spring - Spring Boot 中用于应用程序身份验证和管理身份验证的不同凭据？

Question

我想使用一组凭据对 Spring Boot 应用程序使用 http 基本身份验证，同时我想将执行器配置为对管理资源(健康、环境等)使用一组不同的凭据。我已经阅读了 Actucator 文档，其中说您应该能够使用 security.user.name 设置用户名和密码。和 security.user.password特性。但是，当我添加自定义 WebSecurityConfigurerAdapter 时它似乎不再适用。我的 WebSecurityConfigurerAdapter看起来像这样:

@Configuration
@EnableWebMvcSecurity
@Order(Ordered.LOWEST_PRECEDENCE - 11)
public class ApplicationSecurityConfig extends WebSecurityConfigurerAdapter {

    private static final String API_USER = "API";
    private static final String ADMIN_USER = "ADMIN";

    @NotNull
    @Value("${security.user.name}")
    private String managementUsername;
    @NotNull
    @Value("${security.user.password}")
    private String managementPassword;
    @NotNull
    @Value("${management.context-path}")
    private String managementContextPath;

    public ApplicationSecurityConfig() {
        super(true);
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // @formatter:off
        http
                .addFilter(new WebAsyncManagerIntegrationFilter())
                .exceptionHandling().and()
                .headers().and()
                .sessionManagement()
                    .sessionCreationPolicy(STATELESS)
                .and()
                .securityContext().and()
                .requestCache().and()
                .servletApi().and()
                .authorizeRequests()
                      .antMatchers(managementContextPath+"/**").hasRole(ADMIN_USER)
                      .antMatchers("/**").hasRole(API_USER)
                      .and()
                .httpBasic();
        // @formatter:on
    }


    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication().withUser("apiUsername").password("apiPassword").roles(API_USER).
                and().withUser(managementUsername).password(managementPassword).roles(ADMIN_USER);
    }
}

我也试过设置 management.security.enabled至 false但是尽管我在上面努力保护它，但管理资源似乎对所有人开放。

有谁知道我做错了什么以及如何去做？

更新

我看到 Spring 从我的应用程序发出了三个事件:

2015-06-10 20:04:37.076  INFO 44081 --- [nio-8083-exec-1] o.s.b.a.audit.listener.AuditListener     : AuditEvent [timestamp=Wed Jun 10 20:04:37 CEST 2015, principal=<unknown>, type=AUTHENTICATION_FAILURE, data={type=org.springframework.security.authentication.AuthenticationCredentialsNotFoundException, message=An Authentication object was not found in the SecurityContext}]
2015-06-10 20:04:39.564  INFO 44081 --- [nio-8083-exec-2] o.s.b.a.audit.listener.AuditListener     : AuditEvent [timestamp=Wed Jun 10 20:04:39 CEST 2015, principal=admin, type=AUTHENTICATION_SUCCESS, data={details=org.springframework.security.web.authentication.WebAuthenticationDetails@b364: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: null}]
2015-06-10 20:04:39.569  INFO 44081 --- [nio-8083-exec-2] o.s.b.a.audit.listener.AuditListener     : AuditEvent [timestamp=Wed Jun 10 20:04:39 CEST 2015, principal=admin, type=AUTHORIZATION_FAILURE, data={type=org.springframework.security.access.AccessDeniedException, message=Access is denied}]

但是 hyness 示例应用程序只有两个:

2015-06-10 19:34:10.851  INFO 42714 --- [nio-8083-exec-1] o.s.b.a.audit.listener.AuditListener     : AuditEvent [timestamp=Wed Jun 10 19:34:10 CEST 2015, principal=anonymousUser, type=AUTHORIZATION_FAILURE, data={type=org.springframework.security.access.AccessDeniedException, message=Access is denied}]
2015-06-10 19:34:17.139  INFO 42714 --- [nio-8083-exec-2] o.s.b.a.audit.listener.AuditListener     : AuditEvent [timestamp=Wed Jun 10 19:34:17 CEST 2015, principal=manage, type=AUTHENTICATION_SUCCESS, data={details=org.springframework.security.web.authentication.WebAuthenticationDetails@b364: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: null}]

Answer 1

我猜你想对不同的 URL 有不同的配置？ Multiple HttpSecurity Spring Security 引用文档中的章节建议您应该创建一个具有多个 WebSecurityConfigurerAdapter 的安全配置。 bean(基于您的问题和引用文档中的示例的简化片段):

@Configuration
@EnableWebSecurity
public class MultiHttpSecurityConfig {

    // variables omitted...

    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) { 
    auth
        .inMemoryAuthentication()
            .withUser("apiUsername").password("apiPassword")
                .roles(API_USER).and()
            .withUser(managementUsername).password(managementPassword)
                .roles(ADMIN_USER);
    }

    @Configuration
    @Order(1)                                                        
    public static class ManagementWebSecurityConfigurationAdapter extends WebSecurityConfigurerAdapter {
        protected void configure(HttpSecurity http) throws Exception {
            http
                .antMatcher(managementContextPath+"/**")                               
                .authorizeRequests()
                    .anyRequest().hasRole("ADMIN_USER")
                    .and()
                .httpBasic();
        }
    }

    @Configuration                                                   
    public static class DefaultWebSecurityConfigurerAdapter extends WebSecurityConfigurerAdapter {

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .authorizeRequests()
                    .anyRequest().hasRole("API_USER")
                    .and()
                .httpBasic()
        }
    }
}

有关详细信息，请阅读引用文档。