I am trying to secure the Spring actuator endpoints. I have working security on my /api REST interface, but trying to add security to the built-in endpoints does not seem to work.
I have set the endpoint grouping in my application.properties:
management.context-path=/management
And I have this in my
@Override
protected void configure( HttpSecurity http ) throws Exception
{
http.csrf().disable();
http.sessionManagement().sessionCreationPolicy( SessionCreationPolicy.STATELESS );
http.authorizeRequests()
.antMatchers( "/api/**" ).hasRole( "READONLY" )
.antMatchers( "/management/**" ).hasRole( "ADMIN" );
SecurityConfigurer<DefaultSecurityFilterChain, HttpSecurity> securityConfigurer = new XAuthTokenConfigurer( userDetailsServiceBean() );
http.apply( securityConfigurer );
}
When I use my browser to access anything under /api I get a 403, as expected. But when going to /management/info, for example, I see the JSON returned rather than a 403.
I also tried adding this to my application.properties file:
management.security.role=ADMIN
but that did not help either.
The debug output shows:
2014-05-02 10:15:30 DEBUG [localhost-startStop-1] ExpressionBasedFilterInvocationSecurityMetadataSource -
Adding web access control expression 'hasRole('ROLE_READONLY')', for Ant [pattern='/api/**']
2014-05-02 10:15:30 DEBUG [localhost-startStop-1] ExpressionBasedFilterInvocationSecurityMetadataSource -
Adding web access control expression 'hasRole('ROLE_ADMIN')', for Ant [pattern='/management/**']
And then when I make the HTTP request:
2014-05-02 10:16:39 DEBUG [http-nio-8443-exec-4] AntPathRequestMatcher - Checking match of request : '/management/info'; against '/css/**'
2014-05-02 10:16:39 DEBUG [http-nio-8443-exec-4] AntPathRequestMatcher - Checking match of request : '/management/info'; against '/js/**'
2014-05-02 10:16:39 DEBUG [http-nio-8443-exec-4] AntPathRequestMatcher - Checking match of request : '/management/info'; against '/images/**'
2014-05-02 10:16:39 DEBUG [http-nio-8443-exec-4] AntPathRequestMatcher - Checking match of request : '/management/info'; against '/**/favicon.ico'
2014-05-02 10:16:39 DEBUG [http-nio-8443-exec-4] AntPathRequestMatcher - Checking match of request : '/management/info'; against '/management/info'
2014-05-02 10:16:39 DEBUG [http-nio-8443-exec-4] FilterChainProxy - /management/info has an empty filter list
Posted on 2014-05-02 08:23:08
The log line that tells the story is "/management/info has an empty filter list", because it is explicitly marked as ignored (/info is always considered to be available). Try one of the other actuator endpoints and see if those behave as you expect. If you really need to secure the info endpoint, you can set endpoints.info.sensitive=true (I think).
https://stackoverflow.com/questions/23423550
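The following is an added example, not code from the question or the answer, showing what the answer describes put together: a Spring Boot 1.x security configuration for the /api and /management groups, with the properties that turn the non-sensitive actuator endpoints (/info, /health) into secured ones. It assumes Spring Boot 1.x property names, HTTP Basic authentication and two constructed in-memory users; the class and package names are hypothetical. The roles READONLY and ADMIN are taken from the question.

```java
// Added example (not the asker's or answerer's code). Assumes Spring Boot 1.x /
// Spring Security 3.2-era APIs and property names; package and class names are
// hypothetical, and the two users below are constructed demo accounts.
package example.security;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;

/*
 * application.properties: the default beside the hardened setting.
 *
 *   management.context-path=/management
 *   # /info and /health are "non-sensitive" by default, so Boot serves them with
 *   # no security filter at all (the "empty filter list" in the debug log).
 *   # Opting them in makes them subject to actuator security like the rest:
 *   endpoints.info.sensitive=true
 *   endpoints.health.sensitive=true
 *   # Role that Boot's own actuator security requires for sensitive endpoints:
 *   management.security.role=ADMIN
 */
@Configuration
@EnableWebSecurity
public class ActuatorSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        // Constructed demo users; a real deployment would use an external identity store.
        auth.inMemoryAuthentication()
            .withUser("reader").password("reader-pass").roles("READONLY")
            .and()
            .withUser("ops").password("ops-pass").roles("ADMIN");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.csrf().disable();
        http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
        http.authorizeRequests()
            .antMatchers("/api/**").hasRole("READONLY")
            // Match the whole management context path rather than a list of
            // endpoint names, so any endpoint enabled later is covered as well.
            .antMatchers("/management/**").hasRole("ADMIN")
            // Fail closed: a path matched by neither rule is denied, not permitted.
            .anyRequest().denyAll();
        http.httpBasic();
    }
}
```

After restarting with these properties, the check is the one the question already performs: an unauthenticated GET to /management/info should now be rejected (401 with Basic auth) instead of returning JSON, and the debug log should show the security filter chain being applied to /management/info rather than "has an empty filter list". Because actuator security in Boot 1.x is a separate, higher-priority filter chain, management.security.role must name the same role the `/management/**` rule expects, otherwise an ADMIN user may be authorized by one chain and refused by the other.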