
After admin-service.access.control.enabled is turned on, the adminservice endpoint /server/config/find-all-config can still be accessed without an access token #5290

Closed
3 tasks
a517363523 opened this issue Dec 4, 2024 · 0 comments · Fixed by #5291

@a517363523

Describe the bug

After admin-service.access.control.enabled is turned on, the adminservice endpoint /server/config/find-all-config can still be accessed without an access_token.
This endpoint exposes the configured admin-service.access.tokens. If adminservice is reachable on a public address while admin-service.access.control.enabled is on, anyone can read admin-service.access.tokens through this endpoint, which is not secure.

Steps to reproduce

The issue can be reproduced with the following steps:

  1. In ConfigDB's ServerConfig, add the configuration admin-service.access.control.enabled set to true and admin-service.access.tokens set to a non-empty string
  2. In PortalDB's ServerConfig, add the configuration admin-service.access.tokens
  3. Request the adminservice endpoint /server/config/find-all-config; the ServerConfig data from ConfigDB is returned
  4. The other adminservice endpoints starting with /apps are correctly blocked when no access token is provided

Expected behaviour

Describe clearly and concisely what you expect to happen under normal circumstances

Screenshots

If possible, attach screenshots to describe your problem

Additional details and logs

  • Version:
  • Error logs
  • Configuration:
  • Platform and OS
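The gap the report describes, modelled as an added example that is not Apollo's own code: a filter that challenges only an allowlist of path prefixes (here just /apps, as in step 4) leaves /server/config/find-all-config open, and that response carries admin-service.access.tokens. The hardened rule denies by default and the handler redacts the token key; the config values, prefix lists and the /health path are constructed assumptions.

```python
# Constructed model of the report's access-control gap (not Apollo's code).
SERVER_CONFIG = {  # constructed ConfigDB ServerConfig rows; values are made up
    "admin-service.access.control.enabled": "true",
    "admin-service.access.tokens": "token-a,token-b",
    "config-service.cache.enabled": "false",
}
SENSITIVE_KEYS = {"admin-service.access.tokens"}
PROTECTED_PREFIXES = ("/apps",)   # hypothetical allowlist of challenged paths
PUBLIC_PREFIXES = ("/health",)    # hypothetical endpoints meant to stay open


def weak_rule(path: str) -> bool:
    """Challenge only an allowlist of prefixes; any path not listed is open."""
    return path.startswith(PROTECTED_PREFIXES)


def hardened_rule(path: str) -> bool:
    """Deny by default: challenge every path unless it is explicitly public."""
    return not path.startswith(PUBLIC_PREFIXES)


def token_valid(token, config=SERVER_CONFIG) -> bool:
    """Assumes the configured tokens are a comma-separated list."""
    tokens = config["admin-service.access.tokens"].split(",")
    return token in {t.strip() for t in tokens if t.strip()}


def handle(path, token, rule, config=SERVER_CONFIG, redact=False):
    """Return (status, body): the access filter followed by the find-all-config handler."""
    enabled = config.get("admin-service.access.control.enabled") == "true"
    if enabled and rule(path) and not token_valid(token, config):
        return 401, None
    if path == "/server/config/find-all-config":
        body = {k: ("<redacted>" if redact and k in SENSITIVE_KEYS else v)
                for k, v in config.items()}
        return 200, body
    return 404, None


def leaks_tokens(status, body) -> bool:
    """Detection check: did the response expose the raw access tokens?"""
    return (status == 200 and body is not None
            and body.get("admin-service.access.tokens")
            == SERVER_CONFIG["admin-service.access.tokens"])
```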