3

I have created Spring Boot Admin 2 Server and integrated Spring Boot Admin 2 Client in my API service application. Currently my API service project is protected with OAuth2 Framework. In order to bypass the actuator endpoints I have added the configuration in WebSecurity and HttpSecurity of WebSecurityConfigurerAdapter class, but it looks like still the actuator endpoints are giving 401. When I looked into the issue I found that in public void configure(HttpSecurity http) when I remove .antMatcher("/user") the actuator endpoints was opened and the Admin Server was able to get all the details, but when I remove .antMatcher("/user") OAuth2 was not failing.

My Spring Boot Admin Server is running under http://localhost:8080 and the API project (Admin Client) is running under http://localhost:8081

I am using

Spring Boot 2 (2.0.4.RELEASE)
Spring Cloud (Finchley.RELEASE)
Spring Boot Admin 2 (2.0.2)

Oauth2 user-info-uri is configured in my API project like as shown below

security: 
  oauth2:
    resource:
      user-info-uri: http://localhost:9999/auth/user

Some of the properties which I have added in API project is given below

management.endpoints.web.exposure.include=health,info,auditevents,metrics,loggers,logfile,httptrace,env,flyway,liquidbase,shutdown,mappings,scheduledtasks,threaddump,heapdump
management.endpoint.health.show-details=always
management.security.enabled=false
management.health.rabbit.enabled=false
spring.boot.admin.client.url[0]=http://localhost:8080
spring.boot.admin.client.username=user
spring.boot.admin.client.password=password
spring.boot.admin.client.instance.management-url=http://localhost:8081/actuator
spring.boot.admin.client.instance.health-url=http://localhost:8081/actuator/health
spring.boot.admin.client.instance.service-url=http://localhost:8081

My Custom WebSecurityConfigurer is given below

@Order(1)
@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true, securedEnabled = true)
public class WebSecurityConfigurer extends WebSecurityConfigurerAdapter {

    public WebSecurityConfigurer() {
        super(true);
    }

    @Override
    public void configure(WebSecurity web) throws Exception {
         web.ignoring()
         .antMatchers("/actuator/**");
        web.ignoring().antMatchers(HttpMethod.OPTIONS, "/**", "/actuator/**");
    }

    @Override
    public void configure(HttpSecurity http) throws Exception {
        http.anonymous().and().antMatcher("/user").authorizeRequests()
        .requestMatchers(EndpointRequest.toAnyEndpoint()).permitAll().
         antMatchers("/actuator/**").permitAll().
         anyRequest().authenticated()
        .and()
        .csrf()
        .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
        .ignoringAntMatchers("/instances", "/actuator/**");
    }
}

Can anyone please help me on this

Alex Man
  • 4,746
  • 17
  • 93
  • 178

0 Answers0