Recommendation for securing /monitoring while allowing access to boomerang.js #1224
Comments
If you use security-constraint in web.xml for securing /monitoring, I do not think that there is a solution to allow access to /monitoring?resource=boomerang.min.js. If you use spring-security for securing /monitoring, for example with the javamelody-spring-boot-starter, then you can secure /monitoring and allow access to /monitoring?resource=boomerang.min.js using a custom request matcher, that is something like:

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class WebSecurityConfig {

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(requests -> requests
                // custom request matcher to allow access to /monitoring?resource=boomerang.min.js
                // (declared first: matchers are evaluated in order, first match wins)
                .requestMatchers(request ->
                    request.getRequestURI().equals(request.getContextPath() + "/monitoring")
                        && "boomerang.min.js".equals(request.getParameter("resource"))
                ).permitAll()
                // request matcher to secure access to /monitoring
                .requestMatchers("/monitoring").hasAuthority("ROLE_MONITORING")
                // anything else as you want
                .anyRequest().authenticated()
            );
            // ... other configuration as needed
        return http.build();
    }
}
```

Of course, you need access to boomerang.min.js only if you use the Real User Monitoring.
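Added example (not code from the comment above and not part of javamelody): the lambda matcher lifted into a named `RequestMatcher` so it can be exercised on its own, plus two tightenings that go beyond the original rule. It keeps the same exact-URI test, but additionally accepts only GET and requires `resource` to be the sole parameter with exactly one value, so nothing else can ride along on the unauthenticated rule (`getParameter` would also read form-encoded POST bodies and silently take the first of several values). It assumes Spring Security 6 on `jakarta.servlet` and uses `MockHttpServletRequest` from spring-test to drive constructed requests; the class name `BoomerangResourceMatcher` is hypothetical.

```java
import java.util.Map;

import jakarta.servlet.http.HttpServletRequest;

import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.security.web.util.matcher.RequestMatcher;

/**
 * Hypothetical matcher: permits exactly the GET that serves boomerang.min.js
 * from the javamelody endpoint and nothing else. Wire it with
 * .requestMatchers(new BoomerangResourceMatcher()).permitAll() ahead of the
 * rule that protects /monitoring.
 */
public final class BoomerangResourceMatcher implements RequestMatcher {

    private static final String RESOURCE_PARAM = "resource";
    private static final String BOOMERANG = "boomerang.min.js";

    @Override
    public boolean matches(HttpServletRequest request) {
        // Same exact-URI test as the comment's lambda: "/monitoring/" or a
        // sub-path does not match, so it cannot be used to widen the rule.
        boolean monitoringUri = request.getRequestURI()
                .equals(request.getContextPath() + "/monitoring");
        if (!monitoringUri || !"GET".equals(request.getMethod())) {
            return false;
        }
        // Stricter than getParameter(): 'resource' must be the only parameter
        // and carry a single value, so e.g. "&part=..." is not let through
        // unauthenticated (assumed hardening, not javamelody's requirement).
        Map<String, String[]> params = request.getParameterMap();
        if (params.size() != 1) {
            return false;
        }
        String[] values = params.get(RESOURCE_PARAM);
        return values != null && values.length == 1 && BOOMERANG.equals(values[0]);
    }

    /** Builds a constructed request under context path /app for the demo below. */
    private static MockHttpServletRequest request(String method, String uri, String... kv) {
        MockHttpServletRequest req = new MockHttpServletRequest(method, uri);
        req.setContextPath("/app");
        for (int i = 0; i + 1 < kv.length; i += 2) {
            req.addParameter(kv[i], kv[i + 1]);
        }
        return req;
    }

    /** Runs the matcher over a handful of constructed requests and prints the verdicts. */
    public static void main(String[] args) {
        RequestMatcher matcher = new BoomerangResourceMatcher();

        Map<String, HttpServletRequest> cases = Map.of(
            "GET /app/monitoring?resource=boomerang.min.js",
                request("GET", "/app/monitoring", "resource", "boomerang.min.js"),
            "GET /app/monitoring?resource=boomerang.min.js&part=threads",
                request("GET", "/app/monitoring", "resource", "boomerang.min.js", "part", "threads"),
            "GET /app/monitoring?resource=boomerang.min.js&resource=other",
                request("GET", "/app/monitoring", "resource", "boomerang.min.js", "resource", "other"),
            "GET /app/monitoring/?resource=boomerang.min.js",
                request("GET", "/app/monitoring/", "resource", "boomerang.min.js"),
            "POST /app/monitoring resource=boomerang.min.js",
                request("POST", "/app/monitoring", "resource", "boomerang.min.js"),
            "GET /app/monitoring (no parameters)",
                request("GET", "/app/monitoring")
        );

        cases.forEach((label, req) ->
            System.out.printf("%-60s permitAll=%b%n", label, matcher.matches(req)));
    }
}
```

Only the first case is permitted; every other request falls through to the `.requestMatchers("/monitoring").hasAuthority("ROLE_MONITORING")` rule (or to `anyRequest()`), which is the behaviour you want for a public rule on an otherwise protected endpoint.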
I'm trying to find recommendations for securing /monitoring while still allowing access to the URL parameter /monitoring?resource=boomerang.min.js. The documentation doesn't discuss this.