I have defined a ResourceServer that validates the AccessToken with a public key. This works as expected.
I want to keep the "sensitive" behaviour of the Actuator endpoints and use OAuth for the sensitive endpoints.
The default behaviour in Spring Boot is to protect the Actuator endpoints with some form of Basic Auth. How do I switch the sensitive endpoints to OAuth?
What I have tried:
How can I achieve the desired behaviour?
Edit-1: Added the ResourceServer configuration
@Configuration
@EnableResourceServer
public class ResourceServerConfig extends ResourceServerConfigurerAdapter {
}
# OAuth2 Resource Configuration
security.oauth2.resource.filter-order=3
security.oauth2.resource.jwt.key-value=-----BEGIN PUBLIC KEY----- \
ABCD|\
-----END PUBLIC KEY-----
Edit-2: Logs with management.security.enabled = false
2018-04-04 09:38:52,428 [restartedMain ] INFO o.s.s.w.DefaultSecurityFilterChain.<init>(ln:43) - Creating filter chain: OrRequestMatcher [requestMatchers=[Ant [pattern='/css/**'], Ant [pattern='/js/**'], Ant [pattern='/images/**'], Ant [pattern='/webjars/**'], Ant [pattern='/**/favicon.ico'], Ant [pattern='/error']]], []
2018-04-04 09:38:52,428 [restartedMain ] INFO o.s.s.w.DefaultSecurityFilterChain.<init>(ln:43) - Creating filter chain: org.springframework.boot.actuate.autoconfigure.ManagementWebSecurityAutoConfiguration$LazyEndpointPathRequestMatcher@cba0b40, []
2018-04-04 09:38:52,517 [restartedMain ] DEBUG o.s.s.w.a.e.ExpressionBasedFilterInvocationSecurityMetadataSource.processMap(ln:74) - Adding web access control expression 'hasAnyRole('ROLE_USER','ROLE_ACTUATOR')', for org.springframework.security.web.util.matcher.AnyRequestMatcher@1
2018-04-04 09:38:52,527 [restartedMain ] DEBUG o.s.s.a.i.AbstractSecurityInterceptor.afterPropertiesSet(ln:180) - Validated configuration attributes
2018-04-04 09:38:52,528 [restartedMain ] DEBUG o.s.s.a.i.AbstractSecurityInterceptor.afterPropertiesSet(ln:180) - Validated configuration attributes
2018-04-04 09:38:52,537 [restartedMain ] INFO o.s.s.w.DefaultSecurityFilterChain.<init>(ln:43) - Creating filter chain: Ant [pattern='/h2-console/**'], [org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter@2f0907e7, org.springframework.security.web.context.SecurityContextPersistenceFilter@7d0c8fcd, org.springframework.security.web.header.HeaderWriterFilter@1deb6ece, org.springframework.security.web.authentication.logout.LogoutFilter@54ae565a, org.springframework.security.web.authentication.www.BasicAuthenticationFilter@101e66ff, org.springframework.security.web.savedrequest.RequestCacheAwareFilter@48870c1e, org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter@2c3aa8cc, org.springframework.security.web.authentication.AnonymousAuthenticationFilter@43db62cc, org.springframework.security.web.session.SessionManagementFilter@1c417a06, org.springframework.security.web.access.ExceptionTranslationFilter@6af61e6, org.springframework.security.web.access.intercept.FilterSecurityInterceptor@e2595cc]
2018-04-04 09:38:52,559 [restartedMain ] DEBUG o.s.s.w.a.e.ExpressionBasedFilterInvocationSecurityMetadataSource.processMap(ln:74) - Adding web access control expression 'authenticated', for org.springframework.security.web.util.matcher.AnyRequestMatcher@1
2018-04-04 09:38:52,560 [restartedMain ] DEBUG o.s.s.a.i.AbstractSecurityInterceptor.afterPropertiesSet(ln:180) - Validated configuration attributes
2018-04-04 09:38:52,560 [restartedMain ] DEBUG o.s.s.a.i.AbstractSecurityInterceptor.afterPropertiesSet(ln:180) - Validated configuration attributes
2018-04-04 09:38:52,561 [restartedMain ] INFO o.s.s.w.DefaultSecurityFilterChain.<init>(ln:43) - Creating filter chain: org.springframework.security.web.util.matcher.AnyRequestMatcher@1, [org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter@71c85f60, org.springframework.security.web.context.SecurityContextPersistenceFilter@3867025d, org.springframework.security.web.header.HeaderWriterFilter@1fe578f, org.springframework.security.web.authentication.logout.LogoutFilter@6bcc7bbf, org.springframework.security.oauth2.provider.authentication.OAuth2AuthenticationProcessingFilter@52f4e578, org.springframework.security.web.savedrequest.RequestCacheAwareFilter@2a57cae0, org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter@5966b20a, org.springframework.security.web.authentication.AnonymousAuthenticationFilter@10e17172, org.springframework.security.web.session.SessionManagementFilter@440ed2d3, org.springframework.security.web.access.ExceptionTranslationFilter@76cc8ddc, org.springframework.security.web.access.intercept.FilterSecurityInterceptor@72a6a42e]
2018-04-04 09:38:52,565 [restartedMain ] DEBUG o.s.s.w.a.e.ExpressionBasedFilterInvocationSecurityMetadataSource.processMap(ln:74) - Adding web access control expression 'hasAnyRole('ROLE_USER','ROLE_ACTUATOR')', for org.springframework.security.web.util.matcher.AnyRequestMatcher@1
2018-04-04 09:38:52,566 [restartedMain ] DEBUG o.s.s.a.i.AbstractSecurityInterceptor.afterPropertiesSet(ln:180) - Validated configuration attributes
2018-04-04 09:38:52,566 [restartedMain ] DEBUG o.s.s.a.i.AbstractSecurityInterceptor.afterPropertiesSet(ln:180) - Validated configuration attributes
2018-04-04 09:38:52,567 [restartedMain ] INFO o.s.s.w.DefaultSecurityFilterChain.<init>(ln:43) - Creating filter chain: OrRequestMatcher [requestMatchers=[Ant [pattern='/**']]], [org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter@3b9584b5, org.springframework.security.web.context.SecurityContextPersistenceFilter@2181d916, org.springframework.security.web.header.HeaderWriterFilter@5ed5886a, org.springframework.security.web.authentication.logout.LogoutFilter@74909e09, org.springframework.security.web.authentication.www.BasicAuthenticationFilter@5b76b0e4, org.springframework.security.web.savedrequest.RequestCacheAwareFilter@7c129fed, org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter@ef6dedd, org.springframework.security.web.authentication.AnonymousAuthenticationFilter@6c8179fb, org.springframework.security.web.session.SessionManagementFilter@4d36e557, org.springframework.security.web.access.ExceptionTranslationFilter@1868a4d7, org.springframework.security.web.access.intercept.FilterSecurityInterceptor@15c448ac]
2018-04-04 09:39:53,545 [nio-8080-exec-1] DEBUG o.s.s.w.u.m.OrRequestMatcher.matches(ln:65) - Trying to match using Ant [pattern='/metrics']
2018-04-04 09:39:53,545 [nio-8080-exec-1] DEBUG o.s.s.w.u.m.AntPathRequestMatcher.matches(ln:157) - Checking match of request : '/metrics'; against '/metrics'
2018-04-04 09:39:53,545 [nio-8080-exec-1] DEBUG o.s.s.w.u.m.OrRequestMatcher.matches(ln:68) - matched
2018-04-04 09:39:53,545 [nio-8080-exec-1] DEBUG o.s.s.w.FilterChainProxy.doFilterInternal(ln:201) - /metrics has an empty filter list
2018-04-04 09:41:57,195 [nio-8080-exec-5] DEBUG o.s.s.w.FilterChainProxy$VirtualFilterChain.doFilter(ln:325) - /customers at position 5 of 11 in additional filter chain; firing Filter: 'OAuth2AuthenticationProcessingFilter'
2018-04-04 09:41:57,196 [nio-8080-exec-5] DEBUG o.s.s.o.p.a.BearerTokenExtractor.extractToken(ln:54) - Token not found in headers. Trying request parameters.
2018-04-04 09:41:57,196 [nio-8080-exec-5] DEBUG o.s.s.o.p.a.BearerTokenExtractor.extractToken(ln:57) - Token not found in request parameters. Not an OAuth2 request.
2018-04-04 09:41:57,196 [nio-8080-exec-5] DEBUG o.s.s.o.p.a.OAuth2AuthenticationProcessingFilter.doFilter(ln:141) - No token in request, will continue chain.
2018-04-04 09:41:57,196 [nio-8080-exec-5] DEBUG o.s.s.w.FilterChainProxy$VirtualFilterChain.doFilter(ln:325) - /customers at position 6 of 11 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
2018-04-04 09:41:57,196 [nio-8080-exec-5] DEBUG o.s.s.w.FilterChainProxy$VirtualFilterChain.doFilter(ln:325) - /customers at position 7 of 11 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
2018-04-04 09:41:57,198 [nio-8080-exec-5] DEBUG o.s.s.w.FilterChainProxy$VirtualFilterChain.doFilter(ln:325) - /customers at position 8 of 11 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
2018-04-04 09:41:57,198 [nio-8080-exec-5] DEBUG o.s.s.w.a.AnonymousAuthenticationFilter.doFilter(ln:100) - Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken@9055c2bc: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@b364: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: null; Granted Authorities: ROLE_ANONYMOUS'
2018-04-04 09:41:57,199 [nio-8080-exec-5] DEBUG o.s.s.w.FilterChainProxy$VirtualFilterChain.doFilter(ln:325) - /customers at position 9 of 11 in additional filter chain; firing Filter: 'SessionManagementFilter'
2018-04-04 09:41:57,199 [nio-8080-exec-5] DEBUG o.s.s.w.s.SessionManagementFilter.doFilter(ln:124) - Requested session ID A2BB697A35FC287599CE86AA715115CA is invalid.
2018-04-04 09:41:57,199 [nio-8080-exec-5] DEBUG o.s.s.w.FilterChainProxy$VirtualFilterChain.doFilter(ln:325) - /customers at position 10 of 11 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
2018-04-04 09:41:57,199 [nio-8080-exec-5] DEBUG o.s.s.w.FilterChainProxy$VirtualFilterChain.doFilter(ln:325) - /customers at position 11 of 11 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
2018-04-04 09:41:57,200 [nio-8080-exec-5] DEBUG o.s.s.a.i.AbstractSecurityInterceptor.beforeInvocation(ln:219) - Secure object: FilterInvocation: URL: /customers; Attributes: [#oauth2.throwOnError(authenticated)]
2018-04-04 09:41:57,200 [nio-8080-exec-5] DEBUG o.s.s.a.i.AbstractSecurityInterceptor.authenticateIfRequired(ln:348) - Previously Authenticated: org.springframework.security.authentication.AnonymousAuthenticationToken@9055c2bc: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@b364: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: null; Granted Authorities: ROLE_ANONYMOUS
2018-04-04 09:41:57,205 [nio-8080-exec-5] DEBUG o.s.s.a.v.AffirmativeBased.decide(ln:66) - Voter: org.springframework.security.web.access.expression.WebExpressionVoter@794e8437, returned: -1
2018-04-04 09:41:57,207 [nio-8080-exec-5] DEBUG o.s.s.w.a.ExceptionTranslationFilter.handleSpringSecurityException(ln:173) - Access is denied (user is anonymous); redirecting to authentication entry point
org.springframework.security.access.AccessDeniedException: Access is denied
Answer 0 (score: 0)
The brute-force way is to explicitly secure the actuator endpoints in the WebSecurityConfigurerAdapter. Something like this should do it:
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
public class ActuatorWebSecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.formLogin()
            .and()
            .httpBasic().disable()   // no Basic-auth fallback
            .anonymous().disable()   // reject unauthenticated requests instead of treating them as anonymousUser
            .authorizeRequests().anyRequest().authenticated();
    }
}
Take a look at this tutorial. After that, you should be able to secure any endpoint with the appropriate matchers in your configuration.
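As an added example (not the question's or the answer's own code), the same idea applied to the OAuth2 resource-server chain, written as a replacement for the question's empty ResourceServerConfig, so that the bearer-token filter rather than Boot's Basic-auth management chain guards the sensitive Actuator endpoints; it assumes Spring Boot 1.5-era Actuator paths and spring-security-oauth2, and the class name, resource id and the ROLE_ACTUATOR requirement are assumptions. Note that management.security.enabled=false is not the way to get there: the question's log shows it makes Spring Security ignore the Actuator paths entirely ("/metrics has an empty filter list"), leaving them unprotected rather than OAuth-protected.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configurers.ResourceServerSecurityConfigurer;

// Added example, not the question's or the answer's code. Assumes Spring Boot 1.5
// (the management.security.enabled era of the logs) with spring-security-oauth2;
// class name, resource id, endpoint paths and role name are assumptions.
@Configuration
@EnableResourceServer
public class ActuatorResourceServerConfig extends ResourceServerConfigurerAdapter {

    // Sensitive Actuator endpoints of Boot 1.5 (prefix with management.context-path if you set one).
    private static final String[] SENSITIVE_ACTUATOR = {
        "/metrics/**", "/env/**", "/beans/**", "/mappings/**",
        "/trace/**", "/dump/**", "/configprops/**", "/loggers/**"
    };

    @Override
    public void configure(ResourceServerSecurityConfigurer resources) {
        // Assumed resource id. Once set, a JWT whose "aud" claim does not contain it
        // is rejected even if its signature verifies, so tokens issued for other
        // services cannot be replayed against this one.
        resources.resourceId("my-resource").stateless(true);
    }

    @Override
    public void configure(HttpSecurity http) throws Exception {
        http
            // Claim the API and the sensitive Actuator paths for this chain. Its
            // position comes from security.oauth2.resource.filter-order (3 in the
            // question), well ahead of Boot's Basic-auth management chain, so that
            // chain never sees these requests. /health and /info are deliberately
            // left to Boot, because anonymous access is disabled on this chain.
            .requestMatchers()
                .antMatchers("/customers/**")
                .antMatchers(SENSITIVE_ACTUATOR)
                .and()
            .httpBasic().disable()    // bearer tokens only, no Basic fallback
            .anonymous().disable()    // missing token -> 401, not an anonymousUser fall-through
            .authorizeRequests()
                .antMatchers(SENSITIVE_ACTUATOR).hasRole("ACTUATOR") // token must grant ROLE_ACTUATOR
                .anyRequest().authenticated();
    }
}
```

With this in place a request for /metrics without a bearer token should log the OAuth2AuthenticationProcessingFilter and then an authentication-entry-point redirect, instead of the "empty filter list" line from the question's log.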