Spring客户端发布到管理员/实例，配置了用户和密码，引发403，禁止所有客户端使用

Question

我已经把SBA整合到这个项目中了。在没有任何身份验证的情况下，所有客户端都为SBA服务器注册，我可以看到所有执行器端点，我已经打开了这些端点。我希望在SBA管理页面有登录页面，并希望只为具有适当权限的SBA客户端打开注册。根据SBA文档，我在双方都添加了用户/密码属性。如果我只是在SBA服务器上添加用户和密码，以及我为所有SBA客户端配置的相同的用户和密码，那么所有客户端得到的响应403都被禁止注册为Application() SBA服务器部件: application.properties

    spring.security.user.name=admin
    spring.security.user.password=admin

    spring.boot.admin.client.instance.metadata.user.name=admin
    spring.boot.admin.client.instance.metadata.user.password=admin
    server.port=8090

    management.endpoints.web.exposure.include=
    management.endpoints.web.base-path=/_manage
    management.endpoints.jmx.exposure.include=
    management.endpoint.shutdown.enabled=true
    management.server.port=8090

具有打开的/instances权限的安全配置

    @Configuration
    @ConditionalOnProperty(value = "spring.security.enabled", havingValue = "true")
    @EnableWebSecurity
    public class WebSecurityConfig  extends WebSecurityConfigurerAdapter {

      @Override
      protected void configure(HttpSecurity http) throws Exception {
        http
            .formLogin()
            .loginPage("/login.html")
            .loginProcessingUrl("/login")
            .permitAll();
        http
            .logout().logoutUrl("/logout");
        http
            .csrf().disable();
        http
            .authorizeRequests()
            .antMatchers("/login.html", "/** ** /** .css", "/img/** ** ", "/third-party/** ** ")
            .permitAll();
        http
            .authorizeRequests()
            .antMatchers("/instances")
            .permitAll();
            //.authenticated();
        http.httpBasic();
      }
    }

SBA客户端具有相同的用户和密码，可以在SBA服务器上注册: application.properties。

    instance.name=clientdemo
    feed.generation.type=CLIENTDEMO

    spring.boot.admin.url=http://localhost:8090
    spring.boot.admin.client.url=http://localhost:8090  

    spring.boot.admin.client.username=admin
    spring.boot.admin.client.password=admin
    spring.security.user.name=admin
    spring.security.user.password=admin

    server.port=8091
    # ACTUATOR
    management.endpoints.web.exposure.include=*
    #management.endpoints.web.base-path=/_manage
    management.endpoint.shutdown.enabled=true
    management.server.port=8091

因此，在SBA客户端，我从日志中看到一个错误：

    : Writing [Application(name=demo-worker, managementUrl=http://http://localhost:8091/actuator, healthUrl=http://localhost:8091/actuator/health, serviceUrl=http://localhost:8091/)] as "application/json"
    : sun.net.www.MessageHeader@4089d6fd8 pairs: {POST /instances HTTP/1.1: null}{Accept: application/json}{Content-Type: application/json}{Authorization: Basic YWRtaW46YWRtaW4=}{User-Agent: Java/1.8.0_211}{Host: localhost:8090}{Connection: keep-alive}{Content-Length: 267}
    : sun.net.www.MessageHeader@50cf05ff11 pairs: {null: HTTP/1.1 403}{Content-Type: text/plain}{Cache-Control: no-cache, no-store, max-age=0, must-revalidate}{Pragma: no-cache}{Expires: 0}{X-Content-Type-Options: nosniff}{X-Frame-Options: DENY}{X-XSS-Protection: 1 ; mode=block}{Referrer-Policy: no-referrer}{Transfer-Encoding: chunked}{Date: Wed, 13 Nov 2019 12:48:32 GMT}
    : Response 403 FORBIDDEN
    : Failed to register application as Application(name=demo-worker, managementUrl=http://localhost:8091/actuator, healthUrl=http://localhost:8091/actuator/health, serviceUrl=http://localhost:8091/) at spring-boot-admin ([http://localhost:8090/instances]): 403 null
    : HTTP POST http://localhost:8090/instances
    : Accept=[application/json, application/*+json]

从SBA服务器端，我在日志中看到：

    {"name":"demo-worker","managementUrl":"http://localhost:8091/actuator","healthUrl":"http://localhost:8091/actuator/health","serviceUrl":"http://localhost:8091/","metadata":o.a.c.a.AuthenticatorBase: Security checking request POST /instances

我的SBA服务器在端口8090注册，SBA客户端在端口8091注册。

Answer 1

您应该添加以下内容：.antMatchers(HttpMethod.POST，“/致动器/**”) .permitAll()