修复SpringBoot Actuator未授权访问遇到的问题
短信预约 -IT技能 免费直播动态提醒
原由:风险检测扫出漏洞
访问http://xxx.xx.x/actuator 会直接获取到系统监控信息,存在安全问题,禁用actuator
1.禁用/env接口
缺点:谁都不可以访问不够灵活
会展示部分信息,漏扫严格的话建议替换其他方法
management: endpoint: env: enabled: false2.直接屏蔽所有端口
缺点:谁都不可以访问不够灵活
management: endpoints: web: exposure: include: "*" enabled-by-default: false3.引入spring-boot-starter-security依赖,增加登录认证
org.springframework.boot spring-boot-starter-security 配置文件增加
spring: security: user: name: admin password: adminmanagement: server: port: 8099 endpoints: web: exposure: include: "*"
4.添加全局过滤拦截类,增加登录认证
在项目目录新建config文件夹,新建下面两个文件
1. ActuatorFilter
import org.slf4j.Logger;import org.slf4j.LoggerFactory;import javax.servlet.*;import javax.servlet.http.HttpServletRequest;import javax.servlet.http.HttpServletResponse;import java.io.IOException;import java.util.Base64;import java.util.Enumeration;public class ActuatorFilter implements Filter { public static final Logger logger = LoggerFactory.getLogger(ActuatorFilter.class); public static final String ACTUATOR_SESSION = "ActuatorBasicAuthSession"; private String userName; private String password; @Override public void init(FilterConfig filterConfig) throws ServletException { Enumerationenumeration = filterConfig.getInitParameterNames(); if (enumeration.hasMoreElements()) { this.userName = filterConfig.getInitParameter("actuatorUserName"); this.password = filterConfig.getInitParameter("actuatorPassword"); } logger.info("ActuatorFilter init success"); } @Override public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException { HttpServletRequest request = (HttpServletRequest) servletRequest; HttpServletResponse response = (HttpServletResponse) servletResponse; String path = request.getRequestURI(); //可以把所有暴露出来的端点路径放在一个集合里面进行判断 if (path.startsWith("/actuator")) { Object actuatorSessionValue = request.getSession().getAttribute(ACTUATOR_SESSION); if (actuatorSessionValue == null || !userName.equals(actuatorSessionValue)) { String auth = request.getHeader("Authorization"); if (auth != null && !"".equals(auth)) { //解析认证参数 String userAndPass = this.decodeBase64(auth.substring(6)); String[] upArr = userAndPass.split(":"); if (upArr.length != 2) { this.writeForbiddenCode(response); return; } String iptUser = upArr[0]; String iptPass = upArr[1]; if (iptUser.equals(this.userName) && iptPass.equals(this.password)) { request.getSession().setAttribute(ACTUATOR_SESSION, this.userName); filterChain.doFilter(request, response); return; } this.writeForbiddenCode(response); return; } else { this.writeForbiddenCode(response); return; } } } filterChain.doFilter(request, response); } private void writeForbiddenCode(HttpServletResponse httpServletResponse) throws IOException { httpServletResponse.setStatus(401); httpServletResponse.setHeader("WWW-Authenticate", "Basic realm=\"input Actuator Basic userName & password \""); httpServletResponse.getWriter().write("没有权限访问当前资源"); } private String decodeBase64(String source) { String decodeStr = null; if (source != null) { try { byte[] bytes = Base64.getDecoder().decode(source); decodeStr = new String(bytes); } catch (Exception var4) { this.logger.error(var4.getMessage(), var4); } } return decodeStr; }} 2. WebMvcConfig
import org.springframework.boot.web.servlet.FilterRegistrationBean;import org.springframework.context.annotation.Bean;import org.springframework.context.annotation.Configuration;import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;@Configurationpublic class WebMvcConfig implements WebMvcConfigurer { @Bean public FilterRegistrationBean actuatorFilter () { FilterRegistrationBean registrationBean = new FilterRegistrationBean(); registrationBean.setFilter(new ActuatorFilter()); registrationBean.setName("actuator"); registrationBean.addUrlPatterns("/*"); registrationBean.setOrder(Integer.MAX_VALUE); //用户名密码可以配置在配置文件中或者配置中心 registrationBean.addInitParameter("actuatorUserName", "admin"); registrationBean.addInitParameter("actuatorPassword", "123456"); return registrationBean; }}配置文件增加
management: endpoints: web: exposure: include: "*" endpoint: health: show-details: always
- never:不展示详细信息,up或者down的状态,默认配置
- when-authorized:详细信息将会展示给通过认证的用户。授权的角色可以通过
management.endpoint.health.roles配置- always:对所有用户暴露详细信息
建议用方法3增加security的认证
来源地址:https://blog.csdn.net/weixin_45393972/article/details/129860984
免责声明:
① 本站未注明“稿件来源”的信息均来自网络整理。其文字、图片和音视频稿件的所属权归原作者所有。本站收集整理出于非商业性的教育和科研之目的,并不意味着本站赞同其观点或证实其内容的真实性。仅作为临时的测试数据,供内部测试之用。本站并未授权任何人以任何方式主动获取本站任何信息。
② 本站未注明“稿件来源”的临时测试数据将在测试完成后最终做删除处理。有问题或投稿请发送至: 邮箱/279061341@qq.com QQ/279061341
