ResourceServer 中的执行器和 OAuth2

【问题标题】:Actuator and OAuth2 in ResourceServerResourceServer 中的执行器和 OAuth2
【发布时间】:2018-09-09 20:46:43
【问题描述】:

我定义了一个 ResourceServer,它当前正在使用公钥验证 AccessToken。这按预期工作。

我想保留执行器端点的敏感行为,并为敏感端点使用 OAuth。

Spring boot 中的默认行为是使用某种形式的 Basic Auth 来保护 Actuator 端点。如何为敏感端点切换到 OAuth?

我尝试过的事情:

  1. management.security.enabled=false(对所有 Actuator 端点禁用所有形式的安全性)
  2. security.basic.enabled=false(似乎根本没有做任何事情)

如何实现所需的行为?

Edit-1:添加ResourceServer的配置

@Configuration
@EnableResourceServer
public class ResourceServerConfig extends ResourceServerConfigurerAdapter {

}

# OAuth2 Resource Configuration
security.oauth2.resource.filter-order=3
security.oauth2.resource.jwt.key-value=-----BEGIN PUBLIC KEY----- \
ABCD|\
-----END PUBLIC KEY-----

Edit-2:使用 management.security.enabled=false 的日志

2018-04-04 09:38:52,428 [restartedMain  ] INFO    o.s.s.w.DefaultSecurityFilterChain.<init>(ln:43) - Creating filter chain: OrRequestMatcher [requestMatchers=[Ant [pattern='/css/**'], Ant [pattern='/js/**'], Ant [pattern='/images/**'], Ant [pattern='/webjars/**'], Ant [pattern='/**/favicon.ico'], Ant [pattern='/error']]], []
2018-04-04 09:38:52,428 [restartedMain  ] INFO    o.s.s.w.DefaultSecurityFilterChain.<init>(ln:43) - Creating filter chain: org.springframework.boot.actuate.autoconfigure.ManagementWebSecurityAutoConfiguration$LazyEndpointPathRequestMatcher@cba0b40, []
2018-04-04 09:38:52,517 [restartedMain  ] DEBUG   o.s.s.w.a.e.ExpressionBasedFilterInvocationSecurityMetadataSource.processMap(ln:74) - Adding web access control expression 'hasAnyRole('ROLE_USER','ROLE_ACTUATOR')', for org.springframework.security.web.util.matcher.AnyRequestMatcher@1
2018-04-04 09:38:52,527 [restartedMain  ] DEBUG   o.s.s.a.i.AbstractSecurityInterceptor.afterPropertiesSet(ln:180) - Validated configuration attributes
2018-04-04 09:38:52,528 [restartedMain  ] DEBUG   o.s.s.a.i.AbstractSecurityInterceptor.afterPropertiesSet(ln:180) - Validated configuration attributes
2018-04-04 09:38:52,537 [restartedMain  ] INFO    o.s.s.w.DefaultSecurityFilterChain.<init>(ln:43) - Creating filter chain: Ant [pattern='/h2-console/**'], [org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter@2f0907e7, org.springframework.security.web.context.SecurityContextPersistenceFilter@7d0c8fcd, org.springframework.security.web.header.HeaderWriterFilter@1deb6ece, org.springframework.security.web.authentication.logout.LogoutFilter@54ae565a, org.springframework.security.web.authentication.www.BasicAuthenticationFilter@101e66ff, org.springframework.security.web.savedrequest.RequestCacheAwareFilter@48870c1e, org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter@2c3aa8cc, org.springframework.security.web.authentication.AnonymousAuthenticationFilter@43db62cc, org.springframework.security.web.session.SessionManagementFilter@1c417a06, org.springframework.security.web.access.ExceptionTranslationFilter@6af61e6, org.springframework.security.web.access.intercept.FilterSecurityInterceptor@e2595cc]
2018-04-04 09:38:52,559 [restartedMain  ] DEBUG   o.s.s.w.a.e.ExpressionBasedFilterInvocationSecurityMetadataSource.processMap(ln:74) - Adding web access control expression 'authenticated', for org.springframework.security.web.util.matcher.AnyRequestMatcher@1
