记录一下SpringBootAdmin的使用

SpringBootAdmin用于对SpringBoot应用的管理和监控。 SpringBootAdmin分为客户端和服务端；
在SpringBoot单体应用下，应用作为客户端通过http通讯方式与服务端进行数据交互；在SpringCloud微服务项目中，SpringBootAdmin服务端直接通过注册中心获取客户端数据。
最近在项目中解决了一些SpringBootAdmin的问题，特从头梳理一下SpringBootAdmin的使用，作此总结。

一、单体应用使用SpringBootAdmin

1. 创建服务端

创建SpringBoot工程

添加依赖：

<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-web</artifactId>
</dependency>
<dependency>
    <groupId>de.codecentric</groupId>
    <artifactId>spring-boot-admin-starter-server</artifactId>
    <version>2.1.1</version>
</dependency>

启动类上添加注解：

@EnableAdminServer //开启监控

2. 创建客户端

客户端添加依赖：

<dependency>
    <groupId>de.codecentric</groupId>
    <artifactId>spring-boot-admin-starter-client</artifactId>
    <version>2.1.1</version>
</dependency>

配置文件：

spring:
  boot:
    admin:
      client:
        url: http://localhost:8090 # 服务端地址
management:
  endpoints:
    web:
      exposure:
        include: '*' #开放所有端点
  endpoint:
    health:
      show-details: ALWAYS

此时启动服务端和客户端，访问服务端http://localhost:8090看到以下页面即为成功

3. 服务端安全性设置

以下是服务端配置

添加依赖：

<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-security</artifactId>
</dependency>

配置文件配置用户名/密码：

spring:
  security:
    user:
      name: "admin"
      password: "admin"

添加配置类放开登录页并设置跳转页

@Configuration
public class SecuritySecureConfig extends WebSecurityConfigurerAdapter {

    private final String adminContextPath;

    public SecuritySecureConfig(AdminServerProperties adminServerProperties) {
        this.adminContextPath = adminServerProperties.getContextPath();
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        SavedRequestAwareAuthenticationSuccessHandler successHandler = new SavedRequestAwareAuthenticationSuccessHandler();
        successHandler.setTargetUrlParameter("redirectTo");
        http.authorizeRequests()
                .antMatchers(adminContextPath + "/assets/**").permitAll()
                .antMatchers(adminContextPath + "/login").permitAll()
                .anyRequest().authenticated()
                .and()
                .formLogin().loginPage(adminContextPath + "/login").successHandler(successHandler).and()
                .logout().logoutUrl(adminContextPath + "/logout").and()
                .httpBasic().and()
                .csrf().disable();
    }
}

此时启动服务端并访问

---

以下是客户端配置

客户端配置服务端的用户名/密码，否则连接不上

# client 配置
spring:
  boot:
    admin:
      client:
        url: http://localhost:8090
        # server的用户名密码
        username: "admin"
        password: "admin"

此时启动客户端即可与服务端正常连接

4. 客户端安全性设置

将admin监控的端点放开是不安全的，且漏洞扫描会扫描出异常，解决方案：将客户端也添加上安全认证

以下是客户端配置

添加依赖：

<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-security</artifactId>
</dependency>

配置文件配置用户名密码：

spring:
  # client 的用户名和密码
  security:
    user:
      name: "admin"
      password: "admin"

配置文件配置将客户端用户名密码发送至服务端：

spring:
  application:
    name: SpringBootAdminClient
  # client 的用户名和密码
  security:
    user:
      name: "admin"
      password: "admin"
  boot:
    admin:
      client:
        url: http://localhost:8090
        # server的用户名密码
        username: "admin"
        password: "admin"
        # 将client的用户名密码发送至server
        instance:
          metadata:
            user.name: ${spring.security.user.name}
            user.password: ${spring.security.user.password}

添加配置类放开需要的端子url：

@Configuration
public class SecuritySecureConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        SavedRequestAwareAuthenticationSuccessHandler successHandler = new SavedRequestAwareAuthenticationSuccessHandler();
        successHandler.setTargetUrlParameter("redirectTo");

        http.authorizeRequests()
                // 此路径需要加验证
                .antMatchers("/actuator/**").authenticated()
                // 其他路径放开
                .anyRequest().permitAll()
                .and()
                .httpBasic().and()
                .csrf().disable();
    }
}

