我想知道是否有办法配置Spring Security以仅为管理端口提供基本身份验证。我想限制对执行器端点的访问,但仍然不希望通过基本身份验证来限制对服务端点的访问。在Spring可以做到这一点吗?
更新:
所以我知道了。下面帮助实现了上面所述的内容
package com.foo.bar;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.util.matcher.AndRequestMatcher;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
@EnableWebSecurity
public class WebSecurityConfiguration {
@Value("${server.port}")
private static int serverPort;
@Value("${management.server.port}")
private static int managementPort;
@Order(1)
@Configuration
public static class ServerSecurityConfiguration extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http.antMatcher("/api/**").authorizeRequests()
.requestMatchers(new AndRequestMatcher(httpServletRequest -> serverPort == httpServletRequest.getLocalPort(),
new AntPathRequestMatcher("/foo/bar/api/**"))).permitAll().anyRequest().anonymous();
}
}
@Configuration
public static class ManagementSecurityConfiguration extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests()
.requestMatchers(new AndRequestMatcher(httpServletRequest -> managementPort == httpServletRequest.getLocalPort(),
new AntPathRequestMatcher("/actuator/**"))).authenticated().anyRequest().authenticated().and().httpBasic();
}
}
}