cloud-security-wiki/docs/use/spring-amin/README.md

# Using the monitoring module
The monitoring module is built on Spring Boot Admin. A client only needs the spring-boot-starter-actuator dependency for its status to show up in the monitoring module, but Spring Boot Admin performs no authorization of its own, so a second layer of authentication has to be added in front of it.
## How it works
- Add Spring Security
```xml
<!--security-->
<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-security</artifactId>
</dependency>
```
- Configure Spring Security
```java
import de.codecentric.boot.admin.server.config.AdminServerProperties;
import de.codecentric.boot.admin.server.web.client.HttpHeadersProvider;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpHeaders;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler;
// SecurityConstants is the project's own class holding the marker header name and value.

/**
 * Security configuration for the admin server; keeps the registration
 * endpoints open so that other services can still register.
 *
 * @author Clay
 * @date 2022/11/10
 */
@Configuration
public class SecuritySecureConfig {

    /**
     * Context path of the admin application
     */
    private final String adminContextPath;

    public SecuritySecureConfig(AdminServerProperties adminServerProperties) {
        this.adminContextPath = adminServerProperties.getContextPath();
    }

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        SavedRequestAwareAuthenticationSuccessHandler successHandler = new SavedRequestAwareAuthenticationSuccessHandler();
        successHandler.setTargetUrlParameter("redirectTo");
        successHandler.setDefaultTargetUrl(adminContextPath + "/");
        http.authorizeRequests()
                // 1. Static assets and the login page are publicly accessible
                .antMatchers(adminContextPath + "/assets/**")
                .permitAll()
                .antMatchers(adminContextPath + "/login")
                .permitAll()
                // 2. Client registration and the actuator proxy stay open; every other request must be authenticated
                .antMatchers("/actuator/**", "/instances").permitAll()
                .anyRequest().authenticated()
                .and()
                // 3. Login and logout paths
                .formLogin().loginPage(adminContextPath + "/login")
                .successHandler(successHandler)
                .and()
                .logout().logoutUrl(adminContextPath + "/logout");
        return http.build();
    }

    /**
     * Adds a marker header to every actuator request the admin server proxies
     * to a client, so the client can tell the call came from the monitoring module.
     */
    @Bean
    public HttpHeadersProvider customHttpHeadersProvider() {
        return (instance) -> {
            HttpHeaders httpHeaders = new HttpHeaders();
            httpHeaders.add(SecurityConstants.ACTUATOR_FROM, SecurityConstants.ACTUATOR_FROM_IN);
            return httpHeaders;
        };
    }
}
```
- Configure the login user in the `monitor-<profile>.yml` for the corresponding environment
```yaml
spring:
  security:
    user:
      name: root
      password: password
```
## Client configuration
- Configure which actuator information is exposed in the `application-<profile>.yml` for the corresponding environment
```yaml
management:
  endpoints:
    web:
      # Which endpoints to expose; by default only health and info are visible
      exposure:
        # include: env # option 1: expose the env endpoint; separate several with commas
        include: "*" # option 2: expose all endpoints; note that the quotes are required
        # Endpoints to exclude
        exclude: shutdown
  server:
    port: 9595 # dedicated monitoring port, separate from the application port; under k8s each service runs in its own docker container, so the ports do not conflict
  endpoint:
    health:
      show-details: always # show the state of the db, redis, rabbitmq connections, etc.
    shutdown:
      enabled: true # by default every endpoint except shutdown is enabled; it has to be turned on manually
```
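The HttpHeadersProvider above only adds the marker header on the admin server; unless the client actually checks it, the management port (9595 here, with every endpoint exposed and shutdown enabled) accepts any caller that can reach it. The following is an added example, not the project's code: a client-side Spring Security chain that assumes the client also depends on spring-boot-starter-security (5.x) and uses placeholder header name and value in place of the project's SecurityConstants.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import javax.servlet.http.HttpServletRequest;
import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.util.matcher.RequestMatcher;

/**
 * Client-side guard for the actuator endpoints (hypothetical example). Only requests
 * carrying the marker header set by the admin server's HttpHeadersProvider may reach
 * the management endpoints; health stays open for k8s liveness/readiness probes.
 */
@Configuration
public class ActuatorAccessConfig {

    // Placeholders: the real header name and value are the project's SecurityConstants.
    static final String ACTUATOR_FROM = "X-Actuator-From";
    static final String ACTUATOR_FROM_IN = "change-me-shared-secret";

    /** Constant-time comparison so the marker value cannot be recovered byte by byte. */
    static boolean fromMonitor(HttpServletRequest request) {
        String value = request.getHeader(ACTUATOR_FROM);
        return value != null && MessageDigest.isEqual(
                value.getBytes(StandardCharsets.UTF_8),
                ACTUATOR_FROM_IN.getBytes(StandardCharsets.UTF_8));
    }

    @Bean
    public SecurityFilterChain actuatorChain(HttpSecurity http) throws Exception {
        RequestMatcher fromMonitor = ActuatorAccessConfig::fromMonitor;
        http.requestMatcher(EndpointRequest.toAnyEndpoint()) // this chain covers /actuator/** only
                .authorizeRequests()
                // probes do not send the header, so health stays reachable
                .requestMatchers(EndpointRequest.to("health")).permitAll()
                // everything else (env, shutdown, ...) requires the marker header
                .requestMatchers(fromMonitor).permitAll()
                .anyRequest().denyAll()
                .and()
                // shutdown is a POST and the admin server sends no CSRF token
                .csrf().ignoringRequestMatchers(EndpointRequest.toAnyEndpoint());
        return http.build();
    }
}
```

The header is a static shared secret, so it stops unintended callers rather than one that has captured the value; keep the management port off any network the admin server does not need to reach it from.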
## Screenshots
![](./login.png)
![](./application.png)
![](./wallboard.png)
![](./instances.png)