Support configuration of multiple management roles

Closes gh-5045
2016-02-03 08:04:52 +01:00 · 2016-02-03 08:04:52 +01:00 · 20fa1b3b48
parent e9a226c8f8
commit 20fa1b3b48
5 changed files with 16 additions and 11 deletions
--- a/spring-boot-actuator/src/main/java/org/springframework/boot/actuate/autoconfigure/CrshAutoConfiguration.java
+++ b/spring-boot-actuator/src/main/java/org/springframework/boot/actuate/autoconfigure/CrshAutoConfiguration.java
@ -196,8 +196,8 @@ public class CrshAutoConfiguration {
 			// overridden by ConfigurationProperties.
 			SpringAuthenticationProperties authenticationProperties = new SpringAuthenticationProperties();
 			if (this.management != null) {
-				authenticationProperties.setRoles(
-						new String[] { this.management.getSecurity().getRole() });
+				List<String> roles = this.management.getSecurity().getRole();
+				authenticationProperties.setRoles(roles.toArray(new String[roles.size()]));
 			}
 			return authenticationProperties;
 		}
--- a/spring-boot-actuator/src/main/java/org/springframework/boot/actuate/autoconfigure/ManagementServerProperties.java
+++ b/spring-boot-actuator/src/main/java/org/springframework/boot/actuate/autoconfigure/ManagementServerProperties.java
@ -17,6 +17,9 @@
 package org.springframework.boot.actuate.autoconfigure;

 import java.net.InetAddress;
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.List;

 import javax.validation.constraints.NotNull;

@ -33,6 +36,7 @@ import org.springframework.util.StringUtils;
 *
 * @author Dave Syer
 * @author Stephane Nicoll
+ * @author Vedran Pavic
 * @see ServerProperties
 */
@ConfigurationProperties(prefix = "management", ignoreUnknownFields = true)
@ -160,9 +164,9 @@ public class ManagementServerProperties implements SecurityPrerequisite {
 		private boolean enabled = true;

 		/**
-		 * Role required to access the management endpoint.
+		 * Roles required to access the management endpoint.
 		 */
-		private String role = "ADMIN";
+		private List<String> role = new ArrayList<String>(Arrays.asList("ADMIN"));

 		/**
 		 * Session creating policy to use (always, never, if_required, stateless).
@ -177,11 +181,11 @@ public class ManagementServerProperties implements SecurityPrerequisite {
 			this.sessions = sessions;
 		}

-		public void setRole(String role) {
+		public void setRole(List<String> role) {
 			this.role = role;
 		}

-		public String getRole() {
+		public List<String> getRole() {
 			return this.role;
 		}

--- a/spring-boot-actuator/src/main/java/org/springframework/boot/actuate/autoconfigure/ManagementWebSecurityAutoConfiguration.java
+++ b/spring-boot-actuator/src/main/java/org/springframework/boot/actuate/autoconfigure/ManagementWebSecurityAutoConfiguration.java
@ -124,7 +124,7 @@ public class ManagementWebSecurityAutoConfiguration {
 		public void init() {
 			if (this.management != null && this.security != null) {
 				this.security.getUser().getRole()
-						.add(this.management.getSecurity().getRole());
+						.addAll(this.management.getSecurity().getRole());
 			}
 		}

@ -296,8 +296,9 @@ public class ManagementWebSecurityAutoConfiguration {
 			// Permit access to the non-sensitive endpoints
 			requests.requestMatchers(new LazyEndpointPathRequestMatcher(
 					this.contextResolver, EndpointPaths.NON_SENSITIVE)).permitAll();
-			// Restrict the rest to the configured role
-			requests.anyRequest().hasRole(this.management.getSecurity().getRole());
+			// Restrict the rest to the configured roles
+			List<String> roles = this.management.getSecurity().getRole();
+			requests.anyRequest().hasAnyRole(roles.toArray(new String[roles.size()]));
 		}

 	}
--- a/spring-boot-docs/src/main/asciidoc/appendix-application-properties.adoc
+++ b/spring-boot-docs/src/main/asciidoc/appendix-application-properties.adoc
@ -996,7 +996,7 @@ content into your application; rather pick only the properties that you need.
 	management.context-path= # Management endpoint context-path. For instance `/actuator`
 	management.port= # Management endpoint HTTP port. Use the same port as the application by default.
 	management.security.enabled=true # Enable security.
-	management.security.role=ADMIN # Role required to access the management endpoint.
+	management.security.role=ADMIN # Roles required to access the management endpoint.
 	management.security.sessions=stateless # Session creating policy to use (always, never, if_required, stateless).

 	# HEALTH INDICATORS (previously health.*)
--- a/spring-boot-docs/src/main/asciidoc/production-ready-features.adoc
+++ b/spring-boot-docs/src/main/asciidoc/production-ready-features.adoc
@ -520,7 +520,7 @@ TIP: Generated passwords are logged as the application starts. Search for '`Usin
 security password`'.

 You can use Spring properties to change the username and password and to change the
-security role required to access the endpoints. For example, you might set the following
+security roles required to access the endpoints. For example, you might set the following
 in your `application.properties`:

 [source,properties,indent=0]