I have created a Spring Boot Admin 2 Server and integrated the Spring Boot Admin 2 Client in my API service application. Currently my API service project is protected with the OAuth2 framework. In order to bypass the actuator endpoints I have added the configuration in `WebSecurity` and `HttpSecurity` of the `WebSecurityConfigurerAdapter` class, but it looks like the actuator endpoints are still giving 401. When I looked into the issue I found that in `public void configure(HttpSecurity http)`, when I remove `.antMatcher("/user")` the actuator endpoints were opened and the Admin Server was able to get all the details, but when I remove `.antMatcher("/user")` OAuth2 was not failing.
My Spring Boot Admin Server is running under http://localhost:8080 and the API project (Admin Client) is running under http://localhost:8081.
I am using:

- Spring Boot 2 (2.0.4.RELEASE)
- Spring Cloud (Finchley.RELEASE)
- Spring Boot Admin 2 (2.0.2)
The OAuth2 `user-info-uri` is configured in my API project as shown below:

```yaml
security:
  oauth2:
    resource:
      user-info-uri: http://localhost:9999/auth/user
```
Some of the properties which I have added in the API project are given below:

```properties
management.endpoints.web.exposure.include=health,info,auditevents,metrics,loggers,logfile,httptrace,env,flyway,liquibase,shutdown,mappings,scheduledtasks,threaddump,heapdump
management.endpoint.health.show-details=always
management.security.enabled=false
management.health.rabbit.enabled=false
spring.boot.admin.client.url[0]=http://localhost:8080
spring.boot.admin.client.username=user
spring.boot.admin.client.password=password
spring.boot.admin.client.instance.management-url=http://localhost:8081/actuator
spring.boot.admin.client.instance.health-url=http://localhost:8081/actuator/health
spring.boot.admin.client.instance.service-url=http://localhost:8081
```
My custom `WebSecurityConfigurer` is given below:

```java
import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;

@Order(1)
@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true, securedEnabled = true)
public class WebSecurityConfigurer extends WebSecurityConfigurerAdapter {

    public WebSecurityConfigurer() {
        // true = disable the default HttpSecurity configuration
        super(true);
    }

    @Override
    public void configure(WebSecurity web) throws Exception {
        // take the actuator (and all OPTIONS requests) out of the security filter chain
        web.ignoring()
                .antMatchers("/actuator/**");
        web.ignoring().antMatchers(HttpMethod.OPTIONS, "/**", "/actuator/**");
    }

    @Override
    public void configure(HttpSecurity http) throws Exception {
        http.anonymous()
                .and()
                .antMatcher("/user")   // the line discussed above
                .authorizeRequests()
                    .requestMatchers(EndpointRequest.toAnyEndpoint()).permitAll()
                    .antMatchers("/actuator/**").permitAll()
                    .anyRequest().authenticated()
                .and()
                .csrf()
                    .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
                    .ignoringAntMatchers("/instances", "/actuator/**");
    }
}
```
Can anyone please help me on this?
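The following is an added example, not the asker's code and not an answer posted in this thread. It illustrates the two mechanisms the question mixes: `antMatcher("/user")` (singular) tells Spring Security which requests a whole `HttpSecurity` chain applies to, whereas `antMatchers(...)` inside `authorizeRequests()` is an authorization rule within that chain; and `web.ignoring()` removes the filter chain from a URL entirely, so with the exposure list above (`shutdown`, `env`, `heapdump`, `threaddump`, `logfile`) every one of those endpoints would be reachable anonymously. The example keeps the actuator inside the filter chain, scoped with Spring Boot 2's `EndpointRequest`, permits only `health` and `info` without credentials, and requires a role for everything else. The role name `ACTUATOR_ADMIN` is a hypothetical placeholder, and it is assumed that a separate, lower-priority OAuth2 resource-server chain continues to protect the rest of the API.

```java
// Added example (not from the question or an answer in the thread).
// Targets Spring Boot 2.0.x / Spring Security 5.0.x as used in the question.
import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest;
import org.springframework.boot.actuate.health.HealthEndpoint;
import org.springframework.boot.actuate.info.InfoEndpoint;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Order(1) // evaluated before the OAuth2 resource-server chain, which is assumed to handle all other URLs
@Configuration
@EnableWebSecurity
public class ActuatorSecurityConfigurer extends WebSecurityConfigurerAdapter {

    // Hypothetical role name: map it to whatever authority your user-info endpoint returns.
    private static final String ACTUATOR_ROLE = "ACTUATOR_ADMIN";

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // Scope this chain to actuator requests only. This is the same role
            // antMatcher("/user") plays in the question: it selects which requests
            // the chain handles at all, not who is allowed to call them.
            .requestMatcher(EndpointRequest.toAnyEndpoint())
            .authorizeRequests()
                // Liveness data an Admin Server polls; anonymous access is the only
                // thing granted without credentials. Note that show-details=always
                // reveals component names to anonymous callers as well.
                .requestMatchers(EndpointRequest.to(HealthEndpoint.class, InfoEndpoint.class)).permitAll()
                // env, heapdump, threaddump, logfile, shutdown and the rest: operators only.
                .anyRequest().hasRole(ACTUATOR_ROLE)
            .and()
            // The Admin Server calls these endpoints without a browser session, so
            // CSRF protection is switched off for this chain only; the rest of the
            // API keeps its own CSRF configuration.
            .csrf().disable()
            // Credentials for the Admin Server's calls are sent with HTTP Basic.
            .httpBasic();
    }
}
```

With this in place the Admin Server needs credentials to read the protected endpoints; Spring Boot Admin 2 clients can hand them over as instance metadata (`spring.boot.admin.client.instance.metadata.user.name` and `spring.boot.admin.client.instance.metadata.user.password`) rather than exposing the endpoints anonymously. A quick check of the result is to request `/actuator/health` and `/actuator/env` without credentials: the first should return 200, the second 401.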