In a production environment, anything exposed to the outside has to be treated as a security issue, whether that is user login or a Eureka server. The Eureka server exposes its REST API, and if that API has no authentication, anyone can freely modify the registry data through it, which is a terrible thing. This article goes into the details of how to enable authentication on the Eureka server and how to configure the matching authentication information on the Eureka client.
Common pom file dependencies (shared by both projects):
<parent>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-parent</artifactId>
    <version>2.0.3.RELEASE</version>
    <relativePath/> <!-- lookup parent from repository -->
</parent>
<properties>
    <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
    <project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
    <java.version>1.8</java.version>
    <spring-cloud.version>Finchley.RELEASE</spring-cloud.version>
</properties>
<dependencyManagement>
    <dependencies>
        <dependency>
            <groupId>org.springframework.cloud</groupId>
            <artifactId>spring-cloud-dependencies</artifactId>
            <version>${spring-cloud.version}</version>
            <type>pom</type>
            <scope>import</scope>
        </dependency>
    </dependencies>
</dependencyManagement>
1. Eureka server project
1.1. Eureka server project pom:
<!-- add the common dependencies from the top of the article -->
<dependencies>
    <dependency>
        <groupId>org.springframework.cloud</groupId>
        <artifactId>spring-cloud-starter-netflix-eureka-server</artifactId>
    </dependency>
    <!-- security dependency: as soon as this dependency is in the pom, the project has authentication checks enabled by default -->
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-security</artifactId>
    </dependency>
</dependencies>
<build>
    <plugins>
        <plugin>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-maven-plugin</artifactId>
        </plugin>
    </plugins>
</build>
1.2. Eureka server project startup class:
import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.cloud.netflix.eureka.server.EnableEurekaServer;

@SpringBootApplication
@EnableEurekaServer
public class EurkeaServerApplication {

    public static void main(String[] args) {
        SpringApplication.run(EurkeaServerApplication.class, args);
    }
}
1.3. Eureka server project configuration files, path: eureka-server\src\main\resources\
application-security.yml:
server:
  port: 8761
spring:
  security:
    basic:
      enabled: true
    user:
      name: admin
      password: Xk38CNHigBP5jK75
eureka:
  instance:
    hostname: localhost
  client:
    registerWithEureka: false
    fetchRegistry: false
    serviceUrl:
      defaultZone: http://${eureka.instance.hostname}:${server.port}/eureka/
  server:
    waitTimeInMsWhenSyncEmpty: 0
    enableSelfPreservation: false
application.yml:
spring:
  profiles:
    active: security
Since spring-boot-starter-security enables the CSRF check by default, which is inappropriate for a service like this that has no user interface (the Eureka clients call the REST API directly, without a browser session or CSRF token), and since it cannot be disabled from the configuration file, it has to be disabled in Java configuration, as follows:
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

/**
 * Disable the CSRF check of spring-boot-starter-security
 */
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        super.configure(http);
        http.csrf().disable();
    }
}
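A narrower alternative, added here as an example and not code from the original post: keep the CSRF check for the rest of the server and exempt only the Eureka REST API under /eureka/**, which is the path the clients call, while requiring HTTP Basic credentials on every request. It assumes the same Spring Boot 2.0.3 / Spring Security 5.0 API as the class above.

```java
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

/**
 * Added example (not from the original post): instead of switching CSRF off
 * for the whole server, exempt only the Eureka REST API under /eureka/**,
 * which the clients call with HTTP Basic credentials and no browser session,
 * and keep every endpoint behind authentication.
 */
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // Eureka clients register, renew and deregister with POST/PUT/DELETE
            // and carry no CSRF token, so only these paths are exempted;
            // the dashboard and any other endpoint keep CSRF protection.
            .csrf().ignoringAntMatchers("/eureka/**")
            .and()
            // every request, dashboard included, must be authenticated
            .authorizeRequests().anyRequest().authenticated()
            .and()
            // HTTP Basic is what curl --basic -u and the clients' defaultZone URL send
            .httpBasic();
    }
}
```

With this class the unauthenticated curl from section 1.4 still gets a 401, and the client registration in section 2 still succeeds, but a logged-in browser session on the dashboard can no longer be abused to fire state-changing requests at it.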
1.4. Start the Eureka server project by running:
mvn spring-boot:run
Open a command-line terminal and run: curl -i http://localhost:8761/eureka/apps
curl -i http://localhost:8761/eureka/apps
HTTP/1.1 401
Set-Cookie: JSESSIONID=554BCAF092D8D1ED3936C0CB09E91AF1; Path=/; HttpOnly
WWW-Authenticate: Basic realm="Realm"
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-Frame-Options: DENY
Content-Type: application/json;charset=UTF-8
Transfer-Encoding: chunked
Date: Fri, 04 Oct 2019 07:31:57 GMT

{"timestamp":"2019-10-04T07:31:57.888+0000","status":401,"error":"Unauthorized","message":"Unauthorized","path":"/eureka/apps"}
As you can see, because no HTTP Basic Authorization header was sent, the server returns a 401 status code.
Next, the account and password are sent in the HTTP Basic Authorization header:
curl -i --basic -u admin:Xk38CNHigBP5jK75 http://localhost:8761/eureka/apps
HTTP/1.1 200
Set-Cookie: JSESSIONID=CF1C0DE56415626494EC539A654CC543; Path=/; HttpOnly
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-Frame-Options: DENY
Content-Type: application/xml
Transfer-Encoding: chunked
Date: Fri, 04 Oct 2019 07:35:54 GMT

<applications>
  <versions__delta>1</versions__delta>
  <apps__hashcode></apps__hashcode>
</applications>
The request succeeds.
2. Eureka client project
2.1. Eureka client project pom:
<!-- add the common dependencies from the top of the article -->
<dependencies>
    <dependency>
        <groupId>org.springframework.cloud</groupId>
        <artifactId>spring-cloud-starter-netflix-eureka-client</artifactId>
    </dependency>
</dependencies>
<build>
    <plugins>
        <plugin>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-maven-plugin</artifactId>
        </plugin>
    </plugins>
</build>
2.2. Eureka client project startup class:
import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.cloud.client.discovery.EnableDiscoveryClient;

@SpringBootApplication
@EnableDiscoveryClient
public class EurekaClientApplication {

    public static void main(String[] args) {
        SpringApplication.run(EurekaClientApplication.class, args);
    }
}
2.3. Eureka client project configuration files, path: eureka-client\src\main\resources\
Because the Eureka server now has HTTP Basic authentication enabled, the Eureka client project also needs to supply the matching account information; here it is specified in the configuration file.
application-security.yml:
server:
  port: 8081
spring:
  application:
    name: client1
eureka:
  client:
    security:
      basic:
        user: admin
        password: Xk38CNHigBP5jK75
    serviceUrl:
      defaultZone: http://${eureka.client.security.basic.user}:${eureka.client.security.basic.password}@localhost:8761/eureka/
application.yml:
spring:
  profiles:
    active: security
Run: curl -i --basic -u admin:Xk38CNHigBP5jK75 http://localhost:8761/eureka/apps
curl -i --basic -u admin:Xk38CNHigBP5jK75 http://localhost:8761/eureka/apps
HTTP/1.1 200
Set-Cookie: JSESSIONID=C7CE372067A44606E9D3DEA6B64AEDCD; Path=/; HttpOnly
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-Frame-Options: DENY
Content-Type: application/xml
Transfer-Encoding: chunked
Date: Fri, 04 Oct 2019 07:53:40 GMT

<applications>
  <versions__delta>1</versions__delta>
  <apps__hashcode>UP_1_</apps__hashcode>
  <application>
    <name>CLIENT1</name>
    <instance>
      <instanceId>192.168.50.161:client1:8081</instanceId>
      <hostName>192.168.50.161</hostName>
      <app>CLIENT1</app>
      <ipAddr>192.168.50.161</ipAddr>
      <status>UP</status>
      <overriddenstatus>UNKNOWN</overriddenstatus>
      <port enabled="true">8081</port>
      <securePort enabled="false">443</securePort>
      <countryId>1</countryId>
      <dataCenterInfo class="com.netflix.appinfo.InstanceInfo$DefaultDataCenterInfo">
        <name>MyOwn</name>
      </dataCenterInfo>
      <leaseInfo>
        <renewalIntervalInSecs>30</renewalIntervalInSecs>
        <durationInSecs>90</durationInSecs>
        <registrationTimestamp>1570175584067</registrationTimestamp>
        <lastRenewalTimestamp>1570175584067</lastRenewalTimestamp>
        <evictionTimestamp>0</evictionTimestamp>
        <serviceUpTimestamp>1570175584067</serviceUpTimestamp>
      </leaseInfo>
      <metadata>
        <management.port>8081</management.port>
      </metadata>
      <homePageUrl>http://192.168.50.161:8081/</homePageUrl>
      <statusPageUrl>http://192.168.50.161:8081/actuator/info</statusPageUrl>
      <healthCheckUrl>http://192.168.50.161:8081/actuator/health</healthCheckUrl>
      <vipAddress>client1</vipAddress>
      <secureVipAddress>client1</secureVipAddress>
      <isCoordinatingDiscoveryServer>false</isCoordinatingDiscoveryServer>
      <lastUpdatedTimestamp>1570175584067</lastUpdatedTimestamp>
      <lastDirtyTimestamp>1570175583914</lastDirtyTimestamp>
      <actionType>ADDED</actionType>
    </instance>
  </application>
</applications>
You can see that the Eureka client has successfully registered with the server.