2018-04-04 09:38:52,560 [restartedMain  ] DEBUG   o.s.s.a.i.AbstractSecurityInterceptor.afterPropertiesSet(ln:180) - Validated configuration attributes
2018-04-04 09:38:52,560 [restartedMain  ] DEBUG   o.s.s.a.i.AbstractSecurityInterceptor.afterPropertiesSet(ln:180) - Validated configuration attributes
2018-04-04 09:38:52,561 [restartedMain  ] INFO    o.s.s.w.DefaultSecurityFilterChain.<init>(ln:43) - Creating filter chain: org.springframework.security.web.util.matcher.AnyRequestMatcher@1, [org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter@71c85f60, org.springframework.security.web.context.SecurityContextPersistenceFilter@3867025d, org.springframework.security.web.header.HeaderWriterFilter@1fe578f, org.springframework.security.web.authentication.logout.LogoutFilter@6bcc7bbf, org.springframework.security.oauth2.provider.authentication.OAuth2AuthenticationProcessingFilter@52f4e578, org.springframework.security.web.savedrequest.RequestCacheAwareFilter@2a57cae0, org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter@5966b20a, org.springframework.security.web.authentication.AnonymousAuthenticationFilter@10e17172, org.springframework.security.web.session.SessionManagementFilter@440ed2d3, org.springframework.security.web.access.ExceptionTranslationFilter@76cc8ddc, org.springframework.security.web.access.intercept.FilterSecurityInterceptor@72a6a42e]
2018-04-04 09:38:52,565 [restartedMain  ] DEBUG   o.s.s.w.a.e.ExpressionBasedFilterInvocationSecurityMetadataSource.processMap(ln:74) - Adding web access control expression 'hasAnyRole('ROLE_USER','ROLE_ACTUATOR')', for org.springframework.security.web.util.matcher.AnyRequestMatcher@1
2018-04-04 09:38:52,566 [restartedMain  ] DEBUG   o.s.s.a.i.AbstractSecurityInterceptor.afterPropertiesSet(ln:180) - Validated configuration attributes
2018-04-04 09:38:52,566 [restartedMain  ] DEBUG   o.s.s.a.i.AbstractSecurityInterceptor.afterPropertiesSet(ln:180) - Validated configuration attributes
2018-04-04 09:38:52,567 [restartedMain  ] INFO    o.s.s.w.DefaultSecurityFilterChain.<init>(ln:43) - Creating filter chain: OrRequestMatcher [requestMatchers=[Ant [pattern='/**']]], [org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter@3b9584b5, org.springframework.security.web.context.SecurityContextPersistenceFilter@2181d916, org.springframework.security.web.header.HeaderWriterFilter@5ed5886a, org.springframework.security.web.authentication.logout.LogoutFilter@74909e09, org.springframework.security.web.authentication.www.BasicAuthenticationFilter@5b76b0e4, org.springframework.security.web.savedrequest.RequestCacheAwareFilter@7c129fed, org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter@ef6dedd, org.springframework.security.web.authentication.AnonymousAuthenticationFilter@6c8179fb, org.springframework.security.web.session.SessionManagementFilter@4d36e557, org.springframework.security.web.access.ExceptionTranslationFilter@1868a4d7, org.springframework.security.web.access.intercept.FilterSecurityInterceptor@15c448ac]


