概述
在实际项目开发中可能需要用到actuator健康检测插件来检测程序运行状态,但由于actuator暴露的端口无须登录即可访问,对程序的安全性不大友好,总结了现在网上主流的一些办法,希望遇到这个问题的朋友可以参考
一:直接屏蔽所有端口
通过下面配置文件可以简单粗暴直接屏蔽所有端口,但是可能对需要访问的端口不太友好
management.endpoints.web.exposure.include= "*"
management.endpoints.enabled-by-default= false
二: 通过配置文件设置访问后可访问
在项目目录新建config文件夹,新建下面两个文件
- ActuatorFilter
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.util.Base64;
import java.util.Enumeration;
public class ActuatorFilter implements Filter {
public static final Logger logger = LoggerFactory.getLogger(ActuatorFilter.class);
public static final String ACTUATOR_SESSION = "ActuatorBasicAuthSession";
private String userName;
private String password;
@Override
public void init(FilterConfig filterConfig) throws ServletException {
Enumeration<String> enumeration = filterConfig.getInitParameterNames();
if (enumeration.hasMoreElements()) {
this.userName = filterConfig.getInitParameter("actuatorUserName");
this.password = filterConfig.getInitParameter("actuatorPassword");
}
logger.info("ActuatorFilter init success");
}
@Override
public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
HttpServletRequest request = (HttpServletRequest) servletRequest;
HttpServletResponse response = (HttpServletResponse) servletResponse;
String path = request.getRequestURI();
//可以把所有暴露出来的端点路径放在一个集合里面进行判断
if (path.startsWith("/actuator")) {
Object actuatorSessionValue = request.getSession().getAttribute(ACTUATOR_SESSION);
if (actuatorSessionValue == null || !userName.equals(actuatorSessionValue)) {
String auth = request.getHeader("Authorization");
if (auth != null && !"".equals(auth)) {
//解析认证参数
String userAndPass = this.decodeBase64(auth.substring(6));
String[] upArr = userAndPass.split(":");
if (upArr.length != 2) {
this.writeForbiddenCode(response);
return;
}
String iptUser = upArr[0];
String iptPass = upArr[1];
if (iptUser.equals(this.userName) && iptPass.equals(this.password)) {
request.getSession().setAttribute(ACTUATOR_SESSION, this.userName);
filterChain.doFilter(request, response);
return;
}
this.writeForbiddenCode(response);
return;
} else {
this.writeForbiddenCode(response);
return;
}
}
}
filterChain.doFilter(request, response);
}
/**
* 未认证时返回401认证页面
*
* @param httpServletResponse
* @throws IOException
*/
private void writeForbiddenCode(HttpServletResponse httpServletResponse) throws IOException {
httpServletResponse.setStatus(401);
httpServletResponse.setHeader("WWW-Authenticate", "Basic realm="input Actuator Basic userName & password "");
httpServletResponse.getWriter().write("没有权限访问当前资源");
}
private String decodeBase64(String source) {
String decodeStr = null;
if (source != null) {
try {
byte[] bytes = Base64.getDecoder().decode(source);
decodeStr = new String(bytes);
} catch (Exception var4) {
this.logger.error(var4.getMessage(), var4);
}
}
return decodeStr;
}
}
- WebMvcConfig
import org.springframework.boot.web.servlet.FilterRegistrationBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;
@Configuration
public class WebMvcConfig implements WebMvcConfigurer {
@Bean
public FilterRegistrationBean actuatorFilter () {
FilterRegistrationBean registrationBean = new FilterRegistrationBean();
registrationBean.setFilter(new ActuatorFilter());
registrationBean.setName("actuator");
registrationBean.addUrlPatterns("/*");
registrationBean.setOrder(Integer.MAX_VALUE);
//用户名密码可以配置在配置文件中或者配置中心
registrationBean.addInitParameter("actuatorUserName", "admin");
registrationBean.addInitParameter("actuatorPassword", "123456");
return registrationBean;
}
}
加上上面两个文件后重启项目,会在访问相应端口时提供验证界面,输入正确的用户名密码后可以访问相应资源。
最后
以上就是糟糕飞机为你收集整理的针对springboot actuator未授权访问漏洞的解决办法的全部内容,希望文章能够帮你解决针对springboot actuator未授权访问漏洞的解决办法所遇到的程序开发问题。
如果觉得靠谱客网站的内容还不错,欢迎将靠谱客网站推荐给程序员好友。
本图文内容来源于网友提供,作为学习参考使用,或来自网络收集整理,版权属于原作者所有。
发表评论 取消回复