From 《重新定义Spring Cloud实战》 (Redefining Spring Cloud in Practice): 3.5.4 Enabling HTTP Basic Authentication
3.5.4 Enabling HTTP Basic Authentication
In a real production deployment, security has to be considered: Eureka Server itself exposes a REST API, and without authentication anyone who can reach it can modify registry data at will through that API and disrupt services. In this section we look at how Eureka Server enables HTTP Basic authentication and how Eureka Client is configured with the corresponding credentials.
1. Eureka Server configuration
To turn on HTTP Basic authentication for Eureka Server, add the spring-boot-starter-security dependency, as shown in Listing 3-29.
Listing 3-29 ch3-4\ch3-4-eureka-server\pom.xml
<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-security</artifactId>
</dependency>
The account name and password also have to be set in the configuration file; this can be combined with config-server's encryption feature, as shown in Listing 3-30.
Listing 3-30 ch3-4\ch3-4-eureka-server\src\main\resources\application-security.yml
server:
  port: 8761
spring:
  security:
    basic:
      enabled: true
    user:
      name: admin
      password: Xk38CNHigBP5jK75
eureka:
  instance:
    hostname: localhost
  client:
    registerWithEureka: false
    fetchRegistry: false
    serviceUrl:
      defaultZone: http://${eureka.instance.hostname}:${server.port}/eureka/
  server:
    waitTimeInMsWhenSyncEmpty: 0
    enableSelfPreservation: false
In addition, spring-boot-starter-security enables CSRF protection by default. That is unsuitable for non-browser callers such as the Eureka clients, and there is no configuration-file switch to turn it off, so it has to be disabled in a Java configuration class, as shown in Listing 3-31.
Listing 3-31 ch3-4\ch3-4-eureka-server\src\main\java\cn\springcloud\book\config\SecurityConfig.java
package cn.springcloud.book.config;

import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        super.configure(http); // keep the defaults: every request must authenticate
        // Eureka clients are not browsers and send no CSRF token; without this the
        // registration and heartbeat calls (POST/PUT/DELETE) would be rejected.
        http.csrf().disable();
    }
}
Then start Eureka Server with the security profile:
mvn spring-boot:run -Dspring.profiles.active=security
Then access it as follows:
curl -i http://localhost:8761/eureka/apps
HTTP/1.1 401
Set-Cookie: JSESSIONID=D7D019318B2E5D011C3000759659FE1C; Path=/; HttpOnly
WWW-Authenticate: Basic realm="Realm"
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-Frame-Options: DENY
Content-Type: application/json;charset=UTF-8
Transfer-Encoding: chunked
Date: Mon, 25 Jun 2018 09:11:07 GMT
{"timestamp":"2018-06-25T09:11:07.832+0000","status":401,"error":"Unauthorized","message":"Unauthorized","path":"/eureka/apps"}
As shown, without an Authorization header the request is rejected with 401.
Next, pass the HTTP Basic account and password in the Authorization header:
curl -i --basic -u admin:Xk38CNHigBP5jK75 http://localhost:8761/eureka/apps
HTTP/1.1 200
Set-Cookie: JSESSIONID=8B745BEA3606E8F4856A6197407D8433; Path=/; HttpOnly
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-Frame-Options: DENY
Content-Type: application/xml
Transfer-Encoding: chunked
Date: Mon, 25 Jun 2018 09:28:29 GMT
<applications>
<versions__delta>1</versions__delta>
<apps__hashcode></apps__hashcode>
</applications>
The request now succeeds.
2. Eureka Client configuration
Because Eureka Server now requires HTTP Basic authentication, Eureka Client must be configured with the matching account so that it sends the credentials. Here we do that in the configuration file, with the password again encrypted using config-server's encryption feature, as shown in Listing 3-32.
Listing 3-32 ch3-4\ch3-4-eureka-client\src\main\resources\application-security.yml
server:
  port: 8081
spring:
  application:
    name: client1
eureka:
  client:
    security:
      basic:
        user: admin
        password: Xk38CNHigBP5jK75
    serviceUrl:
      defaultZone: http://${eureka.client.security.basic.user}:${eureka.client.security.basic.password}@localhost:8761/eureka/
Then start it with:
mvn spring-boot:run -Dspring.profiles.active=security
Then run the following command to check:
curl -i --basic -u admin:Xk38CNHigBP5jK75 http://localhost:8761/eureka/apps
HTTP/1.1 200
Set-Cookie: JSESSIONID=0CCE2E3E092CF499CF509F1B799ED837; Path=/; HttpOnly
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-Frame-Options: DENY
Content-Type: application/xml
Transfer-Encoding: chunked
Date: Mon, 25 Jun 2018 09:22:49 GMT
<applications>
<versions__delta>1</versions__delta>
<apps__hashcode>UP_1_</apps__hashcode>
<application>
<name>CLIENT1</name>
<instance>
<instanceId>10.2.238.79:client1:8081</instanceId>
<hostName>10.2.238.79</hostName>
<app>CLIENT1</app>
<ipAddr>10.2.238.79</ipAddr>
<status>UP</status>
<overriddenstatus>UNKNOWN</overriddenstatus>
<port enabled="true">8081</port>
<securePort enabled="false">443</securePort>
<countryId>1</countryId>
<dataCenterInfo class="com.netflix.appinfo.InstanceInfo$DefaultDataCenterInfo">
<name>MyOwn</name>
</dataCenterInfo>
<leaseInfo>
<renewalIntervalInSecs>30</renewalIntervalInSecs>
<durationInSecs>90</durationInSecs>
<registrationTimestamp>1529917089388</registrationTimestamp>
<lastRenewalTimestamp>1529918469122</lastRenewalTimestamp>
<evictionTimestamp>0</evictionTimestamp>
<serviceUpTimestamp>1529917089389</serviceUpTimestamp>
</leaseInfo>
<metadata>
<management.port>8081</management.port>
<jmx.port>49950</jmx.port>
</metadata>
<homePageUrl>http://10.2.238.79:8081/</homePageUrl>
<statusPageUrl>http://10.2.238.79:8081/actuator/info</statusPageUrl>
<healthCheckUrl>http://10.2.238.79:8081/actuator/health</healthCheckUrl>
<vipAddress>client1</vipAddress>
<secureVipAddress>client1</secureVipAddress>
<isCoordinatingDiscoveryServer>false</isCoordinatingDiscoveryServer>
<lastUpdatedTimestamp>1529917089389</lastUpdatedTimestamp>
<lastDirtyTimestamp>1529917088523</lastDirtyTimestamp>
<actionType>ADDED</actionType>
</instance>
</application>
</applications>
The client has registered successfully.
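As an added example (not code from the book or its sample project), the following Python script shows what the user:password@ part of defaultZone becomes on the wire, namely the Authorization: Basic header the server checks, and repeats this section's two curl checks (401 without credentials, 200 with them) against a running Eureka Server. The host, port and account are the constructed values from the listings above.

```python
import base64
import urllib.error
import urllib.request
from urllib.parse import unquote, urlsplit, urlunsplit

def basic_auth_header(user, password):
    """Authorization value for HTTP Basic: 'Basic ' + base64(user:password)."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token

def split_default_zone(url):
    """Split a defaultZone URL into (url without credentials, Authorization header or None).
    This is what ends up on the wire when user:password@ sits in the URL; a password
    containing ':' or '@' must be percent-encoded in the YAML, hence the unquote() calls."""
    parts = urlsplit(url)
    if parts.username is None:
        return url, None
    netloc = parts.hostname or ""
    if parts.port is not None:
        netloc = f"{netloc}:{parts.port}"
    clean = urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))
    header = basic_auth_header(unquote(parts.username), unquote(parts.password or ""))
    return clean, header

def fetch_status(url, headers=None):
    """GET url and return the HTTP status; 4xx/5xx are results, not exceptions."""
    req = urllib.request.Request(url, headers=headers or {})
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code

def check_eureka_auth(default_zone):
    """Repeat the two curl calls above against a running Eureka Server: expect 401
    without credentials and 200 with the header derived from defaultZone."""
    base, header = split_default_zone(default_zone)
    apps_url = base.rstrip("/") + "/apps"
    anonymous = fetch_status(apps_url)
    authed = fetch_status(apps_url, {"Authorization": header} if header else None)
    return anonymous, authed

if __name__ == "__main__":
    # Constructed sample: the same account the listings in this section use.
    zone = "http://admin:Xk38CNHigBP5jK75@localhost:8761/eureka/"
    print(split_default_zone(zone))
    print(check_eureka_auth(zone))
```

The header value printed by split_default_zone is exactly what curl --basic -u sends, so anything that logs the full defaultZone URL (startup banners, debug output) also logs the password.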