spring boot actuator 安全配置 springboot的安全性

关于springboot Actuator框架的安全配置方案：

加入security安全验证框架

方案一：

配置信息：

spring:
    security:
        user:
          password: admin
          name: admin

management:
  endpoints:
    web:
      base-path: /monitor
      exposure:
        include: "*"
        # 排除端点
        exclude: shutdown
  server:
    port: 9595
  endpoint:
    health:
      show-details: always
    shutdown:
      enabled: true

引入依赖信息

<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-security</artifactId>
</dependency>

需要上下午url对进行处理；

处理方法一：只针对端点请求进行权限校验

@Configuration
@EnableWebSecurity
public class ActuatorSecurityConfig extends WebSecurityConfigurerAdapter {

  @Autowired
  Environment env;

  @Override
  protected void configure(HttpSecurity security) throws Exception {
        String contextPath = env.getProperty("management.endpoints.web.base-path");
        if(StringUtils.isEmpty(contextPath)) {
            contextPath = "";
        }
        security.csrf().disable().headers().frameOptions().disable();
        security.cors().and().antMatcher("/**"+contextPath+"/**")
                .authorizeRequests()
                .anyRequest()
                .authenticated().and().httpBasic();
     }
}

以下处理跨域请求

@Configuration
public class WebConfig implements WebMvcConfigurer {

    /**
     * 允许跨域请求
     *
     * @param registry
     */
    @Override
    public void addCorsMappings(CorsRegistry registry) {
        registry.addMapping("/**")
            .allowedOrigins("*")
            .allowedMethods("GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS")
            .allowCredentials(true)
            .maxAge(3600)
            .allowedHeaders("*");
    }

    @Bean
    CorsConfigurationSource corsConfigurationSource() {
        CorsConfiguration configuration = new CorsConfiguration();
        configuration.setAllowedOrigins(Arrays.asList("*"));
        configuration.setAllowedMethods(Arrays.asList("GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS"));
        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        source.registerCorsConfiguration("/**", configuration);
        return source;
    }
}

方案二：定制端点信息

启用端点：默认情况下，启用除shutdown 之外的所有端点。要配置端点的启用，请使用其management.endpoint…enabled 属性。以下示例启用shutdown 端点：

management.endpoint.shutdown.enabled=true
management.endpoint.env.enabled=false

如果您希望端点启用是选择加入而不是选择退出，请将management.endpoints.enabled-by-default 属性设置为false 并使用单个端点enabled 属性重新加入。以下示例启用info endpoint并禁用所有其他端点：

management.endpoints.enabled-by-default=false
management.endpoint.info.enabled=true