Adding Authentication to Spring Boot Admin

Alibaba Cloud security warning

Alibaba Cloud, as commissioned by the Cyber Security Administration of the Ministry of Industry and Information Technology, hereby notifies you that your asset XX.XX.XX.XX has a Spring Boot Admin unauthorized access vulnerability. Vulnerability report URL: …; see the e-mail or site message for details. Please remediate as soon as possible following the repair recommendations, so that the vulnerability is not exploited by attackers. For network resources with long-standing security risks that are not remediated, the regulator may impose administrative penalties (shutdown, summons for interview, etc.). Please take this seriously.

Cause

The Spring Boot Admin monitoring server had been running with no authentication at all, so anyone who could reach it could browse every registered instance and its actuator data. The MIIT notice flagged exactly that, so username/password authentication has to be added on the server, and the clients that register with it have to present those credentials.

Spring Boot Admin server side

Add the Spring Security starter to pom.xml

<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-security</artifactId>
</dependency>

Add the configuration class SecuritySecureConfig.java to the project. It is the configuration from the official "Securing Spring Boot Admin Server" documentation: the UI assets and the login page stay public, everything else requires a login, and HTTP Basic is enabled so that clients can still register.
import java.util.UUID;

import de.codecentric.boot.admin.server.config.AdminServerProperties;

import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;

@Configuration(proxyBeanMethods = false)
public class SecuritySecureConfig extends WebSecurityConfigurerAdapter {

    private final AdminServerProperties adminServer;

    public SecuritySecureConfig(AdminServerProperties adminServer) {
        this.adminServer = adminServer;
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // After a successful login, send the user back to the page they originally
        // requested (carried in the "redirectTo" parameter), or to the admin root.
        SavedRequestAwareAuthenticationSuccessHandler successHandler = new SavedRequestAwareAuthenticationSuccessHandler();
        successHandler.setTargetUrlParameter("redirectTo");
        successHandler.setDefaultTargetUrl(this.adminServer.path("/"));

        http.authorizeRequests((authorizeRequests) -> authorizeRequests
                // Static UI assets and the login page are public; everything else needs authentication.
                .antMatchers(this.adminServer.path("/assets/**")).permitAll()
                .antMatchers(this.adminServer.path("/login")).permitAll()
                .anyRequest().authenticated())
            .formLogin((formLogin) -> formLogin
                .loginPage(this.adminServer.path("/login"))
                .successHandler(successHandler))
            .logout((logout) -> logout.logoutUrl(this.adminServer.path("/logout")))
            // HTTP Basic is what registering clients use (spring.boot.admin.client.username/password).
            .httpBasic(Customizer.withDefaults())
            .csrf((csrf) -> csrf
                // The UI reads the CSRF token from the XSRF-TOKEN cookie, so it must not be HttpOnly.
                .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
                .ignoringRequestMatchers(
                    // Registration and deregistration are done by clients with Basic auth,
                    // not by a browser session, so they carry no CSRF token.
                    new AntPathRequestMatcher(this.adminServer.path("/instances"), HttpMethod.POST.toString()),
                    new AntPathRequestMatcher(this.adminServer.path("/instances/*"), HttpMethod.DELETE.toString()),
                    // The admin server's own actuator endpoints.
                    new AntPathRequestMatcher(this.adminServer.path("/actuator/**"))))
            // Caveat: a random key means every restart invalidates all remember-me cookies;
            // read a fixed secret from configuration if that matters to you.
            .rememberMe((rememberMe) -> rememberMe.key(UUID.randomUUID().toString()).tokenValiditySeconds(1209600));
    }

    // Required to provide a UserDetailsService for the remember-me functionality.
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        // Change the username and password to your own.
        // {noop} means the password is stored and compared in cleartext; use a {bcrypt} hash in production.
        auth.inMemoryAuthentication().withUser("user").password("{noop}password").roles("USER");
    }

}

Note: keep the username and password defined in the last method; the client configuration has to use the same values.
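The in-memory user above keeps its password in the Java source as `{noop}password`, and the remember-me key changes on every restart. The class below is an added example (not code from the original post or from the Spring Boot Admin project) that keeps the same access rules but takes the admin account from Spring Boot's standard `spring.security.user.name` / `spring.security.user.password` properties, refuses to start unless the stored password is a `{bcrypt}` hash, and reads a fixed remember-me key. The package name `com.example.admin`, the class name `HardenedAdminSecurityConfig`, the property `admin.remember-me.key` and the helper `bcryptHash` are assumptions for the example; `spring.security.user.*` are real Spring Boot properties. It targets the same stack as the post (Spring Boot Admin 2.3.0 with Spring Security 5.3, where `WebSecurityConfigurerAdapter` is still the extension point).

```java
package com.example.admin; // assumed package; the post does not show one

import java.util.List;

import de.codecentric.boot.admin.server.config.AdminServerProperties;

import org.springframework.beans.factory.annotation.Value;
import org.springframework.boot.autoconfigure.security.SecurityProperties;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;

/**
 * Example only (not from the original post or the Spring Boot Admin project).
 * Same access rules as SecuritySecureConfig, but the admin account comes from
 * spring.security.user.* and the stored password must be a {bcrypt} hash, so no
 * cleartext credential lives in the code.
 */
@Configuration(proxyBeanMethods = false)
public class HardenedAdminSecurityConfig extends WebSecurityConfigurerAdapter {

    private final AdminServerProperties adminServer;
    private final SecurityProperties security;
    private final String rememberMeKey;

    public HardenedAdminSecurityConfig(AdminServerProperties adminServer,
                                       SecurityProperties security,
                                       // assumed property name: a fixed secret, so remember-me cookies survive restarts
                                       @Value("${admin.remember-me.key}") String rememberMeKey) {
        this.adminServer = adminServer;
        this.security = security;
        this.rememberMeKey = rememberMeKey;
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        SavedRequestAwareAuthenticationSuccessHandler successHandler = new SavedRequestAwareAuthenticationSuccessHandler();
        successHandler.setTargetUrlParameter("redirectTo");
        successHandler.setDefaultTargetUrl(adminServer.path("/"));

        http.authorizeRequests((requests) -> requests
                .antMatchers(adminServer.path("/assets/**")).permitAll()
                .antMatchers(adminServer.path("/login")).permitAll()
                .anyRequest().authenticated())
            .formLogin((form) -> form.loginPage(adminServer.path("/login")).successHandler(successHandler))
            .logout((logout) -> logout.logoutUrl(adminServer.path("/logout")))
            .httpBasic(Customizer.withDefaults())
            .csrf((csrf) -> csrf
                .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
                .ignoringRequestMatchers(
                    new AntPathRequestMatcher(adminServer.path("/instances"), HttpMethod.POST.toString()),
                    new AntPathRequestMatcher(adminServer.path("/instances/*"), HttpMethod.DELETE.toString()),
                    new AntPathRequestMatcher(adminServer.path("/actuator/**"))))
            .rememberMe((rememberMe) -> rememberMe.key(rememberMeKey).tokenValiditySeconds(1209600));
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        SecurityProperties.User user = security.getUser();
        String storedPassword = user.getPassword();
        // Fail fast at startup instead of silently accepting a cleartext, {noop} or Boot-generated password.
        if (storedPassword == null || !storedPassword.startsWith("{bcrypt}")) {
            throw new IllegalStateException(
                "spring.security.user.password must be a {bcrypt} hash; generate one with bcryptHash()");
        }
        // Fall back to the USER role from the post when spring.security.user.roles is not set.
        List<String> roles = user.getRoles();
        String[] roleNames = roles.isEmpty() ? new String[] { "USER" } : roles.toArray(new String[0]);
        // The default DaoAuthenticationProvider uses a DelegatingPasswordEncoder, which
        // recognises the {bcrypt} prefix, so no explicit passwordEncoder() call is needed.
        auth.inMemoryAuthentication()
            .withUser(user.getName())
            .password(storedPassword)
            .roles(roleNames);
    }

    /** Produces the value to put in spring.security.user.password; run once, offline. */
    public static String bcryptHash(String cleartext) {
        return "{bcrypt}" + new BCryptPasswordEncoder(12).encode(cleartext);
    }

    /** Usage: java -cp ... com.example.admin.HardenedAdminSecurityConfig '<cleartext-password>' */
    public static void main(String[] args) {
        System.out.println(bcryptHash(args[0]));
    }
}
```

Use this class instead of SecuritySecureConfig, not beside it (two `WebSecurityConfigurerAdapter`s with the same order will not start). Run `main` once with the chosen password, put the printed `{bcrypt}$2a$12$...` value in `spring.security.user.password` on the server (a `.properties` file needs no quoting; in YAML or a shell environment variable, quote the `$` characters), set `spring.security.user.name` and `admin.remember-me.key` (a long random string, for example from `openssl rand -hex 32`), and keep the cleartext password only on the client side in `spring.boot.admin.client.password`, which is what the client sends over HTTP Basic when it registers.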

Spring Boot Admin client side

Add the username and password the client presents when it registers with the admin server (the same values defined in SecuritySecureConfig). If the client's own actuator endpoints are also behind authentication, the server additionally needs credentials to read them; Spring Boot Admin passes those in the registration metadata via spring.boot.admin.client.instance.metadata.user.name and spring.boot.admin.client.instance.metadata.user.password.

spring.boot.admin.client.username=user
spring.boot.admin.client.password=password

Related links

Spring Boot Admin version: 2.3.0
Official documentation: Securing Spring Boot Admin Server
