spring boot:用spring security加强druid的安全(druid 1.1.22 / spring boot 2.3.3)
一,druid的安全保障有哪些环节要注意?
1,druid ui的访问要有ip地址限制
2,用户必须要有相应的权限才能访问druid
3,关闭重置功能
说明:stat-view-servlet.url-pattern的配置应用时会报错,
如果bug修改了,使用这个功能会更安全
说明:刘宏缔的架构森林是一个专注架构的博客,
网站:https://blog.imgtouch.com
本文: https://blog.imgtouch.com/index.php/2023/05/25/springboot-yong-springsecurity-jia-qiang-druid-de-an-quan-druid1122springboot233/
对应的源码可以访问这里获取: https://github.com/liuhongdi/
说明:作者:刘宏缔 邮箱: 371125307@qq.com
二,演示项目的相关信息
1,项目地址:
https://github.com/liuhongdi/druidsecurity
2,项目功能说明:
演示了druid的安全配置
3,项目结构:如图:
三,配置文件说明
1,pom.xml
<dependency> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-starter-web</artifactId> <exclusions> <exclusion> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-starter-logging</artifactId> </exclusion> </exclusions> </dependency> <!--druid begin--> <dependency> <groupId>com.alibaba</groupId> <artifactId>druid-spring-boot-starter</artifactId> <version>1.1.22</version> </dependency> <dependency> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-starter-log4j2</artifactId> </dependency> <dependency> <groupId>com.lmax</groupId> <artifactId>disruptor</artifactId> <version>3.4.2</version> </dependency> <!--mybatis begin--> <dependency> <groupId>org.mybatis.spring.boot</groupId> <artifactId>mybatis-spring-boot-starter</artifactId> <version>2.1.3</version> </dependency> <!--mysql begin--> <dependency> <groupId>mysql</groupId> <artifactId>mysql-connector-java</artifactId> <scope>runtime</scope> </dependency> <!-- spring security --> <dependency> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-starter-security</artifactId> </dependency>
2,application.properties
#error server.error.include-stacktrace=always #error logging.level.org.springframework.web=trace # 数据源基本配置 spring.datasource.username = root spring.datasource.password = lhddemo spring.datasource.driver-class-name = com.mysql.cj.jdbc.Driver spring.datasource.url = jdbc:mysql://127.0.0.1:3306/store?serverTimezone=UTC spring.datasource.type = com.alibaba.druid.pool.DruidDataSource # Druid数据源配置 spring.datasource.druid.initialSize = 5 spring.datasource.druid.minIdle = 5 spring.datasource.druid.maxActive = 20 spring.datasource.druid.maxWait = 60000 spring.datasource.druid.timeBetweenEvictionRunsMillis = 60000 spring.datasource.druid.minEvictableIdleTimeMillis = 300000 spring.datasource.druid.validationQuery = SELECT 1 FROM DUAL spring.datasource.druid.testWhileIdle = true spring.datasource.druid.testOnBorrow = false spring.datasource.druid.testOnReturn = false spring.datasource.druid.poolPreparedStatements = true # 配置监控统计拦截的filters,去掉后监控界面sql无法统计,'wall'用于防火墙 spring.datasource.druid.filters = stat,wall,log4j2 spring.datasource.druid.maxPoolPreparedStatementPerConnectionSize = 20 spring.datasource.druid.useGlobalDataSourceStat = true spring.datasource.druid.connectionProperties = druid.stat.mergeSql=true;druid.stat.slowSqlMillis=500 #druid sql firewall monitor spring.datasource.druid.filter.wall.enabled=true #druid sql monitor spring.datasource.druid.filter.stat.enabled=true spring.datasource.druid.filter.stat.log-slow-sql=true spring.datasource.druid.filter.stat.slow-sql-millis=10000 spring.datasource.druid.filter.stat.merge-sql=true #druid uri monitor spring.datasource.druid.web-stat-filter.enabled=true spring.datasource.druid.web-stat-filter.url-pattern=/* spring.datasource.druid.web-stat-filter.exclusions=*.js,*.gif,*.jpg,*.bmp,*.png,*.css,*.ico,/druid/* #druid session monitor spring.datasource.druid.web-stat-filter.session-stat-enable=true spring.datasource.druid.web-stat-filter.profile-enable=true #druid spring monitor spring.datasource.druid.aop-patterns=com.druid.