此时启动客户端，发现服务端能正常获取客户端信息，但通过浏览器访问客户端端子信息url需要用户名密码认证

附服务端和客户端的完整配置文件如下：

服务端：

spring:
  application:
    name: SpringBootAdminServer
  # 服务端认证用户名密码
  security:
    user:
      name: "admin"
      password: "admin"
server:
  port: 8090

客户端：

spring:
  application:
    name: SpringBootAdminClient
  # 客户端认证的用户名和密码
  security:
    user:
      name: "admin"
      password: "admin"
  boot:
    admin:
      client:
        url: http://localhost:8090
        # 连接服务端所需的服务端用户名密码
        username: "admin"
        password: "admin"
        # 将客户端的用户名密码发送至服务端
        instance:
          metadata:
            user.name: ${spring.security.user.name}
            user.password: ${spring.security.user.password}

server:
  port: 8091
# 放开监控端子
management:
  endpoints:
    web:
      exposure:
        include: '*' # 放开所有端子
  endpoint:
    health:
      show-details: ALWAYS

二、微服务应用使用SpringBootAdmin

SpringBootAdmin在微服务应用中可直接通过注册中心获取客户端数据

1. SpringBootAdmin结合eureka注册中心使用

在上面的基础上修改

例如有eureka注册中心：http://localhost:9999/eureka/

服务端修改

1） 添加eureka客户端依赖

<dependency>
    <groupId>org.springframework.cloud</groupId>
    <artifactId>spring-cloud-starter-netflix-eureka-client</artifactId>
</dependency>

2）启用eureka客户端

在启动类上添加注解

@EnableDiscoveryClient

3）配置文件修改使用eureka注册中心，并将服务端认证的用户名密码发送至eureka，如下：

spring:
  application:
    name: EurekaAdminServer
  security:
    user:
      name: "admin"
      password: "admin"
server:
  port: 9090

eureka:
  client:
  	register-with-eureka: false # admin服务端不注册在eureka中，这样服务端就不会监控自己的信息
    registryFetchIntervalSeconds: 5
    service-url:
      defaultZone: ${EUREKA_SERVICE_URL:http://localhost:9999}/eureka/

客户端修改

1） 添加eureka客户端依赖

<dependency>
    <groupId>org.springframework.cloud</groupId>
    <artifactId>spring-cloud-starter-netflix-eureka-client</artifactId>
</dependency>

2）启用eureka客户端

在启动类上添加注解

@EnableDiscoveryClient

3）配置文件修改使用eureka注册中心，并将客户端认证的用户名密码发送至eureka，如下：

spring:
  application:
    name: EurekaAdminClient
  # client 的用户名和密码
  security:
    user:
      name: "admin"
      password: "admin"

server:
  port: 9091

management:
  endpoints:
    web:
      exposure:
        include: '*'
  endpoint:
    health:
      show-details: ALWAYS

eureka:
  client:
    registryFetchIntervalSeconds: 5
    service-url:
      defaultZone: ${EUREKA_SERVICE_URL:http://localhost:9999}/eureka/
  instance:
    # 将客户端端子认证用户名密码发送至eureka
    metadata-map:
      user.name: ${spring.security.user.name}
      user.password: ${spring.security.user.password}

2. SpringBootAdmin结合nocas注册中心使用

使用nocas注册中心，换为nacos依赖：

<dependency>
	<groupId>com.alibaba.cloud</groupId>
	<artifactId>spring-cloud-alibaba-nacos-discovery</artifactId>
</dependency>

启动类上添加启用注解：

@EnableDiscoveryClient

服务端配置文件修改为：

spring:
  application:
    name: NacosAdminServer
  security:
    user:
      name: "admin"
      password: "admin"
  cloud:
    nacos:
      discovery:
      	register-enabled: false # admin服务端不注册
        server-addr: 127.0.0.1:8848
        metadata:
          user.name: ${spring.security.user.name}
          user.password: ${spring.security.user.password}
server:
  port: 10090

客户端配置文件修改为：

spring:
  application:
    name: NacosAdminClient
  security:
    user:
      name: "admin"
      password: "admin"
  cloud:
    nacos:
      discovery:
        server-addr: 127.0.0.1:8848
        metadata:
          user.name: ${spring.security.user.name}
          user.password: ${spring.security.user.password}
server:
  port: 10091
  
management:
  endpoints:
    web:
      exposure:
        include: '*'
  endpoint:
    health:
      show-details: ALWAYS

晚安
完整demo项目见：仓库