解决办法适用于2.x springboot版本
注意:actuator默认是开启的,默认开启是有漏洞的。
法零:和网站设置不同端口,不映射到外面,并修改路径
法一:禁用所有http接口,将配置改成:management.endpoints.web.exposure.exclude=*
法二:引入spring-boot-starter-security依赖,增加安全认证
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
</dependency>
配置增加
# actuator是否需要安全保证配置
management:
security:
enabled: true
endpoints:
web:
exposure:
include: "*"
# actuator登录认证配置
spring:
security:
user:
name: admin${random.int}
password: ${random.value}
代码增加 打印认证的用户和密码
@Component
public class MyApplicationRunner implements ApplicationRunner {
private static final Logger LOGGER = LoggerFactory.getLogger(MyApplicationRunner.class);
@Autowired
private SecurityProperties securityProperties;
@Override
public void run(ApplicationArguments args) throws Exception {
LOGGER.info("actuator user name:{}, password:{}", securityProperties.getUser().getName(), securityProperties.getUser().getPassword());
// todo 存到redis或者其他
}
}
ActuatorSecurity认证类
import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
@Configuration
public class ActuatorSecurity extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http.requestMatcher(EndpointRequest.toAnyEndpoint()).authorizeRequests()
.anyRequest().authenticated().and().httpBasic();
}
}
启动&测试
http://localhost:8088/actuator/beans