This is my Spring Boot 1.5.1 Actuator application.properties
:
#Spring Boot Actuator
management.contextPath: /actuator
management.security.roles=R_0
This is my WebSecurityConfig
:
@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
@Autowired
private UserDetailsService userDetailsService;
@Value("${logout.success.url}")
private String logoutSuccessUrl;
@Override
protected void configure(HttpSecurity http) throws Exception {
// @formatter:off
http.addFilterBefore(new CorsFilter(), ChannelProcessingFilter.class);
http
.csrf().ignoringAntMatchers("/v1.0/**", "/logout")
.and()
.authorizeRequests()
.antMatchers("/oauth/authorize").authenticated()
//Anyone can access the urls
.antMatchers("/signin/**").permitAll()
.antMatchers("/v1.0/**").permitAll()
.antMatchers("/auth/**").permitAll()
.antMatchers("/actuator/health").permitAll()
.antMatchers("/actuator/**").hasAuthority("R_0")
.antMatchers("/login").permitAll()
.anyRequest().authenticated()
.and()
.formLogin()
.loginPage("/login")
.loginProcessingUrl("/login")
.failureUrl("/login?error=true")
.usernameParameter("username")
.passwordParameter("password")
.permitAll()
.and()
.logout()
.logoutUrl("/logout")
.logoutSuccessUrl(logoutSuccessUrl)
.permitAll();
// @formatter:on
}
/**
* Configures the authentication manager bean which processes authentication requests.
*/
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.userDetailsService(userDetailsService).passwordEncoder(new BCryptPasswordEncoder());
}
@Override
@Bean
public AuthenticationManager authenticationManagerBean() throws Exception {
return super.authenticationManagerBean();
}
}
Right now I'm successfully able to login in my application with a right user that has R_0
authorities but when I trying to access for example
http://localhost:8080/api/actuator/beans
I receive a following error:
There was an unexpected error (type=Forbidden, status=403).
Access is denied. User must have one of the these roles: R_0
How to correctly configure Spring Boot Actuator in order to be aware about the correct Authentication
?
Right now in order to get it workin I have to do the following trick:
management.security.enabled=false
.antMatchers("/actuator/health").permitAll()
.antMatchers("/actuator/**").hasAuthority("R_0")
Is any chance to configure Actuator in a right way ?
UPDATED
I'm using UserDetailsService.UserDetails.Authorities
public Collection<? extends GrantedAuthority> getAuthorities() {
String[] authorities = permissions.stream().map(p -> {
return p.getName();
}).toArray(String[]::new);
return AuthorityUtils.createAuthorityList(authorities);
}
You have to use prefix ROLE_
for your management.security.roles
for example management.security.roles=ROLE_SOMENAME
in order to solve this issue