在生产中,我想禁用/ actuator端点,但仍允许/ actuator / health。我使用SecurityConfigurerAdapter尝试了以下代码,但返回了500。我想返回404并获取“找不到页面”错误页面。任何帮助都非常感激
@Override
protected void configure(HttpSecurity http) throws Exception {
super.configure(http);
if(isProd) {
http.authorizeRequests().antMatchers("/actuator/", "/actuator").denyAll();
}
}
答案 0 :(得分:1)
get_success_url或使用这种方式
@Configuration
@EnableWebSecurity
//@EnableOAuth2Sso
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
@Autowired
private JwtAuthenticationEntryPoint jwtAuthenticationEntryPoint;
@Autowired
private JwtRequestFilter jwtRequestFilter;
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.csrf().disable()
// dont authenticate this particular request
.authorizeRequests()
.antMatchers(
"/api/login",
"/user/create-new-user",
"/user/get-verification",
"/user/pwd-reset",
"/user/pwd-reset/verification",
"/api/swagger-ui.html")
.permitAll()
// .antMatchers("/**").permitAll().hasRole("ADMIN")
.anyRequest()
.fullyAuthenticated()
.and()
.exceptionHandling().authenticationEntryPoint(jwtAuthenticationEntryPoint).and().sessionManagement()
.sessionCreationPolicy(SessionCreationPolicy.STATELESS);
// .and()
// .logout()
// .logoutRequestMatcher(new AntPathRequestMatcher("/api/logout")).logoutSuccessUrl("/https://www.baeldung.com/spring-security-logout")
// .invalidateHttpSession(true).deleteCookies("JSESSIONID");
// Add a filter to validate the tokens with every request
http
.addFilterBefore(jwtRequestFilter, UsernamePasswordAuthenticationFilter.class);
}
}
答案 1 :(得分:0)
您不必使用Spring Security。
这可以使用属性进行配置:
默认情况下,健康状况和信息是通过网络公开的。
因此您可以继续进行生产和开发,您可以使用
-Dmanagement.endpoints.web.exposure.include=*