  • spring boot 1.5.10.RELEASE ,spring boot admin 1.5.7 添加 security

    生产环境的客户端actuator最好是加上security校验,不然配置信息不登录就能直接获取到

    server端配置,参考官方 文档,https://codecentric.github.io/spring-boot-admin/1.5.7/#getting-started

    代码参见,码云,https://gitee.com/xiongjinpeng/spring-boot-admin

    pom.xml

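    <?xml version="1.0" encoding="UTF-8"?>
    <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
        <modelVersion>4.0.0</modelVersion>
    
        <groupId>com.xx</groupId>
        <artifactId>spring-boot-admin</artifactId>
        <version>0.0.1</version>
        <packaging>jar</packaging>
    
        <name>spring-boot-admin</name>
        
    
        <parent>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-parent</artifactId>
            <version>1.5.10.RELEASE</version>
            <relativePath/> <!-- lookup parent from repository -->
        </parent>
    
        <properties>
            <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
            <project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
            <java.version>1.8</java.version>
            <!-- Single source of truth for every de.codecentric artifact below -->
            <spring-boot-admin.version>1.5.7</spring-boot-admin.version>
        </properties>
    
        <dependencies>
            <dependency>
                <groupId>de.codecentric</groupId>
                <artifactId>spring-boot-admin-starter-server</artifactId>
                <!-- Was hard-coded to 1.5.7; use the shared property so server and login UI cannot drift apart -->
                <version>${spring-boot-admin.version}</version>
            </dependency>
     
            <dependency>
                <groupId>org.springframework.boot</groupId>
                <artifactId>spring-boot-starter-web</artifactId>
            </dependency>
     
            <!-- Required by SecurityConfig (WebSecurityConfigurerAdapter, @EnableWebSecurity) -->
            <dependency>
                <groupId>org.springframework.boot</groupId>
                <artifactId>spring-boot-starter-security</artifactId>
            </dependency>
            <!-- Login page for the admin UI, served as /login.html -->
            <dependency>
                <groupId>de.codecentric</groupId>
                <artifactId>spring-boot-admin-server-ui-login</artifactId>
                <version>${spring-boot-admin.version}</version>
            </dependency>
        </dependencies>
    
        <build>
            <plugins>
                <plugin>
                    <groupId>org.springframework.boot</groupId>
                    <artifactId>spring-boot-maven-plugin</artifactId>
                    <configuration>
                        <executable>true</executable>
                        <finalName>${project.name}</finalName>
                    </configuration>
                </plugin>
            </plugins>
        </build>
    
    
    </project>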

    SecurityConfig.java,官方的配置

    import org.springframework.context.annotation.Configuration;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
    /**
     * Spring Boot Admin server protected by Spring Security.
     *
     * <p>The admin UI signs in through a login form, registering clients authenticate with
     * HTTP basic, and every request other than the login page and the UI's static assets
     * requires an authenticated user. CSRF protection is switched off because the admin UI
     * does not send CSRF tokens.
     *
     * @author niugang
     */
    @Configuration
    @EnableWebSecurity
    public class SecurityConfig extends WebSecurityConfigurerAdapter {

        /** Paths reachable without authentication: the login page and the UI's static assets. */
        private static final String[] PUBLIC_PATHS = {
            "/login.html", "/**/*.css", "/img/**", "/third-party/**"
        };

        /**
         * Builds the single filter chain of the admin server.
         *
         * @param http the builder handed in by Spring Security
         * @throws Exception propagated from the configurer builders
         */
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                // The login form is served from /login.html and POSTs its credentials to /login.
                .formLogin()
                    .loginPage("/login.html")
                    .loginProcessingUrl("/login")
                    .permitAll()
                    .and()
                // The UI logs out with a POST to /logout.
                .logout()
                    .logoutUrl("/logout")
                    .and()
                // The admin UI currently does not support CSRF tokens.
                .csrf().disable()
                // Login page and static assets are open; anything else needs an authenticated user.
                .authorizeRequests()
                    .antMatchers(PUBLIC_PATHS).permitAll()
                    .antMatchers("/**").authenticated()
                    .and()
                // Clients register with HTTP basic credentials.
                .httpBasic();
        }
    }

    application.properties

    server.port=8011
    # Disable Spring Boot's default basic-auth security; with it on, opening the server in a browser
    # shows a credentials prompt. The custom SecurityConfig supplies form login and HTTP basic instead.
    security.basic.enabled=false
    # Some Spring Boot Actuator endpoints require authorization by default. Switched off here;
    # presumably the custom filter chain (authenticated on /**) then covers them — verify on /env.
    management.security.enabled=false
    # Spring Boot's default user.name is 'user'
    security.user.name=admin
    # Spring Boot's default user.password is printed on the console at startup.
    # NOTE(review): sample credentials — for a real deployment supply them via environment or a
    # secret store rather than a committed properties file.
    security.user.password=123456

    client端,客户端代码

    maven添加

    <!-- Registers this application with the Spring Boot Admin server -->
    <dependency>
                <groupId>de.codecentric</groupId>
                <artifactId>spring-boot-admin-starter-client</artifactId>
                <version>1.5.7</version>
            </dependency>
            
            <!-- Needed for SecuritySecureConfig (WebSecurityConfigurerAdapter) -->
            <dependency>
                <groupId>org.springframework.boot</groupId>
                <artifactId>spring-boot-starter-security</artifactId>
            </dependency>
    <!-- Same Boot version as the server so the actuator endpoint layout matches -->
    <parent>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-parent</artifactId>
            <version>1.5.10.RELEASE</version>
            <relativePath/> <!-- lookup parent from repository -->
        </parent>

    SecuritySecureConfig.java

    import org.springframework.context.annotation.Configuration;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
    
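    /**
     * Security configuration of the client application whose actuator endpoints are monitored by
     * Spring Boot Admin.
     *
     * <p>Static resources and the root path stay open; every other request — the actuator
     * endpoints included — requires an authenticated caller over HTTP basic. The admin server
     * authenticates with the credentials this client publishes in its registration metadata,
     * which must match the {@code security.user.*} properties of this application.
     */
    @Configuration
    public class SecuritySecureConfig extends WebSecurityConfigurerAdapter {

        /** Static assets that may be fetched without credentials. */
        private static final String[] STATIC_RESOURCES = {
            "/css/**", "/images/**", "/js/**", "/webjars/**", "/**/favicon.ico"
        };

        /**
         * Builds the filter chain: CSRF disabled, open static resources and root path, everything
         * else authenticated via HTTP basic.
         *
         * @param http the builder handed in by Spring Security
         * @throws Exception propagated from the configurer builders
         */
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                // CSRF stays disabled as in the original — presumably because the admin server's
                // basic-auth requests carry no token; revisit if this app also serves browser forms.
                .csrf().disable()
                .authorizeRequests()
                    // Static files are open.
                    .antMatchers(STATIC_RESOURCES).permitAll()
                    // The root path is open.
                    .antMatchers("/").permitAll()
                    // Everything else, actuator endpoints included, needs an authenticated caller.
                    // The original permitted "/**" here, which let this chain hand out /env and the
                    // other endpoints to anyone — the opposite of the stated goal of the setup.
                    .anyRequest().authenticated()
                    .and()
                .httpBasic();
        }
    }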

    application.properties

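    spring.application.name=client
    # URL of the Spring Boot Admin server to register with
    spring.boot.admin.url=http://localhost:8011
    # Since Spring Boot 1.5.x all actuator endpoints are secured by default. The original sample disabled
    # that for brevity; it stays commented out so the security setup described in this post applies.
    #management.security.enabled=false
    # Credentials this client publishes in its registration metadata; the server uses them when it calls
    # this client's actuator endpoints. NOTE(review): whether the server masks these values when it
    # exposes application metadata depends on the server version — confirm before relying on it.
    # (The original file had these keys fused onto one line, which a properties parser reads as a single
    # key with a bogus value; one key per line here.)
    spring.boot.admin.client.metadata.user.name=admin
    spring.boot.admin.client.metadata.user.password=123456
    # If the server's /api/applications endpoint is protected, the client must authenticate to it with
    # spring.boot.admin.username / spring.boot.admin.password, otherwise the registration is rejected.
    spring.boot.admin.username=admin
    spring.boot.admin.password=123456
    # Important: the user this client accepts when the server fetches its endpoints; must match the
    # metadata credentials above.
    security.user.name=admin
    security.user.password=123456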

    最新测试,还可以精简一下去掉代码

    // Explicit role check on the actuator endpoints listed below (hasRole("ACTUATOR_ADMIN"), paired
    // with management.security.roles=ACTUATOR_ADMIN). NOTE(review): the post says removing it still
    // "works" — that only shows the admin server can read the endpoints. With "/**" permitted to
    // everyone in SecuritySecureConfig, dropping this check presumably also lets unauthenticated
    // callers read /env, /heapdump and friends through that chain — confirm against the running app.
    .antMatchers(
                            "/info",
                            "/info.json",
                            "/health",
                            "/health.json",
                            "/metrics",
                            "/metrics.json",
                            "/dump",
                            "/dump.json",
                            "/metrics/*",
                            "/beans",
                            "/beans.json",
                            "/configprops",
                            "/configprops.json",
                            "/auditevents",
                            "/auditevents.json",
                            "/heapdump",
                            "/heapdump.json",
                            "/trace",
                            "/trace.json",
                            "/env/*",
                            "/env",
                            "/env.json",
                            "/loggers/*",
                            "/loggers",
                            "/loggers.json",
                            "/mappings",
                            "/mappings.json",
                            "/jolokia/**"
                            ).hasRole("ACTUATOR_ADMIN")

    management.security.roles=ACTUATOR_ADMIN

    去掉这2个,也可以达到效果。

  • 原文地址:https://www.cnblogs.com/xiongjinpeng/p/11777950.html