我有一个Spring Boot 2项目,其中包含客户端和服务器身份验证,我想仅公开/actuator/health
端点,以便无需进行任何身份验证。
我的初始WebSecurityConfigurerAdapter
如下:
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
...
private void configureWithSsl(@NotNull HttpSecurity http) throws Exception {
LOG.info("configuring access with ssl");
http
.csrf().disable()
.authorizeRequests()
.anyRequest().authenticated()
.and().x509()
.and().userDetailsService(userDetailsService());
}
...
}
以及 application.yaml
文件
server:
port: 8443
ssl:
enabled: true
key-store: 'paht/to/kestore/keystore.jks'
key-store-password: 123456
key-store-type: JKS
client-auth: need
trust-store: 'paht/to/truststore/truststore.jks'
trust-store-type: JKS
trust-store-password: 123456
protocol: TLS
enabled-protocols: TLSv1.2
我已经尝试过以下方法: 1. 将终端点的 'channel'配置为不安全。
private void configureWithSsl(HttpSecurity http) throws Exception {
http
.csrf().disable()
.requiresChannel().requestMatchers(EndpointRequest.to("health")).requiresInsecure()
.and()
.authorizeRequests()
.anyRequest().authenticated()
.and().x509()
.and().userDetailsService(userDetailsService());
}
- 为端点添加匹配器:
private void configureWithSsl(HttpSecurity http) throws Exception {
http
.csrf().disable()
.authorizeRequests()
.requestMatchers(EndpointRequest.to("health")).permitAll()
.anyRequest().authenticated()
.and().x509()
.and().userDetailsService(userDetailsService());
}
- 在端点中添加忽略选项:
@Override
public void configure(WebSecurity web) throws Exception {
web.ignoring().requestMatchers(EndpointRequest.to("health"));
}
我尝试了所有这些组合,但仍然出现问题。
curl -k https://localhost:8443/actuator/health
curl: (35) error:1401E412:SSL routines:CONNECT_CR_FINISHED:sslv3 alert bad certificate
curl http://localhost:8443/actuator/health
Bad Request
This combination of host and port requires TLS.
我希望只有健康端点不受保护,其他执行器端点需要受保护,因此配置
management.server.ssl.enabled=false
无法解决问题...
编辑:
根据@Aritra Paul的答案,我也尝试了:
http
.csrf().disable()
.authorizeRequests()
.antMatchers( "/actuator/health/**").permitAll()
.antMatchers( "/**").authenticated()
.and().x509()
.and().userDetailsService(userDetailsService());
但我仍然得到相同的结果。