我有一个具有客户端和服务器身份验证的Spring Boot 2项目,并且我尝试仅公开/actuator/health
端点,因此它不需要任何身份验证。
我的初始WebSecurityConfigurerAdapter
是:
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
...
private void configureWithSsl(@NotNull HttpSecurity http) throws Exception {
LOG.info("configuring access with ssl");
http
.csrf().disable()
.authorizeRequests()
.anyRequest().authenticated()
.and().x509()
.and().userDetailsService(userDetailsService());
}
...
}
和application.yaml
server:
port: 8443
ssl:
enabled: true
key-store: 'paht/to/kestore/keystore.jks'
key-store-password: 123456
key-store-type: JKS
client-auth: need
trust-store: 'paht/to/truststore/truststore.jks'
trust-store-type: JKS
trust-store-password: 123456
protocol: TLS
enabled-protocols: TLSv1.2
我尝试过:1.将“通道”配置为端点不安全]
private void configureWithSsl(HttpSecurity http) throws Exception {
http
.csrf().disable()
.requiresChannel().requestMatchers(EndpointRequest.to("health")).requiresInsecure()
.and()
.authorizeRequests()
.anyRequest().authenticated()
.and().x509()
.and().userDetailsService(userDetailsService());
}
private void configureWithSsl(HttpSecurity http) throws Exception {
http
.csrf().disable()
.authorizeRequests()
.requestMatchers(EndpointRequest.to("health")).permitAll()
.anyRequest().authenticated()
.and().x509()
.and().userDetailsService(userDetailsService());
}
@Override
public void configure(WebSecurity web) throws Exception {
web.ignoring().requestMatchers(EndpointRequest.to("health"));
}
我已经尝试了所有这些组合,但仍然可以得到
curl -k https://localhost:8443/actuator/health
curl: (35) error:1401E412:SSL routines:CONNECT_CR_FINISHED:sslv3 alert bad certificate
curl http://localhost:8443/actuator/health
Bad Request
This combination of host and port requires TLS.
我只希望不保护运行状况端点,我确实需要保护其余的执行器端点,所以配置management.server.ssl.enabled=false
不能解决问题...
编辑:
根据@Aritra Paul的回答,我也尝试过:
http
.csrf().disable()
.authorizeRequests()
.antMatchers( "/actuator/health/**").permitAll()
.antMatchers( "/**").authenticated()
.and().x509()
.and().userDetailsService(userDetailsService());
但是我仍然得到相同的结果。
我有一个非常相似的案例,我们在端点上添加了X.509
身份验证,但想使Spring致动器端点免于身份验证。
使用Spring 2.2.3,可以像以前一样用ssl配置server
,但是可以在management
配置(用于配置执行器端点)中禁用ssl,如下所示:
management:
server:
port: 8080
ssl:
enabled: false
这种简单的组合使我们能够在端口8080上没有auth的情况下命中执行器端点,而在端口8443上使用ssl的其他端点。
[据我了解,您想为所有人打开actuator/health
网址,所有其他网址都基于角色或授权。如果是这样,您可以像下面这样尝试>]
@Override
public void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.antMatchers( "/actuator/health/**").permitAll()
.antMatchers("/other-url/**").hasRole("your role")
.authenticated();
}