add 增加 springboot actuator 账号密码认证杜绝内外网信息泄漏问题

6 months ago · 2575d2a711
parent 5ee78233f1
commit 2575d2a711
4 changed files with 44 additions and 5 deletions
--- a/config/nacos/application-common.yml
+++ b/config/nacos/application-common.yml
@ -70,6 +70,12 @@ spring:
      # 允许对象忽略json中不存在的属性
      fail_on_unknown_properties: false
  cloud:
+    nacos:
+      discovery:
+        metadata:
+          # admin 监控账号密码
+          username: ruoyi
+          userpassword: 123456
    # sentinel 配置
    sentinel:
      # sentinel 开关
--- a/ruoyi-common/ruoyi-common-security/src/main/java/org/dromara/common/security/config/SecurityConfiguration.java
+++ b/ruoyi-common/ruoyi-common-security/src/main/java/org/dromara/common/security/config/SecurityConfiguration.java
@ -2,10 +2,12 @@ package org.dromara.common.security.config;

 import cn.dev33.satoken.SaManager;
 import cn.dev33.satoken.filter.SaServletFilter;
+import cn.dev33.satoken.httpauth.basic.SaHttpBasicUtil;
 import cn.dev33.satoken.interceptor.SaInterceptor;
 import cn.dev33.satoken.same.SaSameUtil;
 import cn.dev33.satoken.util.SaResult;
 import org.dromara.common.core.constant.HttpStatus;
+import org.dromara.common.core.utils.SpringUtils;
 import org.springframework.boot.autoconfigure.AutoConfiguration;
 import org.springframework.context.annotation.Bean;
 import org.springframework.web.servlet.config.annotation.InterceptorRegistry;
@ -35,7 +37,7 @@ public class SecurityConfiguration implements WebMvcConfigurer {
    public SaServletFilter getSaServletFilter() {
        return new SaServletFilter()
            .addInclude("/**")
-            .addExclude("/actuator/**")
+            .addExclude("/actuator", "/actuator/**")
            .setAuth(obj -> {
                if (SaManager.getConfig().getCheckSameToken()) {
                    SaSameUtil.checkCurrentRequestToken();
@ -44,4 +46,19 @@ public class SecurityConfiguration implements WebMvcConfigurer {
            .setError(e -> SaResult.error("认证失败，无法访问系统资源").setCode(HttpStatus.UNAUTHORIZED));
    }

+    /**
+     * 对 actuator 健康检查接口 做账号密码鉴权
+     */
+    @Bean
+    public SaServletFilter actuatorFilter() {
+        String username = SpringUtils.getProperty("spring.cloud.nacos.discovery.metadata.username");
+        String password = SpringUtils.getProperty("spring.cloud.nacos.discovery.metadata.userpassword");
+        return new SaServletFilter()
+            .addInclude("/actuator", "/actuator/**")
+            .setAuth(obj -> {
+                SaHttpBasicUtil.check(username + ":" + password);
+            })
+            .setError(e -> SaResult.error(e.getMessage()).setCode(HttpStatus.UNAUTHORIZED));
+    }
+
 }
--- a/ruoyi-gateway/src/main/java/org/dromara/gateway/filter/AuthFilter.java
+++ b/ruoyi-gateway/src/main/java/org/dromara/gateway/filter/AuthFilter.java
@ -1,12 +1,14 @@
 package org.dromara.gateway.filter;

 import cn.dev33.satoken.exception.NotLoginException;
+import cn.dev33.satoken.httpauth.basic.SaHttpBasicUtil;
 import cn.dev33.satoken.reactor.context.SaReactorSyncHolder;
 import cn.dev33.satoken.reactor.filter.SaReactorFilter;
 import cn.dev33.satoken.router.SaRouter;
 import cn.dev33.satoken.stp.StpUtil;
 import cn.dev33.satoken.util.SaResult;
 import org.dromara.common.core.constant.HttpStatus;
+import org.dromara.common.core.utils.SpringUtils;
 import org.dromara.common.core.utils.StringUtils;
 import org.dromara.common.satoken.utils.LoginHelper;
 import org.dromara.gateway.config.properties.IgnoreWhiteProperties;
@ -30,7 +32,7 @@ public class AuthFilter {
        return new SaReactorFilter()
            // 拦截地址
            .addInclude("/**")
-            .addExclude("/favicon.ico", "/actuator/**")
+            .addExclude("/favicon.ico", "/actuator", "/actuator/**")
            // 鉴权方法：每次访问进入
            .setAuth(obj -> {
                // 登录校验 -- 拦截所有路由
@ -65,4 +67,20 @@ public class AuthFilter {
                return SaResult.error("认证失败，无法访问系统资源").setCode(HttpStatus.UNAUTHORIZED);
            });
    }
+
+    /**
+     * 对 actuator 健康检查接口 做账号密码鉴权
+     */
+    @Bean
+    public SaReactorFilter actuatorFilter() {
+        String username = SpringUtils.getProperty("spring.cloud.nacos.discovery.metadata.username");
+        String password = SpringUtils.getProperty("spring.cloud.nacos.discovery.metadata.userpassword");
+        return new SaReactorFilter()
+            .addInclude("/actuator", "/actuator/**")
+            .setAuth(obj -> {
+                SaHttpBasicUtil.check(username + ":" + password);
+            })
+            .setError(e -> SaResult.error(e.getMessage()).setCode(HttpStatus.UNAUTHORIZED));
+    }
+
 }
--- a/ruoyi-visual/ruoyi-monitor/src/main/java/org/dromara/modules/monitor/config/WebSecurityConfigurer.java
+++ b/ruoyi-visual/ruoyi-monitor/src/main/java/org/dromara/modules/monitor/config/WebSecurityConfigurer.java
@ -39,9 +39,7 @@ public class WebSecurityConfigurer {
            .authorizeHttpRequests((authorize) ->
                authorize.requestMatchers(
                        new AntPathRequestMatcher(adminContextPath + "/assets/**"),
-                        new AntPathRequestMatcher(adminContextPath + "/login"),
-                        new AntPathRequestMatcher("/actuator"),
-                        new AntPathRequestMatcher("/actuator/**")
+                        new AntPathRequestMatcher(adminContextPath + "/login")
                    ).permitAll()
                    .anyRequest().authenticated())
            .formLogin((formLogin) ->