Alibaba Cloud security warning
Alibaba Cloud, entrusted by the Cybersecurity Administration of the Ministry of Industry and Information Technology, notifies you that your asset XX.XX.XX.XX has a Spring Boot Admin unauthorized access vulnerability. Vulnerability report address: …; please see the e-mail or site message for details. Please remediate as soon as possible according to the repair recommendations to avoid the vulnerability being exploited by hackers. For network resources that have long-standing security risks but have not been remediated, the regulator may impose administrative penalties (shutdown, summons for interview, etc.). Please take this seriously.
Cause
The Spring Boot Admin monitoring system had never had any security mechanism added, so it was called out by MIIT; username and password authentication needs to be added.
Spring Boot Admin server side
Add the security dependency to pom.xml:
<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-security</artifactId>
</dependency>
Add the configuration class SecuritySecureConfig.java to the project:
import java.util.UUID;

import de.codecentric.boot.admin.server.config.AdminServerProperties;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;

@Configuration(proxyBeanMethods = false)
public class SecuritySecureConfig extends WebSecurityConfigurerAdapter {

    private final AdminServerProperties adminServer;

    public SecuritySecureConfig(AdminServerProperties adminServer) {
        this.adminServer = adminServer;
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // After a successful form login, send the user back to the page they originally
        // requested (passed as ?redirectTo=...), or to the admin UI root by default.
        SavedRequestAwareAuthenticationSuccessHandler successHandler = new SavedRequestAwareAuthenticationSuccessHandler();
        successHandler.setTargetUrlParameter("redirectTo");
        successHandler.setDefaultTargetUrl(this.adminServer.path("/"));

        http.authorizeRequests(
                // Static assets and the login page stay public; every other request needs an authenticated user.
                (authorizeRequests) -> authorizeRequests.antMatchers(this.adminServer.path("/assets/**")).permitAll()
                        .antMatchers(this.adminServer.path("/login")).permitAll().anyRequest().authenticated()
        ).formLogin(
                (formLogin) -> formLogin.loginPage(this.adminServer.path("/login")).successHandler(successHandler).and()
        ).logout((logout) -> logout.logoutUrl(this.adminServer.path("/logout")))
                // HTTP Basic is what the clients use when they register; they have no browser session.
                .httpBasic(Customizer.withDefaults())
                // CSRF protection for the UI, but not for the client registration/deregistration
                // calls and the actuator endpoints, which are not submitted from a browser form.
                .csrf((csrf) -> csrf.csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
                        .ignoringRequestMatchers(
                                new AntPathRequestMatcher(this.adminServer.path("/instances"),
                                        HttpMethod.POST.toString()),
                                new AntPathRequestMatcher(this.adminServer.path("/instances/*"),
                                        HttpMethod.DELETE.toString()),
                                new AntPathRequestMatcher(this.adminServer.path("/actuator/**"))
                        ))
                // The remember-me key is generated at startup, so existing remember-me cookies
                // become invalid on every restart regardless of the two-week validity set here.
                .rememberMe((rememberMe) -> rememberMe.key(UUID.randomUUID().toString()).tokenValiditySeconds(1209600));
    }

    // Required to provide UserDetailsService for "remember functionality"
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        // Replace this username and password with the ones you need
        auth.inMemoryAuthentication().withUser("user").password("{noop}password").roles("USER");
    }
}
Note: make a note of the username and password in the last method; the client side needs them in its configuration.
Spring Boot Admin client side
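To confirm that the configuration above actually closes the unauthorized-access finding, here is an added MockMvc test; it is not part of the original post and not code from the Spring Boot Admin project. It assumes the admin server is served at the context root (default spring.boot.admin.context-path), that spring-boot-starter-test and spring-security-test are on the test classpath, and that the in-memory user is still user/password; the class name SecuritySecureConfigTest is this example's own choice.

```java
import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.httpBasic;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.redirectedUrlPattern;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.http.MediaType;
import org.springframework.test.web.servlet.MockMvc;

// Hypothetical test class for the SecuritySecureConfig shown above; boots the admin
// server application context and drives it through MockMvc without opening a port.
@SpringBootTest
@AutoConfigureMockMvc
class SecuritySecureConfigTest {

    @Autowired
    private MockMvc mvc;

    // A browser-style request (Accept: text/html) with no credentials must be sent to the
    // login page instead of receiving the list of registered applications.
    @Test
    void anonymousBrowserRequestIsRedirectedToLogin() throws Exception {
        mvc.perform(get("/applications").accept(MediaType.TEXT_HTML))
           .andExpect(status().is3xxRedirection())
           .andExpect(redirectedUrlPattern("**/login"));
    }

    // An API-style request (Accept: application/json) with no credentials gets 401 from the
    // HTTP Basic entry point; this is the request shape the original scanner finding exercised.
    @Test
    void anonymousApiRequestIsRejected() throws Exception {
        mvc.perform(get("/instances").accept(MediaType.APPLICATION_JSON))
           .andExpect(status().isUnauthorized());
    }

    // The same endpoint with the credentials defined in configure(AuthenticationManagerBuilder)
    // is served: this is how clients registering with the server authenticate.
    @Test
    void basicAuthWithConfiguredUserIsAccepted() throws Exception {
        mvc.perform(get("/instances").accept(MediaType.APPLICATION_JSON)
                .with(httpBasic("user", "password")))
           .andExpect(status().isOk());
    }
}
```

Run it with the project's normal test command (mvn test); the two anonymous cases are the ones that fail on an unsecured admin server, so they double as a regression guard against someone later removing the security starter or the configuration class.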
Add the username and password configuration:
user =
password =
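The two keys above are shown without their prefix. As an added example based on the Spring Boot Admin reference documentation linked below (not text from the original post), the full property names in the client's application.properties are:

```properties
# Credentials the client sends when it registers with the admin server (POST /instances).
# They must match the user defined in SecuritySecureConfig on the server side.
spring.boot.admin.client.username=user
spring.boot.admin.client.password=password

# Only needed when the client's own actuator endpoints are also protected by Spring Security:
# the admin server reads these metadata values to authenticate when it polls the client.
spring.boot.admin.client.instance.metadata.user.name=${spring.security.user.name}
spring.boot.admin.client.instance.metadata.user.password=${spring.security.user.password}
```

The metadata entries are sent to the admin server as part of the registration, so the channel between client and server should be TLS if they are used.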
Related links
Spring Boot Admin version: 2.3.0
Official documentation: Securing Spring Boot Admin Server