/**
 * Returns a matcher that includes the specified {@link Endpoint actuator endpoints},
 * identified by their endpoint classes. For example: <pre class="code">
 * EndpointRequest.to(ShutdownEndpoint.class, HealthEndpoint.class)
 * </pre>
 * The links endpoint at the actuator base path is not part of this matcher; use
 * {@link EndpointRequest#toAnyEndpoint() toAnyEndpoint} when it should be covered too.
 * @param endpoints the endpoints to include
 * @return the configured {@link RequestMatcher}
 */
public static EndpointRequestMatcher to(Class<?>... endpoints) {
    // The flag mirrors toAnyEndpoint()'s "true": only the listed endpoints, no links page.
    boolean includeLinks = false;
    return new EndpointRequestMatcher(endpoints, includeLinks);
}
/**
 * Builds the {@link RequestMatcher} this matcher delegates to once the
 * {@link WebApplicationContext} is available.
 * @param context the web application context the matcher is created for
 * @param requestMatcherFactory the factory used to build the path-based matchers
 * @return the delegate matcher
 */
protected abstract RequestMatcher createDelegate(WebApplicationContext context,
        RequestMatcherFactory requestMatcherFactory);
/**
 * Returns a matcher that matches only on the links endpoint. It can be used when
 * security configuration for the links endpoint is different from the other
 * {@link Endpoint actuator endpoints}. The
 * {@link EndpointRequestMatcher#excludingLinks() excludingLinks} method can be used
 * in combination with this to remove the links endpoint from
 * {@link EndpointRequest#toAnyEndpoint() toAnyEndpoint}. For example:
 * <pre class="code">
 * EndpointRequest.toLinks()
 * </pre>
 * @return the configured {@link RequestMatcher}
 */
public static LinksRequestMatcher toLinks() {
    // A fresh instance per call; the matcher resolves its delegate lazily from the context.
    LinksRequestMatcher linksOnly = new LinksRequestMatcher();
    return linksOnly;
}
/**
 * Restricts this filter chain to the actuator endpoints (links page included) and
 * requires {@code ROLE_ENDPOINT_ADMIN}, authenticated via HTTP Basic, for all of them.
 * @param http the http security builder
 * @throws Exception if the builder rejects the configuration
 */
@Override
protected void configure(HttpSecurity http) throws Exception {
    // Only requests to actuator endpoints enter this chain at all.
    http.requestMatcher(EndpointRequest.toAnyEndpoint());
    // No public endpoints here: every matched request needs the admin role.
    http.authorizeRequests().anyRequest().hasRole("ENDPOINT_ADMIN");
    http.httpBasic();
}
/**
 * Registers the URL authorization rules. Rules are evaluated in declaration order and
 * the first match wins, so the specific actuator and {@code /admin} rules must stay
 * ahead of the catch-all {@code /**} rule.
 * @param http the http security builder
 * @throws Exception if the builder rejects the configuration
 */
@Override
protected void configure(HttpSecurity http) throws Exception {
    http.authorizeRequests()
        // Admin area.
        .mvcMatchers("/admin").hasRole("ADMIN")
        // info and health are public; every other actuator endpoint needs ROLE_ACTUATOR.
        .requestMatchers(EndpointRequest.to("info", "health")).permitAll()
        .requestMatchers(EndpointRequest.toAnyEndpoint()).hasRole("ACTUATOR")
        // Static assets at the usual classpath locations are public.
        .requestMatchers(PathRequest.toStaticResources().atCommonLocations()).permitAll()
        .antMatchers("/events/**").hasRole("USER")
        // Catch-all: anything not matched above is open.
        .antMatchers("/**").permitAll();
    http.httpBasic();
}
}
/**
 * Applies the default endpoint access rules to every actuator endpoint that has no
 * explicit entry in the monitor endpoint configuration. Endpoints present in the
 * configured endpoint map are excluded from this catch-all matcher, as is the links
 * endpoint, so each of them can be configured on its own.
 *
 * @param http     the http security builder
 * @param requests the authorization registry the access rules are registered against
 */
protected void configureEndpointAccessToDenyUndefined(final HttpSecurity http,
    final ExpressionUrlAuthorizationConfigurer<HttpSecurity>.ExpressionInterceptUrlRegistry requests) {
    val endpointSettings = casProperties.getMonitor().getEndpoints();
    val explicitlyConfigured = endpointSettings.getEndpoint().keySet().toArray(ArrayUtils.EMPTY_STRING_ARRAY);
    val defaults = endpointSettings.getDefaultEndpointProperties();
    // One rule per default access level, each applied to "everything not configured explicitly".
    defaults.getAccess().forEach(Unchecked.consumer(access -> {
        val undefinedEndpoints = EndpointRequest.toAnyEndpoint()
            .excluding(explicitlyConfigured)
            .excludingLinks();
        configureEndpointAccess(http, requests, access, defaults, undefinedEndpoints);
    }));
}
/**
 * Opens the health and info actuator endpoints to everyone and requires an
 * authenticated user, via form login or HTTP Basic, for every other request.
