课程分享:
异常情况:
/health 只有status信息,没有其他
{
"status" : "UP"
}
/metrics 提示没有权限
Whitelabel Error Page
This application has no explicit mapping for /error, so you are seeing this as a fallback.
Mon Nov 20 10:42:15 CST 2017
There was an unexpected error (type=Unauthorized, status=401).
Full authentication is required to access this resource.
解决办法【设置端点访问 】:
方式1-关闭验证
application.properties添加配置参数
management.security.enabled=false
方式2-开启HTTP basic认证
- 添加依赖
<dependency> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-starter-security</artifactId> </dependency>
- application.properties 添加用户名和密码
security.user.name=admin
security.user.password=123456
management.security.enabled=true
management.security.role=ADMIN
- 访问URL http://localhost:8080/env 后,就看到需要输入用户名和密码了。
原因分析:
Actuator endpoints 【断点】:
Actuator endpoints allow you to monitor and interact with your application.
Spring Boot includes a number of built-in endpoints and you can also add your own.
For example the health endpoint provides basic application health information.
Actuator 端点允许您监视和与您的应用程序进行交互。
Spring Boot包含许多内置的端点,您也可以添加自己的端点。
例如, health端点提供基本的应用程序健康信息。
The way that endpoints are exposed will depend on the type of technology that you choose.
Most applications choose HTTP monitoring, where the ID of the endpoint is mapped to a URL.
For example, by default, the health endpoint will be mapped to /health.
端点的暴露方式取决于您选择的技术类型。
大多数应用程序选择HTTP监视,其中端点的ID映射到一个URL。
例如,默认情况下,health端点将被映射到/health。
The following technology agnostic endpoints are available:
| ID | Description | Sensitive Default |
|
Provides a hypermedia-based “discovery page” for the other endpoints. Requires Spring HATEOAS to be on the classpath. 为其他端点提供基于超媒体的“发现页面”。要求Spring HATEOAS在类路径上。 |
true |
|
Exposes audit events information for the current application. 公开当前应用程序的审计事件信息。 |
true |
|
Displays an auto-configuration report showing all auto-configuration candidates and the reason why they ‘were’ or ‘were not’ applied. 显示一个auto-configuration的报告,该报告展示所有auto-configuration候选者及它们被应用或未被应用的原因 |
true |
|
Displays a complete list of all the Spring beans in your application. 显示一个应用中所有Spring Beans的完整列表 |
true |
|
Displays a collated list of all |
true |
|
Performs a thread dump. 执行一个线程转储 |
true |
|
Exposes properties from Spring’s |
true |
|
Shows any Flyway database migrations that have been applied. 显示已应用的所有Flyway数据库迁移。 |
true |
|
Shows application health information (when the application is secure, a simple ‘status’ when accessed over an unauthenticated connection or full message details when authenticated). 显示应用程序运行状况信息(应用程序安全时,通过未经身份验证的连接访问时的简单'状态'或通过身份验证时的完整邮件详细信息)。 |
false |
|
Displays arbitrary application info. 显示任意的应用信息。 |
false |
|
Shows and modifies the configuration of loggers in the application. 显示和修改应用程序中的记录器配置。 |
true |
|
Shows any Liquibase database migrations that have been applied. 显示已经应用的任何Liquibase数据库迁移。 |
true |
|
Shows ‘metrics’ information for the current application. 显示当前应用程序的“指标”信息。 |
true |
|
Displays a collated list of all @RequestMapping路径的整理列表。 |
true |
|
Allows the application to be gracefully shutdown (not enabled by default). 允许应用程序正常关机(默认情况下不启用)。 |
true |
|
Displays trace information (by default the last 100 HTTP requests). 显示跟踪信息(默认最后100个HTTP请求)。 |
true |
Accessing sensitive endpoints【访问敏感端点】
By default all sensitive HTTP endpoints are secured such that only users that have an ACTUATOR role may access them.
Security is enforced using the standard HttpServletRequest.isUserInRole method.
(默认情况下,所有敏感的HTTP端点都是安全的,只有具有ACTUATOR角色的用户 可以访问它们。
安全性是使用标准HttpServletRequest.isUserInRole方法强制执行的 。)
Use the management.security.roles property if you want something different to ACTUATOR.
If you are deploying applications behind a firewall, you may prefer that all your actuator endpoints can be accessed without requiring authentication.
You can do this by changing the management.security.enabled property:
application.properties.
management.security.enabled=false
By default, actuator endpoints are exposed on the same port that serves regular HTTP traffic.
Take care not to accidentally expose sensitive informationif you change the management.security.enabled property.
(默认情况下,执行器端点暴露在提供常规HTTP通信的相同端口上。
注意不要在更改management.security.enabled属性时意外暴露敏感信息。)
If you’re deploying applications publicly, you may want to add ‘Spring Security’ to handle user authentication.
When ‘Spring Security’ is added, by default ‘basic’ authentication will be used with the username user and a generated password (which is printed on the console when the application starts).
(如果您公开部署应用程序,则可能需要添加“Spring Security”来处理用户身份验证。
当添加“Spring Security”时,默认情况下,“基本”身份验证将与用户名user和生成的密码一起使用(在应用程序启动时在控制台上打印)。)
Generated passwords are logged as the application starts. Search for ‘Using default security password’.
生成的密码在应用程序启动时被记录。搜索“使用默认安全密码”。
You can use Spring properties to change the username and password and to change the security role(s) required to access the endpoints.
For example, you might set the following in your application.properties:
security.user.name=admin security.user.password=secret management.security.roles=SUPERUSER
If your application has custom security configuration and you want all your actuator endpoints to be accessible without authentication, you need to explicitly configure that in your security configuration. Along with that, you need to change the management.security.enabledproperty to false.
(如果您的应用程序具有自定义安全配置,并且您希望所有执行器端点无需身份验证即可访问,则需要在安全配置中明确配置该端点。与此同时,你需要改变management.security.enabled 属性false。)
If your custom security configuration secures your actuator endpoints, you also need to ensure that the authenticated user has the roles specified under management.security.roles.
(如果您的自定义安全配置保护您的执行器端点,则还需要确保经过身份验证的用户具有在下指定的角色management.security.roles。)
If you don’t have a use case for exposing basic health information to unauthenticated users,
and you have secured the actuator endpoints with customsecurity, you can set management.security.enabled to false.
This will inform Spring Boot to skip the additional role check.
(如果您没有用于向未经验证的用户公开基本健康信息的用例,并且已经使用自定义安全保护了执行器端点,则可以设置management.security.enabled为false。这将通知Spring Boot跳过额外的角色检查。)
参考来源:https://docs.spring.io/spring-boot/docs/current/reference/htmlsingle/#production-ready
