spring-boot-actuator报错Full authentication is required to access this resource

课程分享:

  1. 课程分享:Docker+Kubernetes(k8s)微服务容器化实践
  2. 课程分享:Kubernetes(k8s)生产级实践指南 从部署到核心应用

  3. 课程分享:(极客时间)深入剖析Kubernetes

异常情况:

/health 只有status信息,没有其他

{

"status" : "UP"

}

/metrics 提示没有权限

Whitelabel Error Page

This application has no explicit mapping for /error, so you are seeing this as a fallback.

Mon Nov 20 10:42:15 CST 2017

There was an unexpected error (type=Unauthorized, status=401).

Full authentication is required to access this resource.

解决办法【设置端点访问 】:

 

方式1-关闭验证 

application.properties添加配置参数

management.security.enabled=false

方式2-开启HTTP basic认证 

  • 添加依赖    
<dependency>  
    <groupId>org.springframework.boot</groupId>  
    <artifactId>spring-boot-starter-security</artifactId>  
</dependency>
  • application.properties 添加用户名和密码

security.user.name=admin

security.user.password=123456

management.security.enabled=true

management.security.role=ADMIN

  • 访问URL http://localhost:8080/env 后,就看到需要输入用户名和密码了。 

原因分析:

 

Actuator endpoints 【断点】:

Actuator endpoints allow you to monitor and interact with your application.

Spring Boot includes a number of built-in endpoints and you can also add your own. 

For example the health endpoint provides basic application health information.

Actuator 端点允许您监视和与您的应用程序进行交互。

Spring Boot包含许多内置的端点,您也可以添加自己的端点。

例如, health端点提供基本的应用程序健康信息。

 

The way that endpoints are exposed will depend on the type of technology that you choose.

Most applications choose HTTP monitoring, where the ID of the endpoint is mapped to a URL. 

For example, by default, the health endpoint will be mapped to /health.

端点的暴露方式取决于您选择的技术类型。

大多数应用程序选择HTTP监视,其中端点的ID映射到一个URL

例如,默认情况下,health端点将被映射到/health

The following technology agnostic endpoints are available:

ID Description Sensitive
 Default

actuator

Provides a hypermedia-based “discovery page” for the other endpoints. Requires Spring HATEOAS to be on the classpath.

为其他端点提供基于超媒体的“发现页面”。要求Spring HATEOAS在类路径上。

true

auditevents

Exposes audit events information for the current application.

公开当前应用程序的审计事件信息。

true

autoconfig

Displays an auto-configuration report showing all auto-configuration candidates and the reason why they ‘were’ or ‘were not’ applied.

显示一个auto-configuration的报告,该报告展示所有auto-configuration候选者及它们被应用或未被应用的原因

true

beans

Displays a complete list of all the Spring beans in your application.

显示一个应用中所有Spring Beans的完整列表

true

configprops

Displays a collated list of all @ConfigurationProperties.

显示一个所有@ConfigurationProperties的整理列表

true

dump

Performs a thread dump.

执行一个线程转储

true

env

Exposes properties from Spring’s ConfigurableEnvironment.

暴露来自Spring ConfigurableEnvironment的属性

true

flyway

Shows any Flyway database migrations that have been applied.

显示已应用的所有Flyway数据库迁移。

true

health

Shows application health information (when the application is secure, a simple ‘status’ when accessed over an unauthenticated connection or full message details when authenticated).

显示应用程序运行状况信息(应用程序安全时,通过未经身份验证的连接访问时的简单'状态'或通过身份验证时的完整邮件详细信息)。

false

info

Displays arbitrary application info.

显示任意的应用信息。

false

loggers

Shows and modifies the configuration of loggers in the application.

显示和修改应用程序中的记录器配置。

true

liquibase

Shows any Liquibase database migrations that have been applied.

显示已经应用的任何Liquibase数据库迁移。

true

metrics

Shows ‘metrics’ information for the current application.

显示当前应用程序的“指标”信息。

true

mappings

Displays a collated list of all @RequestMapping paths.

显示所有@RequestMapping路径的整理列表。

true

shutdown

Allows the application to be gracefully shutdown (not enabled by default).

允许应用程序正常关机(默认情况下不启用)。

true

trace

Displays trace information (by default the last 100 HTTP requests).

显示跟踪信息(默认最后100个HTTP请求)。

true

 

Accessing sensitive endpoints【访问敏感端点】

 

By default all sensitive HTTP endpoints are secured such that only users that have an ACTUATOR role may access them. 

Security is enforced using the standard HttpServletRequest.isUserInRole method.

(默认情况下,所有敏感的HTTP端点都是安全的,只有具有ACTUATOR角色的用户 可以访问它们。

安全性是使用标准HttpServletRequest.isUserInRole方法强制执行的 。)

Use the management.security.roles property if you want something different to ACTUATOR.

If you are deploying applications behind a firewall, you may prefer that all your actuator endpoints can be accessed without requiring authentication. 

You can do this by changing the management.security.enabled property:

application.properties. 

management.security.enabled=false

By default, actuator endpoints are exposed on the same port that serves regular HTTP traffic. 

Take care not to accidentally expose sensitive information if you change the management.security.enabled property.

(默认情况下,执行器端点暴露在提供常规HTTP通信的相同端口上。

注意不要在更改management.security.enabled属性时意外暴露敏感信息。)

If you’re deploying applications publicly, you may want to add ‘Spring Security’ to handle user authentication. 

When ‘Spring Security’ is added, by default ‘basic’ authentication will be used with the username user and a generated password (which is printed on the console when the application starts).

(如果您公开部署应用程序,则可能需要添加“Spring Security”来处理用户身份验证。

当添加“Spring Security”时,默认情况下,“基本”身份验证将与用户名user和生成的密码一起使用(在应用程序启动时在控制台上打印)。)

Generated passwords are logged as the application starts. Search for Using default security password’.

生成的密码在应用程序启动时被记录。搜索“使用默认安全密码”。

You can use Spring properties to change the username and password and to change the security role(s) required to access the endpoints. 

For example, you might set the following in your application.properties:

security.user.name=admin
security.user.password=secret
management.security.roles=SUPERUSER

If your application has custom security configuration and you want all your actuator endpoints to be accessible without authentication, you need to explicitly configure that in your security configuration. Along with that, you need to change the management.security.enabledproperty to false.

(如果您的应用程序具有自定义安全配置,并且您希望所有执行器端点无需身份验证即可访问,则需要在安全配置中明确配置该端点。与此同时,你需要改变management.security.enabled 属性false。)

If your custom security configuration secures your actuator endpoints, you also need to ensure that the authenticated user has the roles specified under management.security.roles.

(如果您的自定义安全配置保护您的执行器端点,则还需要确保经过身份验证的用户具有在下指定的角色management.security.roles。)

If you dont have a use case for exposing basic health information to unauthenticated users, 

and you have secured the actuator endpoints with custom security, you can set management.security.enabled to false. 

This will inform Spring Boot to skip the additional role check.

(如果您没有用于向未经验证的用户公开基本健康信息的用例,并且已经使用自定义安全保护了执行器端点,则可以设置management.security.enabled 为false。这将通知Spring Boot跳过额外的角色检查。)

参考来源:https://docs.spring.io/spring-boot/docs/current/reference/htmlsingle/#production-ready

发布了409 篇原创文章 · 获赞 1340 · 访问量 202万+
展开阅读全文

没有更多推荐了,返回首页

©️2019 CSDN 皮肤主题: 酷酷鲨 设计师: CSDN官方博客

分享到微信朋友圈

×

扫一扫,手机浏览