Eureka in Practice, Part 4: Enabling HTTP Basic Authentication
In any real production environment you have to think about security. User login is the obvious case, but Eureka Server is another: it exposes its own REST API, and if that API has no authentication, anyone who can reach it can register bogus instances, deregister real ones or change their status, and every client that trusts the registry will follow along. This article walks through how to turn on HTTP Basic authentication on the Eureka server and how to give the Eureka client the credentials it needs.
Shared pom dependencies (used by both projects):
<parent>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-parent</artifactId>
    <version>2.0.3.RELEASE</version>
    <relativePath/> <!-- lookup parent from repository -->
</parent>
<properties>
    <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
    <project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
    <java.version>1.8</java.version>
    <spring-cloud.version>Finchley.RELEASE</spring-cloud.version>
</properties>
<dependencyManagement>
    <dependencies>
        <dependency>
            <groupId>org.springframework.cloud</groupId>
            <artifactId>spring-cloud-dependencies</artifactId>
            <version>${spring-cloud.version}</version>
            <type>pom</type>
            <scope>import</scope>
        </dependency>
    </dependencies>
</dependencyManagement>
1. Eureka server project
1.1 Eureka server project pom:
<!-- add the shared dependencies from the top of the article -->
<dependencies>
    <dependency>
        <groupId>org.springframework.cloud</groupId>
        <artifactId>spring-cloud-starter-netflix-eureka-server</artifactId>
    </dependency>
    <!-- security dependency: as soon as this is on the classpath, Spring Boot
         protects every endpoint with HTTP Basic (and a login form) by default -->
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-security</artifactId>
    </dependency>
</dependencies>
<build>
    <plugins>
        <plugin>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-maven-plugin</artifactId>
        </plugin>
    </plugins>
</build>
1.2 Eureka server project main class:
import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.cloud.netflix.eureka.server.EnableEurekaServer;

@SpringBootApplication
@EnableEurekaServer
public class EurekaServerApplication {
    public static void main(String[] args) {
        SpringApplication.run(EurekaServerApplication.class, args);
    }
}
1.3 Eureka server project configuration files, located under eureka-server\src\main\resources\
application-security.yml:
server:
  port: 8761
spring:
  security:
    basic:
      enabled: true   # not a Spring Boot 2.x property and ignored there; Basic auth is on as soon as the security starter is on the classpath
    user:
      name: admin
      password: xk38cnhigbp5jk75
eureka:
  instance:
    hostname: localhost
  client:
    registerWithEureka: false
    fetchRegistry: false
    serviceUrl:
      defaultZone: http://${eureka.instance.hostname}:${server.port}/eureka/
  server:
    waitTimeInMsWhenSyncEmpty: 0
    enableSelfPreservation: false
application.yml:
spring:
  profiles:
    active: security
spring-boot-starter-security also enables CSRF protection by default. That is right for browser-facing applications but wrong for the Eureka REST endpoints: clients register and send heartbeats with POST/PUT/DELETE requests that carry no CSRF token, so the server would reject them with 403. Spring Boot 2 has no configuration property for switching CSRF off, so it has to be done in Java configuration:
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

/**
 * Switch off the CSRF check that spring-boot-starter-security enables by default.
 */
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // keep Spring Security's defaults: every request authenticated, HTTP Basic and form login enabled ...
        super.configure(http);
        // ... but drop CSRF, which would otherwise reject the clients' registration and heartbeat requests
        http.csrf().disable();
    }
}
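An added example, not the article's code: a tighter version of the security configuration. Instead of disabling CSRF for the whole application it exempts only the /eureka/** REST paths (the Spring Cloud Netflix reference documentation recommends the same ignoringAntMatchers approach), keeps every other request, dashboard included, behind authentication, and makes the filter chain stateless so the server stops creating an HTTP session and a JSESSIONID cookie for every client heartbeat (the Set-Cookie headers in the curl responses later in the article are those sessions). The class name EurekaSecurityConfig is my choice; everything else is standard Spring Security 5.0 API as shipped with Spring Boot 2.0.3.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;

/**
 * Eureka server security: HTTP Basic on every request, CSRF kept everywhere
 * except the Eureka REST API, no server-side sessions. (Added example; the
 * class name is hypothetical.)
 */
@Configuration
@EnableWebSecurity
public class EurekaSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // Eureka clients POST/PUT/DELETE to /eureka/** without a CSRF token,
            // so exempt exactly those paths instead of turning CSRF off globally.
            .csrf().ignoringAntMatchers("/eureka/**")
            .and()
            // Every request, including the dashboard at "/", needs credentials.
            .authorizeRequests().anyRequest().authenticated()
            .and()
            // Clients send the Authorization header on each request anyway, so do
            // not create an HTTP session (and JSESSIONID cookie) per heartbeat.
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
            .and()
            // HTTP Basic only; the credentials come from spring.security.user.*
            .httpBasic();
    }
}
```

Drop this class into the server project in place of SecurityConfig above. If an unauthenticated load balancer or monitoring probe needs the server's health endpoint, add an `.antMatchers("/actuator/health").permitAll()` rule in front of `.anyRequest()`; everything else stays locked.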
1.4 Start the Eureka server project with:
mvn spring-boot:run
Open a terminal and query the registry without credentials:
$ curl -i http://localhost:8761/eureka/apps
HTTP/1.1 401
Set-Cookie: JSESSIONID=554BCAF092D8D1ED3936C0CB09E91AF1; Path=/; HttpOnly
WWW-Authenticate: Basic realm="Realm"
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-Frame-Options: DENY
Content-Type: application/json;charset=UTF-8
Transfer-Encoding: chunked
Date: Fri, 04 Oct 2019 07:31:57 GMT

{"timestamp":"2019-10-04T07:31:57.888+0000","status":401,"error":"Unauthorized","message":"Unauthorized","path":"/eureka/apps"}
Without an Authorization header the server answers 401, and the WWW-Authenticate header tells the caller it expects HTTP Basic.
Now pass the HTTP Basic user name and password (curl turns them into the Authorization header):
$ curl -i --basic -u admin:xk38cnhigbp5jk75 http://localhost:8761/eureka/apps
HTTP/1.1 200
Set-Cookie: JSESSIONID=CF1C0DE56415626494EC539A654CC543; Path=/; HttpOnly
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-Frame-Options: DENY
Content-Type: application/xml
Transfer-Encoding: chunked
Date: Fri, 04 Oct 2019 07:35:54 GMT

<applications>
  <versions__delta>1</versions__delta>
  <apps__hashcode></apps__hashcode>
</applications>
The request succeeds; the registry is still empty because no client has registered yet. Keep in mind that Basic authentication only base64-encodes the user name and password, so over plain http:// as in this example anyone on the network path can read them; in production put the server behind TLS.
2. Eureka client project
2.1 Eureka client project pom:
<!-- add the shared dependencies from the top of the article -->
<dependencies>
    <dependency>
        <groupId>org.springframework.cloud</groupId>
        <artifactId>spring-cloud-starter-netflix-eureka-client</artifactId>
    </dependency>
</dependencies>
<build>
    <plugins>
        <plugin>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-maven-plugin</artifactId>
        </plugin>
    </plugins>
</build>
2.2 Eureka client project main class:
import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.cloud.client.discovery.EnableDiscoveryClient;

@SpringBootApplication
@EnableDiscoveryClient
public class EurekaClientApplication {
    public static void main(String[] args) {
        SpringApplication.run(EurekaClientApplication.class, args);
    }
}
2.3 Eureka client project configuration files, located under eureka-client\src\main\resources\
Because the server now requires HTTP Basic authentication, the client has to send the same credentials. The Eureka client takes them from the user:password@ part of the service URL, so that is where we put them. The eureka.client.security.basic.* keys below are not Eureka properties; they are just placeholders defined in this file and referenced from the URL, so the password is written only once.
application-security.yml:
server:
  port: 8081
spring:
  application:
    name: client1
eureka:
  client:
    security:
      basic:
        user: admin
        password: xk38cnhigbp5jk75
    serviceUrl:
      defaultZone: http://${eureka.client.security.basic.user}:${eureka.client.security.basic.password}@localhost:8761/eureka/
application.yml:
spring:
  profiles:
    active: security
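As an added example, not from the original article: the same two configuration files with the password taken from the environment instead of being committed to the repository in clear text. EUREKA_USER and EUREKA_PASSWORD are assumed variable names; export them (for instance from your secret store) before starting each service. The `---` separator only marks where the server file ends and the client file begins.

```yaml
# eureka-server/src/main/resources/application-security.yml (security part only; added example)
spring:
  security:
    user:
      name: ${EUREKA_USER:admin}      # a default is fine for the user name
      password: ${EUREKA_PASSWORD}    # no default on purpose: startup fails fast if the secret was not injected
---
# eureka-client/src/main/resources/application-security.yml (client part only; added example)
eureka:
  client:
    serviceUrl:
      # the client reads user name and password from the userinfo part of the URL;
      # a password containing URL-reserved characters (@ : / % ?) must be percent-encoded here
      defaultZone: http://${EUREKA_USER:admin}:${EUREKA_PASSWORD}@localhost:8761/eureka/
```

Before relying on a percent-encoded password, check it the same way the article does: run curl against /eureka/apps with the decoded value and confirm you get 200, then start the client and confirm it appears in the registry.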
Start the client, then query the registry again with the credentials:
$ curl -i --basic -u admin:xk38cnhigbp5jk75 http://localhost:8761/eureka/apps
HTTP/1.1 200
Set-Cookie: JSESSIONID=C7CE372067A44606E9D3DEA6B64AEDCD; Path=/; HttpOnly
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-Frame-Options: DENY
Content-Type: application/xml
Transfer-Encoding: chunked
Date: Fri, 04 Oct 2019 07:53:40 GMT

<applications>
  <versions__delta>1</versions__delta>
  <apps__hashcode>UP_1_</apps__hashcode>
  <application>
    <name>CLIENT1</name>
    <instance>
      <instanceId>192.168.50.161:client1:8081</instanceId>
      <hostName>192.168.50.161</hostName>
      <app>CLIENT1</app>
      <ipAddr>192.168.50.161</ipAddr>
      <status>UP</status>
      <overriddenstatus>UNKNOWN</overriddenstatus>
      <port enabled="true">8081</port>
      <securePort enabled="false">443</securePort>
      <countryId>1</countryId>
      <dataCenterInfo class="com.netflix.appinfo.InstanceInfo$DefaultDataCenterInfo">
        <name>MyOwn</name>
      </dataCenterInfo>
      <leaseInfo>
        <renewalIntervalInSecs>30</renewalIntervalInSecs>
        <durationInSecs>90</durationInSecs>
        <registrationTimestamp>1570175584067</registrationTimestamp>
        <lastRenewalTimestamp>1570175584067</lastRenewalTimestamp>
        <evictionTimestamp>0</evictionTimestamp>
        <serviceUpTimestamp>1570175584067</serviceUpTimestamp>
      </leaseInfo>
      <metadata>
        <management.port>8081</management.port>
      </metadata>
      <homePageUrl>http://192.168.50.161:8081/</homePageUrl>
      <statusPageUrl>http://192.168.50.161:8081/actuator/info</statusPageUrl>
      <healthCheckUrl>http://192.168.50.161:8081/actuator/health</healthCheckUrl>
      <vipAddress>client1</vipAddress>
      <secureVipAddress>client1</secureVipAddress>
      <isCoordinatingDiscoveryServer>false</isCoordinatingDiscoveryServer>
      <lastUpdatedTimestamp>1570175584067</lastUpdatedTimestamp>
      <lastDirtyTimestamp>1570175583914</lastDirtyTimestamp>
      <actionType>ADDED</actionType>
    </instance>
  </application>
</applications>
The Eureka client has registered with the server: its instance is listed with status UP, which means its authenticated registration and heartbeat requests got through.