
I have a Spring Boot web application with security configurations to forward all unauthorized requests to /login. I set up a Spring Boot management port different from my application port. When I go to the management port and try to access /health, it tries to send me to /login on that port and I get this response:

```
{"timestamp":1435680239995,"status":404,"error":"Not Found","message":"No message available","path":"/login"}
```

I found this question but I couldn't make it work in my application: Spring Boot Management security works differently with port set

What's the right way of making this pretty basic Spring Security config work with Spring Boot when trying to set a separate management port?

Here is the pertinent part of my spring security configs:

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.annotation.web.servlet.configuration.EnableWebMvcSecurity;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;

@Configuration
@EnableWebMvcSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .csrf().disable()       // temporary
            .authorizeRequests()
            .antMatchers("/public/**").permitAll()
            .antMatchers("/private*/**").access("hasRole('ADMIN')")
            // catch-all: every other request (including the management port) needs USER
            .antMatchers("/**").access("hasRole('USER')");

        http
            .formLogin().failureUrl("/login?error")
            .defaultSuccessUrl("/")
            .loginPage("/login")    // unauthenticated requests are redirected here on every port
            .permitAll()
            .and()
            .logout().logoutRequestMatcher(new AntPathRequestMatcher("/logout")).logoutSuccessUrl("/login")
            .permitAll();
    }
}
```

Thank you!

UPDATE:

I couldn't make the solution above work, but I found a workaround by putting my management endpoints under what Spring Security thinks is the public (permitAll) route. Then I exposed that on a different port. This works for my purposes, which were to be able to expose a health check to my ELB on a port that is only exposed to the ELB.

```yaml
management:
  port: 8081
  context-path: /public
  security:
    enabled: false
```

pastafarian
  • By following the post you refer to. Make sure you are setting the correct `@Order` values. – M. Deinum Jul 01 '15 at 07:01
  • I did try to integrate that code and I put Order(0) on top... I will go through it again and see if I can get it to work. Had no luck the first time. – pastafarian Jul 01 '15 at 13:16
  • There are some specific orders you need to override, as mentioned in the linked answer; there are 2 different ones, one for the normal part of the site and one for the management part of the site. – M. Deinum Jul 01 '15 at 13:17

1 Answer

Following the other question you posted, I managed to find my solution, and it is basically the same as the one provided there.

So you will have 2 classes extending WebSecurityConfigurerAdapter, compare the request path, and make every request authenticated. Make sure to use @Order(0), as otherwise there will be a conflict.

```java
import javax.servlet.http.HttpServletRequest;

import org.springframework.beans.factory.annotation.Autowired;
// Spring Boot 2.x location; the getServlet().getContextPath() call below is the Boot 2.x API
import org.springframework.boot.actuate.autoconfigure.web.server.ManagementServerProperties;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.util.matcher.RequestMatcher;

@Order(0)
@Configuration
public class ManagementSecurityConfiguration extends WebSecurityConfigurerAdapter {

  @Autowired
  private ManagementServerProperties managementProperties;

  @Override
  protected void configure(HttpSecurity http) throws Exception {
    http.csrf().disable().formLogin().disable()
        .httpBasic()
        // NoPopupBasicAuthenticationEntryPoint is a custom entry point not shown in the answer
        .authenticationEntryPoint(new NoPopupBasicAuthenticationEntryPoint())
        .and()
        .requestMatchers()
        .requestMatchers(new RequestMatcher() {
          @Override
          public boolean matches(HttpServletRequest request) {
            // Only claim requests whose servlet context path is the management context path.
            // Note: if neither side has a context path configured, both are "" and this
            // chain matches every request, including those on the application port.
            return managementProperties.getServlet().getContextPath().equals(request.getContextPath());
          }
        })
        .and()
        .authorizeRequests()
        .anyRequest().hasRole("ADMIN")
        .and()
        .sessionManagement().maximumSessions(1);
  }

}
```
Alan Ho
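The following is an added example, not code from the question or the answer above, showing the variant a practitioner would usually want for the asker's ELB use case and the answer's two-chain setup combined: a dedicated filter chain that claims requests by the port they arrived on (rather than by context path), permits only /health without credentials, and keeps every other actuator endpoint on that port behind HTTP Basic with the ADMIN role, so that turning off management security entirely (as in the asker's workaround) is not needed. It assumes Spring Boot 1.x (ManagementServerProperties in org.springframework.boot.actuate.autoconfigure, management.port set, e.g. to 8081, and no management.context-path) and that an ADMIN role exists; the class name, the onManagementPort() helper and the order constants used are this example's choices.

```java
import javax.servlet.http.HttpServletRequest;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.actuate.autoconfigure.ManagementServerProperties;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.util.matcher.RequestMatcher;

/**
 * Added example (assumes Spring Boot 1.x): security chain for the management port only.
 * The order constant puts it ahead of Boot's auto-configured management chain and ahead of
 * the application's own WebSecurityConfigurerAdapter, so it is consulted first.
 */
@Configuration
@Order(ManagementServerProperties.ACCESS_OVERRIDE_ORDER)
public class ManagementPortSecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Autowired
    private ManagementServerProperties management;

    /** Hypothetical helper: matches a request only if it arrived on the management port. */
    private RequestMatcher onManagementPort() {
        return new RequestMatcher() {
            @Override
            public boolean matches(HttpServletRequest request) {
                Integer port = management.getPort();
                // No separate management port configured: this chain must claim nothing,
                // otherwise it would silently take over the application port as well.
                return port != null && port == request.getLocalPort();
            }
        };
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // restrict this whole chain to the management port
            .requestMatcher(onManagementPort())
            // actuator calls are not browser form posts; CSRF would only break curl/ELB checks
            .csrf().disable()
            .authorizeRequests()
                // exactly what the load balancer needs, and nothing else, without credentials
                .antMatchers("/health").permitAll()
                // env, trace, dump, mappings, shutdown (if enabled) stay locked down
                .anyRequest().hasRole("ADMIN")
                .and()
            // Basic auth instead of the form login, so there is no redirect to /login on this port
            .httpBasic();
    }
}
```

With this in place, the asker's existing SecurityConfiguration only needs an order of lower precedence, for example `@Order(SecurityProperties.ACCESS_OVERRIDE_ORDER)`, and can keep its `/**` catch-all: requests on the management port never reach it because the chain above has already claimed them. If management.context-path is set, the `/health` matcher must include that prefix. The network restriction mentioned in the update (exposing the port only to the ELB) is still worth keeping, but it is now defence in depth rather than the only control on the actuator endpoints.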