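SpringBootAdmin is used to manage and monitor SpringBoot applications. It consists of a client and a server.
In a standalone SpringBoot application, the application acts as the client and exchanges data with the server over HTTP; in a SpringCloud microservice project, the SpringBootAdmin server obtains client data directly from the service registry.
I recently resolved some SpringBootAdmin problems in a project, so I am going through its usage from the beginning and writing this summary.
I. Using SpringBootAdmin in a standalone application
1. Create the server
Create a SpringBoot project
Add the dependencies: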

    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-web</artifactId>
    </dependency>
    <dependency>
        <groupId>de.codecentric</groupId>
        <artifactId>spring-boot-admin-starter-server</artifactId>
        <version>2.1.1</version>
    </dependency>

Add the annotation to the main application class:

    @EnableAdminServer // enable monitoring

2. Create the client
Add the dependency to the client:

    <dependency>
        <groupId>de.codecentric</groupId>
        <artifactId>spring-boot-admin-starter-client</artifactId>
        <version>2.1.1</version>
    </dependency>

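Configuration file:

    spring:
      boot:
        admin:
          client:
            url: http://localhost:8090 # server address
    management:
      endpoints:
        web:
          exposure:
            include: '*' # expose all endpoints
      endpoint:
        health:
          show-details: ALWAYS

Now start the server and the client and open the server at http://localhost:8090; seeing the following page means it worked.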
3. Server security settings
The following is the server configuration
Add the dependency:

    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-security</artifactId>
    </dependency>

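Set the username/password in the configuration file:

    spring:
      security:
        user:
          name: "admin"
          password: "admin"

Add a configuration class that opens up the login page and sets the redirect page: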
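
    import de.codecentric.boot.admin.server.config.AdminServerProperties;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
    import org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler;

    @Configuration
    public class SecuritySecureConfig extends WebSecurityConfigurerAdapter {

        private final String adminContextPath;

        public SecuritySecureConfig(AdminServerProperties adminServerProperties) {
            this.adminContextPath = adminServerProperties.getContextPath();
        }

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            // After a successful login, redirect to the URL given in the "redirectTo" parameter
            SavedRequestAwareAuthenticationSuccessHandler successHandler = new SavedRequestAwareAuthenticationSuccessHandler();
            successHandler.setTargetUrlParameter("redirectTo");

            http.authorizeRequests()
                    // static assets and the login page are open to everyone
                    .antMatchers(adminContextPath + "/assets/**").permitAll()
                    .antMatchers(adminContextPath + "/login").permitAll()
                    // everything else requires authentication
                    .anyRequest().authenticated()
                    .and()
                    .formLogin().loginPage(adminContextPath + "/login").successHandler(successHandler).and()
                    .logout().logoutUrl(adminContextPath + "/logout").and()
                    .httpBasic().and()
                    .csrf().disable();
        }
    }
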
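Now start the server and visit it
The following is the client configuration
The client must be configured with the server's username/password, otherwise it cannot connect:

    # client configuration
    spring:
      boot:
        admin:
          client:
            url: http://localhost:8090
            # username and password of the server
            username: "admin"
            password: "admin"

Now start the client and it connects to the server normally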
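4. Client security settings
Leaving the endpoints that admin monitors open is insecure, and vulnerability scans will flag them. The fix: add security authentication to the client as well.
The following is the client configuration
Add the dependency: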

    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-security</artifactId>
    </dependency>

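Set the username and password in the configuration file:

    spring:
      # username and password of the client
      security:
        user:
          name: "admin"
          password: "admin"

Configure the client to send its username and password to the server:

    spring:
      application:
        name: SpringBootAdminClient
      # username and password of the client
      security:
        user:
          name: "admin"
          password: "admin"
      boot:
        admin:
          client:
            url: http://localhost:8090
            # username and password of the server
            username: "admin"
            password: "admin"
            # send the client's username and password to the server
            instance:
              metadata:
                user.name: ${spring.security.user.name}
                user.password: ${spring.security.user.password}

Add a configuration class that opens up the required endpoint URLs: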

    import org.springframework.context.annotation.Configuration;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

    @Configuration
    public class SecuritySecureConfig extends WebSecurityConfigurerAdapter {

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.authorizeRequests()
                    // this path requires authentication
                    .antMatchers("/actuator/**").authenticated()
                    // all other paths are open
                    .anyRequest().permitAll()
                    .and()
                    .httpBasic().and()
                    .csrf().disable();
        }
    }

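Start the client now: the server can still fetch the client's information normally, but accessing the client's endpoint URLs from a browser requires username/password authentication.
The complete configuration files for the server and the client are attached below:
Server:

    spring:
      application:
        name: SpringBootAdminServer
      # username and password for server authentication
      security:
        user:
          name: "admin"
          password: "admin"
    server:
      port: 8090

Client:

    spring:
      application:
        name: SpringBootAdminClient
      # username and password for client authentication
      security:
        user:
          name: "admin"
          password: "admin"
      boot:
        admin:
          client:
            url: http://localhost:8090
            # server username and password needed to connect to the server
            username: "admin"
            password: "admin"
            # send the client's username and password to the server
            instance:
              metadata:
                user.name: ${spring.security.user.name}
                user.password: ${spring.security.user.password}
    server:
      port: 8091
    # expose the monitoring endpoints
    management:
      endpoints:
        web:
          exposure:
            include: '*' # expose all endpoints
      endpoint:
        health:
          show-details: ALWAYS
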
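A hardened variant of the client configuration above, added here as an example and not part of the original post. It keeps the same structure but reads every credential from the environment, uses separate accounts for the server login and the client endpoints, and narrows what is exposed; the environment variable names and the chosen endpoint subset are assumptions.

```yaml
# Added example, not from the original post.
# SBA_* variable names and the endpoint subset are assumptions.
spring:
  application:
    name: SpringBootAdminClient
  security:
    user:
      # Account protecting this client's /actuator/** endpoints.
      # Supplied by the environment or a secret store, never admin/admin.
      name: ${SBA_CLIENT_USER}
      password: ${SBA_CLIENT_PASSWORD}
  boot:
    admin:
      client:
        url: http://localhost:8090
        # Different account, used only to register with the admin server.
        username: ${SBA_SERVER_USER}
        password: ${SBA_SERVER_PASSWORD}
        instance:
          metadata:
            # Still sent to the server so it can call the protected endpoints.
            user.name: ${spring.security.user.name}
            user.password: ${spring.security.user.password}
server:
  port: 8091
management:
  endpoints:
    web:
      exposure:
        # was: '*'
        include: health,info,metrics
  endpoint:
    health:
      # was: ALWAYS; details now go only to authenticated callers
      show-details: WHEN_AUTHORIZED
```

In the registry-based setups that follow, the same two metadata values are published through the registry, so anyone who can read the registry can read them; access to the registry itself needs to be restricted accordingly.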
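II. Using SpringBootAdmin in a microservice application
In a microservice application, SpringBootAdmin can obtain client data directly from the service registry
1. Using SpringBootAdmin with the eureka registry
Modify the setup above as follows
For example, with a eureka registry at: http://localhost:9999/eureka/
Server changes
1) Add the eureka client dependency

    <dependency>
        <groupId>org.springframework.cloud</groupId>
        <artifactId>spring-cloud-starter-netflix-eureka-client</artifactId>
    </dependency>

2) Enable the eureka client
Add the annotation to the main application class

    @EnableDiscoveryClient

3) Modify the configuration file to use the eureka registry and send the server's authentication username and password to eureka, as follows: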

    spring:
      application:
        name: EurekaAdminServer
      security:
        user:
          name: "admin"
          password: "admin"
    server:
      port: 9090
    eureka:
      client:
        register-with-eureka: false # the admin server does not register with eureka, so it will not monitor itself
        registryFetchIntervalSeconds: 5
        service-url:
          defaultZone: ${EUREKA_SERVICE_URL:http://localhost:9999}/eureka/

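Client changes
1) Add the eureka client dependency

    <dependency>
        <groupId>org.springframework.cloud</groupId>
        <artifactId>spring-cloud-starter-netflix-eureka-client</artifactId>
    </dependency>

2) Enable the eureka client
Add the annotation to the main application class

    @EnableDiscoveryClient

3) Modify the configuration file to use the eureka registry and send the client's authentication username and password to eureka, as follows: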

    spring:
      application:
        name: EurekaAdminClient
      # username and password of the client
      security:
        user:
          name: "admin"
          password: "admin"
    server:
      port: 9091
    management:
      endpoints:
        web:
          exposure:
            include: '*'
      endpoint:
        health:
          show-details: ALWAYS
    eureka:
      client:
        registryFetchIntervalSeconds: 5
        service-url:
          defaultZone: ${EUREKA_SERVICE_URL:http://localhost:9999}/eureka/
      instance:
        # send the client's endpoint authentication username and password to eureka
        metadata-map:
          user.name: ${spring.security.user.name}
          user.password: ${spring.security.user.password}

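2. Using SpringBootAdmin with the nacos registry
To use the nacos registry, switch to the nacos dependency:

    <dependency>
        <groupId>com.alibaba.cloud</groupId>
        <artifactId>spring-cloud-alibaba-nacos-discovery</artifactId>
    </dependency>

Add the enabling annotation to the main application class:

    @EnableDiscoveryClient

Change the server configuration file to: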

    spring:
      application:
        name: NacosAdminServer
      security:
        user:
          name: "admin"
          password: "admin"
      cloud:
        nacos:
          discovery:
            register-enabled: false # the admin server does not register
            server-addr: 127.0.0.1:8848
            metadata:
              user.name: ${spring.security.user.name}
              user.password: ${spring.security.user.password}
    server:
      port: 10090

Change the client configuration file to:

    spring:
      application:
        name: NacosAdminClient
      security:
        user:
          name: "admin"
          password: "admin"
      cloud:
        nacos:
          discovery:
            server-addr: 127.0.0.1:8848
            metadata:
              user.name: ${spring.security.user.name}
              user.password: ${spring.security.user.password}
    server:
      port: 10091
    management:
      endpoints:
        web:
          exposure:
            include: '*'
      endpoint:
        health:
          show-details: ALWAYS

Good night
For the complete demo project, see: repository