Spring Cloud Security&Eureka安全認證(Greenwich版本)
一·安全
Spring Cloud支持多種安全認證方式,比如OAuth等。而默認是可以直接添加spring-boot-starter-security來配置HTTP BASIC認證。如果沒有配置用戶和密碼,那么默認的用戶是user,並隨機生成一個密碼,在啟動的控制台中顯示出來。但是這種方式在實踐中幾乎無實際用途,所以最好還是需要顯式設置(參數名為spring.security.user.password)
二· 密碼加密
直接配置明文敏感信息是比較冒險的,所以一種可行的辦法就是將明文加密成密文。密文是以{cipher}開頭,系統會自動在使用之前將其解密。如果配置的屬性(keyname)對應密文無法解密,那么系統將會將此屬性移除,並增加一個屬性invalid${keyname}: not applicable。
數據的加密解密可以通過接口/encrypt 和 /decrypt完成,比如:
$ curl localhost:8888/encrypt -d mysecret 682bc583f4641835fa2db009355293665d2647dade3375c0ee201de2a49f7bda
$ curl localhost:8888/decrypt -d 682bc583f4641835fa2db009355293665d2647dade3375c0ee201de2a49f7bda
mysecret
如果安裝了擴展Spring Cloud CLI extensions,那么可以直接Spring命令工具:
$ spring encrypt mysecret --key foo
682bc583f4641835fa2db009355293665d2647dade3375c0ee201de2a49f7bda
$ spring decrypt --key foo 682bc583f4641835fa2db009355293665d2647dade3375c0ee201de2a49f7bda
mysecret
也可以使用密鑰文件加解密,文件路徑參數前需要個特殊符號@,如下:
$ spring encrypt mysecret --key @${HOME}/.ssh/id_rsa.pub
AQAjPgt3eFZQXwt8tsHAVv/QHiY5sI2dRcR+...
注意:要使用加密解密的功能,必須要下載JCE(Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files)。這些默認是不包含在JDK中的。
三.Eureka Server配置HTTP BASIC
在配置文件中增加spring-boot-starter-security,如下:
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
</dependency>
注意,在最新版本Greenwich中,口令不是配置security.user.name和security.user.password屬性中,它已被廢棄不推薦使用,而是配置在Spring中(spring.security.user.name和spring.security.user.password)。以下的是Eureka多集群的(Greenwich)的配置文件:
USER: light PASSWORD: 123456spring:
security:
user:
name: ${USER}
password: ${PASSWORD}eureka:
client:
service-url:
defaultZone: http://${USER}:${PASSWORD}@peer1.com:9801/eureka/,http://${USER}:${PASSWORD}@peer2.com:9802/eureka/,http://${USER}:${PASSWORD}@peer3.com:9803/eureka/
spring:
profiles: peer1
application:
name: application-peer1server:
port: 9801eureka:
environment: dev
datacenter: hangzhou
instance:
hostname: peer1.com
appname: lighthouse
spring:
profiles: peer2
application:
name: application-peer2server:
port: 9802eureka:
environment: dev
datacenter: beijing
instance:
hostname: peer2.com
appname: lighthouse
spring:
profiles: peer3
application:
name: application-peer3server:
port: 9803eureka:
environment: dev
datacenter: guangzhou
instance:
hostname: peer3.com
appname: lighthouse
由於默認是開啟CSRF,所以需要將其關閉,不然會出現如下錯誤:
javax.ws.rs.WebApplicationException: com.fasterxml.jackson.databind.exc.MismatchedInputException: Root name 'timestamp' does not match expected ('instance') for type [simple type, class com.netflix.appinfo.InstanceInfo]
創建一個WebSecurityConfig類,代碼如下:
// WebSecurityConfig.java@EnableWebSecurity
@Configuration
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http.csrf().disable(); //關閉csrf
super.configure(http); //開啟認證
}
}
啟動三個配置文件對應的三個實例,就可以看到已經啟用HTTP BASIC認證:
關於Eureka Server集群的配置,請參考另外一篇文章
–Spring Cloud Eureka集群配置及注意事項(Greenwich版本)
Eureka Client和Service Provider配置方法類似,只需要在defaultZone中配置好含有認證信息的url即可,如下所示。
USER: light PASSWORD: 123456eureka:
client:
service-url:
defaultZone: http://${USER}:${PASSWORD}@peer1.com:9801/eureka/,http://${USER}:${PASSWORD}@peer2.com:9802/eureka/,http://${USER}:${PASSWORD}@peer3.com:9803/eureka/