xia*_*000 5 spring spring-security spring-boot spring-boot-actuator
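I am refactoring an old Java Spring project into Spring Boot and deploying it in the traditional WAR style. For some reason, I have to stick with the traditional web.xml to start the application. Thanks to Spring Boot legacy, I can achieve this through web.xml: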
```xml
<context-param>
    <param-name>contextConfigLocation</param-name>
    <param-value>com.MyServerServletConfig</param-value>
</context-param>
<listener>
    <listener-class>org.springframework.boot.legacy.context.web.SpringBootContextLoaderListener</listener-class>
</listener>
<servlet>
    <servlet-name>myservlet</servlet-name>
    <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
    <init-param>
        <param-name>contextConfigLocation</param-name>
        <param-value></param-value>
    </init-param>
    <load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
    <servlet-name>myservlet</servlet-name>
    <url-pattern>/*</url-pattern>
</servlet-mapping>
```
In addition, I added the Spring Boot Actuator dependency. The application.properties is as follows:
```properties
endpoints.enabled=true
endpoints.sensitive=true
management.security.enabled=true
management.context-path=/manage
security.user.password=myserver
security.user.name=myserver
```
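The application starts normally, but when I try to access the endpoints from a browser, it just returns the error `401 Full authentication is required to access this resource` without asking me for a username and password. The relevant logs are as follows: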
```
16:00:04.264 DEBUG [resin-port-8081-19] org.springframework.web.servlet.DispatcherServlet: DispatcherServlet with name 'myservlet' processing GET request for [/manage/health]
16:00:04.264 DEBUG [resin-port-8081-19] org.springframework.boot.actuate.endpoint.mvc.EndpointHandlerMapping: Looking up handler method for path /manage/health
16:00:04.264 DEBUG [resin-port-8081-19] org.springframework.boot.actuate.endpoint.mvc.EndpointHandlerMapping: Returning handler method [public java.lang.Object org.springframework.boot.actuate.endpoint.mvc.HealthMvcEndpoint.invoke(javax.servlet.http.HttpServletRequest,java.security.Principal)]
16:00:04.264 DEBUG [resin-port-8081-19] org.springframework.web.servlet.DispatcherServlet: Last-Modified value for [/manage/health] is: -1
16:00:04.264 DEBUG [resin-port-8081-19] org.springframework.core.env.PropertySourcesPropertyResolver: Found key 'endpoints.sensitive' in [applicationConfig: [classpath:../conf/application.properties]] with type [String]
16:00:04.265 DEBUG [resin-port-8081-19] org.springframework.web.servlet.DispatcherServlet: Successfully completed request
```
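What could be the cause of this problem? Is there any difference between the DispatcherServlet that Spring Boot builds automatically and the DispatcherServlet explicitly defined in web.xml? For security reasons, `management.security.enabled=true` is necessary.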
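See this section of the Spring Boot manual:
https://docs.spring.io/spring-boot/docs/current/reference/html/product-ready-monitoring.html
In particular this section:
48.1 Accessing sensitive endpoints
By marking endpoints as sensitive, you will not be able to see them unless you are logged in with the appropriate role. Therefore, you must set up Spring Security for the sensitive endpoints.
Here is a good blog post on how to do this:
http://www.devglan.com/spring-security/secure-spring-boot-actuator-endpoints-with-spring-security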
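An added example (not code from the question, the answer, or the linked post) of a Spring Security configuration that makes `/manage/**` answer an unauthenticated request with an HTTP Basic challenge, so the browser prompts for credentials. Assumptions: Spring Boot 1.x with Spring Security 4, the `ACTUATOR` role, the hypothetical package and class names, and a `DelegatingFilterProxy` named `springSecurityFilterChain` mapped to `/*` in web.xml so that the filter chain runs in front of the `DispatcherServlet`.

```java
package com.example.security; // hypothetical package name

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;

// Assumption: web.xml maps a DelegatingFilterProxy named "springSecurityFilterChain"
// to /*; without that mapping these rules are never applied to incoming requests.
@Configuration
@EnableWebSecurity
public class ManagementSecurityConfig extends WebSecurityConfigurerAdapter {

    // Credentials are read from the security.user.* keys already present in
    // application.properties, so they are not duplicated in source code.
    @Value("${security.user.name}")
    private String managementUser;

    @Value("${security.user.password}")
    private String managementPassword;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // Restrict this chain to the management.context-path from the question.
            .antMatcher("/manage/**")
            .authorizeRequests()
                .anyRequest().hasRole("ACTUATOR") // assumed role name
                .and()
            // Sends "WWW-Authenticate: Basic" on 401, which triggers the browser prompt.
            .httpBasic().realmName("management")
                .and()
            // Monitoring clients send credentials on every call; keep no session.
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
    }

    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        // In-memory user for illustration; Spring Security 4 accepts the plain value,
        // Spring Security 5+ requires a PasswordEncoder or an encoded password.
        auth.inMemoryAuthentication()
            .withUser(managementUser).password(managementPassword).roles("ACTUATOR");
    }
}
```

A quick check after deployment is that an unauthenticated `GET /manage/health` returns 401 with a `WWW-Authenticate` header, and that the same request with valid credentials returns 200.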