1. 首頁
  2. 問答
  3. 無法保護Spring引導管理執行器端點

無法保護Spring引導管理執行器端點

2014-05-02 18 views
5

我試圖保護Spring Boot執行器端點。我在我的/api REST界面上安全工作,但試圖增加內置端點的安全性似乎並不奏效。無法保護Spring引導管理執行器端點

我已經設置了終端的分組在我application.properties

management.context-path=/management

我在我的Java配置

@Override 
protected void configure(HttpSecurity http) throws Exception 
{ 
    http.csrf().disable(); 
    http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS); 

    http.authorizeRequests() 
     .antMatchers("/api/**").hasRole("READONLY") 
     .antMatchers("/management/**").hasRole("ADMIN"); 


    SecurityConfigurer<DefaultSecurityFilterChain, HttpSecurity> securityConfigurer = new XAuthTokenConfigurer(userDetailsServiceBean()); 
    http.apply(securityConfigurer); 
}

當我使用我的瀏覽器去任何低於/api有這個,我按預期獲得403回。當去/ management/info例如,我看到返回的JSON,我也期待一個403

我也想加入這個我application.properties文件:

management.security.role=ADMIN

但是,這並沒有幫助。

調試輸出顯示:

2014-05-02 10:15:30 DEBUG [localhost-startStop-1] ExpressionBasedFilterInvocationSecurityMetadataSource - 
Adding web access control expression 'hasRole('ROLE_READONLY')', for Ant [pattern='/api/**'] 

2014-05-02 10:15:30 DEBUG [localhost-startStop-1] ExpressionBasedFilterInvocationSecurityMetadataSource - 
Adding web access control expression 'hasRole('ROLE_ADMIN')', for Ant [pattern='/management/**']

然後爲什麼我嘗試HTTP GET:

2014-05-02 10:16:39 DEBUG [http-nio-8443-exec-4] AntPathRequestMatcher - Checking match of request : '/management/info'; against '/css/**' 
2014-05-02 10:16:39 DEBUG [http-nio-8443-exec-4] AntPathRequestMatcher - Checking match of request : '/management/info'; against '/js/**' 
2014-05-02 10:16:39 DEBUG [http-nio-8443-exec-4] AntPathRequestMatcher - Checking match of request : '/management/info'; against '/images/**' 
2014-05-02 10:16:39 DEBUG [http-nio-8443-exec-4] AntPathRequestMatcher - Checking match of request : '/management/info'; against '/**/favicon.ico' 
2014-05-02 10:16:39 DEBUG [http-nio-8443-exec-4] AntPathRequestMatcher - Checking match of request : '/management/info'; against '/management/info' 
2014-05-02 10:16:39 DEBUG [http-nio-8443-exec-4] FilterChainProxy - /management/info has an empty filter list

來源

2014-05-02 Wim Deblauwe

回答

2

告訴故事中的日誌:「/管理/信息有一個空的篩選器列表「因爲它明確標記爲忽略(/ info總是應該可用)。嘗試其他執行器端點之一,看看它們的行爲是否符合您的預期。如果您確實需要保護信息端點,則可以設置endpoints.info.sensitive = true(我認爲)。

來源

2014-05-02 08:23:08

+0

完全正確!我試過的兩個是'/ info'和'/ health',兩者似乎總是可用的。如果我使用'/ beans',我確實得到了預期的403。您可以添加此信息[在文檔中](http://docs.spring.io/spring-boot/docs/current-SNAPSHOT/reference/htmlsingle/#production-ready-sensitive-endpoints)? –

+0

它在那裏:http://docs.spring.io/spring-boot/docs/current/reference/htmlsingle/#production-ready-sensitive-endpoints,http://docs.spring.io/spring-boot/docs /電流/參考/ htmlsingle /#生產就緒的端點。如果您想提出進一步的說明,請參閱。 –

+0

事實上,我似乎沒有注意到表中的「敏感」列。 –

相關問題

 相關問題