如何保护Spring Cloud Config服务器 [英] How to Secure Spring Cloud Config Server
问题描述
我了解可以使用访问者必须提供的用户名和密码来保护Spring Cloud Config Server.
I understand that a Spring Cloud Config Server can be protected using an user name and password , which has to be provided by the accessing clients.
如何防止客户端存储这些用户名和 客户端中bootstrap.yml文件中的明文形式的密码 应用程序/服务?
How can i prevent the clients from storing these user name and password as clear text in the bootstrap.yml files in the client application/services ?
推荐答案
非常基本的基本身份验证"(从此处 https://github.com/spring-cloud-samples/configserver )
The very basic "basic authentication" (from here https://github.com/spring-cloud-samples/configserver)
您可以通过添加对Spring Security的额外依赖来添加HTTP Basic身份验证(例如,通过spring-boot-starter-security).用户名为"user",密码在启动时打印在控制台上(标准的Spring Boot方法).如果使用Maven(pom.xml
):
You can add HTTP Basic authentication by including an extra dependency on Spring Security (e.g. via spring-boot-starter-security). The user name is "user" and the password is printed on the console on startup (standard Spring Boot approach). If using maven (pom.xml
):
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
</dependency>
如果要自定义用户/密码对,则需要在服务器配置文件中指明
If you want custom user/password pairs, you need indicate in server configuration file
security:
basic:
enabled: false
并在您的代码(BasicSecurityConfiguration.java
)中添加此最小类:
and add this minimal Class in your code (BasicSecurityConfiguration.java
):
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
@Configuration
//@EnableGlobalMethodSecurity(prePostEnabled = true, securedEnabled = true)
public class BasicSecurityConfiguration extends WebSecurityConfigurerAdapter {
@Value("#{'${qa.admin.password:admin}'}") //property with default value
String admin_password;
@Value("#{'${qa.user.password:user}'}") //property with default value
String user_password;
@Autowired
public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
auth
.inMemoryAuthentication()
.withUser("user").password(user_password).roles("USER")
.and()
.withUser("admin").password(admin_password).roles("USER", "ACTUATOR");
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.csrf()
.disable()
.httpBasic()
.and()
.authorizeRequests()
.antMatchers("/encrypt/**").authenticated()
.antMatchers("/decrypt/**").authenticated()
//.antMatchers("/admin/**").hasAuthority("ROLE_ACTUATOR")
//.antMatchers("/qa/**").permitAll()
;
}
}
@Value(#{'$ {qa.admin.password:admin}'}"))允许在属性配置文件,环境变量或命令行中定义密码.
@Value("#{'${qa.admin.password:admin}'}") allow passwords to be defined in property configuration file, environment variables or command line.
例如(application.yml
):
server:
port: 8888
security:
basic:
enabled: false
qa:
admin:
password: adminadmin
user:
password: useruser
management:
port: 8888
context-path: /admin
logging:
level:
org.springframework.cloud: 'DEBUG'
spring:
cloud:
config:
server:
git:
ignoreLocalSshSettings: true
uri: ssh://git@gitlab.server.corp/repo/configuration.git
这对我有用.
您可以将基本的用户配置直接放在application.yaml
中:
Instead of the Class, you can put basic user configuration directly in application.yaml
:
security:
basic:
enabled: true
path: /**
ignored: /health**,/info**,/metrics**,/trace**
user:
name: admin
password: tupassword
对于Spring Boot 2,application.yml中的配置现在位于spring.security下.*(
For Spring Boot 2 the configuration in application.yml are now under spring.security.* (https://docs.spring.io/spring-boot/docs/current/reference/html/appendix-application-properties.html#security-properties)
spring.security:
basic:
enabled: true
path: /**
ignored: /health**,/info**,/metrics**,/trace**
user:
name: admin
password: tupassword
这篇关于如何保护Spring Cloud Config服务器的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!