Spring Boot 中用于应用程序身份验证和管理身份验证的凭据不同?
Different credentials in Spring Boot for app authentication and management authentication?
我想为我的 Spring 启动应用程序使用 http 基本身份验证和一组凭据,同时我想配置执行器以使用一组不同的凭据来管理资源(健康,环境等)。我已经阅读了 Actucator 文档,其中说您应该能够使用 security.user.name 和 security.user.password 属性设置用户名和密码。但是,当我添加自定义 WebSecurityConfigurerAdapter 时,它似乎不再适用。我的 WebSecurityConfigurerAdapter 看起来像这样:
@Configuration
@EnableWebMvcSecurity
@Order(Ordered.LOWEST_PRECEDENCE - 11)
public class ApplicationSecurityConfig extends WebSecurityConfigurerAdapter {
private static final String API_USER = "API";
private static final String ADMIN_USER = "ADMIN";
@NotNull
@Value("${security.user.name}")
private String managementUsername;
@NotNull
@Value("${security.user.password}")
private String managementPassword;
@NotNull
@Value("${management.context-path}")
private String managementContextPath;
public ApplicationSecurityConfig() {
super(true);
}
@Override
protected void configure(HttpSecurity http) throws Exception {
// @formatter:off
http
.addFilter(new WebAsyncManagerIntegrationFilter())
.exceptionHandling().and()
.headers().and()
.sessionManagement()
.sessionCreationPolicy(STATELESS)
.and()
.securityContext().and()
.requestCache().and()
.servletApi().and()
.authorizeRequests()
.antMatchers(managementContextPath+"/**").hasRole(ADMIN_USER)
.antMatchers("/**").hasRole(API_USER)
.and()
.httpBasic();
// @formatter:on
}
@Autowired
public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
auth.inMemoryAuthentication().withUser("apiUsername").password("apiPassword").roles(API_USER).
and().withUser(managementUsername).password(managementPassword).roles(ADMIN_USER);
}
}
我也试过将 management.security.enabled 设置为 false 但是尽管我在上面努力保护它,但管理资源似乎对所有人开放。
有谁知道我做错了什么以及如何处理?
更新
我看到 Spring 从我的应用中发出了三个事件:
2015-06-10 20:04:37.076 INFO 44081 --- [nio-8083-exec-1] o.s.b.a.audit.listener.AuditListener : AuditEvent [timestamp=Wed Jun 10 20:04:37 CEST 2015, principal=<unknown>, type=AUTHENTICATION_FAILURE, data={type=org.springframework.security.authentication.AuthenticationCredentialsNotFoundException, message=An Authentication object was not found in the SecurityContext}]
2015-06-10 20:04:39.564 INFO 44081 --- [nio-8083-exec-2] o.s.b.a.audit.listener.AuditListener : AuditEvent [timestamp=Wed Jun 10 20:04:39 CEST 2015, principal=admin, type=AUTHENTICATION_SUCCESS, data={details=org.springframework.security.web.authentication.WebAuthenticationDetails@b364: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: null}]
2015-06-10 20:04:39.569 INFO 44081 --- [nio-8083-exec-2] o.s.b.a.audit.listener.AuditListener : AuditEvent [timestamp=Wed Jun 10 20:04:39 CEST 2015, principal=admin, type=AUTHORIZATION_FAILURE, data={type=org.springframework.security.access.AccessDeniedException, message=Access is denied}]
但是 hyness 示例应用只有两个:
2015-06-10 19:34:10.851 INFO 42714 --- [nio-8083-exec-1] o.s.b.a.audit.listener.AuditListener : AuditEvent [timestamp=Wed Jun 10 19:34:10 CEST 2015, principal=anonymousUser, type=AUTHORIZATION_FAILURE, data={type=org.springframework.security.access.AccessDeniedException, message=Access is denied}]
2015-06-10 19:34:17.139 INFO 42714 --- [nio-8083-exec-2] o.s.b.a.audit.listener.AuditListener : AuditEvent [timestamp=Wed Jun 10 19:34:17 CEST 2015, principal=manage, type=AUTHENTICATION_SUCCESS, data={details=org.springframework.security.web.authentication.WebAuthenticationDetails@b364: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: null}]
我猜你想对不同的 URL 进行不同的配置? Spring 安全参考文档中的 Multiple HttpSecurity 章节建议您创建一个具有多个 WebSecurityConfigurerAdapter bean 的安全配置(基于您的问题和参考文档中的示例的简化代码段):
@Configuration
@EnableWebSecurity
public class MultiHttpSecurityConfig {
// variables omitted...
