Eureka Server: Server-Side and Client-Side Configuration After Adding Spring Security

Posted 岁月已走远


  Straight to the code. These are the main dependency versions on the Eureka Server side:

        <dependency>
            <groupId>org.springframework.cloud</groupId>
            <artifactId>spring-cloud-starter-netflix-eureka-server</artifactId>
            <version>2.2.3.RELEASE</version>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-security</artifactId>
            <version>2.3.1.RELEASE</version>
        </dependency>

  The application.yml configuration on the Eureka Server side:

server:
  port: 8761
eureka:
  server:
    # The eviction interval for invalid instances is changed here only to make testing easier; avoid changing it in production
    eviction-interval-timer-in-ms: 3000
  client:
    register-with-eureka: false
    fetch-registry: false
    service-url:
      defaultZone: http://user:pwd123@localhost:8761/eureka/
spring:
  application:
    name: discovery-eureka-auth
  cloud:
    loadbalancer:
      ribbon:
        enabled: false
    inetutils:
      # preferred-networks:
      #   - 192.168.0
      ignored-interfaces:
        - VM.*
  security:
    user:
      name: user
      password: pwd123

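  In newer versions of Spring Security the security.basic.enabled configuration property is no longer available. To configure the equivalent behaviour, extend WebSecurityConfigurerAdapter and override its configure method: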

import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                .anyRequest().authenticated()
                .and()
                .httpBasic()
                .and()
                .csrf().ignoringAntMatchers("/eureka/**");
    }
}

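  Once the newer Spring Security is added, CSRF protection is switched on automatically, and by default all requests are required to supply a CSRF token. As a result, when the Eureka Client starts and registers itself with the Eureka Server, it is also asked for a CSRF token. The Eureka Client does not generate the token CSRF protection expects, and so far I have not seen any mechanism for making the Eureka Client carry one manually. In the end the Eureka Client fails to register with the Eureka Server, and an exception similar to the following appears: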

2020-07-10 22:32:43.561 ERROR 21416 --- [tbeatExecutor-0] c.n.d.s.t.d.RedirectingEurekaHttpClient  : Request execution error. endpoint=DefaultEndpoint{ serviceUrl='http://user:pwd123@localhost:8761/eureka/}

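  The way to resolve this exception is, when overriding WebSecurityConfigurerAdapter, to make CSRF protection ignore the Eureka-related paths (the .csrf().ignoringAntMatchers("/eureka/**") call in the code above). You can of course disable CSRF protection outright instead, but that is not recommended: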

import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                .anyRequest().authenticated()
                .and()
                .httpBasic()
                .and()
                .csrf().disable(); // Disabling CSRF protection completely is not recommended
    }
}
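
One way to confirm that the CSRF exemption covers only /eureka/** while basic authentication still guards the registry is an integration test like the one below. It is an added example, not code from the original post; it assumes spring-boot-starter-test is on the test classpath and that the class sits under the Eureka Server application's base package, and the /not-eureka path and the DEMO application name are hypothetical.

```java
// Added example (not from the original post); assumes spring-boot-starter-test on the test classpath.
import static org.assertj.core.api.Assertions.assertThat;

import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.boot.test.web.client.TestRestTemplate;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;

@SpringBootTest(webEnvironment = SpringBootTest.WebEnvironment.RANDOM_PORT)
class EurekaSecurityScopeTest {

    @Autowired
    private TestRestTemplate anonymous;

    // Same credentials as spring.security.user.* in the server's application.yml.
    private TestRestTemplate client() {
        return anonymous.withBasicAuth("user", "pwd123");
    }

    @Test
    void registryRejectsRequestsWithoutCredentials() {
        ResponseEntity<String> r = anonymous.getForEntity("/eureka/apps", String.class);
        assertThat(r.getStatusCode()).isEqualTo(HttpStatus.UNAUTHORIZED);
    }

    @Test
    void registryIsReadableWithBasicAuth() {
        ResponseEntity<String> r = client().getForEntity("/eureka/apps", String.class);
        assertThat(r.getStatusCode()).isEqualTo(HttpStatus.OK);
    }

    @Test
    void eurekaPostIsNotBlockedByCsrf() {
        // Deliberately invalid registration body: Eureka may answer with another error status,
        // but the CSRF filter must not be what rejects the request with 403.
        ResponseEntity<String> r = client().postForEntity("/eureka/apps/DEMO", "{}", String.class);
        assertThat(r.getStatusCode()).isNotEqualTo(HttpStatus.FORBIDDEN);
    }

    @Test
    void csrfStillProtectsEverythingOutsideEureka() {
        // "/not-eureka" is a hypothetical path; no CSRF token is sent with this POST.
        ResponseEntity<String> r = client().postForEntity("/not-eureka", "{}", String.class);
        assertThat(r.getStatusCode()).isEqualTo(HttpStatus.FORBIDDEN);
    }
}
```

If the configuration is switched to .csrf().disable(), the last test fails, which makes an accidental loss of CSRF protection visible in the build.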

 

  On the Eureka Client side, it is enough to change eureka.client.service-url.defaultZone:

eureka:
  instance:
    # The lease timings are changed here only to make testing easier; do not change them in production
    lease-expiration-duration-in-seconds: 10
    lease-renewal-interval-in-seconds: 5
    prefer-ip-address: true
  client:
    service-url:
      defaultZone: http://user:pwd123@localhost:8761/eureka/

 
