Java: Can't secure Spring Boot management actuator endpoints


I'm trying to secure the Spring Boot Actuator endpoints. I have working security on my /api REST interface, but trying to add security on the built-in endpoints doesn't seem to work.

I've set up the endpoint grouping in my application.properties:

management.context-path=/management

I have this in my Java config:

@Override
protected void configure( HttpSecurity http ) throws Exception
{
    http.csrf().disable();
    http.sessionManagement().sessionCreationPolicy( SessionCreationPolicy.STATELESS );

    http.authorizeRequests()
        .antMatchers( "/api/**" ).hasRole( "READONLY" )
        .antMatchers( "/management/**" ).hasRole( "ADMIN" );


    SecurityConfigurer<DefaultSecurityFilterChain, HttpSecurity> securityConfigurer = new XAuthTokenConfigurer( userDetailsServiceBean() );
    http.apply( securityConfigurer );
}
But that doesn't help either.

The debug output shows:

2014-05-02 10:15:30 DEBUG [localhost-startStop-1] ExpressionBasedFilterInvocationSecurityMetadataSource - Adding web access control expression 'hasRole('ROLE_READONLY')', for Ant [pattern='/api/**']

2014-05-02 10:15:30 DEBUG [localhost-startStop-1] ExpressionBasedFilterInvocationSecurityMetadataSource - Adding web access control expression 'hasRole('ROLE_ADMIN')', for Ant [pattern='/management/**']
So why, when I try an HTTP GET:

2014-05-02 10:16:39 DEBUG [http-nio-8443-exec-4] AntPathRequestMatcher - Checking match of request : '/management/info'; against '/css/**'
2014-05-02 10:16:39 DEBUG [http-nio-8443-exec-4] AntPathRequestMatcher - Checking match of request : '/management/info'; against '/js/**'
2014-05-02 10:16:39 DEBUG [http-nio-8443-exec-4] AntPathRequestMatcher - Checking match of request : '/management/info'; against '/images/**'
2014-05-02 10:16:39 DEBUG [http-nio-8443-exec-4] AntPathRequestMatcher - Checking match of request : '/management/info'; against '/**/favicon.ico'
2014-05-02 10:16:39 DEBUG [http-nio-8443-exec-4] AntPathRequestMatcher - Checking match of request : '/management/info'; against '/management/info'
2014-05-02 10:16:39 DEBUG [http-nio-8443-exec-4] FilterChainProxy - /management/info has an empty filter list

The log line that tells the story is "/management/info has an empty filter list", because it is explicitly marked as ignored (/info is always supposed to be available). Try one of the other actuator endpoints and see if they behave as expected. If you really need to protect the info endpoint you can set endpoints.info.sensitive=true (I think).
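As an added example (my code, not part of the answer and not Spring's own), a small log checker that applies the point above to Spring Security DEBUG output: it reports management paths that hit an empty filter list, i.e. requests that bypassed every security filter and therefore every authorization check, which is the symptom to look for when an actuator endpoint turns out to be reachable without credentials. It assumes the FilterChainProxy log formats; the "at position N of M in additional filter chain" line and all sample entries except the two taken from the question are constructed.

```python
import re

# Spring Security's FilterChainProxy logs one of two outcomes per request at DEBUG:
# "<path> has an empty filter list" (the request matched an ignore rule, so no
# security filter, and hence no authorization check, runs) or "<path> at position N
# of M in additional filter chain; firing Filter: '...'" (a secured chain handles it).
EMPTY_RE = re.compile(r"FilterChainProxy - (?P<path>\S+) has an empty filter list")
CHAIN_RE = re.compile(r"FilterChainProxy - (?P<path>\S+) at position \d+ of \d+ in additional filter chain")


def classify_requests(log_lines, management_prefix="/management/"):
    """Map each request path under the management context path to 'unprotected'
    (empty filter list) or 'filtered' (went through a security filter chain)."""
    result = {}
    for line in log_lines:
        for regex, status in ((EMPTY_RE, "unprotected"), (CHAIN_RE, "filtered")):
            match = regex.search(line)
            if not match:
                continue
            # The logged URL may carry a query string; strip it so that
            # /info and /info?x=1 count as the same endpoint.
            path = match.group("path").split("?", 1)[0]
            if path.startswith(management_prefix):
                # A path that ever bypassed the chain stays flagged as unprotected.
                if result.get(path) != "unprotected":
                    result[path] = status
            break
    return result


def unprotected_endpoints(log_lines, management_prefix="/management/"):
    """Sorted management endpoints that reached the app with no security filters at all."""
    classified = classify_requests(log_lines, management_prefix)
    return sorted(p for p, status in classified.items() if status == "unprotected")


# Constructed sample: the first two lines are the ones from the question; the rest
# were made up for this example in the same format.
SAMPLE_LOG = [
    "2014-05-02 10:16:39 DEBUG [http-nio-8443-exec-4] AntPathRequestMatcher - Checking match of request : '/management/info'; against '/management/info'",
    "2014-05-02 10:16:39 DEBUG [http-nio-8443-exec-4] FilterChainProxy - /management/info has an empty filter list",
    "2014-05-02 10:16:52 DEBUG [http-nio-8443-exec-2] FilterChainProxy - /management/health?pretty=true has an empty filter list",
    "2014-05-02 10:17:03 DEBUG [http-nio-8443-exec-5] FilterChainProxy - /management/beans at position 1 of 10 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'",
    "2014-05-02 10:17:10 DEBUG [http-nio-8443-exec-1] FilterChainProxy - /css/app.css has an empty filter list",
]

if __name__ == "__main__":
    for path in unprotected_endpoints(SAMPLE_LOG):
        print("no security filters applied to", path)
```

Running it against the sample reports /management/health and /management/info, while /management/beans is listed as filtered and static resources outside the management prefix are ignored.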

Exactly right! The two I tried were /info and /health, which both seem to always be available. For example, if I use /beans, I get the expected 403. Can you add that information?

It's in there: . If you'd like to suggest further clarification, please do so.

Indeed, it seems I hadn't noticed the "sensitive" column in the table.

I have the same problem; I still can't secure the sensitive APIs (e.g. /env). I configure this in application.properties: management.context-path=/management management.security.enabled=true management.security.roles=SOME_ROLE. Is that enough, or is the configuration in the config class required?

You have to add Spring Security to the classpath?