我正在使用jdk 1.8和Spring Boot 2.1.2。
我想在Spring Boot的管理控制台及其客户端中启用身份验证。
我在管理 application.properties 中设置:
spring.security.user.name=admin
spring.security.user.password=secret
spring.boot.admin.discovery.enabled=true
management.endpoints.web.exposure.include=*
management.endpoints.web.cors.allowed-methods=GET,POST
在管理项目中,我添加了此类:
@EnableWebSecurity
@Configuration
public class SecuritySecureConfig extends WebSecurityConfigurerAdapter {
private static final Logger logger = (Logger) LoggerFactory.getLogger(SecuritySecureConfig.class);
private final String adminContextPath;
public SecuritySecureConfig(AdminServerProperties adminServerProperties) {
this.adminContextPath = adminServerProperties.getContextPath();
}
@Override
protected void configure(HttpSecurity http) throws Exception {
SavedRequestAwareAuthenticationSuccessHandler successHandler = new SavedRequestAwareAuthenticationSuccessHandler();
successHandler.setTargetUrlParameter("redirectTo");
successHandler.setDefaultTargetUrl(adminContextPath + "/");
http.authorizeRequests()
.antMatchers(adminContextPath + "/assets/**").permitAll()
.antMatchers(adminContextPath + "/login").permitAll()
.anyRequest().authenticated()
.and()
.formLogin().loginPage(adminContextPath + "/login").successHandler(successHandler).and()
.logout().logoutUrl(adminContextPath + "/logout").and()
.httpBasic().and()
.csrf()
.csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
.ignoringAntMatchers(
adminContextPath + "/instances",
adminContextPath + "/actuator/**"
);
}
}
在管理 pom.xml 中,我添加了:
<dependencies>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
</dependency>
<dependency>
<groupId>de.codecentric</groupId>
<artifactId>spring-boot-admin-starter-server</artifactId>
</dependency>
<dependency>
<groupId>de.codecentric</groupId>
<artifactId>spring-boot-admin-server-ui</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-tomcat</artifactId>
</dependency>
</dependencies>
我被迫在主类上添加注释 @EnableWebFluxSecurity ,因为如果没有注释,它会引发异常:
org.springframework.beans.factory.support.BeanDefinitionOverrideException: 定义名称为“ springSecurityFilterChain”的无效Bean 类路径资源 [org / springframework / boot / actuate / autoconfigure / security / reactive / ReactiveManagementWebSecurityAutoConfiguration.class]: 无法注册bean定义[root bean:class [null]; scope =; abstract = false; lazyInit = false; autowireMode = 3; dependencyCheck = 0; autowireCandidate = true; primary = false; factoryBeanName = org.springframework.boot.actuate.autoconfigure.security.reactive.ReactiveManagementWebSecurityAutoConfiguration; factoryMethodName = springSecurityFilterChain; initMethodName = null; destroyMethodName =(推断);在类路径资源中定义 [org / springframework / boot / actuate / autoconfigure / security / reactive / ReactiveManagementWebSecurityAutoConfiguration.class]] 对于bean'springSecurityFilterChain':已经存在[root bean: 类[null]; scope =; abstract = false; lazyInit = false; autowireMode = 3; dependencyCheck = 0; autowireCandidate = true; primary = false; factoryBeanName = org.springframework.security.config.annotation.web.configuration.WebSecurityConfiguration; factoryMethodName = springSecurityFilterChain; initMethodName = null; destroyMethodName =(推断);在类路径资源中定义 [org / springframework / security / config / annotation / web / configuration / WebSecurityConfiguration.class]] 绑定。
在 client 中 application.properties :
spring.security.user.name=joe
spring.security.user.password=my-secret-password
spring.boot.admin.client.username=admin
spring.boot.admin.client.password=secret
spring.boot.admin.client.instance.metadata.user.name=admin
spring.boot.admin.client.instance.metadata.user.password=secret
spring.boot.admin.client.enabled=true
spring.boot.admin.client.auto-registration=true
spring.boot.admin.client.auto-deregistration=true
在客户端 pom.xml 中:
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
</dependency>
现在,如果我使用浏览器访问它们两个,它们都会用登录表单提示我。我输入了登录名和密码,所有命令都充当了超级按钮,但是客户端的执行器无法访问管理员,它始终返回403 FORBIDDEN。
2019-02-12 15:21:52.004-[registrationTask1]调试 o.s.core.log.CompositeLog.debug 142-禁止响应403
我真的不明白为什么管理控制台和客户端之间的通信无法正常工作。 有人知道我错了吗?
答案 0 :(得分:1)
我有同样的问题 因此,使用
@EnableWebFluxSecurity
不是
@EnableWebSecurity
像这样
@Configuration
@EnableWebFluxSecurity
public class AppSecurityConfig {
private final AdminServerProperties adminServer;
public AppSecurityConfig (AdminServerProperties adminServer) {
this.adminServer = adminServer;
}
@Bean
public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
http
.securityMatcher(new NegatedServerWebExchangeMatcher(
ServerWebExchangeMatchers.pathMatchers("/instances")))
.securityMatcher(new NegatedServerWebExchangeMatcher(
ServerWebExchangeMatchers.pathMatchers("/actuator/**")))
.authorizeExchange()
.anyExchange().authenticated()
.and()
.formLogin()
.loginPage(this.adminServer.getContextPath() + "/login")
.and()
.logout()
.logoutUrl(this.adminServer.getContextPath() + "/logout")
.and()
.httpBasic()
.and()
.csrf().disable();
return http.build();
} }
在您的application.yml
spring:
security:
user:
password: ${ADMIN_PASSWORD}
name: ${ADMIN_USER}
application:
name: Admin Server
boot:
admin:
client:
username: ${ADMIN_USER}
password: ${ADMIN_PASSWORD}
url: ${ADMIN_SERVER_URL}
enabled: true
ui:
cache:
no-cache: true
title: App Monitoring
instance:
name: ${spring.application.name}
main:
allow-bean-definition-overriding: true
management:
endpoints:
web:
exposure:
include: "*"
cors:
allowed-origins: "*"
allowed-methods: GET,POST
endpoint:
health:
show-details: always
如果需要,它可以自我监控
在客户端应用程序中
spring:
boot:
admin:
client:
url: ${ADMIN_SERVER_URL}
username: ${ADMIN_USER}
password: ${ADMIN_PASSWORD}
instance:
name: ${spring.application.name}
auto-registration: true
application:
name: Client App