 * @param http the http security builder
 * @throws Exception if the builder rejects the configuration
 */
@Override
protected void configure(HttpSecurity http) throws Exception {
    // Order matters: the public actuator rule precedes the authenticated catch-all.
    http.authorizeRequests()
        .requestMatchers(EndpointRequest.to(HealthEndpoint.class, InfoEndpoint.class)).permitAll()
        .anyRequest().authenticated();
    // Both authentication entry points are offered for the protected requests.
    http.formLogin();
    http.httpBasic();
}
/**
 * Builds the matcher for the links endpoint from the configured actuator base path.
 * @param context the web application context holding the {@link WebEndpointProperties}
 * @param requestMatcherFactory the factory used to build the path matchers
 * @return a matcher for the base path (with and without trailing slash), or
 * {@code EMPTY_MATCHER} when no base path is configured
 */
@Override
protected RequestMatcher createDelegate(WebApplicationContext context,
        RequestMatcherFactory requestMatcherFactory) {
    String basePath = context.getBean(WebEndpointProperties.class).getBasePath();
    // Without a base path there is no links page to match, so match nothing.
    if (!StringUtils.hasText(basePath)) {
        return EMPTY_MATCHER;
    }
    RequestMatcherProvider matcherProvider = getRequestMatcherProvider(context);
    List<RequestMatcher> linksMatchers = getLinksMatchers(requestMatcherFactory, matcherProvider, basePath);
    return new OrRequestMatcher(linksMatchers);
}
/**
 * Builds the matchers for the links endpoint: the base path itself and the base path
 * with a trailing slash.
 * @param requestMatcherFactory the factory used to build the path matchers
 * @param matcherProvider the provider handed to the factory
 * @param basePath the actuator base path
 * @return the two matchers, in that order
 */
protected List<RequestMatcher> getLinksMatchers(RequestMatcherFactory requestMatcherFactory,
        RequestMatcherProvider matcherProvider, String basePath) {
    RequestMatcher bare = requestMatcherFactory.antPath(matcherProvider, basePath);
    RequestMatcher withTrailingSlash = requestMatcherFactory.antPath(matcherProvider, basePath, "/");
    List<RequestMatcher> matchers = new ArrayList<>(2);
    matchers.add(bare);
    matchers.add(withTrailingSlash);
    return matchers;
}
/**
 * Resolves the application context once it is available and builds the delegate
 * matcher from it.
 * @param context supplier of the web application context
 */
@Override
protected final void initialized(Supplier<WebApplicationContext> context) {
    WebApplicationContext applicationContext = context.get();
    this.delegate = createDelegate(applicationContext);
}
/**
 * Converts an include/exclude entry to an {@link EndpointId}. Accepted sources are an
 * {@link EndpointId}, an endpoint id string, or an endpoint class.
 * @param source the entry to convert
 * @return the endpoint id
 * @throws IllegalStateException if the source is of any other type
 */
private EndpointId getEndpointId(Object source) {
    EndpointId resolved;
    if (source instanceof EndpointId) {
        resolved = (EndpointId) source;
    }
    else if (source instanceof String) {
        resolved = EndpointId.of((String) source);
    }
    else if (source instanceof Class) {
        resolved = getEndpointId((Class<?>) source);
    }
    else {
        throw new IllegalStateException("Unsupported source " + source);
    }
    return resolved;
}
/**
 * Configures the {@code /user} filter chain: anonymous access stays enabled, the
 * whitelisted paths and actuator endpoints are open, everything else needs an
 * authenticated user, and the CSRF token is exposed in a script-readable cookie.
 * @param http the http security builder
 * @throws Exception if the builder rejects the configuration
 */
@Override
public void configure(HttpSecurity http) throws Exception {
    http.anonymous();
    // This whole chain only applies to requests for "/user".
    http.antMatcher("/user");
    // NOTE(review): because the chain is scoped to "/user", the actuator rule below
    // looks unreachable from here — confirm it is intended or belongs in another chain.
    http.authorizeRequests()
        .requestMatchers(EndpointRequest.toAnyEndpoint()).permitAll()
        .antMatchers(AUTH_WHITELIST).permitAll()
        .anyRequest().authenticated();
    // withHttpOnlyFalse: the CSRF cookie is readable by client-side script so a
    // JavaScript client can send the token back in a request header.
    http.csrf().csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse());
}
}
/**
 * Returns a matcher that includes the specified {@link Endpoint actuator endpoints},
 * identified by their endpoint ids. For example: <pre class="code">
 * EndpointRequest.to("shutdown", "health")
 * </pre>
 * The links endpoint at the actuator base path is not part of this matcher; use
 * {@link EndpointRequest#toAnyEndpoint() toAnyEndpoint} when it should be covered too.
 * @param endpoints the endpoints to include
 * @return the configured {@link RequestMatcher}
 */
public static EndpointRequestMatcher to(String... endpoints) {
    // The flag mirrors toAnyEndpoint()'s "true": only the listed endpoints, no links page.
    boolean includeLinks = false;
    return new EndpointRequestMatcher(endpoints, includeLinks);
}
/**
 * Builds one ant-path matcher per endpoint path, each covering the path and everything
 * beneath it ({@code /**}).
