spring-boot、spring-security 和 dropwizard 指标

spring-boot, spring-security and dropwizard metrics

我有一个 spring-boot 应用程序,其中包含 spring-security 和 dropwizard 指标。它使用 Angularjs 作为前端。身份验证是使用单独的 login.html 页面和 angularjs 控制器将凭据发布到 '/login' 并在成功响应路由到 index.html(单独的 angularjs 应用程序)后完成的。在我尝试访问 dropwizard 指标之前,这一切都运行良好。在这种情况下,我得到一个 spring-security 异常,表明用户是匿名的(所有其他 url 都可以正常工作)。

我的 spring-security 配置:

@Configuration
@Order(SecurityProperties.ACCESS_OVERRIDE_ORDER)
@EnableWebSecurity
public class FormLoginSecurityConfigurer extends WebSecurityConfigurerAdapter {

    private class AuthSuccessHandler implements AuthenticationSuccessHandler {
        @Override
        public void onAuthenticationSuccess(HttpServletRequest request,
                HttpServletResponse response, Authentication authentication)
                throws IOException, ServletException {
            response.setStatus(HttpServletResponse.SC_OK);
        }
    }

    private class AuthFailureHandler implements AuthenticationFailureHandler {
        @Override
        public void onAuthenticationFailure(HttpServletRequest request,
                HttpServletResponse response, AuthenticationException exception)
                throws IOException, ServletException {
            response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
        }
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                .antMatchers("/login.html", "/scripts/login/**", "/libs/**", "/styles/**", "/images/**").permitAll()
                .anyRequest().authenticated()
                .and()
                .formLogin().loginPage("/login.html").loginProcessingUrl("/login")
                    .usernameParameter("username").passwordParameter("password")
                    .successHandler(new AuthSuccessHandler())
                    .failureHandler(new AuthFailureHandler())
                .and().logout().logoutUrl("/logout").logoutSuccessUrl("/login.html")
                .and().addFilterAfter(new CsrfHeaderFilter(), CsrfFilter.class)
                .csrf().csrfTokenRepository(CsrfHeaderFilter.csrfTokenRepository());
    }

    @Override
    public void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication().withUser("user").password("password").roles("USER");
    }
}

指标 servlet 已在 ServletContextInitilizer 中注册:

/**
 * Configuration of web application with Servlet 3.0 APIs.
 */
@Configuration
public class WebConfigurer implements ServletContextInitializer {

    @Override
    public void onStartup(ServletContext servletContext) throws ServletException {
        initMetrics(servletContext,
                EnumSet.of(DispatcherType.REQUEST, DispatcherType.FORWARD, DispatcherType.ASYNC));
    }

    /**
     * Initializes Metrics.
     */
    private void initMetrics(ServletContext servletContext, EnumSet<DispatcherType> disps) {
        log.debug("Initializing Metrics registries");
        servletContext.setAttribute(InstrumentedFilter.REGISTRY_ATTRIBUTE,
                metricRegistry);
        servletContext.setAttribute(MetricsServlet.METRICS_REGISTRY,
                metricRegistry);

        log.debug("Registering Metrics Filter");
        FilterRegistration.Dynamic metricsFilter = servletContext.addFilter("webappMetricsFilter",
                new InstrumentedFilter());

        metricsFilter.addMappingForUrlPatterns(disps, true, "/*");
        metricsFilter.setAsyncSupported(true);

        log.debug("Registering Metrics Servlet");
        ServletRegistration.Dynamic metricsAdminServlet =
                servletContext.addServlet("metricsServlet", new MetricsServlet());

        metricsAdminServlet.addMapping("/metrics/metrics/*");
        metricsAdminServlet.setAsyncSupported(true);
        metricsAdminServlet.setLoadOnStartup(2);
    }
}

然而,当我访问 /metrics/metrics 下的任何内容时,浏览器会提示进行基本身份验证。响应具有以下 header WWW-Authenticate:"Basic realm="Spring""。其他资源下载正常

我是这类应用程序的新手,有点沮丧 :) 感谢您的帮助。

如果知道要查找的内容,似乎所有内容都在文档中 - link

可以使用外部属性修改执行器安全功能 (management.security.*)。要覆盖应用程序访问规则,请添加类型为 WebSecurityConfigurerAdapter 的 @Bean,如果不想覆盖执行器访问规则,请使用 @Order(SecurityProperties.ACCESS_OVERRIDE_ORDER),如果需要,请使用 @Order(ManagementServerProperties.ACCESS_OVERRIDE_ORDER)想要覆盖执行器访问规则。

将顺序更改为 ManagementServerProperties.ACCESS_OVERRIDE_ORDER,现在可以使用了。