dmahapatro / grails-actuator-ui

UI representation of Spring Boot Actuator in a Grails 3 app
Apache License 2.0

Issue securing /actuator/dashboard #8

Closed pjdvmalan closed 6 years ago

pjdvmalan commented 8 years ago

Great plugin!

With securityConfigType = "Annotation", I cannot seem to secure http://localhost:8080/actuator/dashboard/

If I use:

```groovy
grails.plugin.springsecurity.controllerAnnotations.staticRules = [
    [pattern: '/',                    access: ['permitAll']],
    [pattern: '/error',               access: ['permitAll']],
    [pattern: '/index',               access: ['permitAll']],
    [pattern: '/index.gsp',           access: ['permitAll']],
    [pattern: '/shutdown',            access: ['permitAll']],
    [pattern: '/assets/',             access: ['permitAll']],
    [pattern: '//js/',                access: ['permitAll']],
    [pattern: '//css/',               access: ['permitAll']],
    [pattern: '//images/',            access: ['permitAll']],
    [pattern: '//favicon.ico',        access: ['permitAll']],
    [pattern: '/login/impersonate',   access: ['ROLE_ADMIN', 'IS_AUTHENTICATED_FULLY']],
    [pattern: '/logout/impersonate',  access: ['permitAll']],
    [pattern: '/console/',            access: ['ROLE_ADMIN']],
    [pattern: '/metrics/',            access: ['ROLE_ADMIN']],
    [pattern: '/trace/',              access: ['ROLE_ADMIN']],
    [pattern: '/monitoring',          access: ['ROLE_ADMIN']],
    [pattern: '//installer/',         access: ['denyAll']],
    [pattern: '/persistentLogin/',    access: ['ROLE_ADMIN']],
    [pattern: '/role/',               access: ['ROLE_ADMIN']],
    [pattern: '/registrationCode/',   access: ['ROLE_ADMIN']],
    [pattern: '/securityInfo/',       access: ['ROLE_ADMIN']],
    [pattern: '/dump/',               access: ['ROLE_ADMIN']],
    [pattern: '/actuator/',           access: ['ROLE_ADMIN']],
    [pattern: '/actuatordashboard/',  access: ['ROLE_ADMIN']]
]
```

Stack:

Plugins:

Am I missing something obvious?

rpalcolea commented 8 years ago

From the README:

```yaml
grails:
    plugin:
        springsecurity:
            userLookup:
                userDomainClassName: auth.User
                authorityJoinClassName: auth.UserRole
            authority:
                className: auth.Role
            controllerAnnotations:
                staticRules:
                    - pattern: '/actuatordashboard/**'
                      access: ['hasRole("ROLE_ADMIN")']
                    - pattern: '/actuator/**'
                      access: ['hasRole("ROLE_ADMIN")']
```

Perhaps you are missing the `/**`? Just an idea.

dmahapatro commented 8 years ago

With `securityConfigType = Annotation`, you will not have control to annotate the controller (`ActuatorDashboardController`) which is present in the plugin. The only way would be to use controller annotation static rules as shown in the README and highlighted above by @rpalcolea.

Refer to the Spring Security Plugin Doc for additional detail.

pjdvmalan commented 8 years ago

Somehow that was removed in my initial report above, I have:

```groovy
[pattern: '/actuator/**',           access: ['ROLE_ADMIN']],
[pattern: '/actuatordashboard/**',  access: ['ROLE_ADMIN']]
```

daptordarattler commented 7 years ago

Any solutions to this issue? I have the same problem. Changed to the "InterceptUrlMap", but the issue still persists:

```groovy
grails.plugin.springsecurity.securityConfigType = "InterceptUrlMap"
grails.plugin.springsecurity.interceptUrlMap = [
        [pattern: '/',               access: ['permitAll']],
        [pattern: '/error',          access: ['permitAll']],
        [pattern: '/index',          access: ['permitAll']],
        [pattern: '/index.gsp',      access: ['permitAll']],
        [pattern: '/shutdown',       access: ['permitAll']],
        [pattern: '/assets/**',      access: ['permitAll']],
        [pattern: '/**/js/**',       access: ['permitAll']],
        [pattern: '/**/css/**',      access: ['permitAll']],
        [pattern: '/**/images/**',   access: ['permitAll']],
        [pattern: '/**/favicon.ico', access: ['permitAll']],
        [pattern: '/login',          access: ['permitAll']],
        [pattern: '/login/**',       access: ['permitAll']],
        [pattern: '/logout',         access: ['permitAll']],
        [pattern: '/logout/**',      access: ['permitAll']],
        [pattern: '/actuatorDashboard/**',   access: ["ROLE_ADMIN"]],
        [pattern: '/actuator/**',   access: ["ROLE_ADMIN"]]
]
```

tkvw commented 7 years ago

Try:

```groovy
[pattern: '/actuator:actuatordashboard/**',        access: ['ROLE_ADMIN']],
```

The plugin uses the namespace `actuator`; apparently Grails includes the namespace in the final URL.

beechovsky commented 7 years ago

Has there been any progress on this? I am encountering the same issue, and tkvw's answer didn't resolve it.

martinduris commented 7 years ago

@tkvw thanks, your idea helped me! I could see only the dashboard - for other pages I didn't have privileges (whatever changes I made to the static rules). With `'/actuator:actuatordashboard/**'` I am able to control access to the UI page.
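The two failure modes in this thread (a rule like `/actuator/` that lost its `/**` and so only covers that exact path, and a dashboard that is only covered once the namespaced pattern `/actuator:actuatordashboard/**` is present) are both questions of which static rule, if any, matches a given path. The following added example, which is not code from grails-actuator-ui or from the Grails Spring Security plugin, is a small Python re-implementation of the Ant-style matching these rules use (`*` within one segment, `**` for zero or more segments, trailing-slash agreement as in Spring's `AntPathMatcher`) so a rule list can be audited offline before deploying it. The rule lists and candidate paths are constructed for illustration; the assumption that the first matching rule wins, and the path strings tried, are this example's, not values taken from the plugin.

```python
"""Audit which Spring Security static rule covers a request path.

Added example for this thread; not code from grails-actuator-ui or from
the Grails Spring Security plugin. Re-implements the subset of Ant-style
matching the rules use ('*' within a segment, '**' for zero or more
segments, trailing-slash agreement as in Spring's AntPathMatcher).
Assumption: rules are evaluated top to bottom, first match wins.
"""
import re


def _segment_matches(pattern_seg, path_seg):
    # A '*' inside one segment matches any run of characters except '/'.
    regex = "^" + ".*".join(re.escape(p) for p in pattern_seg.split("*")) + "$"
    return re.match(regex, path_seg) is not None


def _match(pat, segs):
    # Recursive segment-by-segment match over lists of path segments.
    if not pat:
        return not segs
    if pat[0] == "**":
        # '**' may swallow zero or more segments: try every split point.
        return any(_match(pat[1:], segs[i:]) for i in range(len(segs) + 1))
    if not segs:
        return False
    return _segment_matches(pat[0], segs[0]) and _match(pat[1:], segs[1:])


def ant_match(pattern, path):
    """Return True if the Ant-style pattern matches the request path."""
    pat = [s for s in pattern.split("/") if s]
    segs = [s for s in path.split("/") if s]
    if not _match(pat, segs):
        return False
    if pat and pat[-1] == "**":
        return True  # a trailing '**' does not care about a trailing slash
    # Otherwise both sides must agree on whether there is a trailing slash.
    return pattern.endswith("/") == path.endswith("/")


def first_matching_rule(rules, path):
    """Return (pattern, access) of the first rule that matches, else None."""
    for rule in rules:
        if ant_match(rule["pattern"], path):
            return rule["pattern"], rule["access"]
    return None


def audit(rules, paths):
    """Map each path to the rule that governs it ('UNMATCHED' if none)."""
    return {p: first_matching_rule(rules, p) or "UNMATCHED" for p in paths}


# Constructed rule lists (not the plugin's). The first mirrors the report
# above after the '**' was lost: only the exact path '/actuator/' is covered.
# The second adds the namespaced pattern suggested in the thread.
RULES_WITHOUT_GLOB = [
    {"pattern": "/", "access": ["permitAll"]},
    {"pattern": "/assets/", "access": ["permitAll"]},
    {"pattern": "/actuator/", "access": ["ROLE_ADMIN"]},
    {"pattern": "/actuatordashboard/", "access": ["ROLE_ADMIN"]},
]

RULES_WITH_GLOB = [
    {"pattern": "/", "access": ["permitAll"]},
    {"pattern": "/assets/**", "access": ["permitAll"]},
    {"pattern": "/actuator:actuatordashboard/**", "access": ["ROLE_ADMIN"]},
    {"pattern": "/actuator/**", "access": ["ROLE_ADMIN"]},
]

# Constructed candidate paths; the namespaced one is an assumption about the
# path the plugin evaluates, based on tkvw's comment, not a verified value.
CANDIDATE_PATHS = [
    "/",
    "/actuator/dashboard/",
    "/actuator/health",
    "/actuator:actuatordashboard/index",
]

if __name__ == "__main__":
    for label, rules in (("without **", RULES_WITHOUT_GLOB), ("with **", RULES_WITH_GLOB)):
        print(f"--- {label} ---")
        for path, result in audit(rules, CANDIDATE_PATHS).items():
            print(f"{path:40} {result}")
```

Running it shows every `/actuator/...` path as `UNMATCHED` under the first list, which is the symptom reported at the top of the thread, while the second list resolves each of them to a `ROLE_ADMIN` rule. Paste your own `staticRules` or `interceptUrlMap` entries into the list and add the paths you expect to be protected; any `UNMATCHED` or `permitAll` result for an actuator path is worth a look before relying on the configuration.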