---
title: Spring Boot Admin添加安全验证
date: 2021-01-27 17:02:54
description: 阿里云Spring Boot Admin 未授权访问漏洞，需要添加安全验证解决
categories: [技术总结]
tags: [Spring boot]
---

### 阿里云安全警告
阿里云受工业和信息化部网络安全管理局委托通知您，您的资产：XX.XX.XX.XX，存在Spring Boot Admin 未授权访问漏洞，漏洞报告地址：...，详情请查阅邮件或站内信。请您参照修复建议尽快进行整改，避免漏洞被黑客利用，对于长期存在安全隐患但未整改的网络资源，监管部门可能会下达行政处罚（关停、约谈等），望您务必重视。

### 原因
Spring Boot监控系统一直没有加安全机制，被工信部点名了，需要加上账号密码验证。

### Spring Boot Admin Server端
pom.xml中添加security
```xml
<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-security</artifactId>
</dependency>
```
项目里面添加配置类SecuritySecureConfig.java
```java
@Configuration(proxyBeanMethods = false)
public class SecuritySecureConfig extends WebSecurityConfigurerAdapter {

  private final AdminServerProperties adminServer;

  public SecuritySecureConfig(AdminServerProperties adminServer) {
    this.adminServer = adminServer;
  }

  @Override
  protected void configure(HttpSecurity http) throws Exception {
    SavedRequestAwareAuthenticationSuccessHandler successHandler = new SavedRequestAwareAuthenticationSuccessHandler();
    successHandler.setTargetUrlParameter("redirectTo");
    successHandler.setDefaultTargetUrl(this.adminServer.path("/"));

    http.authorizeRequests(
        (authorizeRequests) -> authorizeRequests.antMatchers(this.adminServer.path("/assets/**")).permitAll() 
            .antMatchers(this.adminServer.path("/login")).permitAll().anyRequest().authenticated() 
    ).formLogin(
        (formLogin) -> formLogin.loginPage(this.adminServer.path("/login")).successHandler(successHandler).and() 
    ).logout((logout) -> logout.logoutUrl(this.adminServer.path("/logout"))).httpBasic(Customizer.withDefaults()) 
        .csrf((csrf) -> csrf.csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse()) 
            .ignoringRequestMatchers(
                new AntPathRequestMatcher(this.adminServer.path("/instances"),
                    HttpMethod.POST.toString()), 
                new AntPathRequestMatcher(this.adminServer.path("/instances/*"),
                    HttpMethod.DELETE.toString()), 
                new AntPathRequestMatcher(this.adminServer.path("/actuator/**")) 
            ))
        .rememberMe((rememberMe) -> rememberMe.key(UUID.randomUUID().toString()).tokenValiditySeconds(1209600));
  }

  // Required to provide UserDetailsService for "remember functionality"
  @Override
  protected void configure(AuthenticationManagerBuilder auth) throws Exception {
    // 这里的账号密码改成自己需要的        
    auth.inMemoryAuthentication().withUser("user").password("{noop}password").roles("USER");
  }

}
```
注意： 记录一下最后一个方法的账号密码，Client端需要填写相关的配置

### Spring Boot Admin Client端
添加账号密码的配置
```properties
spring.boot.admin.client.username=user
spring.boot.admin.client.password=password
```

### 相关链接
Spring Boot Admin版本：`2.3.0`
官网相关文章： [保护Spring Boot Admin服务器](https://codecentric.github.io/spring-boot-admin/2.3.0/#securing-spring-boot-admin)