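Spring Boot Admin is used to manage and monitor Spring Boot applications. It consists of a client and a server.
In a standalone Spring Boot application, the application acts as the client and exchanges data with the server over HTTP; in a Spring Cloud microservice project, the Spring Boot Admin server obtains client data directly through the service registry.
I recently fixed some Spring Boot Admin issues in a project, so I am going through the use of Spring Boot Admin from the beginning and writing this summary.

I. Using Spring Boot Admin with a standalone application

1. Create the server
Create a Spring Boot project.
Add the dependencies:

<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-web</artifactId>
</dependency>
<dependency>
    <groupId>de.codecentric</groupId>
    <artifactId>spring-boot-admin-starter-server</artifactId>
    <version>2.1.1</version>
</dependency>

Add the annotation to the startup class:

@EnableAdminServer // enable monitoring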

2. Create the client
Add the dependency to the client:

<dependency>
    <groupId>de.codecentric</groupId>
    <artifactId>spring-boot-admin-starter-client</artifactId>
    <version>2.1.1</version>
</dependency>

Configuration file:

spring:
  boot:
    admin:
      client:
        url: http://localhost:8090 # server address
management:
  endpoints:
    web:
      exposure:
        include: '*' # expose all endpoints
  endpoint:
    health:
      show-details: ALWAYS

Now start the server and the client and open the server at http://localhost:8090; if the Spring Boot Admin page loads, the setup is working.

3. Securing the server
The following is the server configuration.
Add the dependency:

<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-security</artifactId>
</dependency>

Set the username and password in the configuration file:

spring:
  security:
    user:
      name: "admin"
      password: "admin"
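
Add a configuration class that leaves the login page open and sets the redirect after login:

import de.codecentric.boot.admin.server.config.AdminServerProperties;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler;

@Configuration
public class SecuritySecureConfig extends WebSecurityConfigurerAdapter {
    private final String adminContextPath;

    public SecuritySecureConfig(AdminServerProperties adminServerProperties) {
        this.adminContextPath = adminServerProperties.getContextPath();
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // After login, return to the URL given in the "redirectTo" parameter
        SavedRequestAwareAuthenticationSuccessHandler successHandler = new SavedRequestAwareAuthenticationSuccessHandler();
        successHandler.setTargetUrlParameter("redirectTo");
        http.authorizeRequests()
                // Static assets and the login page are open to everyone
                .antMatchers(adminContextPath + "/assets/**").permitAll()
                .antMatchers(adminContextPath + "/login").permitAll()
                // Everything else requires authentication
                .anyRequest().authenticated()
                .and()
                .formLogin().loginPage(adminContextPath + "/login").successHandler(successHandler).and()
                .logout().logoutUrl(adminContextPath + "/logout").and()
                .httpBasic().and()
                .csrf().disable();
    }
}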
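
Now start the server and access it.
The following is the client configuration.
The client must be configured with the server's username and password; otherwise it cannot connect.

# client configuration
spring:
  boot:
    admin:
      client:
        url: http://localhost:8090
        # server username and password
        username: "admin"
        password: "admin"

Now start the client; it connects to the server normally.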
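
4. Securing the client
Leaving the endpoints that Spring Boot Admin monitors open is insecure, and vulnerability scans will flag them. The solution is to add authentication to the client as well.
The following is the client configuration.
Add the dependency:

<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-security</artifactId>
</dependency>

Set the username and password in the configuration file:

spring:
  # client username and password
  security:
    user:
      name: "admin"
      password: "admin"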

Configure the client to send its username and password to the server:

spring:
  application:
    name: SpringBootAdminClient
  # client username and password
  security:
    user:
      name: "admin"
      password: "admin"
  boot:
    admin:
      client:
        url: http://localhost:8090
        # server username and password
        username: "admin"
        password: "admin"
        # send the client's username and password to the server
        instance:
          metadata:
            user.name: ${spring.security.user.name}
            user.password: ${spring.security.user.password}
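
Add a configuration class that requires authentication for the actuator endpoints and leaves the other URLs open:

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
public class SecuritySecureConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                // this path requires authentication
                .antMatchers("/actuator/**").authenticated()
                // all other paths are open
                .anyRequest().permitAll()
                .and()
                .httpBasic().and()
                .csrf().disable();
    }
}

Now start the client. The server can still retrieve the client's information, but accessing the client's endpoint URLs from a browser requires username and password authentication.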

The complete configuration files for the server and the client are as follows.

Server:

spring:
  application:
    name: SpringBootAdminServer
  # username and password for server authentication
  security:
    user:
      name: "admin"
      password: "admin"
server:
  port: 8090

Client:

spring:
  application:
    name: SpringBootAdminClient
  # username and password for client authentication
  security:
    user:
      name: "admin"
      password: "admin"
  boot:
    admin:
      client:
        url: http://localhost:8090
        # server username and password needed to connect to the server
        username: "admin"
        password: "admin"
        # send the client's username and password to the server
        instance:
          metadata:
            user.name: ${spring.security.user.name}
            user.password: ${spring.security.user.password}
server:
  port: 8091
# expose the monitoring endpoints
management:
  endpoints:
    web:
      exposure:
        include: '*' # expose all endpoints
  endpoint:
    health:
      show-details: ALWAYS
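
II. Using Spring Boot Admin with microservice applications
In microservice applications, Spring Boot Admin can obtain client data directly through the service registry.

1. Using Spring Boot Admin with the Eureka registry
Modify the setup described above.
For example, assume a Eureka registry at http://localhost:9999/eureka/

Server changes
1) Add the Eureka client dependency

<dependency>
    <groupId>org.springframework.cloud</groupId>
    <artifactId>spring-cloud-starter-netflix-eureka-client</artifactId>
</dependency>

2) Enable the Eureka client
Add the annotation to the startup class:

@EnableDiscoveryClient

3) Change the configuration file to use the Eureka registry and send the server's authentication username and password to Eureka, as follows:

spring:
  application:
    name: EurekaAdminServer
  security:
    user:
      name: "admin"
      password: "admin"
server:
  port: 9090
eureka:
  client:
    register-with-eureka: false # the admin server is not registered in Eureka, so it does not monitor itself
    registryFetchIntervalSeconds: 5
    service-url:
      defaultZone: ${EUREKA_SERVICE_URL:http://localhost:9999}/eureka/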

Client changes
1) Add the Eureka client dependency

<dependency>
    <groupId>org.springframework.cloud</groupId>
    <artifactId>spring-cloud-starter-netflix-eureka-client</artifactId>
</dependency>

2) Enable the Eureka client
Add the annotation to the startup class:

@EnableDiscoveryClient

3) Change the configuration file to use the Eureka registry and send the client's authentication username and password to Eureka, as follows:

spring:
  application:
    name: EurekaAdminClient
  # client username and password
  security:
    user:
      name: "admin"
      password: "admin"
server:
  port: 9091
management:
  endpoints:
    web:
      exposure:
        include: '*'
  endpoint:
    health:
      show-details: ALWAYS
eureka:
  client:
    registryFetchIntervalSeconds: 5
    service-url:
      defaultZone: ${EUREKA_SERVICE_URL:http://localhost:9999}/eureka/
  instance:
    # send the username and password for the client's endpoints to Eureka
    metadata-map:
      user.name: ${spring.security.user.name}
      user.password: ${spring.security.user.password}

2. Using Spring Boot Admin with the Nacos registry
To use the Nacos registry, switch to the Nacos dependency:

<dependency>
    <groupId>com.alibaba.cloud</groupId>
    <artifactId>spring-cloud-alibaba-nacos-discovery</artifactId>
</dependency>

Add the enabling annotation to the startup class:

@EnableDiscoveryClient

Change the server configuration file to:

spring:
  application:
    name: NacosAdminServer
  security:
    user:
      name: "admin"
      password: "admin"
  cloud:
    nacos:
      discovery:
        register-enabled: false # the admin server is not registered
        server-addr: 127.0.0.1:8848
        metadata:
          user.name: ${spring.security.user.name}
          user.password: ${spring.security.user.password}
server:
  port: 10090

Change the client configuration file to:

spring:
  application:
    name: NacosAdminClient
  security:
    user:
      name: "admin"
      password: "admin"
  cloud:
    nacos:
      discovery:
        server-addr: 127.0.0.1:8848
        metadata:
          user.name: ${spring.security.user.name}
          user.password: ${spring.security.user.password}
server:
  port: 10091
management:
  endpoints:
    web:
      exposure:
        include: '*'
  endpoint:
    health:
      show-details: ALWAYS