目标:保护所有执行器端点(信息和健康状况除外),但为了健康,请在验证用户身份后显示详细信息。
我的pom只有spring-boot-starter-web
,spring-boot-starter-security
和spring-boot-starter-web
(春季启动版本:2.1.6.RELEASE),整个配置为
@Configuration
public class ActuatorSecurity extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http.requestMatcher(EndpointRequest.toAnyEndpoint().excluding("info", "health"))
.authorizeRequests()
.anyRequest().authenticated()
.and()
.httpBasic();
}
}
和application.yml
management:
endpoints:
web:
exposure:
include: "*"
endpoint:
health:
show-details: "when-authorized"
这可以保护所有端点,并提供未经身份验证的信息和健康访问。但是,当使用凭据访问运行状况时,它不会返回详细信息。在这种情况下,management.endpoint.health.show-details="when-authorized"
似乎被忽略了。
有人知道如何解决此问题吗?
答案 0 :(得分:2)
应该使用
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests()
.requestMatchers(EndpointRequest.toAnyEndpoint()
.excluding("info", "health")).authenticated()
.and().httpBasic();
}
或
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests()
.requestMatchers(EndpointRequest.to("info", "health"))
.permitAll()
.anyRequest().authenticated()
.and().httpBasic();
}