@Autowired
public void configureGlobal(AuthenticationManagerBuilder auth) {
auth
.inMemoryAuthentication()
.withUser("apiUsername").password("apiPassword")
.roles(API_USER).and()
.withUser(managementUsername).password(managementPassword)
.roles(ADMIN_USER);
}
@Configuration
@Order(1)
public static class ManagementWebSecurityConfigurationAdapter extends WebSecurityConfigurerAdapter {
protected void configure(HttpSecurity http) throws Exception {
http
.antMatcher(managementContextPath+"/**")
.authorizeRequests()
.anyRequest().hasRole("ADMIN_USER")
.and()
.httpBasic();
}
}
@Configuration
public static class DefaultWebSecurityConfigurerAdapter extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.anyRequest().hasRole("API_USER")
.and()
.httpBasic()
}
}
}
详情请阅读参考文档。
我更改了优先级并更改了管理用户名和密码 属性 名称,它适用于我。管理上下文仅供管理用户访问,其余安全路径仅供 apiUsername 访问。问题是没有基本的注销功能。您需要关闭浏览器 window 或使用私人标签切换用户。
@Configuration
@Order(SecurityProperties.ACCESS_OVERRIDE_ORDER)
public class ApplicationSecurityConfig extends WebSecurityConfigurerAdapter {
private static final String API_USER = "API";
private static final String ADMIN_USER = "ADMIN";
@NotNull
@Value("${management.user.name}")
private String managementUsername;
@NotNull
@Value("${management.user.password}")
private String managementPassword;
@NotNull
@Value("${management.context-path}")
private String managementContextPath;
public ApplicationSecurityConfig() {
super(true);
}
@Override
protected void configure(HttpSecurity http) throws Exception {
// @formatter:off
http.addFilter(new WebAsyncManagerIntegrationFilter())
.exceptionHandling().and().headers().and().sessionManagement()
.sessionCreationPolicy(STATELESS).and().securityContext().and()
.requestCache().and().servletApi().and().authorizeRequests()
.antMatchers(managementContextPath + "/**").hasRole(ADMIN_USER)
.antMatchers("/**").hasRole(API_USER).and().httpBasic();
// @formatter:on
}
@Autowired
public void configureGlobal(AuthenticationManagerBuilder auth)
throws Exception {
auth.inMemoryAuthentication().withUser("apiUsername")
.password("apiPassword").roles(API_USER).and()
.withUser(managementUsername).password(managementPassword)
.roles(ADMIN_USER);
}
}
hyness 答案在我更改后有效:
..
.antMatchers(managementContextPath + "/**").hasRole(ADMIN_USER)
.antMatchers("/**").hasRole(API_USER)
至
..
.requestMatchers(request -> !request.getContextPath().startsWith(managementContextPath)).hasRole(API)
.antMatchers("/**").not().hasRole(API)
.antMatchers(managementContextPath + "/**").hasRole(ADMIN)
我想为我的 Spring 启动应用程序使用 http 基本身份验证和一组凭据,同时我想配置执行器以使用一组不同的凭据来管理资源(健康,环境等)。我已经阅读了 Actucator 文档,其中说您应该能够使用 security.user.name 和 security.user.password 属性设置用户名和密码。但是,当我添加自定义 WebSecurityConfigurerAdapter 时,它似乎不再适用。我的 WebSecurityConfigurerAdapter 看起来像这样:
@Configuration
@EnableWebMvcSecurity
@Order(Ordered.LOWEST_PRECEDENCE - 11)
public class ApplicationSecurityConfig extends WebSecurityConfigurerAdapter {
private static final String API_USER = "API";
private static final String ADMIN_USER = "ADMIN";
@NotNull
@Value("${security.user.name}")
private String managementUsername;
@NotNull
@Value("${security.user.password}")
private String managementPassword;
@NotNull
@Value("${management.context-path}")
private String managementContextPath;
public ApplicationSecurityConfig() {
super(true);
}
@Override
protected void configure(HttpSecurity http) throws Exception {
// @formatter:off
http
.addFilter(new WebAsyncManagerIntegrationFilter())
.exceptionHandling().and()
.headers().and()
.sessionManagement()
.sessionCreationPolicy(STATELESS)
.and()
.securityContext().and()
.requestCache().and()
.servletApi().and()
.authorizeRequests()
.antMatchers(managementContextPath+"/**").hasRole(ADMIN_USER)
.antMatchers("/**").hasRole(API_USER)
.and()
.httpBasic();
// @formatter:on
}
@Autowired
public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
auth.inMemoryAuthentication().withUser("apiUsername").password("apiPassword").roles(API_USER).
and().withUser(managementUsername).password(managementPassword).roles(ADMIN_USER);
}
}
我也试过将 management.security.enabled 设置为 false 但是尽管我在上面努力保护它,但管理资源似乎对所有人开放。
有谁知道我做错了什么以及如何处理?
