java - Spring Security 拒绝访问/actor/health

Question

我试图理解为什么 Spring security 拒绝访问/actuator/health 谁能发现问题所在吗？

日志显示:

27/02/2020 11:24:57.902 [http-nio-4104-exec-1] [,,] DEBUG o.s.s.w.u.m.AntPathRequestMatcher - Checking match of request : '/actuator/health'; against '/actuator/**'
27/02/2020 11:24:57.902 [http-nio-4104-exec-1] [,,] DEBUG o.s.s.w.a.i.FilterSecurityInterceptor - Secure object: FilterInvocation: URL: /actuator/health; Attributes: [hasIpAddress('127.0.0.1/32')]
27/02/2020 11:24:57.902 [http-nio-4104-exec-1] [,,] DEBUG o.s.s.w.a.i.FilterSecurityInterceptor - Previously Authenticated: org.springframework.security.authentication.AnonymousAuthenticationToken@187dbd2d: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@b364: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: null; Granted Authorities: ROLE_ANONYMOUS
27/02/2020 11:24:57.909 [http-nio-4104-exec-1] [,,] DEBUG o.s.s.access.vote.AffirmativeBased - Voter: org.springframework.security.web.access.expression.WebExpressionVoter@790ce264, returned: -1
27/02/2020 11:24:57.912 [http-nio-4104-exec-1] [,,] DEBUG o.s.s.w.a.ExceptionTranslationFilter - Access is denied (user is anonymous); redirecting to authentication entry point
org.springframework.security.access.AccessDeniedException: Access is denied
at no.gjensidige.bank.nasasupport.jwt.JwtTokenFilter.doFilterInternal(JwtTokenFilter.java:60) [15 skipped]
at ch.qos.logback.access.tomcat.LogbackValve.invoke(LogbackValve.java:256) [41 skipped]
at java.base/java.lang.Thread.run(Thread.java:830) [13 skipped]


http
                .antMatcher("/**") // If you want to override the security provided by Spring Boot.
                .cors().and()
                .csrf().disable()
                .authorizeRequests()
                .antMatchers("/actuator/**")
                .access("hasIpAddress('127.0.0.1/32')")
                .antMatchers("/api")
                .hasAnyAuthority("not important")
  .antMatchers("/actuator/health", "/open/**")
                .permitAll()
                .anyRequest()
                .denyAll();

有人发现错误了吗？我正在使用 spring-boot-2.2.2.RELEASE

我必须添加这个: @SpringBootApplication(exclude = {UserDetailsServiceAutoConfiguration.class}) to删除默认生成的密码。无论是否排除 UserDetailsS​​erviceAutoConfiguration，我都会收到相同的错误。

Answer 1

我们使用此配置来实现与您的要求类似的目标:health 和 prometheus 端点必须无需身份验证即可访问。允许来自 localhost(在我们的例子中运行 Docker 容器)或来自任何经过身份验证的用户的请求。

private static final String ACTUATOR_BASE                = "/actuator";
private static final String MATCHERS_ACTUATOR_HEALTH     = ACTUATOR_BASE + "/health";
private static final String MATCHERS_ACTUATOR_PROMETHEUS = ACTUATOR_BASE + "/prometheus";

@Override
protected void configure(HttpSecurity http) throws Exception {
    http
        .authorizeRequests()
        .antMatchers(MATCHERS_ACTUATOR_HEALTH).permitAll()
        .antMatchers(MATCHERS_ACTUATOR_PROMETHEUS).permitAll()
        .anyRequest()
        .access("hasIpAddress('127.0.0.0/8') or hasIpAddress('::1') or isAuthenticated()")
        .and()
        .httpBasic()
        .and()
        .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
}