8

Probably I'm doing something wrong here, I just can't figure out what...

I have an Oauth2 authentication server and a resource server within the same application.

Resource server configuration:

@Configuration
@EnableResourceServer
@EnableGlobalMethodSecurity(prePostEnabled = true)
@Order(SecurityProperties.ACCESS_OVERRIDE_ORDER-1)
public class ResourceServerConfig extends ResourceServerConfigurerAdapter {
    public static final String RESOURCE_ID = "resources";

    @Override
    public void configure(final ResourceServerSecurityConfigurer resources) {
        resources
                .resourceId(RESOURCE_ID);
    }

    @Override
    public void configure(final HttpSecurity http) throws Exception {
        http
                .authorizeRequests()
                .antMatchers(HttpMethod.GET, "/**").access("#oauth2.hasScope('read')")
                .antMatchers(HttpMethod.POST, "/**").access("#oauth2.hasScope('write')")
                .antMatchers(HttpMethod.PUT, "/**").access("#oauth2.hasScope('write')")
                .antMatchers(HttpMethod.PATCH, "/**").access("#oauth2.hasScope('write')")
                .antMatchers(HttpMethod.DELETE, "/**").access("#oauth2.hasScope('write')")
                .antMatchers(HttpMethod.OPTIONS, "/**").permitAll()
                .antMatchers(HttpMethod.GET, "/health").permitAll();
    }

}

Authentication server configuration:

@Configuration
@Order(SecurityProperties.ACCESS_OVERRIDE_ORDER)
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    private UserDetailsService userDetailsService;

    @Override
    public void configure(final AuthenticationManagerBuilder auth) throws Exception {
        auth
                .userDetailsService(userDetailsService)
                .passwordEncoder(new BCryptPasswordEncoder());
    }

    @Override
    protected void configure(final HttpSecurity http) throws Exception {
        http
                .authorizeRequests()
                .anyRequest().authenticated()
                .and().httpBasic().realmName("OAuth Server");
    }
}

When I try to access /health, I got a HTTP/1.1 401 Unauthorized.

How can I persuade Spring Boot to make /health anonymously accessible?

endrec
  • 447
  • 6
  • 17
  • In SecurityConfig I think you miss to add that : .antMatchers(HttpMethod.GET, "/health").permitAll(); – mherbert Aug 20 '15 at 15:03
  • 1
    The order in which you specify your mappings is also the order in which they are consulted. The first match wins... As `/**` matches everything your `/health` mapping is useless. Move that above the `/**` mappings to have it functional. – M. Deinum Aug 20 '15 at 17:56
  • @M.Deinum Thanks, that solved the problem. If you add this as an answer, I'm happy to accept it. – endrec Aug 21 '15 at 10:47

3 Answers3

4

I had same issue and struggled a bit.

protected void configure(HttpSecurity http) throws Exception {
    ...
    .authorizeRequests()
            .antMatchers("/actuator/**").permitAll()
}

is not enough.

Also override this method and add the below and it works.

public void configure(WebSecurity web) throws Exception {
     web.ignoring().antMatchers("/actuator/**");
}
Lyju I Edwinson
  • 1,764
  • 20
  • 20
3

As M. Deinum said:

The order in which you specify your mappings is also the order in which they are consulted. The first match wins... As /** matches everything your /health mapping is useless. Move that above the /** mappings to have it functional. – M. Deinum Aug 20 at 17:56

endrec
  • 447
  • 6
  • 17
0

You also need to disable it by setting management.security.enabled to false.

http://docs.spring.io/spring-boot/docs/current-SNAPSHOT/reference/htmlsingle/#production-ready-customizing-management-server-port

Pavel Lishin
  • 129
  • 7
  • 2
    This solution will disable security on ALL actuator endpoints. The question was about how to allow anonymous access to the health endpoint. – quintonm Feb 02 '16 at 17:17