Prerequisites
1. Your project includes Spring web security
<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-security</artifactId>
    <version>1.5.19.RELEASE</version>
</dependency>
2. application.properties
management.context-path=/mgmt
3. Separate access rules were added for the Actuator URLs
// ADMIN, SUPPORT, ACTUATOR and USER are role-name constants defined elsewhere
http.authorizeRequests()
    .antMatchers("/mgmt/**").hasAnyRole(ADMIN, SUPPORT, ACTUATOR)
    .antMatchers("/**").hasRole(USER)
    .and().formLogin().and().httpBasic();
Issue -- When you log in with your username and password, and the user has the ADMIN or SUPPORT role, the following error page appears.
Access is denied. User must have one of the these roles: ACTUATOR
Solution
Disable management security in application.properties or via a system property:
management.security.enabled=false
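With management security disabled, the rules from step 3 are the only protection left on /mgmt/**, so it is worth pinning them down with a test. The following is an added example, not code from the original post: the class names, the nested test configuration and the choice of the /mgmt/env endpoint are assumptions, and it expects spring-boot-starter-actuator, spring-boot-starter-test and spring-security-test on the test classpath.

```java
import org.junit.Test;
import org.junit.runner.RunWith;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.autoconfigure.EnableAutoConfiguration;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.test.context.support.WithMockUser;
import org.springframework.test.context.junit4.SpringRunner;
import org.springframework.test.web.servlet.MockMvc;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

// Added example (hypothetical names), written for Spring Boot 1.5.x.
// Verifies that the custom rules still guard /mgmt/** once management security is off.
@RunWith(SpringRunner.class)
@SpringBootTest(properties = {
        "management.context-path=/mgmt", "management.security.enabled=false" })
@AutoConfigureMockMvc
public class ManagementAccessTest {

    // Minimal application context carrying the same rules as step 3 of the post.
    @Configuration
    @EnableAutoConfiguration
    static class TestApp extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.authorizeRequests()
                // Listed before "/**" because the first matching rule wins.
                .antMatchers("/mgmt/**").hasAnyRole("ADMIN", "SUPPORT", "ACTUATOR")
                .antMatchers("/**").hasRole("USER")
                .and().formLogin().and().httpBasic();
        }
    }

    @Autowired private MockMvc mvc;

    @Test
    @WithMockUser(roles = "SUPPORT")
    public void supportUserReachesSensitiveEndpoint() throws Exception {
        mvc.perform(get("/mgmt/env")).andExpect(status().isOk());
    }
    @Test
    @WithMockUser(roles = "USER")
    public void plainUserIsStillRejected() throws Exception {
        mvc.perform(get("/mgmt/env")).andExpect(status().isForbidden());
    }
}
```

Switching management.security.enabled back to true in the test properties should make the first test fail with the 403 described in the issue above.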
Cause
Spring uses an MvcEndpointSecurityInterceptor to block all users who do not have the actuator role, even if you have already defined your own access rules.
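// Excerpt from Spring Boot's MvcEndpointSecurityInterceptor
private void sendFailureResponse(HttpServletRequest request,
        HttpServletResponse response) throws Exception {
    if (request.getUserPrincipal() != null) {
        // this.roles holds the roles the interceptor accepts for sensitive endpoints
        String roles = StringUtils.collectionToDelimitedString(this.roles, " ");
        response.sendError(HttpStatus.FORBIDDEN.value(),
                "Access is denied. User must have one of the these roles: " + roles);
    }
    // (the excerpt on the page ends here)
}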