cloud-security-wiki/docs/use/spring-amin/README.md


监控模块使用

监控模块使用 Spring Boot Admin,配合客户端引入spring-boot-starter-actuator依赖就可以在监控模块中看到对应服务的情况,但是Spring Boot Admin没有权限拦截,所以需要二次权限认证。

实现原理

  • 引入 spring security
<!--security-->
<dependency>
	<groupId>org.springframework.boot</groupId>
	<artifactId>spring-boot-starter-security</artifactId>
</dependency>
  • 配置 spring security
/**
 * Security configuration for the Spring Boot Admin monitor server, so that
 * monitored services can register and operators must log in to use the UI.
 *
 * <p>Access model defined by {@link #filterChain(HttpSecurity)}: static assets and
 * the login page are public; {@code /actuator/**} and {@code /instances} are also
 * public (unauthenticated); everything else requires an authenticated session.
 * Credentials come from {@code spring.security.user.*} in the monitor profile.
 *
 * @author Clay
 * @date 2022/11/10
 */
@Configuration
public class SecuritySecureConfig {

    /**
     * Context path of the admin server (from {@code AdminServerProperties}),
     * prefixed onto every UI path matched below.
     */
    private final String adminContextPath;

    public SecuritySecureConfig(AdminServerProperties adminServerProperties) {
        this.adminContextPath = adminServerProperties.getContextPath();
    }

    /**
     * Builds the filter chain for the admin UI.
     *
     * @param http the Spring Security builder for this chain
     * @return the built {@link SecurityFilterChain}
     * @throws Exception propagated from {@link HttpSecurity#build()}
     */
    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        // After login, redirect to the URL given in the "redirectTo" request parameter,
        // falling back to the admin root. The parameter value comes from the request;
        // NOTE(review): confirm the redirect strategy in use rejects absolute/external
        // URLs so this cannot be turned into an open redirect.
        SavedRequestAwareAuthenticationSuccessHandler successHandler = new SavedRequestAwareAuthenticationSuccessHandler();
        successHandler.setTargetUrlParameter("redirectTo");
        successHandler.setDefaultTargetUrl(adminContextPath + "/");
        // Matcher order matters: the first matching rule wins.
        http.authorizeRequests()
                // 1. Static assets and the login page are publicly accessible.
                .antMatchers(adminContextPath + "/assets/**")
                .permitAll()
                .antMatchers(adminContextPath + "/login")
                .permitAll()
                // 2. The admin server's own actuator endpoints and the client
                //    registration endpoint (/instances) are ALSO public. Anyone who
                //    can reach this server can read its actuator data and register or
                //    deregister instances without credentials; restrict by network or
                //    require client credentials here if that is not acceptable.
                .antMatchers("/actuator/**","/instances").permitAll()
                // 3. Every other request needs an authenticated session.
                .anyRequest().authenticated()
                .and()
                // 4. Form login and logout under the admin context path.
                .formLogin().loginPage(adminContextPath + "/login")
                .successHandler(successHandler)
                .and()
                .logout().logoutUrl(adminContextPath + "/logout");

        // CSRF is left at the Spring Security default in this chain.
        // NOTE(review): if client registration POSTs to /instances are rejected,
        // CSRF handling for /instances and /actuator/** is the usual place to look;
        // verify against the Spring Boot Admin version in use.
        return http.build();
    }

    /**
     * Adds a marker header to every request the admin server sends to a monitored
     * instance's actuator endpoints.
     *
     * <p>The header name and value are fixed ({@code SecurityConstants.ACTUATOR_FROM}
     * / {@code ACTUATOR_FROM_IN}), so this is a static tag, not a per-request
     * credential; presumably the monitored services use it to recognise requests
     * coming from the monitor — verify on the client side before relying on it as
     * an access control.
     *
     * @return the {@link HttpHeadersProvider} applied to outgoing actuator requests
     */
    @Bean
    public HttpHeadersProvider customHttpHeadersProvider() {
        return (instance) -> {
            HttpHeaders httpHeaders = new HttpHeaders();
            httpHeaders.add(SecurityConstants.ACTUATOR_FROM, SecurityConstants.ACTUATOR_FROM_IN);
            return httpHeaders;
        };
    }
}
  • 在对应的monitor-运行环境.yml 配置用户
spring:
  security:
      user:
        # Single in-memory login used by the monitor UI (formLogin in SecuritySecureConfig).
        name: root
        # Placeholder value; supply the real password per environment (environment
        # variable / secret) rather than committing it to the profile file.
        password: password

客户端配置

  • 在对应的application-运行环境.yml 配置actuator暴露信息
management:
  endpoints:
    web:
        # Controls which endpoints are exposed over HTTP; by default only health and info are visible.
      exposure:
        # include: env   # Option 1: list specific endpoints, comma-separated
        include: "*"     # Option 2: expose ALL endpoints (quotes required). This also exposes
                         # endpoints that return configuration and runtime state, so the
                         # management port must not be reachable from untrusted networks.
        # Endpoints removed from web exposure
        exclude: shutdown
  server:
    # Dedicated management port, separate from the application port. Under k8s each service
    # runs in its own container, so the same port number does not collide between services.
    port: 9595
  endpoint:
    health:
      show-details: always # Show component details (db, redis, rabbitmq, ...) to every caller of /health
    shutdown:
      # All endpoints except shutdown are enabled by default; shutdown must be enabled manually.
      # Note: it is excluded from web exposure above, so enabling it here only matters for
      # other exposure technologies (e.g. JMX).
      enabled: true

效果图