Java 如何重新启用对Spring Boot健康端点的匿名访问?
也许我在这里做错了什么,我只是不知道 我在同一个应用程序中有一个Oauth2身份验证服务器和一个资源服务器 资源服务器配置:Java 如何重新启用对Spring Boot健康端点的匿名访问?,java,spring,spring-security,spring-boot,spring-security-oauth2,Java,Spring,Spring Security,Spring Boot,Spring Security Oauth2,也许我在这里做错了什么,我只是不知道 我在同一个应用程序中有一个Oauth2身份验证服务器和一个资源服务器 资源服务器配置: @Configuration @EnableResourceServer @EnableGlobalMethodSecurity(prePostEnabled = true) @Order(SecurityProperties.ACCESS_OVERRIDE_ORDER-1) public class ResourceServerConfig extends Resour
@Configuration
@EnableResourceServer
@EnableGlobalMethodSecurity(prePostEnabled = true)
@Order(SecurityProperties.ACCESS_OVERRIDE_ORDER-1)
public class ResourceServerConfig extends ResourceServerConfigurerAdapter {
public static final String RESOURCE_ID = "resources";
@Override
public void configure(final ResourceServerSecurityConfigurer resources) {
resources
.resourceId(RESOURCE_ID);
}
@Override
public void configure(final HttpSecurity http) throws Exception {
http
.authorizeRequests()
.antMatchers(HttpMethod.GET, "/**").access("#oauth2.hasScope('read')")
.antMatchers(HttpMethod.POST, "/**").access("#oauth2.hasScope('write')")
.antMatchers(HttpMethod.PUT, "/**").access("#oauth2.hasScope('write')")
.antMatchers(HttpMethod.PATCH, "/**").access("#oauth2.hasScope('write')")
.antMatchers(HttpMethod.DELETE, "/**").access("#oauth2.hasScope('write')")
.antMatchers(HttpMethod.OPTIONS, "/**").permitAll()
.antMatchers(HttpMethod.GET, "/health").permitAll();
}
}
@Configuration
@Order(SecurityProperties.ACCESS_OVERRIDE_ORDER)
public class SecurityConfig extends WebSecurityConfigurerAdapter {
@Autowired
private UserDetailsService userDetailsService;
@Override
public void configure(final AuthenticationManagerBuilder auth) throws Exception {
auth
.userDetailsService(userDetailsService)
.passwordEncoder(new BCryptPasswordEncoder());
}
@Override
protected void configure(final HttpSecurity http) throws Exception {
http
.authorizeRequests()
.anyRequest().authenticated()
.and().httpBasic().realmName("OAuth Server");
}
}
身份验证服务器配置:
@Configuration
@EnableResourceServer
@EnableGlobalMethodSecurity(prePostEnabled = true)
@Order(SecurityProperties.ACCESS_OVERRIDE_ORDER-1)
public class ResourceServerConfig extends ResourceServerConfigurerAdapter {
public static final String RESOURCE_ID = "resources";
@Override
public void configure(final ResourceServerSecurityConfigurer resources) {
resources
.resourceId(RESOURCE_ID);
}
@Override
public void configure(final HttpSecurity http) throws Exception {
http
.authorizeRequests()
.antMatchers(HttpMethod.GET, "/**").access("#oauth2.hasScope('read')")
.antMatchers(HttpMethod.POST, "/**").access("#oauth2.hasScope('write')")
.antMatchers(HttpMethod.PUT, "/**").access("#oauth2.hasScope('write')")
.antMatchers(HttpMethod.PATCH, "/**").access("#oauth2.hasScope('write')")
.antMatchers(HttpMethod.DELETE, "/**").access("#oauth2.hasScope('write')")
.antMatchers(HttpMethod.OPTIONS, "/**").permitAll()
.antMatchers(HttpMethod.GET, "/health").permitAll();
}
}
@Configuration
@Order(SecurityProperties.ACCESS_OVERRIDE_ORDER)
public class SecurityConfig extends WebSecurityConfigurerAdapter {
@Autowired
private UserDetailsService userDetailsService;
@Override
public void configure(final AuthenticationManagerBuilder auth) throws Exception {
auth
.userDetailsService(userDetailsService)
.passwordEncoder(new BCryptPasswordEncoder());
}
@Override
protected void configure(final HttpSecurity http) throws Exception {
http
.authorizeRequests()
.anyRequest().authenticated()
.and().httpBasic().realmName("OAuth Server");
}
}
当我尝试访问/health时,我得到了一个未经授权的HTTP/1.1 401
如何说服Spring Boot以匿名方式访问/health?您还需要通过将
management.security.enabled
设置为false来禁用它
正如戴纳姆先生所说:
指定映射的顺序也是中的顺序 咨询他们的意见。第一场比赛获胜。。。As/**匹配 你的/健康映射的一切都是无用的。把它移到桌子上方/** 使其功能化的映射戴纳姆先生8月20日17:56
我也有同样的问题,有点挣扎
protected void configure(HttpSecurity http) throws Exception {
...
.authorizeRequests()
.antMatchers("/actuator/**").permitAll()
}
这还不够
同时重写此方法并添加下面的选项,它就可以工作了
public void configure(WebSecurity web) throws Exception {
web.ignoring().antMatchers("/actuator/**");
}
在SecurityConfig中,我想您没有添加以下内容:.antMatchers(HttpMethod.GET,“/health”).permitAll();指定映射的顺序也是查询映射的顺序。第一场比赛获胜。。。由于
/**
匹配所有内容,因此您的/health
映射是无用的。将其移动到/**
映射上方,使其正常工作。@M.Deinum谢谢,解决了问题。如果您将此添加为答案,我很乐意接受。此解决方案将禁用所有启动器端点上的安全性。问题是如何允许匿名访问健康端点。我已经为此忙了一整天。有缺失的第二部分。谢谢你也为我工作!