Disabling basic authentication causes a 403 Access Denied error in a Spring Boot application



I have a Spring Boot 2 application that does not enforce basic authentication but has restrictions on other endpoints. I see that even with a valid user role, when it is called from Jenkins, I get a 403 error:

HTTP POST http://xxxx:8085/myapp/actuator/shutdown

Response to shutdown request was
{"timestamp":1602006760226,"status":403,"error":"Forbidden","message":"Access Denied","path":"/myapp/actuator/shutdown"}

It works when I try to access it from a REST client with a valid user ID/role.

This is my WebSecurityConfig file:

// Imports added for completeness. WebSEALSecurityConfig, CustomAccessDeniedHandler and
// getWinAuthenticationSelectionFilter() are project-specific classes from the original post.
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;

@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSEALSecurityConfig
{
    // Role names are read from application properties; hasRole() below expects the
    // matching granted authority to carry the "ROLE_" prefix.
    @Value("${ldap.server.admin.group}")
    private String SERVER_ADMIN_GROUP;

    @Value("${myapp.user.group}")
    private String APP_USER;

    @Autowired
    private CustomAccessDeniedHandler accessDeniedHandler;

    @Override
    protected void configure(HttpSecurity httpSecurity) throws Exception
    {
        httpSecurity
            .authorizeRequests()
                .antMatchers(HttpMethod.OPTIONS, "/**").permitAll()
                .antMatchers("/actuator/health").permitAll()
                // Every other actuator endpoint, including /actuator/shutdown, needs the admin role
                .antMatchers("/actuator/**").hasRole(SERVER_ADMIN_GROUP)
                .antMatchers("/customer/deleteUser").hasRole(APP_USER)
            .and().addFilterBefore(getWinAuthenticationSelectionFilter(), BasicAuthenticationFilter.class)
            .httpBasic()
            .and().csrf().disable()
            // Basic authentication is intentionally switched off; the WebSEAL filter above authenticates
            .httpBasic().disable()
            .exceptionHandling().accessDeniedHandler(accessDeniedHandler).and()
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
    }
}

I have an AccessDeniedHandler class that catches 403 errors when users hit these restricted URLs.

Can someone tell me what I am doing wrong here? Thanks in advance.

The 403 error code indicates insufficient permissions.

Are you sure these instance variables are initialized correctly?

@Value("${ldap.server.admin.group}")
private String SERVER_ADMIN_GROUP;
@Value("${myapp.user.group}")
private String APP_USER;

For the URL http://xxxx:8085/myapp/actuator/shutdown, the following rule takes effect: .antMatchers("/actuator/**").hasRole(SERVER_ADMIN_GROUP)

So if SERVER_ADMIN_GROUP is not initialized correctly, you will run into problems.
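One way to verify both points the answer raises (that the property is actually resolved and that the /actuator/** rule behaves as intended) is a Spring Boot MockMvc test. The following is an added example and not code from the original question or answer. It assumes a Spring Boot application class exists on the classpath, that the spring-security-test dependency is present, that the group names SERVER_ADMINS and APP_USERS are constructed placeholder values, and it exercises /actuator/info rather than /actuator/shutdown so the test does not stop its own application context. The user(...).roles(...) post-processor injects an authentication directly, so the rule is checked independently of the WebSEAL filter that authenticates requests in production.

```java
package com.example.myapp; // hypothetical package

import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.test.context.TestPropertySource;
import org.springframework.test.web.servlet.MockMvc;

import static org.junit.jupiter.api.Assertions.assertEquals;
import static org.junit.jupiter.api.Assertions.assertFalse;
import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.user;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

@SpringBootTest
@AutoConfigureMockMvc
@TestPropertySource(properties = {
        // Constructed placeholder values for the two @Value properties in WebSecurityConfig
        "ldap.server.admin.group=SERVER_ADMINS",
        "myapp.user.group=APP_USERS",
        "management.endpoints.web.exposure.include=health,info"
})
class ActuatorAuthorizationTest {

    @Autowired
    private MockMvc mockMvc;

    // Same placeholder the security config reads; an unresolved or empty value
    // would make hasRole(SERVER_ADMIN_GROUP) match nothing useful
    @Value("${ldap.server.admin.group}")
    private String adminGroup;

    @Test
    void adminGroupPropertyIsResolved() {
        assertFalse(adminGroup.isEmpty(), "ldap.server.admin.group must not be empty");
        assertEquals("SERVER_ADMINS", adminGroup);
    }

    @Test
    void healthIsOpenToAnonymousCallers() throws Exception {
        // /actuator/health is permitAll in the config
        mockMvc.perform(get("/actuator/health"))
                .andExpect(status().isOk());
    }

    @Test
    void otherActuatorEndpointsAreForbiddenWithoutAdminRole() throws Exception {
        // A caller holding only the application user role hits the /actuator/** rule
        // and is rejected, which is the 403 reported in the question
        mockMvc.perform(get("/actuator/info").with(user("jenkins").roles("APP_USERS")))
                .andExpect(status().isForbidden());
    }

    @Test
    void otherActuatorEndpointsAreAllowedWithAdminRole() throws Exception {
        // roles("SERVER_ADMINS") grants the authority ROLE_SERVER_ADMINS,
        // which is what hasRole("SERVER_ADMINS") checks for
        mockMvc.perform(get("/actuator/info").with(user("jenkins").roles("SERVER_ADMINS")))
                .andExpect(status().isOk());
    }
}
```

If the third test passes but the real Jenkins call still gets 403, the rule itself is fine and the problem lies in what the authentication filter actually grants to that caller (for example a group name that does not match the property value, or one missing the ROLE_ prefix); if the first test fails, the property is not reaching the configuration, which is the case the answer describes.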
