How to Secure Spring Cloud Config Server
I know that Spring Cloud Config Server can be secured with a username and password, which must be supplied by the clients that access it.
How can I prevent clients from storing that username and password in plaintext in the bootstrap.yml file of the client application/service?
Very basic "Basic Authentication" (from here: https://github.com/spring-cloud-samples/configserver )
You can add HTTP Basic authentication by including an extra dependency on Spring Security (e.g., via spring-boot-starter-security). The user name is "user" and the password is printed on the console at startup (the standard Spring Boot approach). If you use Maven (pom.xml):
<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-security</artifactId>
</dependency>
If you want a custom user/password pair, you need to indicate that in the server's configuration file
security:
  basic:
    enabled: false
and add this minimal class to your code (BasicSecurityConfiguration.java):
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
//@EnableGlobalMethodSecurity(prePostEnabled = true, securedEnabled = true)
public class BasicSecurityConfiguration extends WebSecurityConfigurerAdapter {

    // Passwords are read from properties with defaults ("admin" / "user");
    // override them in application.yml, an environment variable or on the command line.
    @Value("#{'${qa.admin.password:admin}'}") //property with default value
    String admin_password;

    @Value("#{'${qa.user.password:user}'}") //property with default value
    String user_password;

    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        // Two in-memory users. Note: from Spring Security 5 on, plain passwords like
        // these need a PasswordEncoder (or a "{noop}" prefix) or startup fails.
        auth
            .inMemoryAuthentication()
                .withUser("user").password(user_password).roles("USER")
                .and()
                .withUser("admin").password(admin_password).roles("USER", "ACTUATOR");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .csrf()
                .disable() // config clients do not send CSRF tokens
            .httpBasic()
            .and()
            .authorizeRequests()
                // the encrypt/decrypt endpoints must never be reachable anonymously
                .antMatchers("/encrypt/**").authenticated()
                .antMatchers("/decrypt/**").authenticated()
                //.antMatchers("/admin/**").hasAuthority("ROLE_ACTUATOR")
                //.antMatchers("/qa/**").permitAll()
            ;
    }
}
@Value("#{'${qa.admin.password:admin}'}") allows the password to be defined in a properties file, an environment variable or on the command line.
For example (application.yml):
server:
  port: 8888
security:
  basic:
    enabled: false
qa:
  admin:
    password: adminadmin
  user:
    password: useruser
management:
  port: 8888
  context-path: /admin
logging:
  level:
    org.springframework.cloud: 'DEBUG'
spring:
  cloud:
    config:
      server:
        git:
          ignoreLocalSshSettings: true
          uri: ssh://git@gitlab.server.corp/repo/configuration.git
This works for me.
EDIT: you can put the basic user configuration directly in application.yaml instead of the class:
security:
  basic:
    enabled: true
    path: /**
    ignored: /health**,/info**,/metrics**,/trace**
  user:
    name: admin
    password: tupassword
For Spring Boot 2, the configuration in application.yml now lives under spring.security.* ( https://docs.spring.io/spring-boot/docs/current/reference/html/appendix-application-properties.html#security-properties )
spring.security:
  basic:
    enabled: true
    path: /**
    ignored: /health**,/info**,/metrics**,/trace**
  user:
    name: admin
    password: tupassword
Basic authentication configuration that works for me.
Server side:
Required dependency: org.springframework.boot:spring-boot-starter-security
bootstrap.yml
server:
  port: 8888
spring:
  cloud:
    config:
      server:
        git:
          uri: git@bitbucket.org:someRepo/repoName.git
          hostKeyAlgorithm: ssh-rsa
          hostKey: "general hostKey for bitbucket.org"
  security:
    user:
      name: yourUser
      password: yourPassword
Client side:
bootstrap.yml
spring:
  application:
    name: config
  profiles:
    active: dev
  cloud:
    config:
      uri: http://localhost:8888
      username: yourUser
      password: yourPassword
management:
  security:
    enabled: false
Sources: Spring doc security features, Spring cloud config client security
Encrypted text can be placed in bootstrap.yml.
Check -> http://projects.spring.io/spring-cloud/spring-cloud.html#_encryption_and_decryption
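To show what the answers above add up to, here is an added example (not taken from any of the answers or from the Spring Cloud project) of keeping the client password out of the committed bootstrap.yml: the server holds the symmetric key behind its authenticated /encrypt and /decrypt endpoints, and the client stores only a {cipher} value, which Spring Cloud's bootstrap pre-processor decrypts locally when encrypt.key is available. The environment variable names and the ciphertext are placeholders; the client needs spring-cloud-starter (and, on older JDKs, the unlimited-strength JCE policy) for local decryption.

```yaml
# --- config server: application.yml ---
# Symmetric key for /encrypt and /decrypt. It is read from the server's
# environment (ENCRYPT_KEY is a placeholder name) and never written to a file
# that is checked into Git.
encrypt:
  key: ${ENCRYPT_KEY}
spring:
  security:
    user:
      name: ${CONFIG_SERVER_USER}        # placeholder env var
      password: ${CONFIG_SERVER_PASSWORD} # placeholder env var

# --- client: bootstrap.yml (safe to commit) ---
# The password value is a placeholder for the ciphertext returned by the
# server's authenticated /encrypt endpoint, e.g.
#   curl -u <user>:<password> http://localhost:8888/encrypt -d 'yourPassword'
# The quotes are required: an unquoted "{" starts a YAML flow mapping.
encrypt:
  key: ${ENCRYPT_KEY}                    # same key as the server, from the env
spring:
  application:
    name: config
  cloud:
    config:
      uri: http://localhost:8888
      username: ${CONFIG_SERVER_USER}
      password: '{cipher}AQA-placeholder-ciphertext-from-the-encrypt-endpoint'
```

With a symmetric key the client still has to hold the same key as the server, so the gain is that the committed file no longer contains the secret, not that the client holds none; if the server is configured with an RSA keystore instead, the client decrypts with its copy of the key pair in the same way.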