Spring Security + Spring Actuator in Practice


Spring Security is used for security authentication.

Spring Actuator is used for application monitoring.

Points to note when the two are used together in a real project are summarized below:

endpoints.sensitive controls the Actuator endpoints, while security.basic controls the Controller-layer interfaces; the two do not affect each other.

Access control for Actuator

1. If either endpoints.sensitive or management.security.enabled is switched off, no authentication is required, for example:

endpoints.sensitive = false: all endpoints are open, i.e. no password check; even with management.security.enabled=true and security.user configured, no authentication is required.

endpoints.sensitive = true: all endpoints require verification, but with management.security.enabled=false no authentication is required even if security.user is configured.

2. When both endpoints.sensitive and management.security.enabled are switched on:

1) If security.user is configured, the endpoints can be opened with the corresponding username/password.

2) If security.user is not configured, the endpoints cannot be opened at all.

3. To enable or disable a single endpoint, use endpoints.<endpoint-name>.<property>=true/false, for example: endpoints.info.sensitive=false

Note: Actuator endpoint access control is unrelated to security.basic.enabled. The rules above apply equally to the switch for an individual endpoint.

Access control for Controller-layer interfaces

1. security.basic.enabled=false: no interface requires authentication, even if security.user is configured.

2. security.basic.enabled=true with security.user configured: look at security.basic.path; only the interfaces under that path require authentication, and the default is all interfaces.

3. To control a single interface, use security.basic.path=/config/qryUser; separate multiple paths with commas.

Note: Controller-layer access control is unrelated to endpoints.sensitive and management.security.enabled.
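As an added example (not part of the original post), the following Python script applies the rules above to a Spring Boot 1.x application.properties and reports which Actuator endpoints answer without credentials and which Controller paths are protected. Assumptions: the endpoint list and both property samples are constructed for illustration, and absent switches default to true with security.basic.path defaulting to /** (a simplification; the real Boot 1.x defaults vary per endpoint).

```python
ENDPOINTS = ["health", "info", "env", "beans", "metrics"]  # constructed sample list

def parse_properties(text):
    """Minimal .properties reader: key=value lines, '#'/'!' comment lines ignored."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and line[0] not in "#!":
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def _flag(props, key, default):
    value = props.get(key)
    return default if value is None else value.lower() == "true"

def actuator_auth_required(props, endpoint):
    """Rules 1-3 above: endpoints.<name>.sensitive overrides endpoints.sensitive, and
    either switch being off removes authentication even when security.user is set."""
    sensitive = _flag(props, f"endpoints.{endpoint}.sensitive",
                      _flag(props, "endpoints.sensitive", True))  # default: assumption
    return sensitive and _flag(props, "management.security.enabled", True)

def open_actuator_endpoints(props, endpoints=ENDPOINTS):
    return [e for e in endpoints if not actuator_auth_required(props, e)]

def protected_controller_paths(props):
    """security.basic.enabled=false opens everything; else only security.basic.path."""
    if not _flag(props, "security.basic.enabled", True):
        return []
    return [p.strip() for p in props.get("security.basic.path", "/**").split(",")]

def credentials_configured(props):
    """Rule 2.2: with both switches on and no security.user, nothing can be opened."""
    return "security.user.name" in props and "security.user.password" in props

WEAK = """# constructed: global switch off, so the credentials are never asked for
endpoints.sensitive=false
management.security.enabled=true
security.user.name=admin
security.user.password=example-only
"""
HARDENED = """# constructed: all sensitive except info, two Controller paths guarded
endpoints.sensitive=true
endpoints.info.sensitive=false
management.security.enabled=true
security.basic.path=/config/qryUser,/config/updUser
security.user.name=admin
security.user.password=example-only
"""
```

Running open_actuator_endpoints(parse_properties(WEAK)) shows every endpoint open despite the configured user, while the hardened sample leaves only info public.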

Spring Security: 2.4 Getting Spring Security

You can get hold of Spring Security in several ways. You can download a packaged distribution from the main Spring Security page, download individual jars from the Maven Central repository (or a Spring Maven repository for snapshot and milestone releases) or, alternatively, you can build the project from source yourself.


2.4.1 Usage with Maven

A minimal Spring Security Maven set of dependencies typically looks like the following:

pom.xml
<dependencies>
<!-- ... other dependency elements ... -->
<dependency>
	<groupId>org.springframework.security</groupId>
	<artifactId>spring-security-web</artifactId>
	<version>4.2.10.RELEASE</version>
</dependency>
<dependency>
	<groupId>org.springframework.security</groupId>
	<artifactId>spring-security-config</artifactId>
	<version>4.2.10.RELEASE</version>
</dependency>
</dependencies>

If you are using additional features like LDAP, OpenID, etc. you will also need to include the appropriate modules listed in Section 2.4.3, “Project Modules”.

Maven Repositories

All GA releases (i.e. versions ending in .RELEASE) are deployed to Maven Central, so no additional Maven repositories need to be declared in your pom.

If you are using a SNAPSHOT version, you will need to ensure you have the Spring Snapshot repository defined as shown below:

pom.xml
<repositories>
<!-- ... possibly other repository elements ... -->
<repository>
	<id>spring-snapshot</id>
	<name>Spring Snapshot Repository</name>
	<url>http://repo.spring.io/snapshot</url>
</repository>
</repositories>

If you are using a milestone or release candidate version, you will need to ensure you have the Spring Milestone repository defined as shown below. Note that the Gradle examples further down declare the same repositories over https; prefer that form in the pom as well, since Maven 3.8.1 and later block plain-http external repositories by default:

pom.xml
<repositories>
<!-- ... possibly other repository elements ... -->
<repository>
	<id>spring-milestone</id>
	<name>Spring Milestone Repository</name>
	<url>http://repo.spring.io/milestone</url>
</repository>
</repositories>


Spring Framework Bom

Spring Security builds against Spring Framework 4.3.21.RELEASE, but should work with 4.0.x. The problem that many users will have is that Spring Security’s transitive dependencies resolve Spring Framework 4.3.21.RELEASE which can cause strange classpath problems.

One (tedious) way to circumvent this issue would be to include all the Spring Framework modules in a <dependencyManagement> section of your pom. An alternative approach is to include the spring-framework-bom within the <dependencyManagement> section of your pom.xml as shown below:

pom.xml

<dependencyManagement>
	<dependencies>
	<dependency>
		<groupId>org.springframework</groupId>
		<artifactId>spring-framework-bom</artifactId>
		<version>4.3.21.RELEASE</version>
		<type>pom</type>
		<scope>import</scope>
	</dependency>
	</dependencies>
</dependencyManagement>

This will ensure that all the transitive dependencies of Spring Security use the Spring 4.3.21.RELEASE modules.

This approach uses Maven’s "bill of materials" (BOM) concept and is only available in Maven 2.0.9+. For additional details about how dependencies are resolved refer to Maven’s Introduction to the Dependency Mechanism documentation.


2.4.2 Gradle

A minimal Spring Security Gradle set of dependencies typically looks like the following:

build.gradle

dependencies {
	compile 'org.springframework.security:spring-security-web:4.2.10.RELEASE'
	compile 'org.springframework.security:spring-security-config:4.2.10.RELEASE'
}

 

Gradle Repositories

All GA releases (i.e. versions ending in .RELEASE) are deployed to Maven Central, so using the mavenCentral() repository is sufficient for GA releases.

repositories {
	mavenCentral()
}

If you are using a SNAPSHOT version, you will need to ensure you have the Spring Snapshot repository defined as shown below:

build.gradle

repositories {
	maven { url 'https://repo.spring.io/snapshot' }
}

 

If you are using a milestone or release candidate version, you will need to ensure you have the Spring Milestone repository defined as shown below:

build.gradle

repositories {
	maven { url 'https://repo.spring.io/milestone' }
}

Using Spring 4.0.x and Gradle

By default Gradle will use the newest version when resolving transitive versions. This means that often times no additional work is necessary when running Spring Security 4.2.10.RELEASE with Spring Framework 4.3.21.RELEASE. However, at times there can be issues that come up so it is best to mitigate this using Gradle’s ResolutionStrategy as shown below:

build.gradle

configurations.all {
	resolutionStrategy.eachDependency { DependencyResolveDetails details ->
		// pin every org.springframework module to one version so transitive
		// resolution cannot mix Spring Framework releases on the classpath
		if (details.requested.group == 'org.springframework') {
			details.useVersion '4.3.21.RELEASE'
		}
	}
}

 

This will ensure that all the transitive dependencies of Spring Security use the Spring 4.3.21.RELEASE modules.

This example uses Gradle 1.9, but may need modifications to work in future versions of Gradle since this is an incubating feature within Gradle.