ManagementWebSecurityConfigurerAdapter is not overridable #1901
Comments
|
@dsyer any suggestions? Should that condition change to |
|
Not the latter (since there might be many). I think copy-paste of all the code in there is actually the best solution for now (and set |
|
an alternative is to make |
|
Yes, that is an alternative, but it makes something public that we might not want or need to be. A more useful solution would be to add callbacks/customizers for some of the more common management security concerns. In the meantime you can take control and roll it yourself. |
|
@dsyer is there any plan to allow custom behavior for Management security? In our case, we have a custom WebSecurityConfigurerAdapter which integrates with Spring Security SAML project. I have all the relevant roles/authorities in control through that custom config. Having another class for Management security seems to be an overhead. |
|
I'm not sure I follow. If you want the management end points to have their own security (separate from the rest of the app), it kind of needs to be in a separate class. On, the other hand, if you want the same rules for management and other endpoints, then you already have something. |
|
@dsyer it is actual about the second scenario.. The only way it looks like to achieve thus is to have a dummy ManagementSecurityAutoConfiguration class with the endpoint security turned off.. Please let me know if this is wrong |
|
+1 I have same requirement about overriding Today I'm:
But it will be very appreciable to have some sort of configurer or public access to avoid copying source code. |
philwebb
added
the
for: team-attention
wilkinsona
added
team-meeting
and removed
for: team-attention
philwebb
added
for: team-attention
|
We don't think opening up |
dsyer
added
type: enhancement
|
@dsyer , it is fine that if Spring team does not want to open up management or the app web security configurer adapters. However, please do prioritize the @ConditionalOnMissingBean change. It will be clearer, customized security configurer replace default auto config completely. Instead of using @order trick. Thanks. |
|
There's already a |
|
what a pity, I don't think |
|
I don't think I follow that argument. My recommendation (which is reflected in docs I think) is not to disable the defaults anyway. You certainly shouldn't fee like you need to disable defaults just to add new rules. Maybe we can make it easier? |
|
@dsyer , could you please point to the docs section? my original request is more specific, I want to use other authentication for management endpoints yes, I can add customized security rule via |
Yes. You can add a |
|
@dsyer , Once I do this, looks like my own configuration is no longer valid and all management endpoints are accessible without any authentication @EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
@ConditionalOnProperty(prefix = "swiss.security.kerb", name = "enabled", matchIfMissing = true)
@Order(ManagementServerProperties.ACCESS_OVERRIDE_ORDER)
public class KerberosSecurityConfig extends WebSecurityConfigurerAdapter
{
public static final int ACCESS_OVERRIDE_ORDER = ManagementServerProperties.ACCESS_OVERRIDE_ORDER - 1;
@Inject
protected void configureGlobal(AuthenticationManagerBuilder auth, KerberosAuthenticationProvider kerbProvider,
KerberosServiceAuthenticationProvider kerbServiceProvider)
{
auth
.authenticationProvider(kerbProvider)
.authenticationProvider(kerbServiceProvider);
}
@Override
protected void configure(HttpSecurity http) throws Exception
{
http.authorizeRequests()
.antMatchers("/manage/health","/manage/info").permitAll()
.antMatchers("/manage/*", "/debug/*").hasRole("ADMIN")
.and()
// .anonymous().disable()
.csrf().disable().logout().disable()
.authorizeRequests()
.anyRequest().authenticated()
.and()
.exceptionHandling()
.authenticationEntryPoint(new SpnegoEntryPoint())
.and()
.addFilter(getBasicAuthenticationFilter(authenticationManagerBean()))
.addFilterBefore(
getSpnegoAuthenticationProcessingFilter(authenticationManagerBean()),
BasicAuthenticationFilter.class);
}
private BasicAuthenticationFilter getBasicAuthenticationFilter(AuthenticationManager authManager)
{
return new BasicAuthenticationFilter(authManager);
}
private SpnegoAuthenticationProcessingFilter getSpnegoAuthenticationProcessingFilter(AuthenticationManager authManager)
{
SpnegoAuthenticationProcessingFilter filter = new SpnegoAuthenticationProcessingFilter();
filter.setFailureHandler((request, response, exception) ->
{
response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
response.flushBuffer();
});
filter.setAuthenticationManager(authManager);
return filter;
}
} |
|
There are a couple of odd things about that code, but it's quite hard to put it in context. How about putting a minimal sample on github that illustrates your question/confusion? (I suspect you are making a mistake somewhere but it's hard to say for sure.) |
|
@dsyer sure, will do so tomorrow, thanks |
|
Hi @dsyer , When you un comment the management.security.enbaled=false you get the following output on health endpoint: {
"status":"UP","diskSpace":{"status":"UP","total":815336800256,"free":599872622592,"threshold":10485760}
}The problem is that this also ignoring our security configuration for the manage endpoint. But with the security enabled you will get only the overall status: {"status":"UP"}What we try to implement is to have the fully detailed response but still have our security configuration with the management endpoints. Thanks |
|
Hi @dsyer. any chance you had time to look on this? |
|
I haven't sorry, but the problem is probably easy to diagnose: you have to be fully authenticated to get the full endpoint response from /health (once spring security is present). We can't easily change that, and it certainly won't change in a bug fix release. Your only option is to authenticate those requests (it's not hard, just a bug of a weird thing to need to do). |
|
I suppose the other option is to disable the health endpoint and write your own. Also easy. |
|
Thanks @dsyer |
|
Can we consider to enable to configure this in future releases? |
|
We could, but the |
|
It would be great to have a callback to customize the authentication manager builder just for the management endpoints, without overriding the global authentication manager, and without overriding / replacing the (quite elaborate) HttpSecurity configuration for the management endpoints. Before I found this issue here, I asked this, needing exactly that: http://stackoverflow.com/questions/41140468/custom-actuator-authentication-and-different-custom-web-authentication-in-one |
|
This has been superseded by the security simplifications in M4. |
wilkinsona
added
status: duplicate
Despite having
user cannot override this bean because it's impossible to create a bean of type
ManagementWebSecurityConfigurerAdapteror extending it.In my project we have multiple instance of
AuthenticationManagerand the default one injected inManagementWebSecurityConfigurerAdapteris not the one we want to inject in it.We don't want to completely recreate a
WebSecurityConfigurerAdapterand copy/paste all its content just to inject a particularAuthenticationManager.Thanks
The text was updated successfully, but these errors were encountered: