我有一个带有客户端和服务器身份验证的Spring Boot 2项目,我正在尝试仅公开/actuator/health
端点,因此它不需要任何身份验证。
我的最初WebSecurityConfigurerAdapter
是:
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
...
private void configureWithSsl(@NotNull HttpSecurity http) throws Exception {
LOG.info("configuring access with ssl");
http
.csrf().disable()
.authorizeRequests()
.anyRequest().authenticated()
.and().x509()
.and().userDetailsService(userDetailsService());
}
...
}
和application.yaml
server:
port: 8443
ssl:
enabled: true
key-store: 'paht/to/kestore/keystore.jks'
key-store-password: 123456
key-store-type: JKS
client-auth: need
trust-store: 'paht/to/truststore/truststore.jks'
trust-store-type: JKS
trust-store-password: 123456
protocol: TLS
enabled-protocols: TLSv1.2
我尝试过:1.将"频道"配置为端点
的不安全 private void configureWithSsl(HttpSecurity http) throws Exception {
http
.csrf().disable()
.requiresChannel().requestMatchers(EndpointRequest.to("health")).requiresInsecure()
.and()
.authorizeRequests()
.anyRequest().authenticated()
.and().x509()
.and().userDetailsService(userDetailsService());
}
- 将匹配器添加到端点:
private void configureWithSsl(HttpSecurity http) throws Exception {
http
.csrf().disable()
.authorizeRequests()
.requestMatchers(EndpointRequest.to("health")).permitAll()
.anyRequest().authenticated()
.and().x509()
.and().userDetailsService(userDetailsService());
}
- 添加忽略到端点:
@Override
public void configure(WebSecurity web) throws Exception {
web.ignoring().requestMatchers(EndpointRequest.to("health"));
}
我尝试了所有这些组合,但我仍然得到
curl -k https://localhost:8443/actuator/health
curl: (35) error:1401E412:SSL routines:CONNECT_CR_FINISHED:sslv3 alert bad certificate
curl http://localhost:8443/actuator/health
Bad Request
This combination of host and port requires TLS.
我只希望没有保护健康终点,其余的执行器端点我确实需要确保,因此配置management.server.ssl.enabled=false
不会解决问题...
编辑:
根据@aritra Paul的答案,我也尝试了:
http
.csrf().disable()
.authorizeRequests()
.antMatchers( "/actuator/health/**").permitAll()
.antMatchers( "/**").authenticated()
.and().x509()
.and().userDetailsService(userDetailsService());
,但我仍然得到相同的结果。
我有一个非常相似的情况,我们在端点上添加了 X.509
身份验证,但想保持弹簧执行器端点不含身份验证。
使用Spring 2.2.3,可以像您一样使用SSL配置server
,但是在您的management
配置中禁用SSL(用于配置执行器端点)中的SSL类似:
management:
server:
port: 8080
ssl:
enabled: false
这种简单的组合使我们能够在端口8080上没有AUTH的执行器端点,而我们在端口8443上使用SSL击中其他端点。
我解决了如下
在SecurityConfig
中实现WebSecurityConfigurerAdapter
@Override
protected void configure(HttpSecurity http) throws Exception {
http.regexMatcher("^(?!(/actuator/)).*$")
.csrf().disable()
.authorizeRequests()
.anyRequest()
.authenticated()
.and()
.x509()
.subjectPrincipalRegex("CN=(.*?)(?:,|$)")
.userDetailsService(userDetailsService());
和application.yaml
management:
server:
port: 8088
ssl:
enabled: false
endpoint:
health:
probes:
enabled: true
health:
livenessState:
enabled: true
readinessState:
enabled: true
我知道您要为所有其他URL打开actuator/health
URL的内容是基于角色或授权。如果是这样,您可以尝试像Bellow
@Override
public void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.antMatchers( "/actuator/health/**").permitAll()
.antMatchers("/other-url/**").hasRole("your role")
.authenticated();
}