webflux http basic仅在特定路径上运行，而其他所有路径都使用jwt

oo7oh9g9 于 2021-09-29 发布在 Java

关注(0)|答案(0)|浏览(171)

我有一个SpringBoot应用程序，它对所有端点使用jwt。现在我想添加一个 /actuator 使用基本身份验证启用prometheus刮片度量的端点。

@EnableWebFluxSecurity
@EnableReactiveMethodSecurity
class SecurityConfig(
  val userService: UserService
) {

  @Bean
  fun springSecurityFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain? {
    return http {
      csrf { disable() }
      formLogin { disable() }
      httpBasic { disable() }
      authorizeExchange {
        authorize(ServerWebExchangeMatchers.pathMatchers(HttpMethod.OPTIONS, "/**"), permitAll)

        // the following should not use JWT but basic auth
        authorize(ServerWebExchangeMatchers.pathMatchers("/actuator"), authenticated)

        authorize(anyExchange, authenticated)
      }
      oauth2ResourceServer {
        jwt {
          jwtAuthenticationConverter = customConverter()
        }
      }
    }
  }
}

在mvc堆栈中，我将使用如下内容：

@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class SecurityConfig extends WebSecurityConfigurerAdapter {
    @Configuration
    @Order(1)
    public static class ActuatorWebSecurityConfigurationAdapter extends WebSecurityConfigurerAdapter {
        @Value("${management.endpoints.web.base-path}")
        private String managementPath;

        @Value("${config.actuator.user.name}")
        private String actuatorUser;

        @Value("${config.actuator.user.password}")
        private String actuatorPassword;

        @Autowired
        public void configure(AuthenticationManagerBuilder auth) throws Exception {
            auth.inMemoryAuthentication()
                    .withUser(actuatorUser)
                    .password(passwordEncoder().encode(actuatorPassword))
                    .authorities("ROLE_ACTUATOR");
        }

        @Bean
        public PasswordEncoder passwordEncoder() {
            return new Argon2PasswordEncoder();
        }

        protected void configure(HttpSecurity http) throws Exception {
            http.antMatcher(managementPath + "/**")
                    .cors().and()
                    .csrf().disable()
                    .authorizeRequests()
                    .anyRequest()
                    .hasRole("ACTUATOR")
                    .and()
                    .httpBasic();
        }
    }

    @Configuration
    @Order(2)
    public static class ApiWebSecurityConfigurationAdapter extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
             http
                    .cors().and()
                    .csrf().disable()
                    .authenticationProvider(...)
                    .authorizeRequests()
                    // ...
        }
    }
}

这如何转化为webflux？

spring-boot spring-security spring-webflux

来源：https://stackoverflow.com/questions/68543670/webflux-http-basic-on-specific-path-only-while-all-others-use-jwt