codecentric / spring-boot-admin

Admin UI for administration of spring boot applications
Apache License 2.0

Sample doesn't take `adminContextPath` in to account for csrf config #894

Closed murilolocatelli closed 6 years ago

murilolocatelli commented 6 years ago

I am developing according to the documentation: https://codecentric.github.io/spring-boot-admin/2.0.2, but I can't get a client to register in a secured application.

My configuration is:

application.yml

# Security config
spring.security.user:
  name: admin
  password: admin

# Actuator config
management:
  endpoint:
    shutdown.enabled: true
    health.show-details: always
  endpoints.web.exposure.include: '*'

# Spring boot admin config
spring.boot.admin:
  context-path: /admin
  client:
    url: http://localhost:8080/admin
    username: ${spring.security.user.name}
    password: ${spring.security.user.password}
    instance:
      name: ${app.name}
      metadata.user:
        name: ${spring.security.user.name}
        password: ${spring.security.user.password}

WebSecurityConfiguration

import de.codecentric.boot.admin.server.config.AdminServerProperties;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;

@Configuration
public class WebSecurityConfiguration extends WebSecurityConfigurerAdapter {
    private final String adminContextPath;

    public WebSecurityConfiguration(AdminServerProperties adminServerProperties) {
        this.adminContextPath = adminServerProperties.getContextPath();
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        SavedRequestAwareAuthenticationSuccessHandler successHandler = new SavedRequestAwareAuthenticationSuccessHandler();
        successHandler.setTargetUrlParameter("redirectTo");
        successHandler.setDefaultTargetUrl(adminContextPath + "/");

        http.authorizeRequests()
                .antMatchers(adminContextPath + "/assets/**").permitAll()
                .antMatchers(adminContextPath + "/login").permitAll()
                .anyRequest().authenticated()
                .and()
                .formLogin().loginPage(adminContextPath + "/login").successHandler(successHandler).and()
                .logout().logoutUrl(adminContextPath + "/logout").and()
                .httpBasic().and()
                .csrf()
                .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
                // CSRF exemptions as originally posted (the cause of the 401 discussed below)
                .ignoringAntMatchers("/instances", "/actuator/**");
    }

}

And this error is occurring:

2018-08-22 00:44:21.770 DEBUG 9616 --- [gistrationTask1] d.c.b.a.c.r.ApplicationRegistrator: Failed to register application as Application(name=template-api, managementUrl=http://localhost:8080/actuator, healthUrl=http://localhost:8080/actuator/health, serviceUrl=http://localhost:8080/) at spring-boot-admin ([http://localhost:8080/admin/instances]): 401 null

Can someone please help with this 401?

harishkadamudi commented 6 years ago

What version of Spring Boot are you running?

murilolocatelli commented 6 years ago

I'm using 2.0.4.RELEASE.

joshiste commented 6 years ago

I'd guess

      metadata.user:
        name: ${spring.security.user.name}
        password: ${spring.security.user.password}

must be:

      metadata:
        user.name: ${spring.security.user.name}
        user.password: ${spring.security.user.password}

due to the fact that metadata is a map of strings...

murilolocatelli commented 6 years ago

I tried this way:

      metadata:
        user.name: ${spring.security.user.name}
        user.password: ${spring.security.user.password}

But the same error occurs.

joshiste commented 6 years ago

Without a project to reproduce the issue it's hard to tell where you made a mistake. Please provide a project to reproduce the issue.

murilolocatelli commented 6 years ago

I cleaned the project, keeping only the spring boot admin configs. The error remains. The project follows:

template-api.zip

joshiste commented 6 years ago

.ignoringAntMatchers("/instances", "/actuator/**"); must read .ignoringAntMatchers(adminContextPath + "/instances", adminContextPath + "/actuator/**");

It's also wrong in the docs. I'll fix that.
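For reference, the full security configuration from this thread with the fix described above applied. This is an added example, not code from the spring-boot-admin project or from the issue author; it assumes Spring Boot 2.0.x with Spring Security 5.0 and spring-boot-admin-server 2.0.x (where AdminServerProperties lives in de.codecentric.boot.admin.server.config), and the package name is hypothetical.

```java
// Added example: the thread's WebSecurityConfiguration with the CSRF exemptions
// prefixed by the admin context path. Assumes Spring Boot 2.0.x / Spring Security 5.0
// and spring-boot-admin-server 2.0.x; package name is hypothetical.
package com.example.adminserver;

import de.codecentric.boot.admin.server.config.AdminServerProperties;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;

@Configuration
public class WebSecurityConfiguration extends WebSecurityConfigurerAdapter {
    private final String adminContextPath;

    public WebSecurityConfiguration(AdminServerProperties adminServerProperties) {
        // "/admin" with the application.yml in this thread; "" when no context path is set
        this.adminContextPath = adminServerProperties.getContextPath();
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        SavedRequestAwareAuthenticationSuccessHandler successHandler =
                new SavedRequestAwareAuthenticationSuccessHandler();
        successHandler.setTargetUrlParameter("redirectTo");
        successHandler.setDefaultTargetUrl(adminContextPath + "/");

        http.authorizeRequests()
                // static UI assets and the login page are public; everything else needs a user
                .antMatchers(adminContextPath + "/assets/**").permitAll()
                .antMatchers(adminContextPath + "/login").permitAll()
                .anyRequest().authenticated()
                .and()
                .formLogin().loginPage(adminContextPath + "/login").successHandler(successHandler).and()
                .logout().logoutUrl(adminContextPath + "/logout").and()
                // clients register with HTTP Basic, browsers use the form login
                .httpBasic().and()
                .csrf()
                .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
                // The registering client sends Basic credentials but no CSRF token, so the
                // registration endpoint and the proxied actuator endpoints must be exempt.
                // Both are served under the admin context path, so the patterns must carry
                // that prefix: a bare "/instances" never matches "/admin/instances", the
                // POST is rejected, and the client logs the 401 reported in this thread.
                // Keep the exemption exactly this narrow; every other state-changing
                // request stays CSRF-protected.
                .ignoringAntMatchers(
                        adminContextPath + "/instances",
                        adminContextPath + "/actuator/**");
    }
}
```

A quick check before deploying: with `spring.boot.admin.context-path: /admin`, the client in this thread posts to http://localhost:8080/admin/instances, so the exempted pattern must resolve to exactly that path. If the context path is later changed, the matchers follow it automatically because they are derived from AdminServerProperties rather than hard-coded.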

murilolocatelli commented 6 years ago

Now it works. Thanks @joshiste.

CrazyZfp commented 5 years ago

.ignoringAntMatchers("/instances", "/actuator/**"); must read .ignoringAntMatchers(adminContextPath + "/instances", adminContextPath + "/actuator/**");

It's also wrong in the docs. I'll fix that

@joshiste I have a similar issue.

My dependency version info: org.springframework.boot:spring-boot-starter-security:2.1.0.RELEASE, de.codecentric:spring-boot-admin-starter-server:2.1.1

I use .ignoringAntMatchers(adminContextPath + "/instances", adminContextPath + "/actuator/**"); instead of .ignoringAntMatchers("/instances", "/actuator/**");

But the SBA client still fails to register the application for the same reason: 401 null.