How to Secure Spring Cloud Config Server

情话喂你 2021-02-01 19:20

I understand that a Spring Cloud Config Server can be protected using a user name and password, which has to be provided by the accessing clients.

How c

3 answers
  • 2021-02-01 19:34

    Basic authentication configuration that works for me.

    Server-side:

    Needed dependency: org.springframework.boot:spring-boot-starter-security

    bootstrap.yml

    server:
      port: 8888
    
    spring:
      cloud:
        config:
          server:
            git:
              uri: git@bitbucket.org:someRepo/repoName.git
              hostKeyAlgorithm: ssh-rsa
              hostKey: "general hostKey for bitbucket.org"
    
      security:
        user:
          name: yourUser
          password: yourPassword
    

    Client-side:

    bootstrap.yml

    spring:
      application:
        name: config
      profiles:
        active: dev
      cloud:
        config:
          uri: http://localhost:8888
          username: yourUser
          password: yourPassword
    
    management:
      security:
        enabled: false
    

    Sources: Spring doc security features, Spring cloud config client security

  • 2021-02-01 19:41

    The very basic "basic authentication" (from here https://github.com/spring-cloud-samples/configserver)

    You can add HTTP Basic authentication by including an extra dependency on Spring Security (e.g. via spring-boot-starter-security). The user name is "user" and the password is printed on the console on startup (standard Spring Boot approach). If using maven (pom.xml):

    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-security</artifactId>
    </dependency>
    

    If you want custom user/password pairs, you need to indicate in the server configuration file

    security:
        basic:
            enabled: false
    

    and add this minimal Class in your code (BasicSecurityConfiguration.java):

    import org.springframework.beans.factory.annotation.Autowired;
    import org.springframework.beans.factory.annotation.Value;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
    
    @Configuration
    //@EnableGlobalMethodSecurity(prePostEnabled = true, securedEnabled = true)
    public class BasicSecurityConfiguration extends WebSecurityConfigurerAdapter {
    
        // Passwords come from qa.admin.password / qa.user.password (property file,
        // environment variable or command line); the value after ':' is the default.
        @Value("#{'${qa.admin.password:admin}'}")
        String admin_password;
    
        @Value("#{'${qa.user.password:user}'}")
        String user_password;
    
        // Two in-memory accounts; "admin" additionally gets ROLE_ACTUATOR.
        @Autowired
        public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
            auth
                .inMemoryAuthentication()
                .withUser("user").password(user_password).roles("USER")
                .and()
                .withUser("admin").password(admin_password).roles("USER", "ACTUATOR");
        }
    
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            // HTTP Basic, no CSRF (non-browser clients, POST /encrypt and /decrypt).
            // Only /encrypt/** and /decrypt/** are listed here; requests that match
            // no rule are let through by Spring Security without authentication.
            http
                .csrf()
                .disable()
                .httpBasic()
                .and()
                .authorizeRequests()
                .antMatchers("/encrypt/**").authenticated()
                .antMatchers("/decrypt/**").authenticated()
                //.antMatchers("/admin/**").hasAuthority("ROLE_ACTUATOR")
                //.antMatchers("/qa/**").permitAll()
            ;
        }
    
    }
    

    @Value("#{'${qa.admin.password:admin}'}") allows passwords to be defined in the property configuration file, environment variables or the command line.

    For example (application.yml):

    server:
      port: 8888
    
    security:
        basic:
            enabled: false
    
    qa:
      admin:
        password: adminadmin
      user:
        password: useruser
    
    management:
      port: 8888
      context-path: /admin
    
    logging:
      level:
        org.springframework.cloud: 'DEBUG'
    
    spring:
      cloud:
        config:
          server:
            git:
              ignoreLocalSshSettings: true
              uri: ssh://git@gitlab.server.corp/repo/configuration.git
    

    This works for me.

    Edit: Instead of the Class, you can put basic user configuration directly in application.yaml:

    security:
      basic:
        enabled: true
        path: /**
      ignored: /health**,/info**,/metrics**,/trace**
      user:
        name: admin
        password: tupassword
    

    For Spring Boot 2 the configuration in application.yml is now under spring.security.* (https://docs.spring.io/spring-boot/docs/current/reference/html/appendix-application-properties.html#security-properties)

    spring.security:
      basic:
        enabled: true
        path: /**
      ignored: /health**,/info**,/metrics**,/trace**
      user:
        name: admin
        password: tupassword
    
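Added example, not code from the answers above or from Spring's own samples: the same in-memory Basic auth written for a Spring Boot 2.x / Spring Security 5.x config server, where a PasswordEncoder is mandatory and anyRequest().authenticated() also covers the /{application}/{profile} endpoints that the antMatchers in the class above leave unmatched (Spring Security lets requests that match no rule through unauthenticated). The property names qa.user.password and qa.admin.password are taken from the answer; the /actuator/* paths assume Boot 2's default actuator base path, and limiting /encrypt and /decrypt to the ACTUATOR role is this example's own choice.

```java
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;

@Configuration
public class ConfigServerSecurity extends WebSecurityConfigurerAdapter {

    @Value("${qa.user.password}")   // no default: a missing password fails startup instead of falling back to "user"
    private String userPassword;

    @Value("${qa.admin.password}")
    private String adminPassword;

    @Bean
    public PasswordEncoder passwordEncoder() {
        // Delegating encoder stores "{bcrypt}..." hashes, so the in-memory store never holds plain text.
        return PasswordEncoderFactories.createDelegatingPasswordEncoder();
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        PasswordEncoder encoder = passwordEncoder();
        auth.inMemoryAuthentication()
            .passwordEncoder(encoder)
            .withUser("user").password(encoder.encode(userPassword)).roles("USER")
            .and()
            .withUser("admin").password(encoder.encode(adminPassword)).roles("USER", "ACTUATOR");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .csrf().disable()   // clients are non-browser services using Basic auth; /encrypt and /decrypt are POST
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
            .and()
            .httpBasic()
            .and()
            .authorizeRequests()
            .antMatchers("/actuator/health", "/actuator/info").permitAll()
            .antMatchers("/encrypt/**", "/decrypt/**").hasRole("ACTUATOR")   // only "admin" may use the key
            .anyRequest().authenticated();   // /{application}/{profile} and everything else need credentials
    }
}
```

A quick check after deployment is that an unauthenticated GET on /{application}/default returns 401 rather than the properties, and that a POST to /encrypt with the "user" account returns 403.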
  • 2021-02-01 19:43

    Encrypted text can be placed in bootstrap.yml.

    Check -> http://projects.spring.io/spring-cloud/spring-cloud.html#_encryption_and_decryption