更新
我看到 Spring 从我的应用中发出了三个事件:
2015-06-10 20:04:37.076 INFO 44081 --- [nio-8083-exec-1] o.s.b.a.audit.listener.AuditListener : AuditEvent [timestamp=Wed Jun 10 20:04:37 CEST 2015, principal=<unknown>, type=AUTHENTICATION_FAILURE, data={type=org.springframework.security.authentication.AuthenticationCredentialsNotFoundException, message=An Authentication object was not found in the SecurityContext}]
2015-06-10 20:04:39.564 INFO 44081 --- [nio-8083-exec-2] o.s.b.a.audit.listener.AuditListener : AuditEvent [timestamp=Wed Jun 10 20:04:39 CEST 2015, principal=admin, type=AUTHENTICATION_SUCCESS, data={details=org.springframework.security.web.authentication.WebAuthenticationDetails@b364: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: null}]
2015-06-10 20:04:39.569 INFO 44081 --- [nio-8083-exec-2] o.s.b.a.audit.listener.AuditListener : AuditEvent [timestamp=Wed Jun 10 20:04:39 CEST 2015, principal=admin, type=AUTHORIZATION_FAILURE, data={type=org.springframework.security.access.AccessDeniedException, message=Access is denied}]
但是 hyness 示例应用只有两个:
2015-06-10 19:34:10.851 INFO 42714 --- [nio-8083-exec-1] o.s.b.a.audit.listener.AuditListener : AuditEvent [timestamp=Wed Jun 10 19:34:10 CEST 2015, principal=anonymousUser, type=AUTHORIZATION_FAILURE, data={type=org.springframework.security.access.AccessDeniedException, message=Access is denied}]
2015-06-10 19:34:17.139 INFO 42714 --- [nio-8083-exec-2] o.s.b.a.audit.listener.AuditListener : AuditEvent [timestamp=Wed Jun 10 19:34:17 CEST 2015, principal=manage, type=AUTHENTICATION_SUCCESS, data={details=org.springframework.security.web.authentication.WebAuthenticationDetails@b364: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: null}]
我猜你想对不同的 URL 进行不同的配置? Spring 安全参考文档中的 Multiple HttpSecurity 章节建议您创建一个具有多个 WebSecurityConfigurerAdapter bean 的安全配置(基于您的问题和参考文档中的示例的简化代码段):
@Configuration
@EnableWebSecurity
public class MultiHttpSecurityConfig {
// variables omitted...
@Autowired
public void configureGlobal(AuthenticationManagerBuilder auth) {
auth
.inMemoryAuthentication()
.withUser("apiUsername").password("apiPassword")
.roles(API_USER).and()
.withUser(managementUsername).password(managementPassword)
.roles(ADMIN_USER);
}
@Configuration
@Order(1)
public static class ManagementWebSecurityConfigurationAdapter extends WebSecurityConfigurerAdapter {
protected void configure(HttpSecurity http) throws Exception {
http
.antMatcher(managementContextPath+"/**")
.authorizeRequests()
.anyRequest().hasRole("ADMIN_USER")
.and()
.httpBasic();
}
}
@Configuration
public static class DefaultWebSecurityConfigurerAdapter extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.anyRequest().hasRole("API_USER")
.and()
.httpBasic()
}
}
}
详情请阅读参考文档。
我更改了优先级并更改了管理用户名和密码 属性 名称,它适用于我。管理上下文仅供管理用户访问,其余安全路径仅供 apiUsername 访问。问题是没有基本的注销功能。您需要关闭浏览器 window 或使用私人标签切换用户。
@Configuration
@Order(SecurityProperties.ACCESS_OVERRIDE_ORDER)
public class ApplicationSecurityConfig extends WebSecurityConfigurerAdapter {
private static final String API_USER = "API";
private static final String ADMIN_USER = "ADMIN";
@NotNull
@Value("${management.user.name}")
private String managementUsername;
@NotNull
@Value("${management.user.password}")
private String managementPassword;
@NotNull
@Value("${management.context-path}")
private String managementContextPath;
public ApplicationSecurityConfig() {
super(true);
}
@Override
protected void configure(HttpSecurity http) throws Exception {
// @formatter:off
http.addFilter(new WebAsyncManagerIntegrationFilter())
.exceptionHandling().and().headers().and().sessionManagement()
.sessionCreationPolicy(STATELESS).and().securityContext().and()
.requestCache().and().servletApi().and().authorizeRequests()
.antMatchers(managementContextPath + "/**").hasRole(ADMIN_USER)
.antMatchers("/**").hasRole(API_USER).and().httpBasic();
// @formatter:on
}
@Autowired
public void configureGlobal(AuthenticationManagerBuilder auth)
throws Exception {
auth.inMemoryAuthentication().withUser("apiUsername")
.password("apiPassword").roles(API_USER).and()
.withUser(managementUsername).password(managementPassword)
.roles(ADMIN_USER);
}
}
hyness 答案在我更改后有效:
..
.antMatchers(managementContextPath + "/**").hasRole(ADMIN_USER)
.antMatchers("/**").hasRole(API_USER)
至
..
.requestMatchers(request -> !request.getContextPath().startsWith(managementContextPath)).hasRole(API)
.antMatchers("/**").not().hasRole(API)
.antMatchers(managementContextPath + "/**").hasRole(ADMIN)