Java Spring security拒绝访问/执行器/运行状况
我试图理解为什么Spring security在/actuator/health上拒绝访问 有人能发现问题吗 日志说:Java Spring security拒绝访问/执行器/运行状况,java,spring,spring-boot,spring-security,Java,Spring,Spring Boot,Spring Security,我试图理解为什么Spring security在/actuator/health上拒绝访问 有人能发现问题吗 日志说: 27/02/2020 11:24:57.902 [http-nio-4104-exec-1] [,,] DEBUG o.s.s.w.u.m.AntPathRequestMatcher - Checking match of request : '/actuator/health'; against '/actuator/**' 27/02/2020 11:24:57.902 [
27/02/2020 11:24:57.902 [http-nio-4104-exec-1] [,,] DEBUG o.s.s.w.u.m.AntPathRequestMatcher - Checking match of request : '/actuator/health'; against '/actuator/**'
27/02/2020 11:24:57.902 [http-nio-4104-exec-1] [,,] DEBUG o.s.s.w.a.i.FilterSecurityInterceptor - Secure object: FilterInvocation: URL: /actuator/health; Attributes: [hasIpAddress('127.0.0.1/32')]
27/02/2020 11:24:57.902 [http-nio-4104-exec-1] [,,] DEBUG o.s.s.w.a.i.FilterSecurityInterceptor - Previously Authenticated: org.springframework.security.authentication.AnonymousAuthenticationToken@187dbd2d: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@b364: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: null; Granted Authorities: ROLE_ANONYMOUS
27/02/2020 11:24:57.909 [http-nio-4104-exec-1] [,,] DEBUG o.s.s.access.vote.AffirmativeBased - Voter: org.springframework.security.web.access.expression.WebExpressionVoter@790ce264, returned: -1
27/02/2020 11:24:57.912 [http-nio-4104-exec-1] [,,] DEBUG o.s.s.w.a.ExceptionTranslationFilter - Access is denied (user is anonymous); redirecting to authentication entry point
org.springframework.security.access.AccessDeniedException: Access is denied
at no.gjensidige.bank.nasasupport.jwt.JwtTokenFilter.doFilterInternal(JwtTokenFilter.java:60) [15 skipped]
at ch.qos.logback.access.tomcat.LogbackValve.invoke(LogbackValve.java:256) [41 skipped]
at java.base/java.lang.Thread.run(Thread.java:830) [13 skipped]
http
.antMatcher("/**") // If you want to override the security provided by Spring Boot.
.cors().and()
.csrf().disable()
.authorizeRequests()
.antMatchers("/actuator/**")
.access("hasIpAddress('127.0.0.1/32')")
.antMatchers("/api")
.hasAnyAuthority("not important")
.antMatchers("/actuator/health", "/open/**")
.permitAll()
.anyRequest()
.denyAll();
有人发现错误了吗?我使用的是spring-boot-2.2.2.RELEASE
我必须补充一点:
@SpringBootApplication(exclude={UserDetailsServiceAutoConfiguration.class})删除默认生成的密码。如果用户详细信息服务自动配置被排除或未被排除,则会出现相同的错误。将执行器添加到安全应用程序后,您会得到一个仅适用于执行器端点的附加筛选器链。它的顺序为ManagementServerProperties.BASIC\u AUTH\u order
。如果要将应用程序安全规则应用于执行器端点,可以添加排序早于执行器的筛选器链,这可以使用ManagementServerProperties.ACCESS\u OVERRIDE\u ORDER
完成。
简而言之,试着这样做:
@Configuration
@Order(ManagementServerProperties.ACCESS_OVERRIDE_ORDER)
public class ApplicationConfigurerAdapter extends WebSecurityConfigurerAdapter {
// your implementation
}
我们使用此配置来实现与您的要求类似的功能:健康
和普罗米修斯
端点必须无需身份验证即可访问。对于经过身份验证的用户,允许从localhost
(在本例中运行Docker容器)或任何地方发出任何请求
private static final String ACTUATOR_BASE = "/actuator";
private static final String MATCHERS_ACTUATOR_HEALTH = ACTUATOR_BASE + "/health";
private static final String MATCHERS_ACTUATOR_PROMETHEUS = ACTUATOR_BASE + "/prometheus";
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.antMatchers(MATCHERS_ACTUATOR_HEALTH).permitAll()
.antMatchers(MATCHERS_ACTUATOR_PROMETHEUS).permitAll()
.anyRequest()
.access("hasIpAddress('127.0.0.0/8') or hasIpAddress('::1') or isAuthenticated()")
.and()
.httpBasic()
.and()
.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
}
我发现了问题。
我不知道为什么我们的配置不起作用,但我改变了顺序。我首先定义了/exactor/health
permitAll(),然后定义了/exactor/**
访问
http.antMatcher("/**")
.cors().and()
.csrf().disable()
.authorizeRequests()
.antMatchers("/actuator/health", "/open/**")
.permitAll()
.antMatchers("/actuator/**")
.access("hasIpAddress('127.0.0.1/32')")
.antMatchers("/api")
.hasAnyAuthority("not important")
.anyRequest()
.denyAll();
我使用的是SpringBoot2.2。ManagementServerProperties.ACCESS\u OVERRIDE\u ORDER)仅在Spring Boot 1.x中。看起来,自Spring Boot 2.0以来,他们已经删除了执行器的单独安全自动配置。因此,更改过滤器顺序可能不起作用。我首先要尝试的是在当前实现中将permitAll()规则移到access()规则之上。另外,您是否正在尝试从127.0.0.1访问/exactor/health
?