生產環境的客戶端 actuator 最好加上 security 校驗,否則配置信息不需登錄就能直接獲取到。
server端配置,參考官方文檔:https://codecentric.github.io/spring-boot-admin/1.5.7/#getting-started
代碼參見碼雲:https://gitee.com/xiongjinpeng/spring-boot-admin
pom.xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Build of the Spring Boot Admin *server* (Spring Boot 1.5.10, SBA 1.5.7). -->
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>

    <groupId>com.xx</groupId>
    <artifactId>spring-boot-admin</artifactId>
    <version>0.0.1</version>
    <packaging>jar</packaging>
    <name>spring-boot-admin</name>

    <parent>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-parent</artifactId>
        <version>1.5.10.RELEASE</version>
        <relativePath/> <!-- lookup parent from repository -->
    </parent>

    <properties>
        <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
        <project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
        <java.version>1.8</java.version>
        <!-- SBA version; note the server starter below still hard-codes 1.5.7 instead of
             referencing this property, so the two must be bumped together. -->
        <spring-boot-admin.version>1.5.7</spring-boot-admin.version>
    </properties>

    <dependencies>
        <!-- The admin server itself. -->
        <dependency>
            <groupId>de.codecentric</groupId>
            <artifactId>spring-boot-admin-starter-server</artifactId>
            <version>1.5.7</version>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-web</artifactId>
        </dependency>
        <!-- Spring Security: needed for the form-login / HTTP Basic rules in SecurityConfig. -->
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-security</artifactId>
        </dependency>
        <!-- Login UI module of SBA; presumably provides the /login.html page that
             SecurityConfig exposes (verify against the SBA docs for this version). -->
        <dependency>
            <groupId>de.codecentric</groupId>
            <artifactId>spring-boot-admin-server-ui-login</artifactId>
            <version>${spring-boot-admin.version}</version>
        </dependency>
    </dependencies>

    <build>
        <plugins>
            <plugin>
                <groupId>org.springframework.boot</groupId>
                <artifactId>spring-boot-maven-plugin</artifactId>
                <configuration>
                    <!-- Produce a fully executable jar; final artifact named after the project. -->
                    <executable>true</executable>
                    <finalName>${project.name}</finalName>
                </configuration>
            </plugin>
        </plugins>
    </build>
</project>
SecurityConfig.java,官方的配置
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

/**
 * Spring Security setup for the Spring Boot Admin server, following the official
 * 1.5.x reference configuration.
 *
 * <p>The admin UI's login page and its static assets are public; every other
 * request must be authenticated, either through the form login (browser users)
 * or through HTTP Basic (clients registering themselves).
 *
 * @author niugang
 */
@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    /**
     * Builds the single security filter chain of the admin server.
     *
     * @param http the builder supplied by Spring Security
     * @throws Exception propagated from the {@link HttpSecurity} builder
     */
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // The UI ships its own login form at /login.html and POSTs the credentials to /login.
            .formLogin()
                .loginPage("/login.html")
                .loginProcessingUrl("/login")
                .permitAll()
                .and()
            // The UI logs out with a POST to /logout.
            .logout()
                .logoutUrl("/logout")
                .and()
            // The 1.5.x UI does not send a CSRF token, so the filter has to be switched off.
            // This removes the CSRF protection for the admin endpoints; keep the server
            // reachable only from trusted networks.
            .csrf().disable()
            .authorizeRequests()
                // Login page and static assets are reachable without a session.
                .antMatchers("/login.html", "/**/*.css", "/img/**", "/third-party/**").permitAll()
                // Everything else requires an authenticated principal.
                .antMatchers("/**").authenticated()
                .and()
            // HTTP Basic lets the monitored clients authenticate when they register.
            .httpBasic();
    }
}
application.properties
server.port=8011

# Turn off Spring Boot's auto-configured Spring Security basic authentication; if it stays on,
# the browser shows its native credentials popup instead of the admin UI's login page.
security.basic.enabled=false

# Some Spring Boot actuator endpoints require a privilege to be accessed; disabling the
# management security here leaves SecurityConfig as the only access rule on the server.
management.security.enabled=false

# Spring Boot's default user.name is 'user'.
security.user.name=admin

# Spring Boot's default user.password is generated and printed to the console at startup.
# NOTE(review): a fixed plaintext password in a properties file is a sample value only;
# in production supply it via an environment variable or an external secret store.
security.user.password=123456
client端(客戶端)代碼:
maven添加
<!-- Additions to the *client* application's pom.xml. -->
<!-- Registers this application with the admin server and exposes the actuator data it polls. -->
<dependency>
    <groupId>de.codecentric</groupId>
    <artifactId>spring-boot-admin-starter-client</artifactId>
    <version>1.5.7</version>
</dependency>
<!-- Spring Security, used by SecuritySecureConfig to protect the actuator endpoints. -->
<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-security</artifactId>
</dependency>
<!-- Same Spring Boot parent as the server side, keeping the managed dependency versions aligned. -->
<parent>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-parent</artifactId>
    <version>1.5.10.RELEASE</version>
    <relativePath/> <!-- lookup parent from repository -->
</parent>
SecuritySecureConfig.java
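import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

/**
 * Spring Security configuration of the client application monitored by Spring Boot Admin.
 *
 * <p>Static assets and the root path are public. Every other request — which includes the
 * actuator endpoints (env, heapdump, loggers, ...) that the admin server polls — requires an
 * authenticated user via HTTP Basic. The previous version ended the rule list with
 * {@code antMatchers("/**").permitAll()}, which made all actuator data reachable without
 * credentials and contradicted both its own comment and the goal of protecting the client
 * actuator in production.
 */
@Configuration
public class SecuritySecureConfig extends WebSecurityConfigurerAdapter {

    /**
     * Builds the client's security filter chain.
     *
     * @param http the builder supplied by Spring Security
     * @throws Exception propagated from the {@link HttpSecurity} builder
     */
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // The admin server calls this application with HTTP Basic, not from a browser
            // session, so the CSRF filter is disabled.
            .csrf().disable()
            .authorizeRequests()
                // Static resources are public.
                .antMatchers("/css/**", "/images/**", "/js/**", "/webjars/**", "/**/favicon.ico").permitAll()
                // The root path is public.
                .antMatchers("/").permitAll()
                // Everything else, actuator endpoints included, needs an authenticated user.
                // The admin server authenticates with the security.user.name / security.user.password
                // credentials configured in application.properties (see its comment there).
                .anyRequest().authenticated()
                .and()
            // HTTP Basic is the mechanism the admin server uses towards this client.
            .httpBasic();
    }
}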
application.properties
spring.application.name=client

# URL of the Spring Boot Admin Server this client registers with.
spring.boot.admin.url=http://localhost:8011

# Since Spring Boot 1.5.x all endpoints are secured by default. For brevity the upstream
# guide temporarily disables security; see its security section on how to handle secured
# endpoints. The switch is left commented out here, so the 1.5 default applies.
#management.security.enabled=false

# Sent to the server as registration metadata.
# NOTE(review): presumably the server uses these to authenticate against this client's
# endpoints, so they should match security.user.name / security.user.password below —
# confirm against the server setup.
spring.boot.admin.client.metadata.user.name=admin
spring.boot.admin.client.metadata.user.password=123456
# If the server's /api/applications endpoint is protected, do not forget to configure the
# user name and password on the SBA client with spring.boot.admin.username and
# spring.boot.admin.password (otherwise this client will not be registered on the server).

# Used to register with the server.
spring.boot.admin.username=admin
spring.boot.admin.password=123456

# Important: the server uses this user when it actively pulls information from the client.
# NOTE(review): the same plaintext credential appears in several places in this file; treat
# it as a sample value only and supply real credentials via environment variables or an
# external secret store.
security.user.name=admin
security.user.password=123456
最新測試:還可以精簡一下,去掉以下代碼
// Fragment of the authorizeRequests() chain: the actuator endpoint paths that required the
// ACTUATOR_ADMIN role before this rule was removed.
.antMatchers(
        "/info", "/info.json",
        "/health", "/health.json",
        "/metrics", "/metrics.json",
        "/dump", "/dump.json",
        "/metrics/*",
        "/beans", "/beans.json",
        "/configprops", "/configprops.json",
        "/auditevents", "/auditevents.json",
        "/heapdump", "/heapdump.json",
        "/trace", "/trace.json",
        "/env/*", "/env", "/env.json",
        "/loggers/*", "/loggers", "/loggers.json",
        "/mappings", "/mappings.json",
        "/jolokia/**"
).hasRole("ACTUATOR_ADMIN")
和
# Role Spring Boot's management security requires for the actuator endpoints; pairs with the
# hasRole("ACTUATOR_ADMIN") matcher quoted above.
management.security.roles=ACTUATOR_ADMIN
去掉這2個,也可以達到效果;不過要注意,此時 SecuritySecureConfig 中的 `.antMatchers("/**").permitAll()` 會讓 actuator 端點在沒有任何認證的情況下即可訪問。