我想使用一组凭据对 Spring Boot 应用程序使用 http 基本身份验证,同时我想将执行器配置为对管理资源(健康、环境等)使用一组不同的凭据。我已经阅读了 Actucator 文档,其中说您应该能够使用 security.user.name
设置用户名和密码。和 security.user.password
特性。但是,当我添加自定义 WebSecurityConfigurerAdapter
时它似乎不再适用。我的 WebSecurityConfigurerAdapter
看起来像这样:
@Configuration
@EnableWebMvcSecurity
@Order(Ordered.LOWEST_PRECEDENCE - 11)
public class ApplicationSecurityConfig extends WebSecurityConfigurerAdapter {
private static final String API_USER = "API";
private static final String ADMIN_USER = "ADMIN";
@NotNull
@Value("${security.user.name}")
private String managementUsername;
@NotNull
@Value("${security.user.password}")
private String managementPassword;
@NotNull
@Value("${management.context-path}")
private String managementContextPath;
public ApplicationSecurityConfig() {
super(true);
}
@Override
protected void configure(HttpSecurity http) throws Exception {
// @formatter:off
http
.addFilter(new WebAsyncManagerIntegrationFilter())
.exceptionHandling().and()
.headers().and()
.sessionManagement()
.sessionCreationPolicy(STATELESS)
.and()
.securityContext().and()
.requestCache().and()
.servletApi().and()
.authorizeRequests()
.antMatchers(managementContextPath+"/**").hasRole(ADMIN_USER)
.antMatchers("/**").hasRole(API_USER)
.and()
.httpBasic();
// @formatter:on
}
@Autowired
public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
auth.inMemoryAuthentication().withUser("apiUsername").password("apiPassword").roles(API_USER).
and().withUser(managementUsername).password(managementPassword).roles(ADMIN_USER);
}
}
我也试过设置
management.security.enabled
至 false
但是尽管我在上面努力保护它,但管理资源似乎对所有人开放。有谁知道我做错了什么以及如何去做?
更新
我看到 Spring 从我的应用程序发出了三个事件:
2015-06-10 20:04:37.076 INFO 44081 --- [nio-8083-exec-1] o.s.b.a.audit.listener.AuditListener : AuditEvent [timestamp=Wed Jun 10 20:04:37 CEST 2015, principal=<unknown>, type=AUTHENTICATION_FAILURE, data={type=org.springframework.security.authentication.AuthenticationCredentialsNotFoundException, message=An Authentication object was not found in the SecurityContext}]
2015-06-10 20:04:39.564 INFO 44081 --- [nio-8083-exec-2] o.s.b.a.audit.listener.AuditListener : AuditEvent [timestamp=Wed Jun 10 20:04:39 CEST 2015, principal=admin, type=AUTHENTICATION_SUCCESS, data={details=org.springframework.security.web.authentication.WebAuthenticationDetails@b364: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: null}]
2015-06-10 20:04:39.569 INFO 44081 --- [nio-8083-exec-2] o.s.b.a.audit.listener.AuditListener : AuditEvent [timestamp=Wed Jun 10 20:04:39 CEST 2015, principal=admin, type=AUTHORIZATION_FAILURE, data={type=org.springframework.security.access.AccessDeniedException, message=Access is denied}]
但是 hyness 示例应用程序只有两个:
2015-06-10 19:34:10.851 INFO 42714 --- [nio-8083-exec-1] o.s.b.a.audit.listener.AuditListener : AuditEvent [timestamp=Wed Jun 10 19:34:10 CEST 2015, principal=anonymousUser, type=AUTHORIZATION_FAILURE, data={type=org.springframework.security.access.AccessDeniedException, message=Access is denied}]
2015-06-10 19:34:17.139 INFO 42714 --- [nio-8083-exec-2] o.s.b.a.audit.listener.AuditListener : AuditEvent [timestamp=Wed Jun 10 19:34:17 CEST 2015, principal=manage, type=AUTHENTICATION_SUCCESS, data={details=org.springframework.security.web.authentication.WebAuthenticationDetails@b364: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: null}]
最佳答案
我猜你想对不同的 URL 有不同的配置? Multiple HttpSecurity Spring Security 引用文档中的章节建议您应该创建一个具有多个 WebSecurityConfigurerAdapter
的安全配置。 bean(基于您的问题和引用文档中的示例的简化片段):
@Configuration
@EnableWebSecurity
public class MultiHttpSecurityConfig {
// variables omitted...
@Autowired
public void configureGlobal(AuthenticationManagerBuilder auth) {
auth
.inMemoryAuthentication()
.withUser("apiUsername").password("apiPassword")
.roles(API_USER).and()
.withUser(managementUsername).password(managementPassword)
.roles(ADMIN_USER);
}
@Configuration
@Order(1)
public static class ManagementWebSecurityConfigurationAdapter extends WebSecurityConfigurerAdapter {
protected void configure(HttpSecurity http) throws Exception {
http
.antMatcher(managementContextPath+"/**")
.authorizeRequests()
.anyRequest().hasRole("ADMIN_USER")
.and()
.httpBasic();
}
}
@Configuration
public static class DefaultWebSecurityConfigurerAdapter extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.anyRequest().hasRole("API_USER")
.and()
.httpBasic()
}
}
}
有关详细信息,请阅读引用文档。
关于spring - Spring Boot 中用于应用程序身份验证和管理身份验证的不同凭据?,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/30382775/