Spring Boot: hardening Spring Boot Admin with Spring Security (Spring Boot Admin 2.3.0 / Spring Boot 2.3.3)


I. Where Spring Boot Admin needs securing

1. Change the context-path. By default the admin UI is served at the root of the application;
   moving it under a non-default prefix keeps it off casual scans. This is obscurity, not a control,
   so it only helps in combination with the points below.

2. Configure an IP allow list. Without a source-IP restriction the console is reachable from anywhere.
   We enforce the list in Spring Security (hasIpAddress), and the same restriction should also be
   configured on the firewall. Caveat: hasIpAddress checks the TCP peer address (request.getRemoteAddr()).
   Behind a reverse proxy or load balancer that is the proxy's address, so either enforce the list at the
   proxy or enable forwarded-header handling with a trusted-proxy list (e.g. Tomcat's RemoteIpValve via
   server.forward-headers-strategy=native); trusting X-Forwarded-For from arbitrary peers lets a client spoof its way onto the list.

3. A logged-in user must hold the appropriate role; authentication alone is not enough.

4. The actuator side must be restricted by IP, path and permission as well. The admin server reaches the
   actuator endpoints with the credentials the client registers, and endpoints such as env, heapdump,
   loggers and shutdown are at least as sensitive as the console itself.

 

Note: Liu Hongdi's "Architecture Forest" is a blog focused on architecture, at https://www.cnblogs.com/architectforest

         The corresponding source code is available at: https://github.com/liuhongdi/

Note: author: Liu Hongdi, e-mail: 371125307@qq.com


II. The demo project

1. Project address:

https://github.com/liuhongdi/bootadmin

 

2. What the project does:

        It demonstrates the security configuration of a Spring Boot Admin server and of an actuator client.

 

3. Project structure, as shown in the figure (image not included here):

III. Configuration files

1. The admin module's pom.xml

        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-web</artifactId>
        </dependency>
        <!--admin server-->
        <dependency>
            <groupId>de.codecentric</groupId>
            <artifactId>spring-boot-admin-starter-server</artifactId>
            <version>2.3.0</version>
        </dependency>
        <!-- spring security -->
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-security</artifactId>
        </dependency>

 

2. The actuator module's pom.xml

        <!--admin client-->
        <dependency>
            <groupId>de.codecentric</groupId>
            <artifactId>spring-boot-admin-starter-client</artifactId>
            <version>2.3.0</version>
        </dependency>
        <!--actuator begin-->
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-actuator</artifactId>
        </dependency>
        <!-- spring security -->
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-security</artifactId>
        </dependency>

 

3. The admin module's application.properties

#admin context-path: the admin UI and its API are served under this prefix
spring.boot.admin.context-path=/lhdadmin
#admin IP allow list (a custom key read by this demo's SecurityConfig, not a Spring Boot property)
spring.boot.admin.access.iplist=192.168.3.1,127.0.0.1
#admin status interval
spring.boot.admin.monitor.status-interval=60000ms
spring.boot.admin.monitor.status-lifetime=60000ms

#error: full stack traces in error responses (debugging only; remove in production, stack traces leak internals)
server.error.include-stacktrace=always
#error: trace-level logging for Spring MVC (debugging only)
logging.level.org.springframework.web=trace

 

4. The actuator module's application.properties

#admin url (must include the server's context-path)
spring.boot.admin.client.url=http://localhost:8080/lhdadmin
spring.boot.admin.client.username=lhdadmin
spring.boot.admin.client.password=123456
spring.boot.admin.client.connect-timeout=5000ms
spring.boot.admin.client.period=60000ms
spring.boot.admin.client.instance.metadata.user.name=lhdadmin
spring.boot.admin.client.instance.metadata.user.password=123456
#port
server.port=8081
#exposure: "*" exposes every endpoint over HTTP, including env, heapdump, loggers and (if enabled) shutdown;
#in production list only the endpoints the admin server actually needs
management.endpoints.web.exposure.include=*
#path mapping for the actuator endpoints
management.endpoints.web.base-path=/lhdmon
#health details ("always" shows them to unauthenticated callers too; "when_authorized" is the safer choice)
management.endpoint.health.show-details=always
#IP allow list (custom key read by this module's SecurityConfig, not a Spring Boot property).
#192.168.2.0/24 is the canonical form of the original 192.168.2.3/24; IpAddressMatcher masks the host bits,
#so both mean the same range. "localhost" is resolved by name and is redundant with 127.0.0.1.
management.access.iplist=127.0.0.1,192.168.1.100,192.168.2.0/24,192.168.1.6,localhost
#error (debugging only, see the admin module)
server.error.include-stacktrace=always
#error (debugging only)
logging.level.org.springframework.web=trace

Notes:

spring.boot.admin.client.username=lhdadmin
spring.boot.admin.client.password=123456

These two are the account the client uses to register with the server. They are sent as HTTP Basic
credentials on the registration request (POST {context-path}/instances), which is why the server's
SecurityConfig enables httpBasic() and why this account must satisfy the server's rule (role plus allow-listed IP).

 

spring.boot.admin.client.instance.metadata.user.name=lhdadmin
spring.boot.admin.client.instance.metadata.user.password=123456

These two are sent to the server as instance metadata during registration; the server uses them as
HTTP Basic credentials whenever it calls this instance's actuator endpoints, so they must match an
account accepted by the actuator module's SecurityConfig. Both pairs are stored in clear text here for
the demo; in a real deployment inject them from the environment or a secrets store (e.g. ${ADMIN_CLIENT_PASSWORD}),
and use https for the server URL, since the metadata travels over the registration call.

 

spring.boot.admin.client.url=http://localhost:8080/lhdadmin

Note that this must include the context-path configured on the server side.

 

IV. Java code

1. The admin module's application class: DemoApplication.java

@SpringBootApplication
@EnableAdminServer
public class DemoApplication {
    public static void main(String[] args) {
        SpringApplication.run(DemoApplication.class, args);
    }
}

Note the @EnableAdminServer annotation, which starts the admin server.

 

2. The admin module's SecurityConfig.java

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    // comma-separated allow list from application.properties (custom key, only read here)
    @Value("${spring.boot.admin.access.iplist}")
    private String iplist;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // build a SpEL access expression from the allow list, e.g.
        // hasIpAddress('192.168.3.1') or hasIpAddress('127.0.0.1')
        String iprule = "";
        String[] splitAddress = iplist.split(",");
        for (String ip : splitAddress) {
            if (iprule.equals("")) {
                iprule = "hasIpAddress('" + ip.trim() + "')";
            } else {
                iprule += " or hasIpAddress('" + ip.trim() + "')";
            }
        }
        // admin pages require BOTH an allow-listed source IP and the ADMIN or DEV role
        String adminRule = "hasAnyRole('ADMIN','DEV') and (" + iprule + ")";

        // login and logout; the UI's login page lives under the admin context-path.
        // httpBasic() is what registering clients use on POST /lhdadmin/instances.
        // NOTE: permitAll() on formLogin/logout registers exact-URL permitAll mappings ahead of the
        // rules declared in authorizeRequests(), so the IP rule below is not enforced for
        // /lhdadmin/login itself: login attempts are accepted from any address.
        http.formLogin()
                .loginPage("/lhdadmin/login")
                .defaultSuccessUrl("/lhdadmin/wallboard")
                .failureUrl("/login-error.html")
                .permitAll()
            .and()
                .logout().logoutUrl("/lhdadmin/logout").permitAll()
            .and()
                .httpBasic();

        // CSRF: token in a cookie the UI can read. NOTE: this exempts the whole admin context-path,
        // which is broader than needed; only client registration (/lhdadmin/instances) and the
        // actuator proxy (/lhdadmin/actuator/**) have to be exempt.
        http.csrf()
                .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
                .ignoringAntMatchers(
                        "/lhdadmin/**",
                        "/actuator/**"
                );
        // matched paths: login page and static assets need only an allow-listed IP,
        // everything else under /lhdadmin additionally needs the role
        http.authorizeRequests()
                .antMatchers("/lhdadmin/login/**", "/lhdadmin/assets/**").access(iprule)
                .antMatchers("/lhdadmin/**").access(adminRule);
        // any other path is open
        http.authorizeRequests().anyRequest().permitAll();
    }

    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        // two in-memory test accounts; only lhdadmin holds ADMIN
        BCryptPasswordEncoder encoder = new BCryptPasswordEncoder();
        auth.inMemoryAuthentication().passwordEncoder(encoder)
                .withUser("lhdadmin")
                .password(encoder.encode("123456"))
                .roles("ADMIN", "USER")
                .and()
                .withUser("lhduser")
                .password(encoder.encode("123456"))
                .roles("USER");
    }
}
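A tightened version of the server-side configuration, as an added example (not code from the page or from the Spring Boot Admin project). It keeps the page's idea (role AND allow-listed IP, expressed in SpEL) but takes the context-path from AdminServerProperties instead of hard-coding "/lhdadmin", validates every allow-list entry at startup with IpAddressMatcher so a typo fails the boot instead of silently shrinking the list, drops the permitAll() on formLogin so the IP rule really applies to the login page, uses the redirectTo success handler the SBA UI expects, narrows the CSRF exemption to client registration and the actuator proxy, and denies everything outside the admin prefix. The class name and package are assumptions; the property key spring.boot.admin.access.iplist is the page's; the page's configureGlobal user store is kept unchanged and omitted here.

```java
package com.example.admin; // assumed package name

import java.util.ArrayList;
import java.util.List;
import java.util.stream.Collectors;

import de.codecentric.boot.admin.server.config.AdminServerProperties;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.IpAddressMatcher;

@Configuration
@EnableWebSecurity
public class HardenedAdminSecurityConfig extends WebSecurityConfigurerAdapter { // assumed class name

    private final String adminContextPath;   // e.g. "/lhdadmin", read from spring.boot.admin.context-path
    private final List<String> allowedIps;

    public HardenedAdminSecurityConfig(AdminServerProperties adminServer,
                                       @Value("${spring.boot.admin.access.iplist}") String iplist) {
        this.adminContextPath = adminServer.getContextPath();
        this.allowedIps = parseAllowlist(iplist);
    }

    // Trim each entry and reject unparsable ones at startup: new IpAddressMatcher(...) throws
    // IllegalArgumentException for anything it cannot parse, so a typo cannot silently drop an entry.
    static List<String> parseAllowlist(String iplist) {
        List<String> result = new ArrayList<>();
        for (String raw : iplist.split(",")) {
            String ip = raw.trim();
            if (ip.isEmpty()) {
                continue;
            }
            new IpAddressMatcher(ip);
            result.add(ip);
        }
        if (result.isEmpty()) {
            throw new IllegalStateException("spring.boot.admin.access.iplist must not be empty");
        }
        return result;
    }

    // "(hasIpAddress('a') or hasIpAddress('b'))" built from the validated list
    private String ipRule() {
        return allowedIps.stream()
                .map(ip -> "hasIpAddress('" + ip + "')")
                .collect(Collectors.joining(" or ", "(", ")"));
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        String ipRule = ipRule();
        String adminRule = "hasAnyRole('ADMIN','DEV') and " + ipRule;

        // SBA's login page passes the originally requested URL as ?redirectTo=...
        SavedRequestAwareAuthenticationSuccessHandler successHandler =
                new SavedRequestAwareAuthenticationSuccessHandler();
        successHandler.setTargetUrlParameter("redirectTo");
        successHandler.setDefaultTargetUrl(adminContextPath + "/");

        http.authorizeRequests()
                // login page (GET and POST) and static assets: allow-listed IP is enough, no permitAll()
                .antMatchers(adminContextPath + "/assets/**").access(ipRule)
                .antMatchers(adminContextPath + "/login").access(ipRule)
                // everything else under the admin prefix, including POST /instances from clients
                // (HTTP Basic) and the UI, needs the role as well
                .antMatchers(adminContextPath + "/**").access(adminRule)
                // nothing outside the admin prefix is served by this application
                .anyRequest().denyAll()
            .and()
            .formLogin()
                .loginPage(adminContextPath + "/login")
                .successHandler(successHandler)
            .and()
            .logout().logoutUrl(adminContextPath + "/logout")
            .and()
            .httpBasic()
            .and()
            .csrf()
                .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
                // exempt only the cookie-less calls: client registration/deregistration and the
                // actuator proxy the UI talks to; every other state change keeps CSRF protection
                .ignoringRequestMatchers(
                        new AntPathRequestMatcher(adminContextPath + "/instances", HttpMethod.POST.toString()),
                        new AntPathRequestMatcher(adminContextPath + "/instances/*", HttpMethod.DELETE.toString()),
                        new AntPathRequestMatcher(adminContextPath + "/actuator/**"));
    }
}
```

Drop this class into the admin module in place of the page's SecurityConfig (keeping the page's configureGlobal, since two WebSecurityConfigurerAdapter beans with the same order will not start). Because the IP check is still hasIpAddress, the reverse-proxy caveat from section I applies unchanged.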

 

3. The actuator module's SecurityConfig.java

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    // comma-separated allow list from application.properties (custom key, only read here)
    @Value("${management.access.iplist}")
    private String iplist;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // build the SpEL allow-list expression, same shape as on the server side
        String iprule = "";
        String[] splitAddress = iplist.split(",");
        for (String ip : splitAddress) {
            if (iprule.equals("")) {
                iprule = "hasIpAddress('" + ip.trim() + "')";
            } else {
                iprule += " or hasIpAddress('" + ip.trim() + "')";
            }
        }
        // actuator endpoints require BOTH an allow-listed source IP and the ADMIN or DEV role
        String actuatorRule = "hasAnyRole('ADMIN','DEV') and (" + iprule + ")";

        // login and logout. The admin server authenticates with HTTP Basic (the metadata
        // user.name/user.password), so httpBasic() is the part that matters; the form login
        // is only for browsing the endpoints by hand (and /login-error.html does not exist in the demo).
        http.formLogin()
                .defaultSuccessUrl("/lhdmon")
                .failureUrl("/login-error.html")
                .permitAll()
            .and()
                .logout()
            .and()
                .httpBasic();
        // matched paths: /lhdmon/** is hard-coded and must match management.endpoints.web.base-path
        http.authorizeRequests()
                .antMatchers("/lhdmon/**").access(actuatorRule);
        // any other path of the application is open
        http.authorizeRequests().anyRequest().permitAll();
    }

    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        // two in-memory test accounts; lhdadmin is the one the admin server's metadata refers to
        BCryptPasswordEncoder encoder = new BCryptPasswordEncoder();
        auth.inMemoryAuthentication().passwordEncoder(encoder)
                .withUser("lhdadmin")
                .password(encoder.encode("123456"))
                .roles("ADMIN", "USER")
                .and()
                .withUser("lhduser")
                .password(encoder.encode("123456"))
                .roles("USER");
    }
}
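The same protection for the actuator side, written with request matchers instead of a SpEL string, as an added example (not code from the page or from the Spring Boot Admin project). EndpointRequest follows management.endpoints.web.base-path automatically, so the "/lhdmon/**" pattern no longer has to be kept in sync by hand; the allow list becomes an OrRequestMatcher of IpAddressMatcher instances (each constructor call validates its entry at startup); health and info are readable without credentials from allow-listed addresses only, every other endpoint needs an allow-listed address and the ADMIN or DEV role, and the chain is stateless HTTP Basic, which is how the admin server calls it. The class and package names are assumptions, the property key management.access.iplist is the page's, and the page's configureGlobal user store is kept unchanged and omitted here.

```java
package com.example.actuator; // assumed package name

import java.util.ArrayList;
import java.util.List;

import org.springframework.beans.factory.annotation.Value;
import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.util.matcher.AndRequestMatcher;
import org.springframework.security.web.util.matcher.IpAddressMatcher;
import org.springframework.security.web.util.matcher.OrRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;

@Configuration
@EnableWebSecurity
public class HardenedActuatorSecurityConfig extends WebSecurityConfigurerAdapter { // assumed class name

    // matches a request whose peer address (getRemoteAddr) is in the allow list
    private final RequestMatcher fromAllowedIp;

    public HardenedActuatorSecurityConfig(@Value("${management.access.iplist}") String iplist) {
        List<RequestMatcher> matchers = new ArrayList<>();
        for (String raw : iplist.split(",")) {
            String ip = raw.trim();
            if (!ip.isEmpty()) {
                // IpAddressMatcher accepts a single address or CIDR and throws on garbage,
                // so a mistyped entry stops the application at startup
                matchers.add(new IpAddressMatcher(ip));
            }
        }
        if (matchers.isEmpty()) {
            throw new IllegalStateException("management.access.iplist must not be empty");
        }
        this.fromAllowedIp = new OrRequestMatcher(matchers);
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // this filter chain is only consulted for actuator endpoints, wherever the base-path puts them
        http.requestMatcher(EndpointRequest.toAnyEndpoint())
            .authorizeRequests()
                // liveness-style probes from allow-listed addresses need no credentials
                .requestMatchers(new AndRequestMatcher(EndpointRequest.to("health", "info"), fromAllowedIp))
                    .permitAll()
                // every other endpoint: allow-listed address AND an ADMIN/DEV account
                .requestMatchers(new AndRequestMatcher(EndpointRequest.toAnyEndpoint(), fromAllowedIp))
                    .hasAnyRole("ADMIN", "DEV")
                // an endpoint request from anywhere else is refused outright, credentials or not
                .anyRequest().denyAll()
            .and()
            // the admin server sends the metadata user.name/user.password as HTTP Basic on every call
            .httpBasic()
            .and()
            // no session cookie is ever issued for the endpoints
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
            .and()
            // the admin server POSTs to endpoints such as loggers without a CSRF token; with no
            // session cookie there is no cookie-based CSRF surface, only cached Basic credentials,
            // which is one more reason to expose only the endpoints the server really needs
            .csrf().disable();
    }
}
```

Pair this with management.endpoint.health.show-details=when_authorized if the health details should not be readable by unauthenticated probes, and keep management.endpoints.web.exposure.include to the endpoints the admin server is actually used for.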

 

V. Test results

1. Spring Boot Admin accessed from a non-allow-listed IP

http://192.168.3.182:8080/lhdadmin/wallboard

After logging in the server returns: (screenshot not included)

2. Spring Boot Admin accessed with an unauthorized account

http://127.0.0.1:8080/lhdadmin/login

Page: log in as lhduser

The lhduser account has no access: it holds only ROLE_USER, while /lhdadmin/** requires ADMIN or DEV.

3. Spring Boot Admin: log in from an allow-listed IP with an authorized account

http://127.0.0.1:8080/lhdadmin/login

Log in as lhdadmin:

 Redirected to the wallboard.

 

 Click to enter: (screenshot not included)

VI. Checking the Spring Boot version

  .   ____          _            __ _ _
 /\\ / ___'_ __ _ _(_)_ __  __ _ \ \ \ \
( ( )\___ | '_ | '_| | '_ \/ _` | \ \ \ \
 \\/  ___)| |_)| | | | | || (_| |  ) ) ) )
  '  |____| .__|_| |_|_| |_\__, | / / / /
 =========|_|==============|___/=/_/_/_/
 :: Spring Boot ::        (v2.3.3.RELEASE)

 

