前提条件(Prerequisite)

1.你的项目里引进了Spring web security 

SRE实战 互联网时代守护先锋,助力企业售后服务体系运筹帷幄!一键直达领取阿里云限量特价优惠。

<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>

<version>1.5.19.RELEASE</version
</dependency>

2. application.properties

management.context-path=/mgmt

3. 给Actuator相关的URL 加了另外的权限

http.authorizeRequests()
.antMatchers("/mgmt/**").hasAnyRole(ADMIN, SUPPORT, ACTUATOR)
.antMatchers("/**").hasRole(USER)
.and().formLogin().and().httpBasic();

出现的问题(Issue )-- 当登陆你的username and password 时 而且你这个user 是 ADMIN 或SUPPORT时, 出现下面错误页面。

Access is denied. User must have one of the these roles: ACTUATOR

解决方法(Solution)

disable manangement security in application.properties 或系统参数

management.security.enabled=false

原因(Cause)

Spring 会用一个MvcEndpointSecurityInterceptor 阻止所有非actuator角色的用户, 及时你已经重新自定义自己的权限管理。

private void sendFailureResponse(HttpServletRequest request,
HttpServletResponse response) throws Exception {
if (request.getUserPrincipal() != null) {
String roles = StringUtils.collectionToDelimitedString(this.roles, " ");
response.sendError(HttpStatus.FORBIDDEN.value(),
"Access is denied. User must have one of the these roles: " + roles);
}

 

扫码关注我们
微信号:SRE实战
拒绝背锅 运筹帷幄