Sample doesn't take adminContextPath in to account for csrf config #894

Closed
murilolocatelli opened this issue Aug 22, 2018 · 9 comments

@murilolocatelli

murilolocatelli commented Aug 22, 2018

I am developing according to the documentation: https://codecentric.github.io/spring-boot-admin/2.0.2, but I am not able to register a client in a secure application.

My configuration is:

application.yml

```yaml
# Security config
spring.security.user:
  name: admin
  password: admin

# Actuator config
management:
  endpoint:
    shutdown.enabled: true
    health.show-details: always
  endpoints.web.exposure.include: '*'

# Spring boot admin config
spring.boot.admin:
  context-path: /admin
  client:
    url: http://localhost:8080/admin
    username: ${spring.security.user.name}
    password: ${spring.security.user.password}
    instance:
      name: ${app.name}
      metadata.user:
        name: ${spring.security.user.name}
        password: ${spring.security.user.password}
```

WebSecurityConfiguration

```java
import de.codecentric.boot.admin.server.config.AdminServerProperties;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;

@Configuration
public class WebSecurityConfiguration extends WebSecurityConfigurerAdapter {
    private final String adminContextPath;

    public WebSecurityConfiguration(AdminServerProperties adminServerProperties) {
        this.adminContextPath = adminServerProperties.getContextPath();
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        SavedRequestAwareAuthenticationSuccessHandler successHandler = new SavedRequestAwareAuthenticationSuccessHandler();
        successHandler.setTargetUrlParameter("redirectTo");
        successHandler.setDefaultTargetUrl(adminContextPath + "/");

        http.authorizeRequests()
                .antMatchers(adminContextPath + "/assets/**").permitAll()
                .antMatchers(adminContextPath + "/login").permitAll()
                .anyRequest().authenticated()
                .and()
                .formLogin().loginPage(adminContextPath + "/login").successHandler(successHandler).and()
                .logout().logoutUrl(adminContextPath + "/logout").and()
                .httpBasic().and()
                .csrf()
                .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
                .ignoringAntMatchers("/instances", "/actuator/**");
    }

}
```

And the error is occurring:

```
2018-08-22 00:44:21.770 DEBUG 9616 --- [gistrationTask1] d.c.b.a.c.r.ApplicationRegistrator: Failed to register application as Application(name=template-api, managementUrl=http://localhost:8080/actuator, healthUrl=http://localhost:8080/actuator/health, serviceUrl=http://localhost:8080/) at spring-boot-admin ([http://localhost:8080/admin/instances]): 401 null
```

Can someone please help with this 401?

@harishkadamudi

What version of Spring Boot are you running?

@murilolocatelli
Author

I'm using 2.0.4.RELEASE

@joshiste
Collaborator

joshiste commented Aug 24, 2018

I'd guess

```yaml
      metadata.user:
        name: ${spring.security.user.name}
        password: ${spring.security.user.password}
```

must be:

```yaml
      metadata:
        user.name: ${spring.security.user.name}
        user.password: ${spring.security.user.password}
```

due to the fact that metadata is a map of strings...

@murilolocatelli
Author

I tried this way:

```yaml
      metadata:
        user.name: ${spring.security.user.name}
        user.password: ${spring.security.user.password}
```

But the same error occurs.

@joshiste
Collaborator

Without a project to reproduce the issue it's hard to tell where you made a mistake. Please provide a project to reproduce the issue.

@murilolocatelli
Author

I cleaned the project, keeping only the spring boot admin configs. The error remains. The project follows:

template-api.zip

@joshiste
Collaborator

joshiste commented Sep 2, 2018

```java
.ignoringAntMatchers("/instances", "/actuator/**");
```

must read

```java
.ignoringAntMatchers(adminContextPath + "/instances", adminContextPath + "/actuator/**");
```

It's also wrong in the docs. I'll fix that.

@joshiste changed the title from "Cannot register a client - Spring Boot Admin 2.0.2" to "Sample doesn't take adminContextPath in to account for csrf config" on Sep 2, 2018
@joshiste added this to the 2.0.3 milestone on Sep 2, 2018
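
Added example, not part of the issue thread or of Spring Boot Admin's own code: a simplified model of how the CSRF ignore patterns are matched against the request path, showing why the patterns without `adminContextPath` do not cover the registration request from the log line in the issue. It assumes spring-core's `AntPathMatcher` on the classpath; the class `CsrfIgnoreCheck` and the method `requiresCsrfToken` are hypothetical names.

```java
import java.util.Arrays;
import java.util.List;
import org.springframework.util.AntPathMatcher;

// Added example (hypothetical names): models which requests are exempt from
// CSRF protection for a given list of ignoringAntMatchers(...) patterns.
public class CsrfIgnoreCheck {
    // HTTP methods that Spring Security's default CSRF matcher never protects.
    private static final List<String> SAFE_METHODS =
            Arrays.asList("GET", "HEAD", "TRACE", "OPTIONS");
    private static final AntPathMatcher ANT = new AntPathMatcher();

    /** True when a request with this method and path must carry a valid CSRF token. */
    static boolean requiresCsrfToken(String method, String path, String... ignoredPatterns) {
        if (SAFE_METHODS.contains(method)) {
            return false;
        }
        for (String pattern : ignoredPatterns) {
            if (ANT.match(pattern, path)) {
                return false; // path is covered by an ignore pattern
            }
        }
        return true;
    }

    public static void main(String[] args) {
        // spring.boot.admin.context-path from the application.yml in the issue.
        String adminContextPath = "/admin";
        String[] asPosted = {"/instances", "/actuator/**"};
        String[] corrected = {adminContextPath + "/instances",
                              adminContextPath + "/actuator/**"};

        // Registration request from the log line in the issue:
        // POST http://localhost:8080/admin/instances
        String method = "POST";
        String path = "/admin/instances";

        System.out.println("patterns as posted, token required: "
                + requiresCsrfToken(method, path, asPosted));
        System.out.println("patterns with context path, token required: "
                + requiresCsrfToken(method, path, corrected));
        // Other state-changing admin endpoints stay protected after the fix.
        System.out.println("POST /admin/logout, token required: "
                + requiresCsrfToken("POST", "/admin/logout", corrected));
    }
}
```
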
@murilolocatelli
Author

Now it works. Thanks @joshiste

@CrazyZfp

CrazyZfp commented Dec 5, 2018

> `.ignoringAntMatchers("/instances", "/actuator/**");`
> must read
> `.ignoringAntMatchers(adminContextPath + "/instances", adminContextPath + "/actuator/**");`
>
> It's also wrong in the docs. I'll fix that

@joshiste
I have a similar issue.

My dependencies version info:

- `org.springframework.boot:spring-boot-starter-security:2.1.0.RELEASE`
- `de.codecentric:spring-boot-admin-starter-server:2.1.1`

I use `.ignoringAntMatchers(adminContextPath + "/instances", adminContextPath + "/actuator/**");` instead of `.ignoringAntMatchers("/instances", "/actuator/**");`

But the SBA client still failed to register the application for the same reason: 401 null.
