WebFlux:仅在特定路径上使用 HTTP Basic 认证,其他所有路径都使用 JWT

oo7oh9g9  于 2021-09-29  发布在  Java

我有一个 Spring Boot 应用程序,它对所有端点都使用 JWT 认证。现在我想添加一个 /actuator 端点,并对它使用 HTTP Basic 认证,以便 Prometheus 抓取(scrape)指标。

/**
 * Reactive security configuration exposing a single filter chain in which every exchange is
 * authenticated as an OAuth2 resource server (JWT bearer tokens).
 *
 * NOTE(review): the stated intent is HTTP Basic for the actuator, but this chain disables
 * `httpBasic` and registers only the JWT mechanism, so `/actuator` is protected by JWT exactly
 * like every other path. In WebFlux a per-path authentication mechanism is normally expressed as
 * a second [SecurityWebFilterChain] bean that is restricted with `securityMatcher(...)` and
 * ordered ahead of the catch-all chain.
 */
@EnableWebFluxSecurity
@EnableReactiveMethodSecurity
class SecurityConfig(
  val userService: UserService
) {

  /**
   * Builds the application's only security filter chain.
   *
   * Authorization rules are evaluated in declaration order, so the specific matchers must stay
   * ahead of the `anyExchange` rule.
   *
   * @param http builder supplied by Spring Security
   * @return the configured chain
   */
  @Bean
  fun springSecurityFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain? {
    // CORS pre-flight requests carry no credentials, so OPTIONS is let through on every path.
    val preflightRequests = ServerWebExchangeMatchers.pathMatchers(HttpMethod.OPTIONS, "/**")

    // This pattern has no wildcard: sub-paths such as /actuator/prometheus are not covered by it
    // and fall through to the anyExchange rule. Both rules require `authenticated` today, so
    // access is the same, but the gap matters once the actuator rule is tightened (e.g. to a role).
    val actuatorRoot = ServerWebExchangeMatchers.pathMatchers("/actuator")

    return http {
      // CSRF protection is off; presumably credentials only travel in the Authorization header.
      // Confirm no cookie- or session-based authentication is in use.
      csrf { disable() }
      formLogin { disable() }
      // With Basic disabled here, no request to this chain can authenticate with a password.
      httpBasic { disable() }

      authorizeExchange {
        authorize(preflightRequests, permitAll)

        // Intended to use Basic auth instead of JWT; this rule alone does not select a mechanism.
        authorize(actuatorRoot, authenticated)

        authorize(anyExchange, authenticated)
      }

      oauth2ResourceServer {
        jwt { jwtAuthenticationConverter = customConverter() }
      }
    }
  }
}

在 Spring MVC 栈中,我会使用类似下面的配置:

/**
 * Servlet (Spring MVC) security configuration that splits authentication by path using two
 * ordered adapters: HTTP Basic for the management endpoints, a separate setup for the API.
 *
 * NOTE(review): the outer class also extends WebSecurityConfigurerAdapter but overrides nothing
 * in this snippet; confirm that this third adapter is intended.
 * NOTE(review): WebSecurityConfigurerAdapter is deprecated since Spring Security 5.7 and absent
 * from 6.x, where SecurityFilterChain beans take its place.
 */
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class SecurityConfig extends WebSecurityConfigurerAdapter {
    /**
     * Chain for the management (actuator) endpoints. {@code @Order(1)} puts it ahead of the API
     * adapter, and the path matcher in {@link #configure(HttpSecurity)} limits it to the
     * management base path.
     */
    @Configuration
    @Order(1)
    public static class ActuatorWebSecurityConfigurationAdapter extends WebSecurityConfigurerAdapter {
        // Base path of the management endpoints, taken from the standard actuator property.
        @Value("${management.endpoints.web.base-path}")
        private String managementPath;

        // User name of the single scrape account.
        @Value("${config.actuator.user.name}")
        private String actuatorUser;

        // Clear-text password of the scrape account. It is only hashed in memory at startup, so
        // the property source holds the real secret and needs to be protected accordingly.
        @Value("${config.actuator.user.password}")
        private String actuatorPassword;

        /**
         * Registers one in-memory user with the authority {@code ROLE_ACTUATOR}; the configured
         * password is encoded with {@link #passwordEncoder()} before it is stored.
         */
        @Autowired
        public void configure(AuthenticationManagerBuilder auth) throws Exception {
            auth.inMemoryAuthentication()
                    .withUser(actuatorUser)
                    .password(passwordEncoder().encode(actuatorPassword))
                    .authorities("ROLE_ACTUATOR");
        }

        /**
         * Password hashing used for the in-memory user.
         *
         * NOTE(review): HTTP Basic sends the password on every request, so each scrape is likely
         * to cost one Argon2 verification; check the scrape interval against that cost.
         */
        @Bean
        public PasswordEncoder passwordEncoder() {
            return new Argon2PasswordEncoder();
        }

        /**
         * Restricts this chain to {@code managementPath + "/**"}, requires the role
         * {@code ACTUATOR} for every request on it and enables HTTP Basic.
         *
         * NOTE(review): unlike the API adapter below, this method carries no {@code @Override}.
         * Basic credentials are only base64-encoded, so the endpoint should be reachable over
         * TLS only.
         */
        protected void configure(HttpSecurity http) throws Exception {
            http.antMatcher(managementPath + "/**")
                    .cors().and()
                    .csrf().disable()
                    .authorizeRequests()
                    .anyRequest()
                    .hasRole("ACTUATOR")
                    .and()
                    .httpBasic();
        }
    }

    /**
     * Chain for everything else. It declares no path matcher, so with {@code @Order(2)} it
     * receives the requests the actuator chain did not claim.
     */
    @Configuration
    @Order(2)
    public static class ApiWebSecurityConfigurationAdapter extends WebSecurityConfigurerAdapter {
        // The snippet is abbreviated: the provider argument and the authorization rules are elided.
        @Override
        protected void configure(HttpSecurity http) throws Exception {
             http
                    .cors().and()
                    .csrf().disable()
                    .authenticationProvider(...)
                    .authorizeRequests()
                    // ...
        }
    }
}

这在 WebFlux 中应该如何实现?
