spring - 如何使用基本身份验证保护 Spring Cloud Eureka 服务?
问题描述
我在同一台主机上设置了多个 eureka 服务器实例。他们使用主机名 eureka-primary、secondary 和 tertiary,这些主机名在 hosts 文件中定义为 localhost 别名,并且一切正常——它们都是可见的,并且作为不同的实例可供彼此使用。
当我尝试使用它来保护尤里卡实例时,问题就开始了basic auth。这个想法是添加 spring 安全依赖,在 eureka 服务器上指定安全用户和密码,并将这些凭据放在defaultZoneurls 中(配置如下),但这似乎不起作用。
Eureka 实例甚至无法相互注册,当我尝试访问 eureka 门户网站时,系统会提示我输入登录表单,然后重定向到仪表板。所有仪表板都工作正常,需要访问凭据。
我正在使用Finchley.RC1带有 spring boot2.0.1.RELEASE和相同版本的spring cloudspring-boot-starter-security和spring-cloud-starter-netflix-eureka-server.
尤里卡服务器 pom.xml
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelVersion>4.0.0</modelVersion>
<groupId>rs.microservices</groupId>
<artifactId>eurekaServer</artifactId>
<version>0.0.1-SNAPSHOT</version>
<packaging>jar</packaging>
<name>eurekaServer</name>
<description>Demo project for Spring Boot</description>
<parent>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-parent</artifactId>
<version>2.0.1.RELEASE</version>
<relativePath/> <!-- lookup parent from repository -->
</parent>
<properties>
<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
<project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
<java.version>1.8</java.version>
<spring-cloud.version>Finchley.RC1</spring-cloud.version>
</properties>
<dependencies>
<dependency>
<groupId>org.springframework.cloud</groupId>
<artifactId>spring-cloud-starter-netflix-eureka-server</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-test</artifactId>
<scope>test</scope>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
</dependency>
</dependencies>
<dependencyManagement>
<dependencies>
<dependency>
<groupId>org.springframework.cloud</groupId>
<artifactId>spring-cloud-dependencies</artifactId>
<version>${spring-cloud.version}</version>
<type>pom</type>
<scope>import</scope>
</dependency>
</dependencies>
</dependencyManagement>
<build>
<plugins>
<plugin>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-maven-plugin</artifactId>
</plugin>
</plugins>
</build>
<repositories>
<repository>
<id>spring-milestones</id>
<name>Spring Milestones</name>
<url>https://repo.spring.io/milestone</url>
<snapshots>
<enabled>false</enabled>
</snapshots>
</repository>
</repositories>
</project>
尤里卡服务器应用程序.yml
---
spring:
security:
user:
name: admin
password: admin
profiles: primary
application:
name: eureka-server-clustered
server:
port: 8011
eureka:
instance:
hostname: eureka-primary
client:
registerWithEureka: true
fetchRegistry: true
serviceUrl:
defaultZone: http://admin:admin@eureka-secondary:8012/eureka/,http://admin:admin@eureka-tertiary:8013/eureka/
---
spring:
security:
user:
name: admin
password: admin
profiles: secondary
application:
name: eureka-server-clustered
server:
port: 8012
eureka:
instance:
hostname: eureka-secondary
client:
registerWithEureka: true
fetchRegistry: true
serviceUrl:
defaultZone: http://admin:admin@eureka-primary:8013/eureka/,http://admin:admin@eureka-tertiary:8011/eureka/
---
spring:
security:
user:
name: admin
password: admin
profiles: tertiary
application:
name: eureka-server-clustered
server:
port: 8013
eureka:
instance:
hostname: eureka-tertiary
client:
registerWithEureka: true
fetchRegistry: true
serviceUrl:
defaultZone: http://admin:admin@eureka-primary:8011/eureka/,http://admin:admin@eureka-secondary:8012/eureka/
微服务 bootstrap.yml
spring:
application:
name: someService
server:
port: 0
eureka:
client:
registerWithEureka: true
fetchRegistry: true
service-url:
defaultZone: http://admin:admin@localhost:8011/eureka/,http://admin:admin@localhost:8012/eureka/,http://admin:admin@localhost:8013/eureka/
我究竟做错了什么?
*编辑
我已经找到了多种解决方案,例如Securing Eureka in Spring cloud,但它们都没有真正解决我的问题 - 正如您所看到的,我们的配置是相同的。
解决方案
解决了!
TL; DR
问题是由于CSRF某种原因,spring 无法对配置的用户进行身份验证application.yml
所以我不得不重写配置方法WebSecurityConfigurerAdapter来禁用 csrf 并创建 inMemory 用户。还从 application.yml 中删除了 spring.security.user 属性。
Eureka 服务器application.yml现在看起来像:
---
spring:
profiles: primary
application:
name: eureka-server-clustered
server:
port: 8011
eureka:
instance:
hostname: eureka-primary
client:
registerWithEureka: true
fetchRegistry: true
serviceUrl:
defaultZone: http://admin:admin@eureka-secondary:8012/eureka,http://admin:admin@eureka-tertiary:8013/eureka
---
spring:
profiles: secondary
application:
name: eureka-server-clustered
server:
port: 8012
eureka:
instance:
hostname: eureka-secondary
client:
registerWithEureka: true
fetchRegistry: true
serviceUrl:
defaultZone: http://admin:admin@eureka-primary:8013/eureka,http://admin:admin@eureka-tertiary:8011/eureka
---
spring:
profiles: tertiary
application:
name: eureka-server-clustered
server:
port: 8013
eureka:
instance:
hostname: eureka-tertiary
client:
registerWithEureka: true
fetchRegistry: true
serviceUrl:
defaultZone: http://admin:admin@eureka-primary:8011/eureka,http://admin:admin@eureka-secondary:8012/eureka
新创建WebSecurityConfig的类:
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.password.NoOpPasswordEncoder;
@Configuration
public class WebSecurityConfig extends WebSecurityConfigurerAdapter{
@Override
public void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.inMemoryAuthentication()
.passwordEncoder(NoOpPasswordEncoder.getInstance())
.withUser("admin").password("admin")
.authorities("ADMIN");
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.csrf()
.disable()
.authorizeRequests()
.anyRequest().authenticated()
.and()
.httpBasic();
}
}
推荐阅读
- javascript - 如何在 VueJS 中使用闭包获取汇总数据
- python - 如何使用 pyvmomi 将 ESXi 主机置于维护模式?
- ruby-on-rails - 查看自定义 Rails 生成器中的更改
- c# - 查找形状上的角/边(可以定义该形状的最小顶点)
- angular - 如何通过单击按钮选择使用 Async Pipe 绑定到可观察对象的所有项目 ID?
- python - 为什么我的裁剪图像被保存到不正确的目录?
- ruby-on-rails - 如何在 rails_admin 中使用魔法宝石
- python - Python pyasn1 通过 sqlalchemy 发生冲突
- bash - 程序化 ngrok 隧道 url
- linux - 如何在 Linux 上运行从 Github 下载并解压的本地 python 3.5/3.6 包