当在生产中我想禁用 /actuator 端点但仍然允许 /actuator/health。我已经使用 SecurityConfigurerAdapter 尝试了下面的代码,但它返回 500。我想返回 404 并获得“找不到页面”错误页面。非常感谢任何帮助
@Override
protected void configure(HttpSecurity http) throws Exception {
super.configure(http);
if(isProd) {
http.authorizeRequests().antMatchers("/actuator/", "/actuator").denyAll();
}
}
【问题讨论】:
标签: java spring spring-boot spring-security spring-boot-actuator
您不必使用 Spring Security。
这可以使用属性进行配置:
默认情况下,健康和信息通过网络公开。
因此,您可以在生产和开发中继续运行您的应用程序
-Dmanagement.endpoints.web.exposure.include=*
【讨论】:
@Configuration
@EnableWebSecurity
//@EnableOAuth2Sso
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
@Autowired
private JwtAuthenticationEntryPoint jwtAuthenticationEntryPoint;
@Autowired
private JwtRequestFilter jwtRequestFilter;
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.csrf().disable()
// dont authenticate this particular request
.authorizeRequests()
.antMatchers(
"/api/login",
"/user/create-new-user",
"/user/get-verification",
"/user/pwd-reset",
"/user/pwd-reset/verification",
"/api/swagger-ui.html")
.permitAll()
// .antMatchers("/**").permitAll().hasRole("ADMIN")
.anyRequest()
.fullyAuthenticated()
.and()
.exceptionHandling().authenticationEntryPoint(jwtAuthenticationEntryPoint).and().sessionManagement()
.sessionCreationPolicy(SessionCreationPolicy.STATELESS);
// .and()
// .logout()
// .logoutRequestMatcher(new AntPathRequestMatcher("/api/logout")).logoutSuccessUrl("/https://www.baeldung.com/spring-security-logout")
// .invalidateHttpSession(true).deleteCookies("JSESSIONID");
// Add a filter to validate the tokens with every request
http
.addFilterBefore(jwtRequestFilter, UsernamePasswordAuthenticationFilter.class);
}
}
或者这样用
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests()
.antMatchers("/", "/home").access("hasRole('USER')")
.antMatchers("/admin/**").hasRole("ADMIN")
.and()
// some more method calls
.formLogin();
}
【讨论】: