Spring Boot Admin 安全访问 Actuator_spring.boot.admin访问

作者：繁依Fanyi0 | 2024-02-17 22:42:36

踩

spring.boot.admin访问

一、pom依赖

1：admin模块pom


<dependencies>
        <dependency>
            <groupId>de.codecentric</groupId>
            <artifactId>spring-boot-admin-starter-server</artifactId>
            <version>${spring-boot-admin}</version>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-web</artifactId>
        </dependency>
 
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-security</artifactId>
        </dependency>
        <dependency>
            <groupId>net.logstash.logback</groupId>
            <artifactId>logstash-logback-encoder</artifactId>
            <version>${logstash-logback-encoder}</version>
        </dependency>
<!--        <dependency>-->
<!--            <groupId>org.springframework.boot</groupId>-->
<!--            <artifactId>spring-boot-starter-mail</artifactId>-->
<!--        </dependency> -->
    </dependencies>

2：actuator模块pom


<dependencies>
        <!--admin client-->
        <dependency>
            <groupId>de.codecentric</groupId>
            <artifactId>spring-boot-admin-starter-client</artifactId>
            <version>${de.codecentric}</version>
        </dependency>
        <!--actuator begin-->
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-actuator</artifactId>
        </dependency>
        <!-- spring security -->
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-security</artifactId>
        </dependency>
</dependencies>

二、配置文件

1：admin配置


#spring boot admin 账号密码
spring:
  security:
    user:
      name: admin
      password: ***


# 要在其中注册的Spring Boot Admin Server的安全信息。
spring:
  boot:
    admin:
      client:
        url: http://ip:port
        instance:
          name: ${spring.application.name}
          #          service-url: http://10.206.65.132:25245
          prefer-ip: true # true 注册时 admin 中显示IP地址不显示主机名
        port: 8000
        username: admin
        password: ***
# 与Spring Boot 2一样，默认情况下，大多数端点都不通过http公开，我们公开了所有端点。对于生产，您应该仔细选择要公开的端点。
# health显示 management.endpoint.health.show-details=always
management:
  endpoints:
    web:
      exposure:
        include: '*'

三、admin安全配置


@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class AdminServiceSecurityConfig extends WebSecurityConfigurerAdapter {
 
    private final AdminServerProperties adminServer;
 
    public AdminServiceSecurityConfig(AdminServerProperties adminServer) {
        this.adminServer = adminServer;
    }
 
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        SavedRequestAwareAuthenticationSuccessHandler successHandler = new SavedRequestAwareAuthenticationSuccessHandler();
        successHandler.setTargetUrlParameter("redirectTo");
        successHandler.setDefaultTargetUrl(this.adminServer.path("/"));
        // http.authorizeRequests().antMatchers("/instances**").permitAll();
        http.authorizeRequests(
                //授予公众对所有静态资产和登录页面的访问权限。
                (authorizeRequests) -> authorizeRequests.antMatchers(this.adminServer.path("/assets/**")).permitAll()
                        .antMatchers(this.adminServer.path("/login")).permitAll().anyRequest().authenticated() //其他所有请求都必须经过验证。
        ).formLogin(
                //配置登录和注销。
                (formLogin) -> formLogin.loginPage(this.adminServer.path("/login")).successHandler(successHandler).and()
                //启用HTTP基本支持。这是Spring Boot Admin Client注册所必需的。
        ).logout((logout) -> logout.logoutUrl(this.adminServer.path("/logout"))).httpBasic(Customizer.withDefaults())
//                    .csrf().disable()
                .rememberMe((rememberMe) -> rememberMe.key(UUID.randomUUID().toString()).tokenValiditySeconds(1209600))
                .csrf()
                //开启基于cookie的csrf保护
                .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
                //忽略这些路径的csrf保护以便Spring Boot Admin Client注册
                .ignoringAntMatchers(
                        this.adminServer.path("/instances"),
                        this.adminServer.path("/actuator/**")
                );
    }
 
}

四、admin添加自定义请求头


@Component
public class HttpHeadersProviderConfig implements HttpHeadersProvider {
 
    @Value("${server.port}")
    private String port;
 
    @Override
    public HttpHeaders getHeaders(Instance instance) {
        HttpHeaders httpHeaders = new HttpHeaders();
        //设置请求头参数
        httpHeaders.add("spring-boot-admin-service", port);
        return httpHeaders;
    }
 
}

五、actuator配置安全校验


@WebFilter
@ServletComponentScan
@Component
public class ActuatorFilter implements Filter {
    @Value("${spring.boot.admin.client.port}")
    private String adminServicePort;
 
    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        String headerKey = "spring-boot-admin-service";
        String uriKey = "/actuator";
        HttpServletRequest request = (HttpServletRequest) servletRequest;
 
        if (request.getRequestURI().contains(uriKey) && !adminServicePort.equals(request.getHeader(headerKey))) {
            throw new RuntimeException("无权限访问Actuator端口");
        }
 
        filterChain.doFilter(servletRequest, servletResponse);
    }
}

声明：本文内容由网友自发贡献，不代表【wpsshop博客】立场，版权归原作者所有，本站不承担相应法律责任。如您发现有侵权的内容，请联系我们。转载请注明出处：https://www.wpsshop.cn/w/繁依Fanyi0/article/detail/102014