 * @param requestMatcherFactory the factory used to build the path matchers
 * @param matcherProvider the provider handed to the factory
 * @param paths the endpoint paths to match
 * @return the matchers, one per path, in iteration order of {@code paths}
 */
private List<RequestMatcher> getDelegateMatchers(RequestMatcherFactory requestMatcherFactory,
        RequestMatcherProvider matcherProvider, Set<String> paths) {
    List<RequestMatcher> matchers = new ArrayList<>(paths.size());
    for (String path : paths) {
        matchers.add(requestMatcherFactory.antPath(matcherProvider, path, "/**"));
    }
    return matchers;
}
/**
 * Configures the {@code /user} filter chain: anonymous access stays enabled, the
 * whitelisted paths and actuator endpoints are open, everything else needs an
 * authenticated user, and the CSRF token is exposed in a script-readable cookie.
 * @param http the http security builder
 * @throws Exception if the builder rejects the configuration
 */
@Override
public void configure(HttpSecurity http) throws Exception {
    http.anonymous();
    // This whole chain only applies to requests for "/user".
    http.antMatcher("/user");
    // NOTE(review): because the chain is scoped to "/user", the actuator rule below
    // looks unreachable from here — confirm it is intended or belongs in another chain.
    http.authorizeRequests()
        .requestMatchers(EndpointRequest.toAnyEndpoint()).permitAll()
        .antMatchers(AUTH_WHITELIST).permitAll()
        .anyRequest().authenticated();
    // withHttpOnlyFalse: the CSRF cookie is readable by client-side script so a
    // JavaScript client can send the token back in a request header.
    http.csrf().csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse());
}
}
/**
 * Returns a matcher that includes all {@link Endpoint actuator endpoints}. It also
 * includes the links endpoint which is present at the base path of the actuator
 * endpoints. The {@link EndpointRequestMatcher#excluding(Class...) excluding} method
 * can be used to further remove specific endpoints if required. For example:
 * <pre class="code">
 * EndpointRequest.toAnyEndpoint().excluding(ShutdownEndpoint.class)
 * </pre>
 * @return the configured {@link RequestMatcher}
 */
public static EndpointRequestMatcher toAnyEndpoint() {
    // No include list: everything is matched, and the links page is included as well.
    boolean includeLinks = true;
    return new EndpointRequestMatcher(includeLinks);
}
/**
 * Configures the {@code /user} filter chain: anonymous access stays enabled, the
 * whitelisted paths and actuator endpoints are open, everything else needs an
 * authenticated user, and the CSRF token is exposed in a script-readable cookie.
 * @param http the http security builder
 * @throws Exception if the builder rejects the configuration
 */
@Override
public void configure(HttpSecurity http) throws Exception {
    http.anonymous();
    // This whole chain only applies to requests for "/user".
    http.antMatcher("/user");
    // NOTE(review): because the chain is scoped to "/user", the actuator rule below
    // looks unreachable from here — confirm it is intended or belongs in another chain.
    http.authorizeRequests()
        .requestMatchers(EndpointRequest.toAnyEndpoint()).permitAll()
        .antMatchers(AUTH_WHITELIST).permitAll()
        .anyRequest().authenticated();
    // withHttpOnlyFalse: the CSRF cookie is readable by client-side script so a
    // JavaScript client can send the token back in a request header.
    http.csrf().csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse());
}
}
/**
 * Returns a copy of this matcher that no longer matches the links endpoint. The
 * include and exclude lists are carried over unchanged; this instance is not modified.
 * @return the new matcher without the links endpoint
 */
public EndpointRequestMatcher excludingLinks() {
    boolean includeLinks = false;
    return new EndpointRequestMatcher(this.includes, this.excludes, includeLinks);
}
/**
 * Returns a copy of this matcher that additionally excludes the given endpoint classes.
 * Existing exclusions are kept; this instance is not modified.
 * @param endpoints the endpoint classes to exclude
 * @return the new matcher
 */
public EndpointRequestMatcher excluding(Class<?>... endpoints) {
    List<Object> merged = new ArrayList<>(this.excludes.size() + endpoints.length);
    merged.addAll(this.excludes);
    for (Class<?> endpoint : endpoints) {
        merged.add(endpoint);
    }
    return new EndpointRequestMatcher(this.includes, merged, this.includeLinks);
}
/**
 * Returns a copy of this matcher that additionally excludes the given endpoint ids.
 * Existing exclusions are kept; this instance is not modified.
 * @param endpoints the endpoint ids to exclude
 * @return the new matcher
 */
public EndpointRequestMatcher excluding(String... endpoints) {
    List<Object> merged = new ArrayList<>(this.excludes.size() + endpoints.length);
    merged.addAll(this.excludes);
    for (String endpoint : endpoints) {
        merged.add(endpoint);
    }
    return new EndpointRequestMatcher(this.includes, merged, this.includeLinks);
}