Question
Within my project, I have the following bootstrap.properties file:

    spring.application.name=vault-demo
    management.endpoints.web.exposure.include=*

Additionally to that, I defined the following dependency:

    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-actuator</artifactId>
    </dependency>

The config server is able to access the property, but when I update that property in GitHub and POST to /refresh I get a 403: Forbidden. Do I need to make any change in my application or bootstrap.properties?
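Answer 1:
I got the solution: I needed to add a security configuration, for example:

    import org.springframework.context.annotation.Configuration;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

    @Configuration
    @EnableWebSecurity
    public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            // Turns off CSRF token checking for every request in the application
            http.csrf().disable();
        }
    }
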
Additionally, I had to add the following dependency:

    <dependency>
        <groupId>org.springframework.security</groupId>
        <artifactId>spring-security-rsa</artifactId>
        <version>1.0.5.RELEASE</version>
    </dependency>

I found this solution within the following GitHub issue: https://github.com/spring-cloud/spring-cloud-config/issues/950
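
A narrower alternative to the global `csrf().disable()` in the answer above, as an added example that is not part of the original answer or of the Spring project's own code: it exempts only the actuator endpoints from CSRF checking and requires an authenticated caller for them. It assumes Spring Boot 2.1+ with Spring Security 5.1+; the class name, the `ACTUATOR_ADMIN` role and the rule that all other requests need authentication are hypothetical choices for illustration.

```java
import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class ActuatorSecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // Skip the CSRF token check only for actuator endpoints (including
            // refresh); every other state-changing request stays CSRF-protected.
            .csrf()
                .ignoringRequestMatchers(EndpointRequest.toAnyEndpoint())
                .and()
            .authorizeRequests()
                // Assumed role name: only ACTUATOR_ADMIN may call actuator endpoints,
                // which matters because exposure.include=* exposes all of them.
                .requestMatchers(EndpointRequest.toAnyEndpoint()).hasRole("ACTUATOR_ADMIN")
                // Assumption for this example: the rest of the app needs a login.
                .anyRequest().authenticated()
                .and()
            // Non-browser callers (a webhook relay, curl) authenticate with HTTP Basic.
            .httpBasic();
    }
}
```

With this configuration an unauthenticated POST to the refresh endpoint is answered with 401 instead of being accepted, and an authenticated caller without the role gets 403.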
Answer 2:
I noticed that Spring Boot 2 cloud config doesn't need to be "hooked to the /refresh endpoint" after a commit (or other events), because the new version always sends a request to the remote Git server and compares the last commitId, and if the commitId is different it starts to fetch the changes.

If you debug and look at the log traces, after a request to http://host:8888/{service}/{profile}/{label_branch} it always asks GitHub, and you will notice that if changes exist a "fetch process is started"; look at traces like the GitHub negotiation:

    o.e.jgit.transport.PacketLineOut - git> want 4a766a1677....
    o.e.jgit.transport.PacketLineOut - git> have 93cd4a98b5b3bb7d895...

and finally

    o.e.jgit.transport.PacketLineOut - git> done

And after that, the download:

    o.e.jgit.transport.PacketLineIn - git< ACK 0f8d2413183d5.... common

and so on.

If you look at the traces and no changes exist (the last commitId is the same), the negotiation and download traces are not shown.

I think that is not good performance behaviour, so there would be a property that disables it and therefore needs a "forced refresh hook behaviour", but I couldn't find it in Spring Boot 2. On the other hand, I like it because you don't need to enable HTTP access to your config server to be notified, so the security configuration is not compromised.

I tried with Greenwich.RELEASE.

Hope this helps and clarifies this behaviour.

Source: https://stackoverflow.com/questions/52299072/whyi-am-getting-403-forbidden-error-for-actuator-refresh-endpoint-on-spring-boo