add 增加 springboot actuator 账号密码认证杜绝内外网信息泄漏问题

2024-07-24 18:56:40 +08:00 · 2024-07-24 18:56:40 +08:00 · 105c007f03
commit 105c007f03
parent 0a3d5fd5d4
7 changed files with 36 additions and 3 deletions
--- a/ruoyi-admin/src/main/resources/application-dev.yml
+++ b/ruoyi-admin/src/main/resources/application-dev.yml
@ -5,6 +5,9 @@ spring.boot.admin.client:
  url: http://localhost:9090/admin
  instance:
    service-host-type: IP
+    metadata:
+      username: ${spring.boot.admin.client.username}
+      userpassword: ${spring.boot.admin.client.password}
  username: ruoyi
  password: 123456

--- a/ruoyi-admin/src/main/resources/application-prod.yml
+++ b/ruoyi-admin/src/main/resources/application-prod.yml
@ -8,6 +8,9 @@ spring.boot.admin.client:
  url: http://localhost:9090/admin
  instance:
    service-host-type: IP
+    metadata:
+      username: ${spring.boot.admin.client.username}
+      userpassword: ${spring.boot.admin.client.password}
  username: ruoyi
  password: 123456

--- a/ruoyi-common/ruoyi-common-security/src/main/java/org/dromara/common/security/config/SecurityConfig.java
+++ b/ruoyi-common/ruoyi-common-security/src/main/java/org/dromara/common/security/config/SecurityConfig.java
@ -1,11 +1,15 @@
 package org.dromara.common.security.config;

 import cn.dev33.satoken.exception.NotLoginException;
+import cn.dev33.satoken.filter.SaServletFilter;
+import cn.dev33.satoken.httpauth.basic.SaHttpBasicUtil;
 import cn.dev33.satoken.interceptor.SaInterceptor;
 import cn.dev33.satoken.router.SaRouter;
 import cn.dev33.satoken.stp.StpUtil;
+import cn.dev33.satoken.util.SaResult;
 import lombok.RequiredArgsConstructor;
 import lombok.extern.slf4j.Slf4j;
+import org.dromara.common.core.constant.HttpStatus;
 import org.dromara.common.core.utils.ServletUtils;
 import org.dromara.common.core.utils.SpringUtils;
 import org.dromara.common.core.utils.StringUtils;
@ -14,6 +18,7 @@ import org.dromara.common.security.config.properties.SecurityProperties;
 import org.dromara.common.security.handler.AllUrlHandler;
 import org.springframework.boot.autoconfigure.AutoConfiguration;
 import org.springframework.boot.context.properties.EnableConfigurationProperties;
+import org.springframework.context.annotation.Bean;
 import org.springframework.web.servlet.config.annotation.InterceptorRegistry;
 import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;

@ -71,4 +76,19 @@ public class SecurityConfig implements WebMvcConfigurer {
            .excludePathPatterns(securityProperties.getExcludes());
    }

+    /**
+     * 对 actuator 健康检查接口 做账号密码鉴权
+     */
+    @Bean
+    public SaServletFilter getSaServletFilter() {
+        String username = SpringUtils.getProperty("spring.boot.admin.client.username");
+        String password = SpringUtils.getProperty("spring.boot.admin.client.password");
+        return new SaServletFilter()
+            .addInclude("/actuator", "/actuator/**")
+            .setAuth(obj -> {
+                SaHttpBasicUtil.check(username + ":" + password);
+            })
+            .setError(e -> SaResult.error(e.getMessage()).setCode(HttpStatus.UNAUTHORIZED));
+    }
+
 }
--- a/ruoyi-extend/ruoyi-monitor-admin/src/main/java/org/dromara/monitor/admin/config/SecurityConfig.java
+++ b/ruoyi-extend/ruoyi-monitor-admin/src/main/java/org/dromara/monitor/admin/config/SecurityConfig.java
@ -39,9 +39,7 @@ public class SecurityConfig {
            .authorizeHttpRequests((authorize) ->
                authorize.requestMatchers(
                        new AntPathRequestMatcher(adminContextPath + "/assets/**"),
-                        new AntPathRequestMatcher(adminContextPath + "/login"),
-                        new AntPathRequestMatcher("/actuator"),
-                        new AntPathRequestMatcher("/actuator/**")
+                        new AntPathRequestMatcher(adminContextPath + "/login")
                    ).permitAll()
                    .anyRequest().authenticated())
            .formLogin((formLogin) ->
--- a/ruoyi-extend/ruoyi-monitor-admin/src/main/resources/application.yml
+++ b/ruoyi-extend/ruoyi-monitor-admin/src/main/resources/application.yml
@ -41,5 +41,8 @@ spring.boot.admin.client:
  url: http://localhost:9090/admin
  instance:
    service-host-type: IP
+    metadata:
+      username: ${spring.boot.admin.client.username}
+      userpassword: ${spring.boot.admin.client.password}
  username: ruoyi
  password: 123456
--- a/ruoyi-extend/ruoyi-snailjob-server/src/main/resources/application-dev.yml
+++ b/ruoyi-extend/ruoyi-snailjob-server/src/main/resources/application-dev.yml
@ -43,5 +43,8 @@ spring.boot.admin.client:
  url: http://localhost:9090/admin
  instance:
    service-host-type: IP
+    metadata:
+      username: ${spring.boot.admin.client.username}
+      userpassword: ${spring.boot.admin.client.password}
  username: ruoyi
  password: 123456
--- a/ruoyi-extend/ruoyi-snailjob-server/src/main/resources/application-prod.yml
+++ b/ruoyi-extend/ruoyi-snailjob-server/src/main/resources/application-prod.yml
@ -43,5 +43,8 @@ spring.boot.admin.client:
  url: http://localhost:9090/admin
  instance:
    service-host-type: IP
+    metadata:
+      username: ${spring.boot.admin.client.username}
+      userpassword: ${spring.boot.admin.client.password}
  username: ruoyi
  password: 123456