这是我的Spring Boot 1.5.1执行器application.properties:
#Spring Boot Actuator
management.contextPath: /actuator
management.security.roles=R_0
这是我的WebSecurityConfig:
@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
@Autowired
private UserDetailsService userDetailsService;
@Value("${logout.success.url}")
private String logoutSuccessUrl;
@Override
protected void configure(HttpSecurity http) throws Exception {
// @formatter:off
http.addFilterBefore(new CorsFilter(), ChannelProcessingFilter.class);
http
.csrf().ignoringAntMatchers("/v1.0/**", "/logout")
.and()
.authorizeRequests()
.antMatchers("/oauth/authorize").authenticated()
//Anyone can access the urls
.antMatchers("/signin/**").permitAll()
.antMatchers("/v1.0/**").permitAll()
.antMatchers("/auth/**").permitAll()
.antMatchers("/actuator/health").permitAll()
.antMatchers("/actuator/**").hasAuthority("R_0")
.antMatchers("/login").permitAll()
.anyRequest().authenticated()
.and()
.formLogin()
.loginPage("/login")
.loginProcessingUrl("/login")
.failureUrl("/login?error=true")
.usernameParameter("username")
.passwordParameter("password")
.permitAll()
.and()
.logout()
.logoutUrl("/logout")
.logoutSuccessUrl(logoutSuccessUrl)
.permitAll();
// @formatter:on
}
/**
* Configures the authentication manager bean which processes authentication requests.
*/
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.userDetailsService(userDetailsService).passwordEncoder(new BCryptPasswordEncoder());
}
@Override
@Bean
public AuthenticationManager authenticationManagerBean() throws Exception {
return super.authenticationManagerBean();
}
}
现在,我已成功登录我的应用程序,并拥有R_0权限的合适用户,但当我尝试访问时,
http://localhost:8080/api/actuator/beans
我收到以下错误:
There was an unexpected error (type=Forbidden, status=403).
Access is denied. User must have one of the these roles: R_0
如何正确配置Spring Boot Actuator以了解正确的Authentication?
现在为了让它工作,我必须做以下技巧:
management.security.enabled=false
.antMatchers("/actuator/health").permitAll()
.antMatchers("/actuator/**").hasAuthority("R_0")
是否有机会以正确的方式配置执行器?
已更新
我正在使用UserDetailsService.UserDetails.Authorities
public Collection<? extends GrantedAuthority> getAuthorities() {
String[] authorities = permissions.stream().map(p -> {
return p.getName();
}).toArray(String[]::new);
return AuthorityUtils.createAuthorityList(authorities);
}
答案 0 :(得分:5)
您必须为ROLE_使用前缀management.security.roles,例如management.security.roles=ROLE_SOMENAME才能解决此问题
答案 1 :(得分:0)
要获得弹簧启动执行器端点的授权,您需要具有 ACTUATOR 角色。 请参阅此示例Accessing Restricted Actuator Endpoints with Spring Security
答案 2 :(得分:0)
我来自Reactive Spring Boot 2.x应用程序,遇到了这个问题,并通过更新WebSecurityConfig.securityWebFilterChain以及SecurityContextRepository.load使其包含/ actuator / **来解决此问题,如下所示:
public class WebSecurityConfig {
private AuthenticationManager authenticationManager;
private SecurityContextRepository securityContextRepository;
@Autowired
public WebSecurityConfig(AuthenticationManager authenticationManager, SecurityContextRepository securityContextRepository) {
this.authenticationManager = authenticationManager;
this.securityContextRepository = securityContextRepository;
}
@Bean
public SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity http) {
return http
.exceptionHandling()
.authenticationEntryPoint((swe, e) -> Mono.fromRunnable(() -> {
swe.getResponse().setStatusCode(HttpStatus.UNAUTHORIZED);
})).accessDeniedHandler((swe, e) -> Mono.fromRunnable(() -> {
swe.getResponse().setStatusCode(HttpStatus.FORBIDDEN);
})).and()
.csrf().disable()
.formLogin().disable()
.httpBasic().disable()
.authenticationManager(authenticationManager)
.securityContextRepository(securityContextRepository)
.authorizeExchange()
.pathMatchers("/actuator/**").permitAll()
.anyExchange().authenticated()
.and().build();
}
以及更新
@Slf4j
@Component
public class SecurityContextRepository implements ServerSecurityContextRepository {
private AuthenticationManager authenticationManager;
public SecurityContextRepository(AuthenticationManager authenticationManager) {
this.authenticationManager = authenticationManager;
}
@Override
public Mono<Void> save(ServerWebExchange swe, SecurityContext sc) {
return Mono.error(new UnsupportedOperationException("Not supported"));
}
@Override
public Mono<SecurityContext> load(ServerWebExchange swe) {
ServerHttpRequest request = swe.getRequest();
if (request.getPath().value().startsWith("/actuator") ) {
return Mono.empty();
}
// other authentication logic here
}
答案 3 :(得分:0)
1
1.You can add the following properties
endpoints.health.enabled=true
endpoints.loggers.enabled=true
endpoints.metrics.enabled=true
endpoints.env.enabled=false
endpoints.configprops.enabled=false
endpoints.autoconfig.enabled=false
endpoints.info.enabled=false
management.context-path=/management
2)
@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter implements ApplicationContextAware {
private static final String ACTUATOR = "ACTUATOR";
private static final String ROLE1 = "USER";
@Override
protected void configure(HttpSecurity http) throws Exception {
http.httpBasic().and().authorizeRequests().antMatchers("/controllerpath/**")
.hasAnyRole(ROLE1).antMatchers("/loggers/**","/metrics/**","/health/**").hasAnyRole(ACTUATOR).and()
.csrf().disable().headers().frameOptions().disable();
}
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.inMemoryAuthentication().passwordEncoder(new BCryptPasswordEncoder())
.withUser("username-of-app").password("encryptedpassword")
.roles(ROLE1).and().withUser("username-of-management-for-path")
.password("encrypted password").roles(ACTUATOR);
}
}
答案 4 :(得分:0)
endpoints.health.enabled=true
endpoints.loggers.enabled=true
endpoints.metrics.enabled=true
endpoints.env.enabled=false
endpoints.configprops.enabled=false
endpoints.autoconfig.enabled=false
endpoints.info.enabled=false
management.context-path=/management
@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter implements ApplicationContextAware {
private static final String ACTUATOR = "ACTUATOR";
private static final String ROLE1 = "USER";
@Override
protected void configure(HttpSecurity http) throws Exception {
http.httpBasic().and().authorizeRequests().antMatchers("/controllerpath/**")
.hasAnyRole(ROLE1).antMatchers("/loggers/**","/metrics/**","/health/**").hasAnyRole(ACTUATOR).and()
.csrf().disable().headers().frameOptions().disable();
}
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.inMemoryAuthentication().passwordEncoder(new BCryptPasswordEncoder())
.withUser("username-of-app").password("encryptedpassword")
.roles(ROLE1).and().withUser("username-of-management-for-path")
.password("encrypted password").roles(ACTUATOR);
}
}
答案 5 :(得分:-1)
根据这个链接:
https://www.w3.org/TR/CSS21/visuren.html#float-rules
默认情况下,所有敏感HTTP端点都是安全的 具有ACTUATOR角色的用户可以访问它们。安全性得到执行 使用标准的HttpServletRequest.isUserInRole方法。
如果您需要,请使用management.security.roles属性 与ACTUATOR不同。
所以我认为您所要做的就是在application.properties中设置以下属性。
SystemStackError: stack level too deep例如:
management.security.roles