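On the spring-boot-admin (SBA) monitoring server, access control is generally needed to prevent unauthorized access. In a few simple steps, Spring Security can be configured to control access to SBA.
1. Add the dependency:
<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-security</artifactId>
</dependency>
2. Configuration: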
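import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
    @Value("${spring.profiles}")
    private String env;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Uncomment if login should be skipped on the development server:
        // if ("dev".equals(env)) {
        //     http.authorizeRequests().antMatchers("/**", "/**/filters").permitAll();
        //     http.csrf().disable();
        //     http.httpBasic();
        //     return;
        // }
        http
            .formLogin().loginPage("/login.html").loginProcessingUrl("/login").permitAll()
            .and()
            .logout().logoutUrl("/logout")
            .and()
            .authorizeRequests()
                // "/api/**" is opened so that monitored clients can register without logging in
                .antMatchers("/login.html", "/**/*.css", "/img/**", "/api/**")
                .permitAll()
            .and()
            .authorizeRequests().antMatchers("/**").authenticated();
        http.csrf().disable();
        http.httpBasic();
    }

    /* @Autowired // The login account and password can also be configured in application.yml: security.user.name/password
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        auth
            .inMemoryAuthentication()
            .withUser("svcAdmin").password("pw").roles("USER");
    }*/
}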
application.yml:
security:
  user:
    name: sba
    password: passwd
3. Login page:
<html>
<head>
    <meta charset="UTF-8">
    <title>SBA login</title>
    <style>
        html,body{text-align:center;margin:0px auto;}
        form, div{margin: 5px;}
    </style>
</head>
<body>
<br/>
<form action="/svc-monitor/login" method="post">
    <div>Please log in:</div>
    <div><label><input type="text" name="username" placeholder="Username"/> </label></div>
    <div><label><input type="password" name="password" placeholder="Password"/> </label></div>
    <div><input type="submit" value="Log in"/></div>
</form>
</body>
</html>
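The configuration in step 2 opens all of "/api/**" without login so that monitored clients can register. As an added example (not code from the original post), here is a narrower variant that gives monitored clients their own HTTP Basic account limited to registration and keeps the rest of the API behind the operator login. It assumes the same Spring Boot 1.x / Spring Security 4 stack as the page, and that clients register with POST /api/applications and deregister with DELETE /api/applications/{id} (the SBA 1.x defaults); the user name "sba-client" and the property names "sba.ui.password" and "sba.client.password" are hypothetical, and the client-side credential settings are not shown.

```java
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class RestrictedApiSecurityConfig extends WebSecurityConfigurerAdapter {

    // Hypothetical property names; supply the values outside version control.
    @Value("${sba.ui.password}")
    private String uiPassword;
    @Value("${sba.client.password}")
    private String clientPassword;

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication()
            .withUser("sba").password(uiPassword).roles("ADMIN")              // human operator
            .and()
            .withUser("sba-client").password(clientPassword).roles("CLIENT"); // monitored apps
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .formLogin().loginPage("/login.html").loginProcessingUrl("/login").permitAll()
            .and()
            .logout().logoutUrl("/logout")
            .and()
            .authorizeRequests()
                // Only the login page and static assets stay public.
                .antMatchers("/login.html", "/**/*.css", "/img/**").permitAll()
                // Assumed SBA 1.x defaults: register = POST, deregister = DELETE.
                .antMatchers(HttpMethod.POST, "/api/applications").hasAnyRole("CLIENT", "ADMIN")
                .antMatchers(HttpMethod.DELETE, "/api/applications/*").hasAnyRole("CLIENT", "ADMIN")
                // Everything else, including the rest of /api/**, needs the operator role.
                .anyRequest().hasRole("ADMIN");
        http.csrf().disable(); // kept as on the page: the static login.html carries no CSRF token
        http.httpBasic();      // monitored clients authenticate with HTTP Basic
    }
}
```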