时间戳

首页 > 解决方案 > 如何在 Spring Boot 2 中禁用管理端口的安全性

spring - 如何在 Spring Boot 2 中禁用管理端口的安全性

问题描述

我在端口 6565 上有/actuator/ Endpoints(在我的情况下为manage)。是否可以仅针对特定端口禁用 Spring Boot 2 中的安全性?目前我只能从安全性中排除某些路径。如果我现在在 /manage/ 下的主应用程序端口 1337 下运行 Enpoints,那将是不安全的。过去我们使用management.security.enabled: false还是该路径也相关?

@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
                .authorizeRequests()
                .antMatchers("/manage/**").permitAll()
                .anyRequest().authenticated().and().httpBasic().realmName("Hay, the Config Server is here");

    }
}

应用程序.yml

spring:
  cloud:
    config:
      server:
        git:
          uri: https://bitbucket.xxx.net/scm/gpi/springconfiguration.git
          username: xxx
          password: xxx
          searchPaths: application-*
          force-pull: true
  security:
    user:
      name: xxxUser
      password: xxx
server:
  port: 1337
  address: 0.0.0.0
management:
    server:
      port: 6565
    metrics:
      export:
        prometheus:
          enabled: true
    endpoints:
      web:
        exposure:
          include: '*'
        base-path: /manage
    endpoint:
      prometheus:
        enabled: true

标签: springspring-bootspring-security

解决方案

我最终将此作为在这里找到的工作解决方案如何告诉spring security仅将authorizeRequests应用于特定端口?

public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Value("${management.server.port}")
    private int managementPort;

    @Value("${server.port}")
    private int apiPort;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
                .authorizeRequests()
                .requestMatchers(forPortAndPath(managementPort, "/manage/**")).permitAll()
                .anyRequest().authenticated().and().httpBasic().realmName("Hay, the Config Server is here");

    }

    private RequestMatcher forPortAndPath(final int port, final String pathPattern) {
        return new AndRequestMatcher(forPort(port), new AntPathRequestMatcher(pathPattern));
    }

    private RequestMatcher forPortAndPath(final int port, final HttpMethod method,
                                          final String pathPattern) {
        return new AndRequestMatcher(forPort(port), new AntPathRequestMatcher(pathPattern, method.name()));
    }

    private RequestMatcher forPort(final int port) {
        return (HttpServletRequest request) -> port == request.getLocalPort();
    }

另一个解决方案是将路径添加到 WebSecurity

@Value("${management.server.port:6565}")
private int managementPort;

@Value("${management.endpoints.web.base-path:/manage}")
private String managementPath;


@Override
public void configure(WebSecurity web) {
    if (securityConfiguration.getAuthenticationScenario()
            .equals(HwlPortalAuthenticationScenario.DISABLE_SECURITY)) {
        web.ignoring().antMatchers("/**");
    } else {
        web.ignoring().antMatchers(securityConfiguration.securityDisabledPaths().toArray(new String[]{}))
                .requestMatchers(forPortAndPath(managementPort,managementPath + "/**"));
    }
}

推荐阅读