2018-04-04 09:39:53,545 [nio-8080-exec-1] DEBUG   o.s.s.w.u.m.OrRequestMatcher.matches(ln:65) - Trying to match using Ant [pattern='/metrics']
2018-04-04 09:39:53,545 [nio-8080-exec-1] DEBUG   o.s.s.w.u.m.AntPathRequestMatcher.matches(ln:157) - Checking match of request : '/metrics'; against '/metrics'
2018-04-04 09:39:53,545 [nio-8080-exec-1] DEBUG   o.s.s.w.u.m.OrRequestMatcher.matches(ln:68) - matched
2018-04-04 09:39:53,545 [nio-8080-exec-1] DEBUG   o.s.s.w.FilterChainProxy.doFilterInternal(ln:201) - /metrics has an empty filter list


2018-04-04 09:41:57,195 [nio-8080-exec-5] DEBUG   o.s.s.w.FilterChainProxy$VirtualFilterChain.doFilter(ln:325) - /customers at position 5 of 11 in additional filter chain; firing Filter: 'OAuth2AuthenticationProcessingFilter'
2018-04-04 09:41:57,196 [nio-8080-exec-5] DEBUG   o.s.s.o.p.a.BearerTokenExtractor.extractToken(ln:54) - Token not found in headers. Trying request parameters.
2018-04-04 09:41:57,196 [nio-8080-exec-5] DEBUG   o.s.s.o.p.a.BearerTokenExtractor.extractToken(ln:57) - Token not found in request parameters.  Not an OAuth2 request.
2018-04-04 09:41:57,196 [nio-8080-exec-5] DEBUG   o.s.s.o.p.a.OAuth2AuthenticationProcessingFilter.doFilter(ln:141) - No token in request, will continue chain.
2018-04-04 09:41:57,196 [nio-8080-exec-5] DEBUG   o.s.s.w.FilterChainProxy$VirtualFilterChain.doFilter(ln:325) - /customers at position 6 of 11 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
2018-04-04 09:41:57,196 [nio-8080-exec-5] DEBUG   o.s.s.w.FilterChainProxy$VirtualFilterChain.doFilter(ln:325) - /customers at position 7 of 11 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
2018-04-04 09:41:57,198 [nio-8080-exec-5] DEBUG   o.s.s.w.FilterChainProxy$VirtualFilterChain.doFilter(ln:325) - /customers at position 8 of 11 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
2018-04-04 09:41:57,198 [nio-8080-exec-5] DEBUG   o.s.s.w.a.AnonymousAuthenticationFilter.doFilter(ln:100) - Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken@9055c2bc: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@b364: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: null; Granted Authorities: ROLE_ANONYMOUS'
2018-04-04 09:41:57,199 [nio-8080-exec-5] DEBUG   o.s.s.w.FilterChainProxy$VirtualFilterChain.doFilter(ln:325) - /customers at position 9 of 11 in additional filter chain; firing Filter: 'SessionManagementFilter'
2018-04-04 09:41:57,199 [nio-8080-exec-5] DEBUG   o.s.s.w.s.SessionManagementFilter.doFilter(ln:124) - Requested session ID A2BB697A35FC287599CE86AA715115CA is invalid.
2018-04-04 09:41:57,199 [nio-8080-exec-5] DEBUG   o.s.s.w.FilterChainProxy$VirtualFilterChain.doFilter(ln:325) - /customers at position 10 of 11 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
2018-04-04 09:41:57,199 [nio-8080-exec-5] DEBUG   o.s.s.w.FilterChainProxy$VirtualFilterChain.doFilter(ln:325) - /customers at position 11 of 11 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
2018-04-04 09:41:57,200 [nio-8080-exec-5] DEBUG   o.s.s.a.i.AbstractSecurityInterceptor.beforeInvocation(ln:219) - Secure object: FilterInvocation: URL: /customers; Attributes: [#oauth2.throwOnError(authenticated)]
2018-04-04 09:41:57,200 [nio-8080-exec-5] DEBUG   o.s.s.a.i.AbstractSecurityInterceptor.authenticateIfRequired(ln:348) - Previously Authenticated: org.springframework.security.authentication.AnonymousAuthenticationToken@9055c2bc: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@b364: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: null; Granted Authorities: ROLE_ANONYMOUS
2018-04-04 09:41:57,205 [nio-8080-exec-5] DEBUG   o.s.s.a.v.AffirmativeBased.decide(ln:66) - Voter: org.springframework.security.web.access.expression.WebExpressionVoter@794e8437, returned: -1
2018-04-04 09:41:57,207 [nio-8080-exec-5] DEBUG   o.s.s.w.a.ExceptionTranslationFilter.handleSpringSecurityException(ln:173) - Access is denied (user is anonymous); redirecting to authentication entry point
org.springframework.security.access.AccessDeniedException: Access is denied

【问题讨论】:

  • "1.5.9.RELEASE"

标签: spring spring-boot spring-security spring-boot-actuator


【解决方案1】:

蛮力方法是在您的WebSecurityConfigurerAdapter 中明确保护您的执行器端点。应该这样做:

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.formLogin()
            .and()
            .httpBasic().disable()
            .anonymous().disable()
            .authorizeRequests().anyRequest().authenticated();
    }

看看this tutorial。接下来,您应该能够在配置中使用适当的匹配器来保护任何端点。

【讨论】:

  • 感谢您的回复。我曾尝试过这种方法,但发现它可以保护对执行器端点的所有调用。例如:拥有一些非安全端点(如 /info 或 /health)的默认行为已不复存在。有什么方法可以保留执行器的默认安全行为并使用 oauth 而不是 basic 来保护它?
  • 有一个属性:security.oauth2.resource.filter-order,您可以将其设置为 3。这会将 oauth2 过滤器放在执行器端点的前面,因此应该使用 oauth2 保护它们。看到这个答案:stackoverflow.com/questions/43526821/…
  • 看来我之前的评论弄错了。配置 WebSecurityConfigurerAdapter 时,不会禁用 Actuator 上的安全性。 filter-order 属性仅将 oAuth 过滤器切换为与执行器的过滤器相比具有更高的顺序。因此,一旦我传递了一个有效的令牌,Actuator 的过滤器就会使用 401 阻止该请求。所以此时我至少在寻找一种解决方案,我可以通过 OAuth 保护所有 Actuator 端点。在这篇文章中,@dur 强调了在配置 ResourceServer 时,不需要 WebSecurityConfigurerAdapter。
  • 这是另一篇文章的链接。 stackoverflow.com/questions/48629266/…
猜你喜欢
  • 2017-02-09
  • 2017-10-17
  • 1970-01-01
  • 2021-05-25
  • 2016-01-15
  • 2017-06-11
  • 1970-01-01
  • 1970-01-01
  • 1970-01-01
相关资源
最近更新 更多
热门标签
Java Python linux javascript Mysql C# Docker 算法 前端 SpringBoot Redis Vue spring 设计模式 .net core .net kubernetes c++ 数据库 数据结构 大数据 js 机器学习 微服务 Android Go 程序员 面试 JVM ASP.net core 云原生 人工智能 后端 PHP git CSS golang k8s Nginx Django mybatis 深度学习 多线程 React 架构 devops 爬虫 云计算 Spring Boot LeetCode