This is my Spring Boot 1.5.1 Actuator application.properties:
#Spring Boot Actuator
management.contextPath: /actuator
management.security.roles=R_0
This is my WebSecurityConfig:
@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
@Autowired
private UserDetailsService userDetailsService;
@Value("${logout.success.url}")
private String logoutSuccessUrl;
@Override
protected void configure(HttpSecurity http) throws Exception {
// @formatter:off
http.addFilterBefore(new CorsFilter(), ChannelProcessingFilter.class);
http
.csrf().ignoringAntMatchers("/v1.0/**", "/logout")
.and()
.authorizeRequests()
.antMatchers("/oauth/authorize").authenticated()
//Anyone can access the urls
.antMatchers("/signin/**").permitAll()
.antMatchers("/v1.0/**").permitAll()
.antMatchers("/auth/**").permitAll()
.antMatchers("/actuator/health").permitAll()
.antMatchers("/actuator/**").hasAuthority("R_0")
.antMatchers("/login").permitAll()
.anyRequest().authenticated()
.and()
.formLogin()
.loginPage("/login")
.loginProcessingUrl("/login")
.failureUrl("/login?error=true")
.usernameParameter("username")
.passwordParameter("password")
.permitAll()
.and()
.logout()
.logoutUrl("/logout")
.logoutSuccessUrl(logoutSuccessUrl)
.permitAll();
// @formatter:on
}
/**
* Configures the authentication manager bean which processes authentication requests.
*/
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.userDetailsService(userDetailsService).passwordEncoder(new BCryptPasswordEncoder());
}
@Override
@Bean
public AuthenticationManager authenticationManagerBean() throws Exception {
return super.authenticationManagerBean();
}
}
Right now I'm successfully able to login in my application with a right user that has R_0 authorities but when I trying to access for example
http://localhost:8080/api/actuator/beans
I receive a following error:
There was an unexpected error (type=Forbidden, status=403).
Access is denied. User must have one of the these roles: R_0
How to correctly configure Spring Boot Actuator in order to be aware about the correct Authentication ?
Right now in order to get it workin I have to do the following trick:
management.security.enabled=false
.antMatchers("/actuator/health").permitAll()
.antMatchers("/actuator/**").hasAuthority("R_0")
Is any chance to configure Actuator in a right way ?
UPDATED
I'm using UserDetailsService.UserDetails.Authorities
public Collection<? extends GrantedAuthority> getAuthorities() {
String[] authorities = permissions.stream().map(p -> {
return p.getName();
}).toArray(String[]::new);
return AuthorityUtils.createAuthorityList(authorities);
}
You have to use prefix ROLE_ for your management.security.roles for example management.security.roles=ROLE_SOMENAME in order to solve this issue
To have authorization to spring boot actuator endpoints you need to have ACTUATOR role. Refer this example Accessing Restricted Actuator Endpoints with Spring Security
I'm coming at this from a Reactive Spring Boot 2.x app and had this problem and solved it by updating the WebSecurityConfig.securityWebFilterChain as well as SecurityContextRepository.load to include /actuator/** as follows:
public class WebSecurityConfig {
private AuthenticationManager authenticationManager;
private SecurityContextRepository securityContextRepository;
@Autowired
public WebSecurityConfig(AuthenticationManager authenticationManager, SecurityContextRepository securityContextRepository) {
this.authenticationManager = authenticationManager;
this.securityContextRepository = securityContextRepository;
}
@Bean
public SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity http) {
return http
.exceptionHandling()
.authenticationEntryPoint((swe, e) -> Mono.fromRunnable(() -> {
swe.getResponse().setStatusCode(HttpStatus.UNAUTHORIZED);
})).accessDeniedHandler((swe, e) -> Mono.fromRunnable(() -> {
swe.getResponse().setStatusCode(HttpStatus.FORBIDDEN);
})).and()
.csrf().disable()
.formLogin().disable()
.httpBasic().disable()
.authenticationManager(authenticationManager)
.securityContextRepository(securityContextRepository)
.authorizeExchange()
.pathMatchers("/actuator/**").permitAll()
.anyExchange().authenticated()
.and().build();
}
as well as updating
@Slf4j
@Component
public class SecurityContextRepository implements ServerSecurityContextRepository {
private AuthenticationManager authenticationManager;
public SecurityContextRepository(AuthenticationManager authenticationManager) {
this.authenticationManager = authenticationManager;
}
@Override
public Mono<Void> save(ServerWebExchange swe, SecurityContext sc) {
return Mono.error(new UnsupportedOperationException("Not supported"));
}
@Override
public Mono<SecurityContext> load(ServerWebExchange swe) {
ServerHttpRequest request = swe.getRequest();
if (request.getPath().value().startsWith("/actuator") ) {
return Mono.empty();
}
// other authentication logic here
}
According to this link:
http://docs.spring.io/spring-boot/docs/current/reference/html/production-ready-monitoring.html
By default all sensitive HTTP endpoints are secured such that only users that have an ACTUATOR role may access them. Security is enforced using the standard HttpServletRequest.isUserInRole method.
Use the management.security.roles property if you want something different to ACTUATOR.
So I think all you have to do is set the following property in application.properties.
management.security.roles
Ex:
management.security.roles=R_0
来源:https://stackoverflow.com/questions/42142556/spring-boot-actuator-endpoints-security-doesnt-work-with-custom-spring-security