Server and client configuration after adding Spring Security to Eureka Server
Straight to the code. The main dependency versions on the Eureka Server side:
<dependency>
    <groupId>org.springframework.cloud</groupId>
    <artifactId>spring-cloud-starter-netflix-eureka-server</artifactId>
    <version>2.2.3.RELEASE</version>
</dependency>
<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-security</artifactId>
    <version>2.3.1.RELEASE</version>
</dependency>
The application.yml configuration on the Eureka Server side
server:
  port: 8761
eureka:
  server:
    # The eviction interval for dead instances is shortened here only for convenient testing; avoid changing it in production
    eviction-interval-timer-in-ms: 3000
  client:
    register-with-eureka: false
    fetch-registry: false
    service-url:
      defaultZone: http://user:pwd123@localhost:8761/eureka/
spring:
  application:
    name: discovery-eureka-auth
  cloud:
    loadbalancer:
      ribbon:
        enabled: false
    inetutils:
      # preferred-networks:
      # - 192.168.0
      ignored-interfaces:
        - VM.*
  security:
    user:
      name: user
      password: pwd123
In current, newer versions of Spring Security the security.basic.enabled property is no longer available; to configure that behaviour, extend WebSecurityConfigurerAdapter and override its configure method:
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                // every request must be authenticated
                .anyRequest().authenticated()
                .and()
                // HTTP Basic, which is what Eureka clients send via user:pwd@ in the service URL
                .httpBasic()
                .and()
                // keep CSRF protection on, but exempt the Eureka registration/heartbeat endpoints
                .csrf().ignoringAntMatchers("/eureka/**");
    }
}
Pulling in the new Spring Security version enables CSRF protection automatically, and by default every request is required to carry a CSRF token. As a result, when a Eureka Client starts and registers with the Eureka Server it is also asked for a CSRF token, but the Eureka Client does not generate one, and there is currently no visible mechanism for making the Eureka Client attach a token by hand.
The Eureka Client therefore fails to register with the Eureka Server, with an exception like the following:
2020-07-10 22:32:43.561 ERROR 21416 --- [tbeatExecutor-0] c.n.d.s.t.d.RedirectingEurekaHttpClient : Request execution error. endpoint=DefaultEndpoint{ serviceUrl='http://user:pwd123@localhost:8761/eureka/}
The fix is, when overriding WebSecurityConfigurerAdapter, to exclude the Eureka-related paths from CSRF checking (the .csrf().ignoringAntMatchers("/eureka/**") in the code above). CSRF could also be disabled outright, but that is not recommended:
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                .anyRequest().authenticated()
                .and()
                .httpBasic()
                .and()
                .csrf().disable(); // disabling CSRF completely is not recommended
    }
}
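As an added example (not code from the original post), the same idea taken one step further for Spring Boot 2.3 / Spring Security 5.3: the /eureka/** registry API gets its own stateless HTTP Basic filter chain, so the CSRF exemption is confined to that path, while the dashboard keeps CSRF protection and form login. The property names eureka.auth.user and eureka.auth.password are assumptions; any names work as long as the client's defaultZone URL uses the same credentials.

```java
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;

@EnableWebSecurity
public class EurekaSecurityConfig {

    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder(); // stored hash, not the plaintext from the YAML
    }

    // Assumed property names; defining this bean replaces the spring.security.user default
    @Bean
    public UserDetailsService userDetailsService(PasswordEncoder encoder,
                                                 @Value("${eureka.auth.user}") String user,
                                                 @Value("${eureka.auth.password}") String password) {
        return new InMemoryUserDetailsManager(
                User.withUsername(user).password(encoder.encode(password)).roles("EUREKA").build());
    }

    // Chain 1: registry API called by Eureka clients and peers. Basic auth, no session,
    // and CSRF off only for this path (equivalent to ignoringAntMatchers("/eureka/**")).
    @Configuration
    @Order(1)
    public static class RegistryApiSecurity extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.antMatcher("/eureka/**")
                    .authorizeRequests().anyRequest().hasRole("EUREKA")
                    .and().httpBasic()
                    .and().sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                    .and().csrf().disable();
        }
    }

    // Chain 2: everything else (dashboard, actuator). Form login, CSRF stays enabled.
    @Configuration
    @Order(2)
    public static class DashboardSecurity extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.authorizeRequests().anyRequest().authenticated().and().formLogin();
        }
    }
}
```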
On the Eureka Client side, only eureka.client.service-url.defaultZone needs to change:
eureka:
  instance:
    # The lease timings are shortened here only for convenient testing; do not change them in production
    lease-expiration-duration-in-seconds: 10
    lease-renewal-interval-in-seconds: 5
    prefer-ip-address: true
  client:
    service-url:
      defaultZone: http://user:pwd123@localhost:8761/eureka/