gpt4 book ai didi

spring - Spring Boot 中用于应用程序身份验证和管理身份验证的不同凭据?

转载 作者:行者123 更新时间:2023-12-01 15:33:26 31 4
gpt4 key购买 nike

我想使用一组凭据对 Spring Boot 应用程序使用 http 基本身份验证,同时我想将执行器配置为对管理资源(健康、环境等)使用一组不同的凭据。我已经阅读了 Actucator 文档,其中说您应该能够使用 security.user.name 设置用户名和密码。和 security.user.password特性。但是,当我添加自定义 WebSecurityConfigurerAdapter 时它似乎不再适用。我的 WebSecurityConfigurerAdapter看起来像这样:

@Configuration
@EnableWebMvcSecurity
@Order(Ordered.LOWEST_PRECEDENCE - 11)
public class ApplicationSecurityConfig extends WebSecurityConfigurerAdapter {

private static final String API_USER = "API";
private static final String ADMIN_USER = "ADMIN";

@NotNull
@Value("${security.user.name}")
private String managementUsername;
@NotNull
@Value("${security.user.password}")
private String managementPassword;
@NotNull
@Value("${management.context-path}")
private String managementContextPath;

public ApplicationSecurityConfig() {
super(true);
}

@Override
protected void configure(HttpSecurity http) throws Exception {
// @formatter:off
http
.addFilter(new WebAsyncManagerIntegrationFilter())
.exceptionHandling().and()
.headers().and()
.sessionManagement()
.sessionCreationPolicy(STATELESS)
.and()
.securityContext().and()
.requestCache().and()
.servletApi().and()
.authorizeRequests()
.antMatchers(managementContextPath+"/**").hasRole(ADMIN_USER)
.antMatchers("/**").hasRole(API_USER)
.and()
.httpBasic();
// @formatter:on
}


@Autowired
public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
auth.inMemoryAuthentication().withUser("apiUsername").password("apiPassword").roles(API_USER).
and().withUser(managementUsername).password(managementPassword).roles(ADMIN_USER);
}
}

我也试过设置 management.security.enabledfalse但是尽管我在上面努力保护它,但管理资源似乎对所有人开放。

有谁知道我做错了什么以及如何去做?

更新

我看到 Spring 从我的应用程序发出了三个事件:
2015-06-10 20:04:37.076  INFO 44081 --- [nio-8083-exec-1] o.s.b.a.audit.listener.AuditListener     : AuditEvent [timestamp=Wed Jun 10 20:04:37 CEST 2015, principal=<unknown>, type=AUTHENTICATION_FAILURE, data={type=org.springframework.security.authentication.AuthenticationCredentialsNotFoundException, message=An Authentication object was not found in the SecurityContext}]
2015-06-10 20:04:39.564 INFO 44081 --- [nio-8083-exec-2] o.s.b.a.audit.listener.AuditListener : AuditEvent [timestamp=Wed Jun 10 20:04:39 CEST 2015, principal=admin, type=AUTHENTICATION_SUCCESS, data={details=org.springframework.security.web.authentication.WebAuthenticationDetails@b364: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: null}]
2015-06-10 20:04:39.569 INFO 44081 --- [nio-8083-exec-2] o.s.b.a.audit.listener.AuditListener : AuditEvent [timestamp=Wed Jun 10 20:04:39 CEST 2015, principal=admin, type=AUTHORIZATION_FAILURE, data={type=org.springframework.security.access.AccessDeniedException, message=Access is denied}]

但是 hyness 示例应用程序只有两个:
2015-06-10 19:34:10.851  INFO 42714 --- [nio-8083-exec-1] o.s.b.a.audit.listener.AuditListener     : AuditEvent [timestamp=Wed Jun 10 19:34:10 CEST 2015, principal=anonymousUser, type=AUTHORIZATION_FAILURE, data={type=org.springframework.security.access.AccessDeniedException, message=Access is denied}]
2015-06-10 19:34:17.139 INFO 42714 --- [nio-8083-exec-2] o.s.b.a.audit.listener.AuditListener : AuditEvent [timestamp=Wed Jun 10 19:34:17 CEST 2015, principal=manage, type=AUTHENTICATION_SUCCESS, data={details=org.springframework.security.web.authentication.WebAuthenticationDetails@b364: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: null}]

最佳答案

我猜你想对不同的 URL 有不同的配置? Multiple HttpSecurity Spring Security 引用文档中的章节建议您应该创建一个具有多个 WebSecurityConfigurerAdapter 的安全配置。 bean(基于您的问题和引用文档中的示例的简化片段):

@Configuration
@EnableWebSecurity
public class MultiHttpSecurityConfig {

// variables omitted...

@Autowired
public void configureGlobal(AuthenticationManagerBuilder auth) {
auth
.inMemoryAuthentication()
.withUser("apiUsername").password("apiPassword")
.roles(API_USER).and()
.withUser(managementUsername).password(managementPassword)
.roles(ADMIN_USER);
}

@Configuration
@Order(1)
public static class ManagementWebSecurityConfigurationAdapter extends WebSecurityConfigurerAdapter {
protected void configure(HttpSecurity http) throws Exception {
http
.antMatcher(managementContextPath+"/**")
.authorizeRequests()
.anyRequest().hasRole("ADMIN_USER")
.and()
.httpBasic();
}
}

@Configuration
public static class DefaultWebSecurityConfigurerAdapter extends WebSecurityConfigurerAdapter {

@Override
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.anyRequest().hasRole("API_USER")
.and()
.httpBasic()
}
}
}

有关详细信息,请阅读引用文档。

关于spring - Spring Boot 中用于应用程序身份验证和管理身份验证的不同凭据?,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/30382775/

31 4 0
Copyright 2021 - 2024 cfsdn All Rights Reserved 蜀ICP备2022000587号
广告合作:1813099741@qq.com 6ren.com