簡介
之前一篇文章介紹了SpringBoot Admin 實現Actuator端點可視化監控, 但是沒有進行認證, 基本就是“裸奔”, 這在生產環境中是絕對不允許的!
下面, 從開啓客戶端Actuator認證, 到開啓SpringBoot Admin認證, 一步一步配置, 每配一步, 檢查對應的效果。
Note:
- SpringBoot版本:
2.1.4
- SpringBoot Admin版本:
2.1.5
客戶端認證: SpringBoot應用開啓Actuator認證
- 在Maven的pom.xml文件中添加
spring-boot-starter-security
依賴:
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
</dependency>
- 配置
Spring Security
認證信息
spring:
security:
user:
name: user
password: password
- 測試客戶端認證
此時訪問 http://localhost:9000
, 顯示如下 Spring Security
默認的登錄頁面
- 測試管理端監控信息
訪問 http://localhost:8000
, 發現獲取到的數據並不完整, 這是因爲客戶的應用雖然註冊到了管理端, 但是管理端並未獲得客戶端的認證。 。
在 application.yml
中增加當前實例註冊到管理端的認證信息, 主要是metadata下的 user.name
與 user.password
;
management:
endpoints:
web:
exposure:
include: "*"
exclude: env,beans
endpoint:
health:
show-details: always # 訪問/actuator/health時,顯示詳細信息,而不是僅僅顯示"status": "UP"
spring:
security:
user:
name: user
password: password
boot:
admin:
client:
url: http://localhost:8000
instance:
name: ReactiveCrud
metadata: # 這個name與password用於在註冊到管理端時,使管理端有權限獲取客戶端端點數據
user.name: ${spring.security.user.name}
user.password: ${spring.security.user.password}
再次訪問 http://localhost:8000
, 得到如下信息:
管理端: SpringBoot Admin開啓認證
以上, 客戶端的Actuator通過 Spring Security
開啓認證, 而不是讓人隨便訪問, 同理, 管理端也不應該暴露在公網上。
- 同樣, 在Maven的pom.xml文件中添加
spring-boot-starter-security
依賴:
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
</dependency>
- 配置
Spring Security
認證信息
spring:
security:
user:
name: admin
password: admin
- 添加
Spring Security
認證路由
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
import de.codecentric.boot.admin.server.config.AdminServerProperties;
@Configuration
public class SecuritySecureConfig extends WebSecurityConfigurerAdapter {
private final String adminContextPath;
public SecuritySecureConfig(AdminServerProperties adminServerProperties) {
this.adminContextPath = adminServerProperties.getContextPath();
}
@Override
protected void configure(HttpSecurity http) throws Exception {
SavedRequestAwareAuthenticationSuccessHandler successHandler = new SavedRequestAwareAuthenticationSuccessHandler();
successHandler.setTargetUrlParameter("redirectTo");
successHandler.setDefaultTargetUrl(adminContextPath + "/");
http.authorizeRequests().antMatchers(adminContextPath + "/assets/**").permitAll()
.antMatchers(adminContextPath + "/login").permitAll().anyRequest().authenticated().and().formLogin()
.loginPage(adminContextPath + "/login").successHandler(successHandler).and().logout()
.logoutUrl(adminContextPath + "/logout").and().httpBasic().and().csrf()
.csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
.ignoringAntMatchers(adminContextPath + "/instances", adminContextPath + "/actuator/**");
}
}
- 管理端登錄
http://localhost:8000
輸入配置的用戶信息後, 登錄後發現, 頁面是空的, 即沒有任何應用註冊上來! ! 這時, 由於管理端開啓了認證, 那麼客戶端要想註冊上來, 也必須提供認證信息。 。
在客戶端的 application.yml
中(注意, 是在客戶端的配置文件)添加:
最後, 登錄管理端 http://localhost:8000
, 成功後的信息如下, 注意右上角的用戶信息:
附: 客戶端 application.yml
完整配置
server:
port: 9000
management:
endpoints:
web:
exposure:
include: "*"
exclude: env,beans
endpoint:
health:
show-details: always
spring:
security:
user:
name: user
password: password
boot:
admin:
client:
url: http://localhost:8000
username: admin # 這個username與password用於註冊到管理端,使其通過認證
password: admin
instance:
name: ReactiveCrud
metadata: # 這個name與password用於在註冊到管理端時,使管理端有權限獲取客戶端端點數據
user.name: ${spring.security.user.name}
user.password: ${spring.security.user.password}
info:
app:
name: chapter-mogo
附: 管理端 application.yml
完整配置
server:
port: 8000
spring:
security:
user:
name: admin
password: admin
References
http://codecentric.github.io/spring-boot-admin/2.1.4/#_securing_spring_boot_admin_server
If you have any questions or any bugs are found, please feel free to contact me.
Your comments and suggestions are welcome!