From 20fa1b3b483d375f8bb15bbe2b9c0a83addfe209 Mon Sep 17 00:00:00 2001
From: Vedran Pavic
Date: Wed, 3 Feb 2016 08:04:52 +0100
Subject: [PATCH] Support configuration of multiple management roles

Closes gh-5045
---
 .../actuate/autoconfigure/CrshAutoConfiguration.java | 4 ++--
 .../autoconfigure/ManagementServerProperties.java | 12 ++++++++----
 .../ManagementWebSecurityAutoConfiguration.java | 7 ++++---
 .../asciidoc/appendix-application-properties.adoc | 2 +-
 .../src/main/asciidoc/production-ready-features.adoc | 2 +-
 5 files changed, 16 insertions(+), 11 deletions(-)

diff --git a/spring-boot-actuator/src/main/java/org/springframework/boot/actuate/autoconfigure/CrshAutoConfiguration.java b/spring-boot-actuator/src/main/java/org/springframework/boot/actuate/autoconfigure/CrshAutoConfiguration.java
index f7fc6dd765a..235aa885728 100644
--- a/spring-boot-actuator/src/main/java/org/springframework/boot/actuate/autoconfigure/CrshAutoConfiguration.java
+++ b/spring-boot-actuator/src/main/java/org/springframework/boot/actuate/autoconfigure/CrshAutoConfiguration.java
@@ -196,8 +196,8 @@ public class CrshAutoConfiguration {
 // overridden by ConfigurationProperties.
 SpringAuthenticationProperties authenticationProperties = new SpringAuthenticationProperties();
 if (this.management != null) {
- authenticationProperties.setRoles(
- new String[] { this.management.getSecurity().getRole() });
+ List roles = this.management.getSecurity().getRole();
+ authenticationProperties.setRoles(roles.toArray(new String[roles.size()]));
 }
 return authenticationProperties;
 }
diff --git a/spring-boot-actuator/src/main/java/org/springframework/boot/actuate/autoconfigure/ManagementServerProperties.java b/spring-boot-actuator/src/main/java/org/springframework/boot/actuate/autoconfigure/ManagementServerProperties.java
index f53f3d4fe5b..db13dd5ebd7 100644
--- a/spring-boot-actuator/src/main/java/org/springframework/boot/actuate/autoconfigure/ManagementServerProperties.java
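Review bot: Neither this hunk nor the `hasAnyRole` hunk in ManagementWebSecurityAutoConfiguration rejects an empty role list, so if `management.security.role` binds to an empty list, `setRoles(new String[0])` and `hasAnyRole()` with no arguments are handed to the downstream libraries and the resulting access policy is whatever they do with no roles, whereas the removed code always passed exactly one element. Because this value decides who may reach the management endpoints, failing fast at startup is safer than relying on that behaviour, e.g. `if (roles.isEmpty()) { throw new IllegalStateException("management.security.role must not be empty"); }` before the `setRoles`/`hasAnyRole` call, or converting the list to an array once on the `Security` properties object so both call sites share one check. The visible `List roles` carries no type argument; if that is not a rendering artefact of this page, it should be `List<String>`. The method containing this hunk starts before the hunk.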
+++ b/spring-boot-actuator/src/main/java/org/springframework/boot/actuate/autoconfigure/ManagementServerProperties.java
@@ -17,6 +17,9 @@ package org.springframework.boot.actuate.autoconfigure;
 import java.net.InetAddress;
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.List;
 import javax.validation.constraints.NotNull;
@@ -33,6 +36,7 @@ import org.springframework.util.StringUtils;
 *
 * @author Dave Syer
 * @author Stephane Nicoll
+ * @author Vedran Pavic
 * @see ServerProperties
 */
 @ConfigurationProperties(prefix = "management", ignoreUnknownFields = true)
@@ -160,9 +164,9 @@ public class ManagementServerProperties implements SecurityPrerequisite {
 private boolean enabled = true;
 /**
- * Role required to access the management endpoint.
+ * Roles required to access the management endpoint.
 */
- private String role = "ADMIN";
+ private List role = new ArrayList(Arrays.asList("ADMIN"));
 /**
 * Session creating policy to use (always, never, if_required, stateless).
@@ -177,11 +181,11 @@ public class ManagementServerProperties implements SecurityPrerequisite {
 this.sessions = sessions;
 }
- public void setRole(String role) {
+ public void setRole(List role) {
 this.role = role;
 }
- public String getRole() {
+ public List getRole() {
 return this.role;
 }
diff --git a/spring-boot-actuator/src/main/java/org/springframework/boot/actuate/autoconfigure/ManagementWebSecurityAutoConfiguration.java b/spring-boot-actuator/src/main/java/org/springframework/boot/actuate/autoconfigure/ManagementWebSecurityAutoConfiguration.java
index a4f5ab2be85..4030250622a 100644
--- a/spring-boot-actuator/src/main/java/org/springframework/boot/actuate/autoconfigure/ManagementWebSecurityAutoConfiguration.java
+++ b/spring-boot-actuator/src/main/java/org/springframework/boot/actuate/autoconfigure/ManagementWebSecurityAutoConfiguration.java
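Review bot: The new field Javadoc `Roles required to access the management endpoint.` does not tell the reader how to supply more than one value, and the property keeps its singular name `role`, so nothing in the generated property reference hints that a comma-separated list is accepted; the same wording is repeated in the appendix-application-properties.adoc hunk. Suggest `Comma-separated list of roles that can access the management endpoint.` for the Javadoc (and the adoc line), assuming the usual Boot binding of comma-separated values to a List applies here and that the field Javadoc is what the property reference is generated from. `setRole` stores the caller's list as-is and `getRole` hands the internal list back live; a short comment saying that is intentional (presumably so property binding can add to it) would stop a later maintainer from wrapping it in an unmodifiable copy. The `private List role = new ArrayList(Arrays.asList("ADMIN"))` line shows no type arguments; if this is not a rendering artefact of the page, it should read `List<String>` / `new ArrayList<String>(...)`.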
@@ -124,7 +124,7 @@ public class ManagementWebSecurityAutoConfiguration {
 public void init() {
 if (this.management != null && this.security != null) {
 this.security.getUser().getRole()
- .add(this.management.getSecurity().getRole());
+ .addAll(this.management.getSecurity().getRole());
 }
 }
@@ -296,8 +296,9 @@ public class ManagementWebSecurityAutoConfiguration {
 // Permit access to the non-sensitive endpoints
 requests.requestMatchers(new LazyEndpointPathRequestMatcher(
 this.contextResolver, EndpointPaths.NON_SENSITIVE)).permitAll();
- // Restrict the rest to the configured role
- requests.anyRequest().hasRole(this.management.getSecurity().getRole());
+ // Restrict the rest to the configured roles
+ List roles = this.management.getSecurity().getRole();
+ requests.anyRequest().hasAnyRole(roles.toArray(new String[roles.size()]));
 }
 }
diff --git a/spring-boot-docs/src/main/asciidoc/appendix-application-properties.adoc b/spring-boot-docs/src/main/asciidoc/appendix-application-properties.adoc
index e7a94864ab7..b31c92487f0 100644
--- a/spring-boot-docs/src/main/asciidoc/appendix-application-properties.adoc
+++ b/spring-boot-docs/src/main/asciidoc/appendix-application-properties.adoc
@@ -996,7 +996,7 @@ content into your application; rather pick only the properties that you need.
 management.context-path= # Management endpoint context-path. For instance `/actuator`
 management.port= # Management endpoint HTTP port. Use the same port as the application by default.
 management.security.enabled=true # Enable security.
- management.security.role=ADMIN # Role required to access the management endpoint.
+ management.security.role=ADMIN # Roles required to access the management endpoint.
 management.security.sessions=stateless # Session creating policy to use (always, never, if_required, stateless).
 # HEALTH INDICATORS (previously health.*)
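Review bot: The `addAll` in `init()` now grants every role listed in `management.security.role` to the `security.user` account, a wider grant than the previous single `add`, and that consequence is not obvious from a one-word change; a comment above the statement would make it explicit, e.g. `// The default user receives all management roles so it can reach the secured endpoints` (adjust if the maintainers describe the purpose differently). It also appends without checking for entries already present, so a role that `security.user.role` already lists ends up in the list twice; if the consumer of that list cares about duplicates, skip roles the list already contains. `init()` is fully inside the hunk; the enclosing class is not.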
diff --git a/spring-boot-docs/src/main/asciidoc/production-ready-features.adoc b/spring-boot-docs/src/main/asciidoc/production-ready-features.adoc
index cc680083e1b..60d8289cd17 100644
--- a/spring-boot-docs/src/main/asciidoc/production-ready-features.adoc
+++ b/spring-boot-docs/src/main/asciidoc/production-ready-features.adoc
@@ -520,7 +520,7 @@ TIP: Generated passwords are logged as the application starts. Search for '`Usin
 security password`'.
 You can use Spring properties to change the username and password and to change the
-security role required to access the endpoints. For example, you might set the following
+security roles required to access the endpoints. For example, you might set the following
 in your `application.properties`:
 [source,properties,indent=0]