生产环境的客户端actuator最好是加上security校验,不然配置信息不登录就能直接获取到

server端配置,参考官方 文档,https://codecentric.github.io/spring-boot-admin/1.5.7/#getting-started

代码参见,码云,https://gitee.com/xiongjinpeng/spring-boot-admin

pom.xml

<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
<!-- Build descriptor for the Spring Boot Admin server described on this page. -->
<modelVersion>4.0.0</modelVersion> <groupId>com.xx</groupId>
<artifactId>spring-boot-admin</artifactId>
<version>0.0.1</version>
<packaging>jar</packaging> <name>spring-boot-admin</name> <parent>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-parent</artifactId>
<version>1.5.10.RELEASE</version>
<relativePath/> <!-- lookup parent from repository -->
</parent> <properties>
<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
<project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
<java.version>1.8</java.version>
<!-- Spring Boot Admin version; referenced by the ui-login dependency below. -->
<spring-boot-admin.version>1.5.7</spring-boot-admin.version>
</properties> <dependencies>
<dependency>
<groupId>de.codecentric</groupId>
<artifactId>spring-boot-admin-starter-server</artifactId>
<!-- NOTE(review): hard-coded, while the ui-login dependency uses ${spring-boot-admin.version}; keep the two in step when upgrading. -->
<version>1.5.7</version>
</dependency> <dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-web</artifactId>
</dependency> <dependency>
<!-- Spring Security: needed by the SecurityConfig class that puts the admin UI behind a login. -->
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
</dependency>
<!-- Login UI module for the admin server; presumably what serves the /login.html page referenced by SecurityConfig (confirm). -->
<dependency>
<groupId>de.codecentric</groupId>
<artifactId>spring-boot-admin-server-ui-login</artifactId>
<version>${spring-boot-admin.version}</version>
</dependency>
</dependencies> <build>
<plugins>
<plugin>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-maven-plugin</artifactId>
<configuration>
<!-- Package the jar as a fully executable archive, named after the project. -->
<executable>true</executable>
<finalName>${project.name}</finalName>
</configuration>
</plugin>
</plugins>
</build> </project>

SecurityConfig.java,官方的配置

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
/**
 * Spring Security setup for a Spring Boot Admin server that sits behind a login.
 *
 * <p>The login page and the UI's static assets are served anonymously; every
 * other request requires an authenticated user. HTTP basic is enabled next to
 * the form login so that clients can authenticate when they register.
 *
 * @author niugang
 */
@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    /** Paths reachable without authentication: the login page and static assets. */
    private static final String[] PUBLIC_PATHS = {
        "/login.html", "/**/*.css", "/img/**", "/third-party/**"
    };

    /**
     * Configures form login, logout, CSRF, URL authorization and HTTP basic, in
     * that order.
     *
     * @param http the security builder supplied by Spring Security
     * @throws Exception propagated from the Spring Security configurers
     */
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // The login form is served as /login.html and does a POST on /login.
            .formLogin()
                .loginPage("/login.html")
                .loginProcessingUrl("/login")
                .permitAll()
                .and()
            // The UI does a POST on /logout when the user logs out.
            .logout()
                .logoutUrl("/logout")
                .and()
            // The UI currently does not support CSRF, so the protection is turned off.
            // NOTE(review): with this disabled, requests made with a logged-in session
            // are not token-checked; revisit once the UI in use supports CSRF.
            .csrf()
                .disable()
            .authorizeRequests()
                // The login page and static assets are allowed without authentication.
                .antMatchers(PUBLIC_PATHS).permitAll()
                // Important: every other request must be authenticated. Rules are
                // evaluated in declaration order, so this catch-all stays last.
                .antMatchers("/**").authenticated()
                .and()
            // HTTP basic lets clients authenticate when they register.
            .httpBasic();
    }
}

application.properties

server.port=8011
# Turn off Spring Boot's default HTTP basic security; with it on, the browser shows a basic-auth popup.
# Access control for this server is then defined by the SecurityConfig class shown above.
security.basic.enabled=false
# Some Spring Boot actuator endpoints require authorization by default; this switches that management security off for the server's own endpoints.
# NOTE(review): with this off, the server's own actuator endpoints presumably rely only on the "/**" authenticated rule in SecurityConfig - confirm they are not reachable anonymously.
management.security.enabled=false
# Spring Boot's default user name is 'user'.
security.user.name=admin
# Spring Boot's default password is printed on the console when the application starts.
# NOTE(review): 123456 is a sample value; for production supply a strong password from outside the source tree (environment variable or external config).
security.user.password=123456

client端,客户端代码

maven添加

<!-- Client that registers this application with the Spring Boot Admin server. -->
<dependency>
<groupId>de.codecentric</groupId>
<artifactId>spring-boot-admin-starter-client</artifactId>
<version>1.5.7</version>
</dependency> <dependency>
<!-- Spring Security on the client, so that its actuator endpoints are not readable without logging in. -->
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
</dependency>
<parent>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-parent</artifactId>
<version>1.5.10.RELEASE</version>
<relativePath/> <!-- lookup parent from repository -->
</parent>

SecuritySecureConfig.java

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

/**
 * Web security for an application that registers with Spring Boot Admin as a client.
 *
 * <p>CSRF protection is disabled, HTTP basic is enabled, and every URL rule in
 * this chain is {@code permitAll}.
 *
 * <p>NOTE(review): because "/**" is permitted, this chain does not itself restrict
 * the actuator endpoints. Protection presumably comes from Spring Boot's management
 * security, which the accompanying application.properties leaves at its default
 * (the management.security.enabled=false line is commented out). Verify that an
 * unauthenticated request to a sensitive endpoint is rejected.
 */
@Configuration
public class SecuritySecureConfig extends WebSecurityConfigurerAdapter {

    /** Static resources that are served without authentication. */
    private static final String[] STATIC_ASSETS = {
        "/css/**", "/images/**", "/js/**", "/webjars/**", "/**/favicon.ico"
    };

    /**
     * Disables CSRF, declares the URL rules and enables HTTP basic.
     *
     * @param http the security builder supplied by Spring Security
     * @throws Exception propagated from the Spring Security configurers
     */
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.csrf().disable();

        // The original comment at this point described restricting all endpoints to
        // the ACTUATOR_ADMIN role; no such matcher is present in this version, so
        // every rule below is permitAll.
        http.authorizeRequests()
            // Static files may be fetched by anyone.
            .antMatchers(STATIC_ASSETS).permitAll()
            // The root path is open.
            .antMatchers("/").permitAll()
            // Every remaining path is open as well.
            .antMatchers("/**").permitAll();

        http.httpBasic();
    }
}

application.properties

spring.application.name=client
# URL of the Spring Boot Admin server this client registers with.
# NOTE(review): plain http is fine for localhost; the basic-auth credentials configured below travel with the requests, so use https for any non-local server.
spring.boot.admin.url=http://localhost:8011
# Since Spring Boot 1.5.x all endpoints are secured by default. The upstream getting-started text disables that for brevity;
# here the line is left commented out, so management security stays at its default.
#management.security.enabled=false
# Original note: used when registering with the server.
# NOTE(review): these values are published to the server as registration metadata; presumably they are the credentials the server
# presents when it calls this client's endpoints, so they would need to match security.user.* below - confirm against the Spring Boot Admin 1.5.7 reference.
spring.boot.admin.client.metadata.user.name=admin
spring.boot.admin.client.metadata.user.password=123456
# If the server protects its /api/applications endpoint, set spring.boot.admin.username and spring.boot.admin.password on the client,
# otherwise the client cannot register with the server.
# Used when registering with the server.
spring.boot.admin.username=admin
spring.boot.admin.password=123456

# Important: the client's own user, needed when the server actively fetches information from this client.
# NOTE(review): 123456 is a sample value; for production supply a strong password from outside the source tree (environment variable or external config).
security.user.name=admin
security.user.password=123456

最新测试,还可以精简一下去掉代码

// Role-restricted matcher that the author later dropped from SecuritySecureConfig:
// the listed Spring Boot 1.x actuator paths require the ACTUATOR_ADMIN role.
// NOTE(review): this is a fixed path list; an endpoint path that is not listed is
// not covered by this rule and is decided by whatever matcher follows it in the chain.
.antMatchers(
"/info",
"/info.json",
"/health",
"/health.json",
"/metrics",
"/metrics.json",
"/dump",
"/dump.json",
"/metrics/*",
"/beans",
"/beans.json",
"/configprops",
"/configprops.json",
"/auditevents",
"/auditevents.json",
"/heapdump",
"/heapdump.json",
"/trace",
"/trace.json",
"/env/*",
"/env",
"/env.json",
"/loggers/*",
"/loggers",
"/loggers.json",
"/mappings",
"/mappings.json",
"/jolokia/**"
).hasRole("ACTUATOR_ADMIN")

management.security.roles=ACTUATOR_ADMIN

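去掉这2个(上面的 .antMatchers(...).hasRole("ACTUATOR_ADMIN") 和 management.security.roles=ACTUATOR_ADMIN),也可以达到效果。去掉之后,SecuritySecureConfig 里所有路径都是 permitAll,端点的保护应该是靠 Spring Boot 1.5 默认开启的 management.security(client 端没有设置 management.security.enabled=false);建议部署前确认未登录访问 /env、/heapdump 等敏感端点会被拒绝。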
