Separate authentication providers for actuator and custom API endpoints in Spring Boot 2

Tags: spring, spring-boot, oauth-2.0, basic-authentication, spring-boot-actuator

We have a Spring Boot application (Spring Boot version 2.1.4) that exposes REST APIs protected by OAuth2.
We also need to expose the health check (actuator) endpoints provided by Spring Boot to a legacy monitoring tool that only supports Basic authentication.
However, since Spring Boot 2 the actuator shares its security configuration with the regular application security rules, so the only options I can see so far are to protect it with OAuth2 or not to protect it at all (.permitAll()).

I tried using separate WebSecurityConfigurerAdapters to set up an httpBasic authentication provider for the actuator endpoints and oauth2 for the API endpoints, using @Order, but the two authentication providers seem to be mutually exclusive.

Below are the two WebSecurityConfigurerAdapter implementations:

  • For the actuator:
  • For the API:

Any hints on how to make this work would be most welcome.
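A complete two-chain configuration for the setup described in the question, added here as an example (it is not code from the question or from any of the answers). It assumes a Spring Boot 2.1 / Spring Security 5.1 application whose API lives under /api/** and whose JwtDecoder is auto-configured from the standard spring.security.oauth2.resourceserver.jwt.* properties; the "monitor" user and its password are constructed placeholders. The point it shows is that each WebSecurityConfigurerAdapter becomes its own SecurityFilterChain, selected by @Order and its request matcher, and that overriding configure(AuthenticationManagerBuilder) gives the actuator chain a separate AuthenticationManager, so the Basic and OAuth2 providers no longer compete.

```java
import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;
@EnableWebSecurity
public class SplitSecurityConfig {
    // Chain 1 (lowest @Order is tried first): only actuator requests enter it, everything else falls through.
    @Configuration
    @Order(1)
    public static class ActuatorSecurity extends WebSecurityConfigurerAdapter {
        // Overriding this gives the actuator chain its OWN AuthenticationManager; Basic credentials never reach the API chain.
        @Override
        protected void configure(AuthenticationManagerBuilder auth) throws Exception {
            PasswordEncoder enc = PasswordEncoderFactories.createDelegatingPasswordEncoder();
            auth.inMemoryAuthentication()
                .passwordEncoder(enc)
                .withUser("monitor")                 // constructed example user
                .password(enc.encode("change-me"))   // placeholder; read from properties in practice
                .roles("ACTUATOR");
        }
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.requestMatcher(EndpointRequest.toAnyEndpoint())
                .authorizeRequests()
                    .requestMatchers(EndpointRequest.to("health")).permitAll()
                    .anyRequest().hasRole("ACTUATOR")   // info, env, metrics, ... require Basic auth
                .and()
                .httpBasic();
        }
    }

    // Chain 2: /api/** is a JWT resource server; the JwtDecoder is auto-configured from issuer-uri or jwk-set-uri.
    @Configuration
    @Order(2)
    public static class ApiSecurity extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.antMatcher("/api/**")
                .authorizeRequests().anyRequest().authenticated()
                .and()
                .oauth2ResourceServer().jwt();
        }
    }
}
```

Requests that match neither /actuator/** nor /api/** pass through no security chain here, so add a third catch-all adapter (or widen the second matcher) if the application serves other paths.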

    I have the same use case, and this works for me:

    @EnableWebSecurity()
    @EnableGlobalMethodSecurity(
        securedEnabled = true,
        prePostEnabled = true
    )
    public class WebSecurityConfig {

        // Actuator chain: only requests to actuator endpoints enter this adapter.
        @Configuration
        @Order(3)
        public static class ActuatorSecurityAdapter extends WebSecurityConfigurerAdapter {

            @Autowired
            private AppProperties prop;

            @Override
            protected void configure(HttpSecurity http) throws Exception {
                http
                    .requestMatcher(EndpointRequest.toAnyEndpoint())
                    .authorizeRequests()
                    .requestMatchers(EndpointRequest.to("info", "env")).authenticated()
                    .requestMatchers(EndpointRequest.to("health")).permitAll()
                    .anyRequest().hasRole("ADMIN") // Any other endpoint
                    .and()
                    .httpBasic();
            }

            @Bean
            public PasswordEncoder passwordEncoder() {
                return new BCryptPasswordEncoder();
            }

            // Monitoring user; because of the PasswordEncoder bean above, the stored
            // password must already be a BCrypt hash.
            @Bean
            @Override
            public UserDetailsService userDetailsService() {
                InMemoryUserDetailsManager manager = new InMemoryUserDetailsManager();
                manager.createUser(User.withUsername(prop.getManagement().getUsername())
                    .password(prop.getManagement().getPassword()).roles("ACTUATOR").build());
                return manager;
            }
        }

        [....]

        // A nested @Configuration class must be static.
        @Configuration
        @Order(1)
        public static class OAuthSecurityConfig extends WebSecurityConfigurerAdapter {

            [...]
        }
    }
    
    Maybe this helps :)

    @EnableWebSecurity
    @EnableGlobalMethodSecurity(prePostEnabled = true, securedEnabled = true)
    @Order(10)
    public class SecurityConfiguration2 extends WebSecurityConfigurerAdapter {
        @Autowired
        private CorsFilter corsFilter;

        @Override
        public void configure(HttpSecurity http) throws Exception {
            http
                .csrf().disable()
                .cors()
                .and()
                .addFilterBefore(corsFilter, CsrfFilter.class)
                .exceptionHandling()
                .authenticationEntryPoint(new HttpStatusEntryPoint(HttpStatus.UNAUTHORIZED))
                .and()
                .headers()
                .and()
                .authorizeRequests()
                .antMatchers("/v2/api-docs").permitAll()
                .antMatchers("/authenticate").permitAll()
                .antMatchers("/customer/**").hasAuthority("MARKETING")
                .anyRequest().authenticated()
                .and()
                .oauth2Login() // generates the /login page
                .successHandler(successHandler())
                ...
        }
    }
    