• Spring Cloud Security&Eureka安全认证(Greenwich版本)


    Spring Cloud Security&Eureka安全认证(Greenwich版本)


    一·安全

    Spring Cloud支持多种安全认证方式,比如OAuth等。而默认是可以直接添加spring-boot-starter-security来配置HTTP BASIC认证。如果没有配置用户和密码,那么默认的用户是user,并随机生成一个密码,在启动的控制台中显示出来。但是这种方式在实践中几乎无实际用途,所以最好还是需要显式设置(参数名为spring.security.user.password)

    二· 密码加密

    直接配置明文敏感信息是比较冒险的,所以一种可行的办法就是将明文加密成密文。密文是以{cipher}开头,系统会自动在使用之前将其解密。如果配置的属性(keyname)对应密文无法解密,那么系统将会将此属性移除,并增加一个属性invalid${keyname}: not applicable

    数据的加密解密可以通过接口/encrypt /decrypt完成,比如:

    $ curl localhost:8888/encrypt -d mysecret
    682bc583f4641835fa2db009355293665d2647dade3375c0ee201de2a49f7bda
    

    $ curl localhost:8888/decrypt -d 682bc583f4641835fa2db009355293665d2647dade3375c0ee201de2a49f7bda
    mysecret

    如果安装了扩展Spring Cloud CLI extensions,那么可以直接Spring命令工具:

    $ spring encrypt mysecret --key foo
    682bc583f4641835fa2db009355293665d2647dade3375c0ee201de2a49f7bda
    $ spring decrypt --key foo 682bc583f4641835fa2db009355293665d2647dade3375c0ee201de2a49f7bda
    mysecret
    

    也可以使用密钥文件加解密,文件路径参数前需要个特殊符号@,如下:

    $ spring encrypt mysecret --key @${HOME}/.ssh/id_rsa.pub
    AQAjPgt3eFZQXwt8tsHAVv/QHiY5sI2dRcR+...
    

    注意:要使用加密解密的功能,必须要下载JCE(Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files)。这些默认是不包含在JDK中的。

    三.Eureka Server配置HTTP BASIC

    在配置文件中增加spring-boot-starter-security,如下:

    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-security</artifactId>
    </dependency>
    

    注意,在最新版本Greenwich中,口令不是配置security.user.namesecurity.user.password属性中,它已被废弃不推荐使用,而是配置在Spring中(spring.security.user.namespring.security.user.password)。以下的是Eureka多集群的(Greenwich)的配置文件:

    USER: light
    PASSWORD: 123456
    

    spring:
    security:
    user:
    name: ${USER}
    password: ${PASSWORD}

    eureka:
    client:
    service-url:
    defaultZone: http://${USER}:${PASSWORD}@peer1.com:9801/eureka/,http://${USER}:${PASSWORD}@peer2.com:9802/eureka/,http://${USER}:${PASSWORD}@peer3.com:9803/eureka/


    spring:
    profiles: peer1
    application:
    name: application-peer1

    server:
    port: 9801

    eureka:
    environment: dev
    datacenter: hangzhou
    instance:
    hostname: peer1.com
    appname: lighthouse


    spring:
    profiles: peer2
    application:
    name: application-peer2

    server:
    port: 9802

    eureka:
    environment: dev
    datacenter: beijing
    instance:
    hostname: peer2.com
    appname: lighthouse


    spring:
    profiles: peer3
    application:
    name: application-peer3

    server:
    port: 9803

    eureka:
    environment: dev
    datacenter: guangzhou
    instance:
    hostname: peer3.com
    appname: lighthouse

    由于默认是开启CSRF,所以需要将其关闭,不然会出现如下错误:

    javax.ws.rs.WebApplicationException: com.fasterxml.jackson.databind.exc.MismatchedInputException: Root name 'timestamp' does not match expected ('instance') for type [simple type, class com.netflix.appinfo.InstanceInfo]
    

    创建一个WebSecurityConfig类,代码如下:

    // WebSecurityConfig.java
    

    @EnableWebSecurity
    @Configuration
    public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
    http.csrf().disable(); //关闭csrf
    super.configure(http); //开启认证
    }
    }

    启动三个配置文件对应的三个实例,就可以看到已经启用HTTP BASIC认证:

    image
    image

    关于Eureka Server集群的配置,请参考另外一篇文章

    Spring Cloud Eureka集群配置及注意事项(Greenwich版本)

    Eureka Client和Service Provider配置方法类似,只需要在defaultZone中配置好含有认证信息的url即可,如下所示。


    USER: light PASSWORD: 123456

    eureka:
    client:
    service-url:
    defaultZone: http://${USER}:${PASSWORD}@peer1.com:9801/eureka/,http://${USER}:${PASSWORD}@peer2.com:9802/eureka/,http://${USER}:${PASSWORD}@peer3.com:9803/eureka/

    四·参考

    原文地址:http://www.easysb.cn/2019/06/429.html
  • 相关阅读:
    CBV进阶(一)
    uva 11748 Rigging Elections
    uva 11573 Ocean Currents(bfs+优先队列)
    无向图的欧拉路
    poj 3254 Corn Fields
    hdu 1114
    hdu 2639 (第k小的01背包)
    uva 1347 tour
    uva 437 The Tower of Babylon
    uva 1025 A Spy in the Metro(动态规划)
  • 原文地址:https://www.cnblogs.com/jpfss/p/11316241.html
走看看 - 开发者的网上家园