微服务下 Spring Boot Admin 部署指南

微服务下 Spring Boot Admin 部署指南 客户端

此处客户端是指需要被 Spring Boot Admin 监控的服务

1. 引入 actuator 依赖：

    org.springframework.boot
    spring-boot-starter-actuator

2. 开放所有监控端点：

management:
  endpoints:
    web:
      exposure:
        include: "*"
  endpoint:
    health:
      show-details: always

3. 开放所有端点有很大的风险性，所以必须引入安全认证框架，引入 spring security ：

   org.springframework.boot
   spring-boot-starter-security

4. 微服务的业务接口不需要做安全认证，所以添加配置类，放行 actuator 外的其他接口：

@Configuration
public class ActuatorSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity httpSecurity) throws Exception {
        httpSecurity.httpBasic()
                .and()
                .authorizeRequests()
                .antMatchers("/actuator/**").authenticated()
                .anyRequest().permitAll()
                .and()
                .csrf().disable();
    }
}

5. 引入安全认证后，管理端将同样无法访问监控端点，所以客户端需要将账号密码等元数据注册到注册中心：

spring:
  security:
    user:
      name: jj8&Ujd
      password: df97jmgi73m@*&^234
  cloud:
    nacos:
      discovery:
        metadata:
          user.name: ${spring.security.user.name}
          user.password: ${spring.security.user.password}

管理端

1. 引入依赖：

  de.codecentric
  spring-boot-admin-starter-server

完整的依赖如下（使用 nacos 注册中心，引入安全框架）：

  org.springframework.boot
  spring-boot-starter-web



  com.alibaba.cloud
  spring-cloud-starter-alibaba-nacos-discovery



  de.codecentric
  spring-boot-admin-starter-server



  org.springframework.boot
  spring-boot-starter-mail



  org.springframework.boot
  spring-boot-starter-security

2. 添加配置类，开启密码登录：

@Configuration
public class AdminSecurityConfig extends WebSecurityConfigurerAdapter {
    private final String adminContextPath;

    public AdminSecurityConfig(AdminServerProperties adminServerProperties) {
        this.adminContextPath = adminServerProperties.getContextPath();
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        SavedRequestAwareAuthenticationSuccessHandler successHandler = new SavedRequestAwareAuthenticationSuccessHandler();
        successHandler.setTargetUrlParameter("redirectTo");
        successHandler.setDefaultTargetUrl(adminContextPath + "/");

        http.authorizeRequests()
                //1.配置所有静态资源和登录页可以公开访问
                .antMatchers(adminContextPath + "/assets/**").permitAll()
                .antMatchers(adminContextPath + "/login").permitAll()
                .anyRequest().authenticated()
                //2.配置登录和登出路径
                .and()
                .formLogin().loginPage(adminContextPath + "/login").successHandler(successHandler)
                .and()
                .logout().logoutUrl(adminContextPath + "/logout")
                //3.开启http basic支持，admin-client注册时需要使用
                .and()
                .httpBasic()
                //4.开启基于cookie的csrf保护
                .and()
                .csrf()
                .csrfTokenRepository(cookieCsrfTokenRepository.withHttpOnlyFalse())
                //5.忽略这些路径的csrf保护以便admin-client注册
                .ignoringAntMatchers(
                        adminContextPath + "/instances",
                        adminContextPath + "/actuator/**"
                );
    }
}

3. 配置账号密码，并忽略管理端：

spring:
  security:
    user:
      name: admin
      password: m@#54$fdsG$D
  boot: # 不显示admin-security-server的监控信息
    admin:
      discovery:
        ignored-services: ${spring.application.name}