在 Spring Boot 2 中为 Actuator 和自定义 API 端点单独的身份验证提供程序
Separate authentication provider in Spring Boot 2 for Actuator and custom API endpoints
我们有一个 spring 引导应用程序(spring 引导版本 2.1.4),它公开了一个使用 OAuth2 保护的 Rest API。
我们还需要将 Spring Boot 提供的健康检查(Actuator)端点暴露给仅支持基本身份验证的遗留监控工具。
然而,执行器,自 Spring Boot 2 以来,与常规应用程序安全规则共享安全配置,因此到目前为止我能看到的唯一选项是使用 Oauth2 保护它或不保护它(.permitAll()
).
我尝试使用单独的 WebSecurityConfigurerAdapter(s) 为执行器端点设置 httpBasic 身份验证提供程序,为 API 端点设置 oauth2,尝试执行 @Order 但两个身份验证提供程序似乎是互斥。
下面是两个 WebSecurityConfigurerAdapter 实现:
- 执行器:
@Configuration
@Order(1)
public class ActuatorConfigurationAdapter extends WebSecurityConfigurerAdapter {
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.inMemoryAuthentication()
.withUser("admin").password("password")
.roles("ADMIN", "USER");
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests()
// requestMatchers(EndpointRequest.to(MetricsEndpoint.class))
.antMatchers("/actuator/**")
.hasAnyRole("ADMIN","USER").and().authorizeRequests().and().httpBasic();
}
}
- 对于API:
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true, securedEnabled = true)
@Order(10)
public class SecurityConfiguration2 extends WebSecurityConfigurerAdapter {
@Autowired
private CorsFilter corsFilter;
@Override
public void configure(HttpSecurity http) throws Exception {
http
.csrf().disable()
.cors()
.and()
.addFilterBefore(corsFilter, CsrfFilter.class)
.exceptionHandling()
.authenticationEntryPoint(new HttpStatusEntryPoint(HttpStatus.UNAUTHORIZED))
.and()
.headers()
.and()
.authorizeRequests()
.antMatchers("/v2/api-docs").permitAll()
.antMatchers("/authenticate").permitAll()
.antMatchers("/customer/**").hasAuthority("MARKETING")
.anyRequest().authenticated()
.and()
.oauth2Login() // generates the /login page
.successHandler(successHandler())
...
}
关于如何使这项工作大受赞赏的任何提示。
我有相同的用例,这对我有用:
@EnableWebSecurity()
@EnableGlobalMethodSecurity(
securedEnabled = true,
prePostEnabled = true
)
public class WebSecurityConfig {
@Configuration
@Order(3)
public static class ActuatorSecurityAdapter extends WebSecurityConfigurerAdapter {
@Autowired
private AppProperties prop;
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.requestMatcher(EndpointRequest.toAnyEndpoint())
.authorizeRequests()
.requestMatchers(EndpointRequest.to("info","env")).authenticated()
.requestMatchers(EndpointRequest.to("health")).permitAll()
.anyRequest().hasRole("ADMIN") // Any other endpoint
.and()
.httpBasic();
}
@Bean
public PasswordEncoder passwordEncoder() {
return new BCryptPasswordEncoder();
}
@Bean
@Override
public UserDetailsService userDetailsService() {
InMemoryUserDetailsManager manager = new InMemoryUserDetailsManager();
manager.createUser(User.withUsername(prop.getManagement().getUsername())
.password(prop.getManagement().getPassword()).roles("ACTUATOR").build());
return manager;
}
}
[....]
@Configuration
@Order(1)
public class OAuthSecurityConfig extends WebSecurityConfigurerAdapter {
[...]
}
也许有帮助:)
我们有一个 spring 引导应用程序(spring 引导版本 2.1.4),它公开了一个使用 OAuth2 保护的 Rest API。
我们还需要将 Spring Boot 提供的健康检查(Actuator)端点暴露给仅支持基本身份验证的遗留监控工具。
然而,执行器,自 Spring Boot 2 以来,与常规应用程序安全规则共享安全配置,因此到目前为止我能看到的唯一选项是使用 Oauth2 保护它或不保护它(.permitAll()
).
我尝试使用单独的 WebSecurityConfigurerAdapter(s) 为执行器端点设置 httpBasic 身份验证提供程序,为 API 端点设置 oauth2,尝试执行 @Order 但两个身份验证提供程序似乎是互斥。
下面是两个 WebSecurityConfigurerAdapter 实现:
- 执行器:
@Configuration
@Order(1)
public class ActuatorConfigurationAdapter extends WebSecurityConfigurerAdapter {
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.inMemoryAuthentication()
.withUser("admin").password("password")
.roles("ADMIN", "USER");
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests()
// requestMatchers(EndpointRequest.to(MetricsEndpoint.class))
.antMatchers("/actuator/**")
.hasAnyRole("ADMIN","USER").and().authorizeRequests().and().httpBasic();
}
}
- 对于API:
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true, securedEnabled = true)
@Order(10)
public class SecurityConfiguration2 extends WebSecurityConfigurerAdapter {
@Autowired
private CorsFilter corsFilter;
@Override
public void configure(HttpSecurity http) throws Exception {
http
.csrf().disable()
.cors()
.and()
.addFilterBefore(corsFilter, CsrfFilter.class)
.exceptionHandling()
.authenticationEntryPoint(new HttpStatusEntryPoint(HttpStatus.UNAUTHORIZED))
.and()
.headers()
.and()
.authorizeRequests()
.antMatchers("/v2/api-docs").permitAll()
.antMatchers("/authenticate").permitAll()
.antMatchers("/customer/**").hasAuthority("MARKETING")
.anyRequest().authenticated()
.and()
.oauth2Login() // generates the /login page
.successHandler(successHandler())
...
}
关于如何使这项工作大受赞赏的任何提示。
我有相同的用例,这对我有用:
@EnableWebSecurity()
@EnableGlobalMethodSecurity(
securedEnabled = true,
prePostEnabled = true
)
public class WebSecurityConfig {
@Configuration
@Order(3)
public static class ActuatorSecurityAdapter extends WebSecurityConfigurerAdapter {
@Autowired
private AppProperties prop;
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.requestMatcher(EndpointRequest.toAnyEndpoint())
.authorizeRequests()
.requestMatchers(EndpointRequest.to("info","env")).authenticated()
.requestMatchers(EndpointRequest.to("health")).permitAll()
.anyRequest().hasRole("ADMIN") // Any other endpoint
.and()
.httpBasic();
}
@Bean
public PasswordEncoder passwordEncoder() {
return new BCryptPasswordEncoder();
}
@Bean
@Override
public UserDetailsService userDetailsService() {
InMemoryUserDetailsManager manager = new InMemoryUserDetailsManager();
manager.createUser(User.withUsername(prop.getManagement().getUsername())
.password(prop.getManagement().getPassword()).roles("ACTUATOR").build());
return manager;
}
}
[....]
@Configuration
@Order(1)
public class OAuthSecurityConfig extends WebSecurityConfigurerAdapter {
[...]
}
也许有帮助:)