5. Security
5.1 Securing the Spring Boot Admin server
Since there are several ways to solve authentication and authorization in distributed web applications, Spring Boot Admin does not ship with a default security configuration. If you add spring-boot-admin-server-ui-login to your dependencies, a login page and a logout button are provided.
Below is an example configuration using Spring Security:
    import org.springframework.context.annotation.Configuration;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

    @Configuration
    public static class SecurityConfig extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            // Page with login form is served as /login.html and does a POST on /login
            http.formLogin().loginPage("/login.html").loginProcessingUrl("/login").permitAll();
            // The UI does a POST on /logout on logout
            http.logout().logoutUrl("/logout");
            // The UI currently doesn't support CSRF
            http.csrf().disable();
            // Requests for the login page and the static assets are allowed
            http.authorizeRequests()
                .antMatchers("/login.html", "/**/*.css", "/img/**", "/third-party/**")
                .permitAll();
            // ... and any other request needs to be authenticated
            http.authorizeRequests().antMatchers("/**").authenticated();
            // Enable HTTP Basic so that the clients can authenticate when registering
            http.httpBasic();
        }
    }
A complete example can be found in spring-boot-admin-sample.
5.2 Securing the Actuator endpoints
When the Actuator endpoints are protected with HTTP Basic authentication, the SBA server needs credentials to access them. The credentials can be submitted in the metadata when the application registers. BasicAuthHttpHeaderProvider then reads that metadata and adds the Authorization header to the requests against the Actuator endpoints. You can also provide your own HttpHeaderProvider to change this behaviour (for example to encrypt and decrypt the credentials) or to add extra headers.
Configuring the credentials with the Spring Boot Admin client:
application.yml
    spring.boot.admin:
      url: http://localhost:8080
      client:
        metadata:
          user.name: ${security.user.name}
          user.password: ${security.user.password}
Configuring the credentials via Eureka:
application.yml
    eureka:
      instance:
        metadata-map:
          user.name: ${security.user.name}
          user.password: ${security.user.password}
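As an added example (not code from the project or the original page), the following custom provider shows the "encrypt and decrypt" variant mentioned above: the client registers user.password in encrypted form, and the server decrypts it before building the Basic Authorization header. The interface de.codecentric.boot.admin.web.client.HttpHeadersProvider with getHeaders(Application) and Application.getMetadata() are assumed from the SBA 1.x API; the decryptor is a hypothetical hook you supply (for example TextEncryptor::decrypt from Spring Security's crypto module).

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.Map;
import java.util.function.UnaryOperator;

import org.springframework.http.HttpHeaders;
import org.springframework.util.StringUtils;

import de.codecentric.boot.admin.model.Application;          // assumed SBA 1.x package
import de.codecentric.boot.admin.web.client.HttpHeadersProvider; // assumed SBA 1.x interface

/**
 * Like BasicAuthHttpHeaderProvider, but expects the "user.password" metadata value
 * to be encrypted, so the clear-text password never travels in the registration
 * request. The decryptor is a hypothetical hook; the client must encrypt the value
 * with the matching key.
 */
public class DecryptingBasicAuthHeadersProvider implements HttpHeadersProvider {

    private final UnaryOperator<String> decryptor;

    public DecryptingBasicAuthHeadersProvider(UnaryOperator<String> decryptor) {
        this.decryptor = decryptor;
    }

    @Override
    public HttpHeaders getHeaders(Application application) {
        Map<String, String> metadata = application.getMetadata();
        String username = metadata.get("user.name");
        String encryptedPassword = metadata.get("user.password");
        HttpHeaders headers = new HttpHeaders();
        // Only add the header when both values are present; otherwise the
        // Actuator calls are made without credentials, as with the default provider.
        if (StringUtils.hasText(username) && StringUtils.hasText(encryptedPassword)) {
            String password = decryptor.apply(encryptedPassword);
            headers.set(HttpHeaders.AUTHORIZATION, basic(username, password));
        }
        return headers;
    }

    // "Basic " + base64(username:password), as the HTTP Basic scheme requires
    static String basic(String username, String password) {
        byte[] token = (username + ":" + password).getBytes(StandardCharsets.UTF_8);
        return "Basic " + Base64.getEncoder().encodeToString(token);
    }
}
```

Register it as a bean in the server application so it replaces the default provider; how the autoconfiguration picks it up depends on your SBA version, so check the server's HttpHeadersProvider wiring for the release you run.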