1   package cn.home1.cloud.config.server.security;
2   
3   import static cn.home1.cloud.config.server.security.Role.ADMIN;
4   import static cn.home1.cloud.config.server.security.Role.HOOK;
5   import static org.springframework.boot.autoconfigure.security.SecurityProperties.ACCESS_OVERRIDE_ORDER;
6   
7   import org.springframework.beans.factory.annotation.Autowired;
8   import org.springframework.beans.factory.annotation.Value;
9   import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
10  import org.springframework.cloud.config.server.config.ConfigServerProperties;
11  import org.springframework.cloud.config.server.environment.EnvironmentController;
12  import org.springframework.context.annotation.Bean;
13  import org.springframework.context.annotation.Configuration;
14  import org.springframework.core.annotation.Order;
15  import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
16  import org.springframework.security.config.annotation.web.builders.HttpSecurity;
17  import org.springframework.security.config.annotation.web.builders.WebSecurity;
18  import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
19  import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
20  import org.springframework.security.crypto.password.NoOpPasswordEncoder;
21  
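@ConditionalOnProperty(prefix = "security.basic", name = "enabled", havingValue = "true")
@Configuration
@EnableWebSecurity
@Order(ACCESS_OVERRIDE_ORDER)
public class ApplicationWebSecurityConfigurerAdapter extends WebSecurityConfigurerAdapter {

    @Autowired
    private ConfigSecurity configSecurity;

    @Autowired
    private ConfigServerProperties configServerProperties;

    @Autowired
    private EnvironmentController environmentController;

    /**
     * Delegates to the superclass; no web-level customisation beyond the defaults is applied here.
     *
     * @param web the web security builder
     * @throws Exception propagated from {@link WebSecurityConfigurerAdapter#init(WebSecurity)}
     */
    @Override
    public void init(final WebSecurity web) throws Exception {
        super.init(web);
    }

    /**
     * Registers the Git-file-backed user store as the authentication source.
     *
     * <p>{@link NoOpPasswordEncoder} compares the stored credential and the presented one as plain
     * text, so the user store must hold plaintext passwords. Moving to a hashing encoder (for
     * example BCrypt) requires the stored credentials to be re-encoded in that format first; do not
     * change the encoder in isolation.
     *
     * @param auth the authentication manager builder
     * @throws Exception propagated from the builder
     */
    @Override
    protected void configure(final AuthenticationManagerBuilder auth) throws Exception {
        auth.userDetailsService(this.userDetailsService()).passwordEncoder(NoOpPasswordEncoder.getInstance());
    }

    /**
     * Declares the access rules for the config server endpoints.
     *
     * <p>Spring Security evaluates {@code antMatchers} rules in declaration order and the first
     * matching rule wins. A path must therefore appear in exactly one rule: a {@code permitAll()}
     * listed before a role-restricted rule on the same path silently makes the restriction
     * unreachable. The trailing {@code anyRequest()} rule is the deny-by-default fallback: every
     * path not listed explicitly requires {@code ADMIN}.
     *
     * @param http the HTTP security builder
     * @throws Exception propagated from the builder
     */
    @Override
    protected void configure(final HttpSecurity http) throws Exception {
        final String configServerPrefix = this.configServerProperties.getPrefix();
        final String monitorEndpoint = configServerPrefix + "/monitor";

        // Environment endpoints; authorised per application/profile by the SpEL expression below,
        // which receives the {application} and {profiles} path variables.
        final String[] environmentEndpoints = { //
            configServerPrefix + "/{application}/{profiles:.*[^-].*}", //
            configServerPrefix + "/{application}/{profiles}/{label:.*}", //
            configServerPrefix + "/{application}-{profiles}.json", //
            configServerPrefix + "/{label}/{application}-{profiles}.json", //
            configServerPrefix + "/{application}-{profiles}.properties", //
            configServerPrefix + "/{application}/{name}-{profiles}.properties", //
            configServerPrefix + "/{application}-{profiles}.yml", //
            configServerPrefix + "/{application}-{profiles}.yaml", //
            configServerPrefix + "/{label}/{application}-{profiles}.yml", //
            configServerPrefix + "/{label}/{application}-{profiles}.yaml", //
            configServerPrefix + "/{application}/{profiles}/{label}/**", //
        };

        http //
            // Clients authenticate per request with HTTP basic (see httpBasic() below); CSRF
            // protection is deliberately off for this API.
            .csrf().disable() //
            .authorizeRequests() //
            .antMatchers(configServerPrefix + "/").permitAll() //
            .antMatchers(configServerPrefix + "/deployKeyPublic").permitAll() //
            // Decryption with the server key is ADMIN-only; encryption is open to anyone.
            .antMatchers(configServerPrefix + "/decrypt").hasRole(ADMIN.toString()) //
            .antMatchers(configServerPrefix + "/encrypt").permitAll() //
            .antMatchers(configServerPrefix + "/encryptParentPassword").hasRole(ADMIN.toString()) //
            // /monitor is restricted to ADMIN or HOOK and is matched here only. It must not also
            // be part of an earlier permitAll() rule, or this restriction is never evaluated.
            .antMatchers(monitorEndpoint).hasAnyRole(ADMIN.toString(), HOOK.toString()) //
            // Bean name "applicationConfigSecurity" resolves to the @Bean method below.
            .antMatchers(environmentEndpoints) //
            .access("@applicationConfigSecurity.checkAuthentication(#application,#profiles)") //
            .anyRequest().hasRole(ADMIN.toString()) //
            .and() //
            .httpBasic();
    }

    /**
     * Authorisation helper referenced by name from the SpEL {@code access(...)} expression.
     *
     * @return a new {@link ApplicationConfigSecurity}
     */
    @Bean
    public ApplicationConfigSecurity applicationConfigSecurity() {
        return new ApplicationConfigSecurity();
    }

    /**
     * Holder for the built-in privileged user settings consumed by the user details service.
     *
     * @return a new {@link PrivilegedUserProperties}
     */
    @Bean
    public PrivilegedUserProperties privilegedUserProperties() {
        return new PrivilegedUserProperties();
    }

    /**
     * Builds the user store that backs HTTP basic authentication.
     *
     * <p>The service is given the shared {@link ConfigSecurity}, the config server's default label,
     * the privileged user settings and the {@link EnvironmentController} it uses to look up users.
     *
     * @return the fully wired {@link GitFileConfigUserDetailsService}
     */
    @Bean
    public GitFileConfigUserDetailsService userDetailsService() {
        final GitFileConfigUserDetailsService userDetailsService = new GitFileConfigUserDetailsService();
        userDetailsService.setConfigSecurity(this.configSecurity);
        userDetailsService.setDefaultLabel(this.configServerProperties.getDefaultLabel());
        userDetailsService.setPrivilegedUserProperties(this.privilegedUserProperties());
        userDetailsService.setEnvironmentController(this.environmentController);
        return userDetailsService;
    }
}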
102 }