Spring Boot actuator basic security

How do I use basic security for management endpoints like /env, /health, /metrics? I want to use different user credentials for those endpoints than for the rest of the application's controller endpoints. My application.properties file below has the following for application controller security:

 security.user.name = user
 security.user.password = password

But I want a different username/password for the management endpoints. I could not find a property management.security.user.name.

+8
spring boot
3 answers

Spring Security has a "global" AuthenticationManager configured by @Bean instances of type GlobalAuthenticationConfigurerAdapter. This AuthenticationManager is the one that is configured using the security.user.* properties, unless you set security.basic.enabled=false. The global AM is also tied to the default management endpoints, and it is the parent of any "local" AuthenticationManagers defined in WebSecurityConfigurerAdapters (all of them ProviderManagers).

Thus, if you want different user accounts for the management endpoints and the application endpoints, you have (at least) two options:

  • Define a local AM for the application endpoints in a WebSecurityConfigurerAdapter and make sure that the management endpoints are not covered by this filter. This is easy, because it is what you get without thinking too much, just by adding an AuthenticationManagerBuilder to your WebSecurityConfigurerAdapter (provided that it is ordered neatly with respect to the one that protects the management endpoints).

  • Use the global AM (or even another local one) for the application endpoints and reconfigure the protection for the management endpoints (for example, set security.basic.enabled=false and add your own WebSecurityConfigurerAdapter covering the management endpoints). This may be more work and duplicates some Boot defaults, but at least you'll know what you're getting.

+2
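The second option from the answer above, as an added example that is not from the answer or from Spring Boot itself: two WebSecurityConfigurerAdapters, each with its own local AuthenticationManager and its own credentials, so that an actuator login can never be used against the application and vice versa. It assumes Spring Boot 1.x with Spring Security 4 (plaintext in-memory passwords; on Spring Security 5 the values need a {noop} prefix or a PasswordEncoder), that security.basic.enabled=false and management.security.enabled=false are set so Boot's own adapters back off, and that the actuator runs on the application port under management.context-path=/management. The user names, passwords and role names are placeholders.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

// Added example, not the original answer's code. Assumes security.basic.enabled=false,
// management.security.enabled=false and management.context-path=/management on the app port.
@Configuration
@EnableWebSecurity
public class SplitSecurityConfig {

    // Ordered first and scoped with antMatcher(): only /management/** requests enter this
    // filter chain, everything else falls through to the application chain below. This is
    // the "ordered neatly with respect to the management endpoints" part of the answer.
    @Configuration
    @Order(1)
    public static class ManagementSecurity extends WebSecurityConfigurerAdapter {

        // Local AM for the actuator: the "ops" user exists only here, so "user"/"password"
        // from the application chain is rejected on /management/**.
        @Override
        protected void configure(AuthenticationManagerBuilder auth) throws Exception {
            auth.inMemoryAuthentication()
                .withUser("ops").password("ops-secret").roles("ACTUATOR"); // placeholder credentials
        }

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.antMatcher("/management/**")
                .authorizeRequests().anyRequest().hasRole("ACTUATOR")
                .and().httpBasic().realmName("management")
                // Boot's own management adapter disables CSRF for the actuator; a custom
                // chain must do the same, otherwise POST /management/shutdown returns 403.
                .and().csrf().disable();
        }
    }

    // Application chain: separate local AM, separate users, form/basic login as you prefer.
    @Configuration
    @Order(2)
    public static class ApplicationSecurity extends WebSecurityConfigurerAdapter {

        @Override
        protected void configure(AuthenticationManagerBuilder auth) throws Exception {
            auth.inMemoryAuthentication()
                .withUser("user").password("password").roles("USER"); // placeholder credentials
        }

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.authorizeRequests().anyRequest().authenticated()
                .and().httpBasic().realmName("application");
        }
    }
}
```

The two adapters share no AuthenticationProvider, so a compromised application credential gives no access to /shutdown, /env or /jolokia; if the actuator is moved to a separate management.port, the /management/** matcher must be applied to that port's filter chain instead.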

To implement basic endpoint security, you need to use the properties below

 security.user.name=user
 security.user.password=password

and the configuration class should be as below

 import org.springframework.context.annotation.Configuration;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

 @Configuration
 public class SpringSecurityConfig extends WebSecurityConfigurerAdapter {

     @Override
     protected void configure(HttpSecurity http) throws Exception {
         // Every request must be authenticated via HTTP Basic; CSRF is disabled
         http.csrf().disable()
             .authorizeRequests().anyRequest().authenticated()
             .and().httpBasic();
     }
 }

Still not working? I hope this works.

Basic Authentication

+2

Dave has already explained it well, but here is a complete example using WebSecurityConfigurerAdapter with a database as the authentication source.

SecurityConfig.java

 import javax.sql.DataSource;

 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.builders.WebSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
 import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
 import org.springframework.security.web.util.matcher.AntPathRequestMatcher;

 @Configuration
 @EnableWebSecurity
 public class SecurityConfig extends WebSecurityConfigurerAdapter {

     @Autowired
     private DataSource dataSource;

     @Override
     public void configure(WebSecurity web) throws Exception {
         // Ignore any request that starts with /resources or /webjars
         web.ignoring()
             .antMatchers("/resources/**")
             .antMatchers("/webjars/**");
     }

     @Override
     protected void configure(HttpSecurity http) throws Exception {
         http.csrf().disable();

         http.authorizeRequests()
             // management access with basic auth: this rule must come before anyRequest(),
             // because the first matching rule wins and anything after anyRequest() is unreachable
             .antMatchers("/management/**").hasRole("ADMIN")
             // app access
             .antMatchers("/configuration").hasRole("ADMIN")
             .antMatchers("/user").hasRole("ADMIN")
             .anyRequest().fullyAuthenticated()
             .and()
             .exceptionHandling().accessDeniedPage("/auth_error")
             .and()
             .formLogin().loginPage("/login").failureUrl("/login?error").permitAll()
             .and()
             .logout().logoutRequestMatcher(new AntPathRequestMatcher("/logout"))
                 .logoutSuccessUrl("/").invalidateHttpSession(true)
             .and()
             .httpBasic();
     }

     @Override
     public void configure(AuthenticationManagerBuilder auth) throws Exception {
         // Users and authorities come from the database; passwords are stored as bcrypt hashes
         auth.jdbcAuthentication().dataSource(dataSource)
             .passwordEncoder(new BCryptPasswordEncoder());
     }
 }

And this is my application.properties

application.properties

 # MANAGEMENT HTTP SERVER (ManagementServerProperties)
 management.port=8081
 management.address=127.0.0.1
 management.context-path=/management
 management.security.enabled=true

 # MVC ONLY ENDPOINTS
 endpoints.jolokia.path=/jolokia
 endpoints.jolokia.sensitive=true
 endpoints.jolokia.enabled=true

 # JMX ENDPOINT (EndpointMBeanExportProperties)
 endpoints.jmx.enabled=true
 endpoints.jmx.domain=org.springboot
 endpoints.jmx.unique-names=false

 # ENDPOINT
 endpoints.enabled=true
 endpoints.shutdown.id=shutdown
 endpoints.shutdown.sensitive=true
 endpoints.shutdown.enabled=true

 # HYPERMEDIA ENDPOINTS
 endpoints.actuator.enabled=true
 endpoints.actuator.path=/actuator
 endpoints.actuator.sensitive=false

You can find the other endpoint properties in the Spring Boot application properties reference.

Management request example

The ADMIN Role user (username: admin, password: password) has already been added to the database.

  • Example management request to shut the application down

     $ curl -u admin:password -X POST http://127.0.0.1:8081/management/shutdown
     {"message":"Shutting down, bye..."}

  • Example management requests reading HeapMemoryUsage and ThreadCount via Jolokia

     $ curl -u admin:password http://127.0.0.1:8081/management/jolokia/read/java.lang:type=Memory/HeapMemoryUsage
     {"request":{"mbean":"java.lang:type=Memory","attribute":"HeapMemoryUsage","type":"read"},"value":{"init":268435456,"committed":829947904,"max":3817865216,"used":466033000},"timestamp":1444167809,"status":200}

     $ curl -u admin:password http://127.0.0.1:8081/management/jolokia/read/java.lang:type=Threading/ThreadCount
     {"request":{"mbean":"java.lang:type=Threading","attribute":"ThreadCount","type":"read"},"value":47,"timestamp":1444174639,"status":200}

  • Example management request for a health check

     $ curl -u admin:password http://127.0.0.1:8081/management/health
     {"status":"UP","diskSpace":{"status":"UP","free":163634987008,"threshold":10485760},"db":{"status":"UP","database":"H2","hello":1}}
+1
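The answer above says the ADMIN user "has already been added to the database" without showing how. As an added example (not part of the answer), this CommandLineRunner creates the users/authorities tables that auth.jdbcAuthentication() queries by default and seeds the admin user the curl commands use. It assumes the H2 DataSource that Boot auto-configures for the answer's health check, and two details practitioners commonly get wrong are made explicit in comments: the stored password must be the bcrypt hash that the configured BCryptPasswordEncoder compares against, and hasRole("ADMIN") looks for the authority string ROLE_ADMIN. The class name and the "admin"/"password" values are placeholders.

```java
import javax.sql.DataSource;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.CommandLineRunner;
import org.springframework.jdbc.core.JdbcTemplate;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.stereotype.Component;

// Added example, not the original answer's code. Seeds the default Spring Security
// JDBC schema (users / authorities) with the admin account used by the curl requests.
@Component
public class AdminUserSeeder implements CommandLineRunner {

    private final JdbcTemplate jdbc;
    // Same encoder as in SecurityConfig, so the stored hash is what login compares against
    private final PasswordEncoder encoder = new BCryptPasswordEncoder();

    @Autowired
    public AdminUserSeeder(DataSource dataSource) {
        this.jdbc = new JdbcTemplate(dataSource);
    }

    @Override
    public void run(String... args) {
        // Default tables/columns read by jdbcAuthentication() (JdbcDaoImpl's
        // users-by-username and authorities-by-username queries). H2 syntax.
        jdbc.execute("CREATE TABLE IF NOT EXISTS users ("
            + "username VARCHAR(50) NOT NULL PRIMARY KEY,"
            + "password VARCHAR(100) NOT NULL,"   // long enough for a 60-char bcrypt hash
            + "enabled BOOLEAN NOT NULL)");
        jdbc.execute("CREATE TABLE IF NOT EXISTS authorities ("
            + "username VARCHAR(50) NOT NULL,"
            + "authority VARCHAR(50) NOT NULL,"
            + "CONSTRAINT fk_authorities_users FOREIGN KEY (username) REFERENCES users (username))");
        jdbc.execute("CREATE UNIQUE INDEX IF NOT EXISTS ix_auth_username ON authorities (username, authority)");

        Integer existing = jdbc.queryForObject(
            "SELECT COUNT(*) FROM users WHERE username = ?", Integer.class, "admin");
        if (existing == 0) {
            // Store the bcrypt hash, never the plaintext; "password" is a placeholder value
            jdbc.update("INSERT INTO users (username, password, enabled) VALUES (?, ?, TRUE)",
                "admin", encoder.encode("password"));
            // hasRole("ADMIN") in SecurityConfig matches the authority "ROLE_ADMIN"
            // (Spring Security prepends the ROLE_ prefix), so that is what must be stored
            jdbc.update("INSERT INTO authorities (username, authority) VALUES (?, ?)",
                "admin", "ROLE_ADMIN");
        }
    }
}
```

With this in place, `curl -u admin:password http://127.0.0.1:8081/management/health` authenticates against the database; storing the password in plaintext or the authority as "ADMIN" instead of "ROLE_ADMIN" are the two changes that make the same request fail with 401 or 403.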
