpBasic();
            }
        }

        // Second filter chain (default order): everything else requires the admin role.
        @Configuration
        public static class FormLoginWebSecurityConfigurerAdapter extends WebSecurityConfigurerAdapter {

            @Autowired
            private WebSecurityProperties properties;

            @Override
            protected void configure(HttpSecurity http) throws Exception {
                http
                    .authorizeRequests()
                        .antMatchers("/index.html")
                        .permitAll()
                    .and()
                    .authorizeRequests()
                        .antMatchers("/**").hasRole(properties.getAdminGroup());
            }
        }
    }
Answer 0: (score: 0)
Well, it looks like there were some problems with my configuration. @Order(SecurityProperties.ACCESS_OVERRIDE_ORDER). As part of the effort to get this working, I simplified the configuration and ended up with this:
    // Imports added for completeness; WebSecurityProperties is the asker's own
    // properties class and is not part of Spring.
    import javax.sql.DataSource;

    import org.springframework.beans.factory.annotation.Autowired;
    import org.springframework.boot.autoconfigure.security.SecurityProperties;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.core.annotation.Order;
    import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
    import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
    import org.springframework.security.config.http.SessionCreationPolicy;

    @Configuration
    @EnableGlobalMethodSecurity(prePostEnabled = true)
    // ACCESS_OVERRIDE_ORDER sorts this chain after Spring Boot's management
    // security chain, so the Actuator endpoints keep Boot's own protection.
    @Order(SecurityProperties.ACCESS_OVERRIDE_ORDER)
    public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

        @Autowired
        private DataSource dataSource;

        @Autowired
        private WebSecurityProperties properties;

        @Autowired
        public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
            auth.jdbcAuthentication()
                .dataSource(dataSource);
        }

        @Override
        public void configure(HttpSecurity http) throws Exception {
            http.csrf().disable()
                .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()
                .authorizeRequests()
                    .antMatchers("/web/**", "/example/**").hasRole(properties.getApiUserGroup())
                    .antMatchers("/index.html").permitAll().and()
                .httpBasic().realmName("API example");
        }
    }
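The underlying problem in the original two-adapter setup is that a WebSecurityConfigurerAdapter without requestMatchers() claims every request, so the @Order(0) API chain handled the Actuator paths too and, having no rule for them, let them through. The following is an added example (not the asker's code) that keeps two chains but scopes the first one to the API paths and makes the second deny-by-default; it assumes the same Spring Boot 1.x / Spring Security 4 API as on this page, the asker's own WebSecurityProperties class, and the page's existing jdbcAuthentication() setup.

```java
// Added example, not the asker's code: scopes each filter chain to its own URL space.
// Assumes Spring Boot 1.x / Spring Security 4 as on this page, and that WebSecurityProperties
// (the asker's own class) and the page's jdbcAuthentication() configureGlobal() exist unchanged.
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.autoconfigure.security.SecurityProperties;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;

@EnableWebSecurity
public class ScopedWebSecurityConfig {
    // Chain 1 applies ONLY to the stateless API paths. Without requestMatchers() an adapter
    // matches every request, so an @Order(0) adapter swallows /health, /env, ... and, having
    // no access rule for them, lets them through unauthenticated.
    @Configuration
    @Order(0)
    public static class ApiConfig extends WebSecurityConfigurerAdapter {
        @Autowired
        private WebSecurityProperties properties;
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.requestMatchers().antMatchers("/web/**", "/example/**").and()
                .csrf().disable()
                .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()
                .authorizeRequests().anyRequest().hasRole(properties.getApiUserGroup()).and()
                .httpBasic().realmName("API example");
        }
    }

    // Chain 2 handles everything else. ACCESS_OVERRIDE_ORDER sorts it after Boot's management
    // security chain, so Actuator endpoints keep their own protection, and anyRequest() makes
    // any path not listed above deny-by-default instead of silently permitted.
    @Configuration
    @Order(SecurityProperties.ACCESS_OVERRIDE_ORDER)
    public static class WebConfig extends WebSecurityConfigurerAdapter {
        @Autowired
        private WebSecurityProperties properties;
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.authorizeRequests()
                .antMatchers("/index.html").permitAll()
                .anyRequest().hasRole(properties.getAdminGroup()).and()
                .formLogin();
        }
    }
}
```

A quick check after wiring this in: an unauthenticated GET to an Actuator endpoint such as /health should now answer 401 rather than 200, and a GET to an unlisted path should be redirected to the login page instead of served.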