一尘不染

无法保护Spring Boot管理执行器端点

spring-boot

我正在尝试保护Spring Boot执行器端点。我的/apiREST接口具有安全性,但是尝试在内置端点上添加安全性似乎不起作用。

我在我的终端中设置了端点分组application.properties

management.context-path=/management

我的Java Config中有这个

@Override
protected void configure( HttpSecurity http ) throws Exception
{
    http.csrf().disable();
    http.sessionManagement().sessionCreationPolicy( SessionCreationPolicy.STATELESS );

    http.authorizeRequests()
        .antMatchers( "/api/**" ).hasRole( "READONLY" )
        .antMatchers( "/management/**" ).hasRole( "ADMIN" );


    SecurityConfigurer<DefaultSecurityFilterChain, HttpSecurity> securityConfigurer = new XAuthTokenConfigurer( userDetailsServiceBean() );
    http.apply( securityConfigurer );
}

当我使用浏览器转到下面的任何内容时/api,都得到了预期的403返回。management/info例如,当转到/时,我看到返回了JSON,而我也希望它返回403。

我也尝试将其添加到我的application.properties文件中:

management.security.role=ADMIN

但这也无济于事。

DEBUG输出显示:

2014-05-02 10:15:30 DEBUG [localhost-startStop-1] ExpressionBasedFilterInvocationSecurityMetadataSource - 
Adding web access control expression 'hasRole('ROLE_READONLY')', for Ant [pattern='/api/**']

2014-05-02 10:15:30 DEBUG [localhost-startStop-1] ExpressionBasedFilterInvocationSecurityMetadataSource - 
Adding web access control expression 'hasRole('ROLE_ADMIN')', for Ant [pattern='/management/**']

然后为什么我尝试HTTP GET:

2014-05-02 10:16:39 DEBUG [http-nio-8443-exec-4] AntPathRequestMatcher - Checking match of request : '/management/info'; against '/css/**'
2014-05-02 10:16:39 DEBUG [http-nio-8443-exec-4] AntPathRequestMatcher - Checking match of request : '/management/info'; against '/js/**'
2014-05-02 10:16:39 DEBUG [http-nio-8443-exec-4] AntPathRequestMatcher - Checking match of request : '/management/info'; against '/images/**'
2014-05-02 10:16:39 DEBUG [http-nio-8443-exec-4] AntPathRequestMatcher - Checking match of request : '/management/info'; against '/**/favicon.ico'
2014-05-02 10:16:39 DEBUG [http-nio-8443-exec-4] AntPathRequestMatcher - Checking match of request : '/management/info'; against '/management/info'
2014-05-02 10:16:39 DEBUG [http-nio-8443-exec-4] FilterChainProxy - /management/info has an empty filter list

阅读 310

收藏
2020-05-30

共1个答案

一尘不染

讲述这个故事的日志是:“ / management / info的过滤器列表为空”,因为它被明确标记为已忽略(始终应该使用/
info)。尝试其他执行器端点之一,看看它们是否表现出预期的效果。如果您确实需要保护信息端点,则可以设置endpoints.info.sensitive =
true(我认为)。

2020-05-30