Spring boot admin 安全配置(非注册中心模式)
之前我们讲过如何使用SpringBoot Admin监控微服务,但是这种情况下,所有的服务都会暴露给外部,一旦SBD地址泄露,那我们的服务将毫无安全可言,所以我们需要给SBD配置安全策略。Web应用的身份认证和授权方式有多种方法,Spring Boot Admin不提供默认方法。默认情况下,spring-boot-admin-server-ui提供登录页面和注销按钮,我们使用Spring Security实现安全认证。
一、服务端
1.引入Spring Security依赖
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
</dependency>
1
2
3
4
2
3
4
2.在application.yml文件中配置安全认证信息
spring:
security:
user:
name: <user name>
password: <Password for user name>
1
2
3
4
5
6
2
3
4
5
6
3.创建认证策略管理类
该类继承自WebSecurityConfigurerAdapter,具体代码如下:
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
import de.codecentric.boot.admin.server.config.AdminServerProperties;
/**
* 安全配置类
*
* @author chuan
*/
@Configuration
@EnableWebSecurity
public class SecuritySecureConfig extends WebSecurityConfigurerAdapter {
private final String adminContextPath;
public SecuritySecureConfig(AdminServerProperties adminServerProperties) {
this.adminContextPath = adminServerProperties.getContextPath();
}
@Override
protected void configure(HttpSecurity http) throws Exception {
SavedRequestAwareAuthenticationSuccessHandler handler = new SavedRequestAwareAuthenticationSuccessHandler();
handler.setTargetUrlParameter("redirectTo");
handler.setDefaultTargetUrl(this.adminContextPath + "/");
// 启用HTTP-Basic支持。这是Spring Boot Admin Client注册所必需的
http.httpBasic().and()
// 授予对所有静态资产和登录页面的公共访问权限
.authorizeRequests().antMatchers(this.adminContextPath + "/assets/**").permitAll()
// 授予对所有静态资产和登录页面的公共访问权限
.antMatchers(this.adminContextPath + "/login").permitAll().and()
// 所有请求都需要验证登录
.authorizeRequests().anyRequest().authenticated().and()
// 登录表单
.formLogin().loginPage(this.adminContextPath + "/login").successHandler(handler).and()
// 登出表单
.logout().logoutUrl(this.adminContextPath + "/logout").and().csrf()
// Enables CSRF-Protection using Cookies
.csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse()).ignoringAntMatchers(
// 将服务注册的接口暴露出去.
this.adminContextPath + "/instances",
this.adminContextPath + "/actuator/**");
;
}
}
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
- 重启服务即可
二、客户端
讲了半天如何配置server端的安全,难道客户端的安全就不重要了吗?当然不是,服务端是访问权限的控制,而客户端是操作权限的控制,这里才是安全配置的重中之重,因为服务端也仅仅是通过客户端actuator的接口实现通信的,所以将客户端的权限配置稳固,也是我们必须要做的,否则别人直接通过actuator接口调用我们的actuator/shutdown接口,服务就翘了,开发要祭天了,产品要疯了,运营要炸了。
1.暴露端口
management:
endpoints:
web:
exposure:
include: '*'
endpoint:
health:
show-details: ALWAYS
1
2
3
4
5
6
7
8
9
2
3
4
5
6
7
8
9
2.引入依赖
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
</dependency
1
2
3
4
2
3
4
3.配置权限
spring:
security:
user:
name: <actuator user>
password: <password for actuator user>
1
2
3
4
5
6
2
3
4
5
6
4.告知服务端
权限开通了,那么我们就需要将权限告知SBD Server端,否则server端将会无权限访问,告知方式也是在配置文件中设置:
spring:
boot:
admin:
client:
url: <sbd server url>
username: <sbd server username>
password: <password for sbd server user>
instance:
metadata:
user.name: ${spring.security.user.name}
user.password: ${spring.security.user.password}
1
2
3
4
5
6
7
8
9
10
11
12
2
3
4
5
6
7
8
9
10
11
12
5.配置适配器
设置OK,启动我们的client服务, 发现服务监控成功了,但是其他的接口都访问不了了,业务跪了,这是因为我们的Security默认是拦截所有的请求,但是我们这里指需要让它拦截actuator的接口即可,业务相关的接口由业务权限系统去控制,所以我们需要单独配置一下WebSecurityConfigurerAdapter
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
@Configuration
public class SecurityConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http.httpBasic().and().authorizeRequests().antMatchers("/actuator/**").authenticated().anyRequest().permitAll();
}
}
1
2
3
4
5
6
7
8
9
10
11
12
13
2
3
4
5
6
7
8
9
10
11
12
13
编辑 (opens new window)
上次更新: 2024/01/26, 05:03:22
- 01
- python使用生成器读取大文件-500g09-24
- 02
- Windows环境下 Docker Desktop 安装 Nginx04-10
- 03
- 使用nginx部署多个前端项目(三种方式)04-10