如何保护Spring Cloud Config服务器 [英] How to Secure Spring Cloud Config Server

问题描述

我了解可以使用访问者必须提供的用户名和密码来保护Spring Cloud Config Server.

I understand that a Spring Cloud Config Server can be protected using an user name and password , which has to be provided by the accessing clients.

如何防止客户端存储这些用户名和 客户端中bootstrap.yml文件中的明文形式的密码 应用程序/服务?

How can i prevent the clients from storing these user name and password as clear text in the bootstrap.yml files in the client application/services ?

推荐答案

非常基本的基本身份验证"(从此处 https://github.com/spring-cloud-samples/configserver )

The very basic "basic authentication" (from here https://github.com/spring-cloud-samples/configserver)

您可以通过添加对Spring Security的额外依赖来添加HTTP Basic身份验证(例如，通过spring-boot-starter-security).用户名为"user"，密码在启动时打印在控制台上(标准的Spring Boot方法).如果使用Maven(pom.xml):

You can add HTTP Basic authentication by including an extra dependency on Spring Security (e.g. via spring-boot-starter-security). The user name is "user" and the password is printed on the console on startup (standard Spring Boot approach). If using maven (pom.xml):

<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-security</artifactId>
</dependency>

如果要自定义用户/密码对，则需要在服务器配置文件中指明

If you want custom user/password pairs, you need indicate in server configuration file

security:
    basic:
        enabled: false

并在您的代码(BasicSecurityConfiguration.java)中添加此最小类:

and add this minimal Class in your code (BasicSecurityConfiguration.java):

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
//@EnableGlobalMethodSecurity(prePostEnabled = true, securedEnabled = true)
public class BasicSecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Value("#{'${qa.admin.password:admin}'}") //property with default value
        String admin_password;

    @Value("#{'${qa.user.password:user}'}") //property with default value
            String user_password;

    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        auth
            .inMemoryAuthentication()
            .withUser("user").password(user_password).roles("USER")
        .and()
            .withUser("admin").password(admin_password).roles("USER", "ACTUATOR");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .csrf()
            .disable()
            .httpBasic()
         .and()
            .authorizeRequests()
            .antMatchers("/encrypt/**").authenticated()
            .antMatchers("/decrypt/**").authenticated()
            //.antMatchers("/admin/**").hasAuthority("ROLE_ACTUATOR")
            //.antMatchers("/qa/**").permitAll()

        ;
    }

}

@Value(#{'$ {qa.admin.password:admin}'}"))允许在属性配置文件，环境变量或命令行中定义密码.

@Value("#{'${qa.admin.password:admin}'}") allow passwords to be defined in property configuration file, environment variables or command line.

例如(application.yml):

server:
  port: 8888

security:
    basic:
        enabled: false

qa:
  admin:
    password: adminadmin
  user:
    password: useruser

management:
  port: 8888
  context-path: /admin

logging:
  level:
    org.springframework.cloud: 'DEBUG'

spring:
  cloud:
    config:
      server:
        git:
          ignoreLocalSshSettings: true
          uri: ssh://git@gitlab.server.corp/repo/configuration.git

这对我有用.

您可以将基本的用户配置直接放在application.yaml中:

Instead of the Class, you can put basic user configuration directly in application.yaml:

security:
  basic:
    enabled: true
    path: /**
  ignored: /health**,/info**,/metrics**,/trace**
  user:
    name: admin
    password: tupassword

对于Spring Boot 2，application.yml中的配置现在位于spring.security下.*(

For Spring Boot 2 the configuration in application.yml are now under spring.security.* (https://docs.spring.io/spring-boot/docs/current/reference/html/appendix-application-properties.html#security-properties)

spring.security:
  basic:
    enabled: true
    path: /**
  ignored: /health**,/info**,/metrics**,/trace**
  user:
    name: admin
    password: tupassword

这篇关于如何保护Spring Cloud Config服务器的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！