为什么我的所有Spring启动器执行器端点都是公开的?

时间:2016-04-15 10:43:25

标签: java spring-security spring-boot

我在我的类路径上安装了Spring Security(并验证了我自己的REST控制器的工作情况),但我的Actuator端点默认公开可用(/shutdown除外)。

我可以随意禁用端点(在阅读this问题后),但已启用的端点始终无需身份验证,且我的属性中没有management.security.role所需的角色。

即使我明确设置了endpoints.beans.sensitive=true,它仍然可以在没有身份验证的情况下访问。

使用LDAP进行身份验证的My Security配置:

@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
    @Autowired
    private LdapContextSource contextSource;

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth
                .ldapAuthentication()
                .contextSource(contextSource)
                .groupRoleAttribute("<hidden>")
                .groupSearchBase("<hidden>")
                .groupSearchFilter("<hidden>")
                .userDnPatterns("<hidden>");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.httpBasic();
    }
}

在此测试期间我的application.properties:

# Log4J properties
logging.file=${user.home}/nubis-log.log
logging.level.org.springframework.web=INFO
logging.level.org.hibernate=INFO
logging.register-shutdown-hook=true

# SSL configuration
server.ssl.key-store=<hidden>
server.ssl.key-store-password=<hidden>
server.ssl.keyStoreType=<hidden>
server.ssl.key-password=<hidden>

# Spring actuator
endpoints.enabled=false
endpoints.info.enabled=true
endpoints.health.enabled=true
endpoints.beans.enabled=true
endpoints.beans.sensitive=true
management.security.role=ADMIN

我的控制台输出:

[2016-04-15 12:30:05.742] boot - 2754  INFO [localhost-startStop-1] --- DelegatingFilterProxyRegistrationBean: Mapping filter: 'springSecurityFilterChain' to: [/*]
[2016-04-15 12:30:05.742] boot - 2754  INFO [localhost-startStop-1] --- FilterRegistrationBean: Mapping filter: 'webRequestLoggingFilter' to: [/*]
[2016-04-15 12:30:05.743] boot - 2754  INFO [localhost-startStop-1] --- FilterRegistrationBean: Mapping filter: 'CORSFilter' to: [/*]
[2016-04-15 12:30:05.743] boot - 2754  INFO [localhost-startStop-1] --- FilterRegistrationBean: Mapping filter: 'applicationContextIdFilter' to: [/*]
[2016-04-15 12:30:05.743] boot - 2754  INFO [localhost-startStop-1] --- ServletRegistrationBean: Mapping servlet: 'dispatcherServlet' to [/]
[2016-04-15 12:30:05.800] boot - 2754 DEBUG [localhost-startStop-1] --- DelegatingFilterProxy: Initializing filter 'springSecurityFilterChain'
[2016-04-15 12:30:07.059] boot - 2754  INFO [localhost-startStop-1] --- EndpointHandlerMapping: Mapped "{[/info || /info.json],methods=[GET],produces=[application/json]}" onto public java.lang.Object org.springframework.boot.actuate.endpoint.mvc.EndpointMvcAdapter.invoke()
[2016-04-15 12:30:07.061] boot - 2754  INFO [localhost-startStop-1] --- EndpointHandlerMapping: Mapped "{[/beans || /beans.json],methods=[GET],produces=[application/json]}" onto public java.lang.Object org.springframework.boot.actuate.endpoint.mvc.EndpointMvcAdapter.invoke()
[2016-04-15 12:30:07.063] boot - 2754  INFO [localhost-startStop-1] --- EndpointHandlerMapping: Mapped "{[/health || /health.json],produces=[application/json]}" onto public java.lang.Object org.springframework.boot.actuate.endpoint.mvc.HealthMvcEndpoint.invoke(java.security.Principal)

是否存在阻止Spring Security的配置/属性?我是否需要配置额外的东西以使其与LDAP一起使用?

1 个答案:

答案 0 :(得分:-1)

所有端点都有一个敏感属性,需要设置为RunTimeError

查看Apedenix A https://docs.spring.io/spring-boot/docs/current/reference/html/common-application-properties.html

在该页面上搜索ACTUATOR PROPERTIES。