From 2575d2a71109b6da4d8e531bbee3836305aa437a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E7=96=AF=E7=8B=82=E7=9A=84=E7=8B=AE=E5=AD=90Li?= <15040126243@163.com> Date: Wed, 24 Jul 2024 20:07:56 +0800 Subject: [PATCH] =?UTF-8?q?add=20=E5=A2=9E=E5=8A=A0=20springboot=20actuato?= =?UTF-8?q?r=20=E8=B4=A6=E5=8F=B7=E5=AF=86=E7=A0=81=E8=AE=A4=E8=AF=81=20?= =?UTF-8?q?=E6=9D=9C=E7=BB=9D=E5=86=85=E5=A4=96=E7=BD=91=E4=BF=A1=E6=81=AF?= =?UTF-8?q?=E6=B3=84=E6=BC=8F=E9=97=AE=E9=A2=98?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- config/nacos/application-common.yml | 6 ++++++ .../config/SecurityConfiguration.java | 19 +++++++++++++++++- .../dromara/gateway/filter/AuthFilter.java | 20 ++++++++++++++++++- .../monitor/config/WebSecurityConfigurer.java | 4 +--- 4 files changed, 44 insertions(+), 5 deletions(-) diff --git a/config/nacos/application-common.yml b/config/nacos/application-common.yml index c3ff3454..4a685cbc 100644 --- a/config/nacos/application-common.yml +++ b/config/nacos/application-common.yml @@ -70,6 +70,12 @@ spring: # 允许对象忽略json中不存在的属性 fail_on_unknown_properties: false cloud: + nacos: + discovery: + metadata: + # admin 监控账号密码 + username: ruoyi + userpassword: 123456 # sentinel 配置 sentinel: # sentinel 开关 diff --git a/ruoyi-common/ruoyi-common-security/src/main/java/org/dromara/common/security/config/SecurityConfiguration.java b/ruoyi-common/ruoyi-common-security/src/main/java/org/dromara/common/security/config/SecurityConfiguration.java index efd34fc2..fb1b39a0 100644 --- a/ruoyi-common/ruoyi-common-security/src/main/java/org/dromara/common/security/config/SecurityConfiguration.java +++ b/ruoyi-common/ruoyi-common-security/src/main/java/org/dromara/common/security/config/SecurityConfiguration.java 
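Review bot: The added `username: ruoyi` / `userpassword: 123456` under `spring.cloud.nacos.discovery.metadata` commits a guessable default credential to the shared config, and the two Java filters in this patch accept exactly this pair for every actuator endpoint. Discovery metadata is also published with each service instance, so anything that can read the Nacos instance list can read the password. Presumably that is how the monitor picks it up, which makes registry access control part of the protection. I would take the value from the environment with no default, e.g. `userpassword: ${MONITOR_PASSWORD}` (placeholder variable name), so that startup fails when it is unset. A comment above the two keys should say that they are visible to registry clients and must be overridden per deployment.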
@@ -2,10 +2,12 @@ package org.dromara.common.security.config; import cn.dev33.satoken.SaManager; import cn.dev33.satoken.filter.SaServletFilter; +import cn.dev33.satoken.httpauth.basic.SaHttpBasicUtil; import cn.dev33.satoken.interceptor.SaInterceptor; import cn.dev33.satoken.same.SaSameUtil; import cn.dev33.satoken.util.SaResult; import org.dromara.common.core.constant.HttpStatus; +import org.dromara.common.core.utils.SpringUtils; import org.springframework.boot.autoconfigure.AutoConfiguration; import org.springframework.context.annotation.Bean; import org.springframework.web.servlet.config.annotation.InterceptorRegistry; @@ -35,7 +37,7 @@ public class SecurityConfiguration implements WebMvcConfigurer { public SaServletFilter getSaServletFilter() { return new SaServletFilter() .addInclude("/**") - .addExclude("/actuator/**") + .addExclude("/actuator", "/actuator/**") .setAuth(obj -> { if (SaManager.getConfig().getCheckSameToken()) { SaSameUtil.checkCurrentRequestToken(); @@ -44,4 +46,19 @@ public class SecurityConfiguration implements WebMvcConfigurer { .setError(e -> SaResult.error("认证失败,无法访问系统资源").setCode(HttpStatus.UNAUTHORIZED)); } + /** + * 对 actuator 健康检查接口 做账号密码鉴权 + */ + @Bean + public SaServletFilter actuatorFilter() { + String username = SpringUtils.getProperty("spring.cloud.nacos.discovery.metadata.username"); + String password = SpringUtils.getProperty("spring.cloud.nacos.discovery.metadata.userpassword"); + return new SaServletFilter() + .addInclude("/actuator", "/actuator/**") + .setAuth(obj -> { + SaHttpBasicUtil.check(username + ":" + password); + }) + .setError(e -> SaResult.error(e.getMessage()).setCode(HttpStatus.UNAUTHORIZED)); + } + } diff --git a/ruoyi-gateway/src/main/java/org/dromara/gateway/filter/AuthFilter.java b/ruoyi-gateway/src/main/java/org/dromara/gateway/filter/AuthFilter.java index 943b0bad..d3dbba34 100644 --- a/ruoyi-gateway/src/main/java/org/dromara/gateway/filter/AuthFilter.java 
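Review bot: In the added `actuatorFilter()`, the two `SpringUtils.getProperty(...)` results are concatenated without any check, so a deployment where the metadata keys are missing would compare against the literal `null:null`, assuming `getProperty` returns null for an absent key. Fail at startup instead, before building the filter: `if (username == null || username.isBlank() || password == null || password.isBlank()) throw new IllegalStateException("actuator credentials are not configured");`. The same lines appear in `AuthFilter.actuatorFilter()` in the gateway. Because the second hunk also excludes `/actuator` and `/actuator/**` from the main filter, this Basic check is the only gate left on those paths, and the Javadoc on the new bean could say so.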
+++ b/ruoyi-gateway/src/main/java/org/dromara/gateway/filter/AuthFilter.java @@ -1,12 +1,14 @@ package org.dromara.gateway.filter; import cn.dev33.satoken.exception.NotLoginException; +import cn.dev33.satoken.httpauth.basic.SaHttpBasicUtil; import cn.dev33.satoken.reactor.context.SaReactorSyncHolder; import cn.dev33.satoken.reactor.filter.SaReactorFilter; import cn.dev33.satoken.router.SaRouter; import cn.dev33.satoken.stp.StpUtil; import cn.dev33.satoken.util.SaResult; import org.dromara.common.core.constant.HttpStatus; +import org.dromara.common.core.utils.SpringUtils; import org.dromara.common.core.utils.StringUtils; import org.dromara.common.satoken.utils.LoginHelper; import org.dromara.gateway.config.properties.IgnoreWhiteProperties; @@ -30,7 +32,7 @@ public class AuthFilter { return new SaReactorFilter() // 拦截地址 .addInclude("/**") - .addExclude("/favicon.ico", "/actuator/**") + .addExclude("/favicon.ico", "/actuator", "/actuator/**") // 鉴权方法:每次访问进入 .setAuth(obj -> { // 登录校验 -- 拦截所有路由 @@ -65,4 +67,20 @@ public class AuthFilter { return SaResult.error("认证失败,无法访问系统资源").setCode(HttpStatus.UNAUTHORIZED); }); } + + /** + * 对 actuator 健康检查接口 做账号密码鉴权 + */ + @Bean + public SaReactorFilter actuatorFilter() { + String username = SpringUtils.getProperty("spring.cloud.nacos.discovery.metadata.username"); + String password = SpringUtils.getProperty("spring.cloud.nacos.discovery.metadata.userpassword"); + return new SaReactorFilter() + .addInclude("/actuator", "/actuator/**") + .setAuth(obj -> { + SaHttpBasicUtil.check(username + ":" + password); + }) + .setError(e -> SaResult.error(e.getMessage()).setCode(HttpStatus.UNAUTHORIZED)); + } + } diff --git a/ruoyi-visual/ruoyi-monitor/src/main/java/org/dromara/modules/monitor/config/WebSecurityConfigurer.java b/ruoyi-visual/ruoyi-monitor/src/main/java/org/dromara/modules/monitor/config/WebSecurityConfigurer.java index 686200b8..994ca73c 100644 
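Review bot: `setError(e -> SaResult.error(e.getMessage())...)` in the new `actuatorFilter()` returns whatever exception text reaches it to an unauthenticated caller, while the main filter just above answers with a fixed message. Any failure inside the auth lambda, not only a wrong password, would be echoed this way. I would keep the response constant, for example `.setError(e -> SaResult.error("认证失败,无法访问系统资源").setCode(HttpStatus.UNAUTHORIZED));`, and log the exception server-side if it is needed for diagnosis. `SecurityConfiguration.actuatorFilter()` has the same line.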
--- a/ruoyi-visual/ruoyi-monitor/src/main/java/org/dromara/modules/monitor/config/WebSecurityConfigurer.java +++ b/ruoyi-visual/ruoyi-monitor/src/main/java/org/dromara/modules/monitor/config/WebSecurityConfigurer.java @@ -39,9 +39,7 @@ public class WebSecurityConfigurer { .authorizeHttpRequests((authorize) -> authorize.requestMatchers( new AntPathRequestMatcher(adminContextPath + "/assets/**"), - new AntPathRequestMatcher(adminContextPath + "/login"), - new AntPathRequestMatcher("/actuator"), - new AntPathRequestMatcher("/actuator/**") + new AntPathRequestMatcher(adminContextPath + "/login") ).permitAll() .anyRequest().authenticated()) .formLogin((formLogin) ->