<h2>7. Service Broker Security</h2>

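Authentication and authorization of service broker endpoints are not covered by the Open Service Broker API specification, but some platforms require or allow basic authentication or OAuth2 credentials to be provided when a service broker is registered with the platform.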

The Spring Cloud Open Service Broker project does not implement any security configuration.

Service broker application endpoints can be secured with Spring Security and Spring Boot security configuration by applying security to the application endpoints with a path-matching pattern such as /v2/**.

<h3>7.1. Example Configuration</h3>

The following example implements a security configuration in Spring MVC, that is, the blocking web stack. The Spring WebFlux reactive stack requires a similar configuration; see Spring Security WebFlux Support.

```java
package com.example.servicebroker;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class ExampleSecurityConfig {

	// Disable CSRF protection and require the ADMIN role, authenticated
	// with HTTP Basic, for every Open Service Broker API path.
	@Bean
	public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
		return http.csrf(AbstractHttpConfigurer::disable)
				.authorizeHttpRequests(httpRequests -> httpRequests.requestMatchers("/v2/**").hasRole("ADMIN"))
				.httpBasic(Customizer.withDefaults())
				.build();
	}

	// In-memory user store holding the single account the platform uses.
	@Bean
	public InMemoryUserDetailsManager userDetailsService() {
		return new InMemoryUserDetailsManager(adminUser());
	}

	// The {noop} prefix marks the password as stored in plain text
	// (no password encoding); this is suitable for a demonstration only.
	private UserDetails adminUser() {
		return User
				.withUsername("admin")
				.password("{noop}supersecret")
				.roles("ADMIN")
				.build();
	}
}
```
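
A reactive (Spring WebFlux) counterpart to the configuration above, shown as an added example that is not taken from the Spring Cloud Open Service Broker project. The property names `broker.security.username` and `broker.security.password` are assumptions, and denying everything outside /v2/** assumes the application serves only the broker API.

```java
package com.example.servicebroker;

import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.core.userdetails.MapReactiveUserDetailsService;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.server.SecurityWebFilterChain;

@Configuration
@EnableWebFluxSecurity
public class ExampleReactiveSecurityConfig {

	// Same policy as the MVC example: ADMIN role over HTTP Basic for /v2/**.
	@Bean
	public SecurityWebFilterChain filterChain(ServerHttpSecurity http) {
		return http.csrf(ServerHttpSecurity.CsrfSpec::disable)
				.authorizeExchange(exchanges -> exchanges
						.pathMatchers("/v2/**").hasRole("ADMIN")
						// Assumption: nothing but the broker API is exposed.
						.anyExchange().denyAll())
				.httpBasic(Customizer.withDefaults())
				.build();
	}

	// Delegating encoder: newly encoded passwords are stored as {bcrypt} hashes.
	@Bean
	public PasswordEncoder passwordEncoder() {
		return PasswordEncoderFactories.createDelegatingPasswordEncoder();
	}

	// Credentials come from external configuration (hypothetical property
	// names) instead of a literal in source, and are hashed before storage.
	@Bean
	public MapReactiveUserDetailsService userDetailsService(
			@Value("${broker.security.username}") String username,
			@Value("${broker.security.password}") String password,
			PasswordEncoder encoder) {
		return new MapReactiveUserDetailsService(User.withUsername(username)
				.password(encoder.encode(password))
				.roles("ADMIN")
				.build());
	}
}
```

The values supplied for the two properties must match the credentials given to the platform when the broker is registered.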