* #monintor #druid login user config spring.datasource.druid.stat-view-servlet.enabled=true #使重置功能不起作用 spring.datasource.druid.stat-view-servlet.reset-enable=false #spring.datasource.druid.stat-view-servlet.url-pattern=/abcd/* spring.datasource.druid.stat-view-servlet.login-username=root spring.datasource.druid.stat-view-servlet.login-password=root # IP白名单 (没有配置或者为空,则允许所有访问) spring.datasource.druid.stat-view-servlet.allow = 127.0.0.1,192.168.1.1 # IP黑名单 (存在共同时,deny优先于allow) spring.datasource.druid.stat-view-servlet.deny = 192.168.10.1 #mybatis mybatis.mapper-locations=classpath:/mapper/*Mapper.xml mybatis.type-aliases-package=com.example.demo.mapper mybatis.configuration.log-impl=org.apache.ibatis.logging.stdout.StdOutImpl logging.config = classpath:log4j2.xml
说明:以下是安全配置的重点
#使重置功能不起作用
spring.datasource.druid.stat-view-servlet.reset-enable=false
#配置访问监控view的用户名密码
spring.datasource.druid.stat-view-servlet.login-username=root
spring.datasource.druid.stat-view-servlet.login-password=root
# IP白名单 (没有配置或者为空,则允许所有访问)
spring.datasource.druid.stat-view-servlet.allow = 127.0.0.1,192.168.1.1
# IP黑名单 (存在共同时,deny优先于allow)
spring.datasource.druid.stat-view-servlet.deny = 192.168.10.1
四,java代码说明:
1,SecurityConfig.java
@Configuration @EnableWebSecurity public class SecurityConfig extends WebSecurityConfigurerAdapter { @Override protected void configure(HttpSecurity http) throws Exception { //针对druid的ui,关闭csrf,否则会无法登录 http.csrf().ignoringAntMatchers("/druid/**"); //login和logout http.formLogin() .defaultSuccessUrl("/goods/session") .failureUrl("/login-error.html") .permitAll() .and() .logout(); //指定访问druid的role String druidRule = "hasAnyRole('ADMIN','DEV')"; //匹配的页面,符合限制才可访问 http.authorizeRequests() .antMatchers("/druid/**").access(druidRule) .antMatchers("/goods/**").hasAnyRole("ADMIN","DEV","USER"); //剩下的页面,允许访问 http.authorizeRequests().anyRequest().permitAll(); } @Autowired public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception { //添加两个账号用来做测试 auth.inMemoryAuthentication().passwordEncoder(new BCryptPasswordEncoder()) .withUser("lhdadmin") .password(new BCryptPasswordEncoder().encode("123456")) .roles("ADMIN","USER") .and() .withUser("lhduser") .password(new BCryptPasswordEncoder().encode("123456")) .roles("USER"); } }
说明:
http.csrf().ignoringAntMatchers("/druid/**");
针对druid关闭csrf,否则会导致无法登录,其他页面不受影响
antMatchers("/druid/**").access(druidRule)
指定了访问druid监控view的规则
2,GoodsController.java
@Controller @RequestMapping("/goods") public class GoodsController { @Resource private GoodsMapper goodsMapper; //商品详情 参数:商品id @GetMapping("/goodsinfo") @ResponseBody public Goods goodsInfo(@RequestParam(value="goodsid",required = true,defaultValue = "0") Long goodsId) { Goods goods = goodsMapper.selectOneGoods(goodsId); return goods; } //打印当前登录用户的session @GetMapping("/session") @ResponseBody public String session() { HttpSession session = ((ServletRequestAttributes) RequestContextHolder.getRequestAttributes()).getRequest().getSession(); Enumeration e = session.getAttributeNames(); String s = ""; while( e.hasMoreElements()) { String sessionName=(String)e.nextElement(); s += "name="+sessionName+";<br/>"; s += "value="+session.getAttribute(sessionName)+";"; } return s; } }
3,GoodsMapper.java,GoodsMapper.xml,Goods.java等用来演示通过druid访问数据源,不再贴出,
大家可访问github.com查看
五,效果测试
1,使用无权限的用户登录后访问
用lhduser登录
session信息中可以看到授权的角色是:ROLE_USER
访问druid:
因为没有权限,我们看到了报错信息
2,使用有权限的用户登录后访问
用lhdadmin登录,查看session:
查看druid,先用配置的账号root登录
可以正常访问:
3,从未授权的ip访问:注意替换成自己应用所在的ip
http://192.168.3.182:8080/druid
用有权限的账号lhdadmin登录,
返回:
可见既使有权限访问,但如果ip未加入白名单也会报错
六,查看spring boot的版本
. ____ _ __ _ _ /\\ / ___'_ __ _ _(_)_ __ __ _ \ \ \ \ ( ( )\___ | '_ | '_| | '_ \/ _` | \ \ \ \ \\/ ___)| |_)| | | | | || (_| | ) ) ) ) ' |____| .__|_| |_|_| |_\__, | / / / / =========|_|==============|___/=/_/_/_/ :: Spring Boot :: (v2.3.3.RELEASE)