The easiest basic authentication (from here https://github.com/spring-cloud-samples/configserver )
You can add HTTP Basic authentication by including an additional dependency on Spring Security (for example, through spring-boot-starter-security). The username is "user", and the password is printed on the console at startup (the standard Spring Boot approach). If you are using Maven ( pom.xml ):
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-security</artifactId>
    </dependency>
If you need custom user / password pairs, you need to specify the following in the server configuration file:
    security:
      basic:
        enabled: false
and add this minimal class to your code ( BasicSecurityConfiguration.java ):
    import org.springframework.beans.factory.annotation.Autowired;
    import org.springframework.beans.factory.annotation.Value;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

    @Configuration
    //@EnableGlobalMethodSecurity(prePostEnabled = true, securedEnabled = true)
    public class BasicSecurityConfiguration extends WebSecurityConfigurerAdapter {

        @Value("#{'${qa.admin.password:admin}'}") //property with default value
        String admin_password;

        @Value("#{'${qa.user.password:user}'}") //property with default value
        String user_password;

        @Autowired
        public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
            auth
                .inMemoryAuthentication()
                .withUser("user").password(user_password).roles("USER")
                .and()
                .withUser("admin").password(admin_password).roles("USER", "ACTUATOR");
        }

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            // Only /encrypt/** and /decrypt/** require authentication here;
            // requests that match no rule are not restricted by this configuration.
            http
                .csrf()
                .disable()
                .httpBasic()
                .and()
                .authorizeRequests()
                .antMatchers("/encrypt/**").authenticated()
                .antMatchers("/decrypt/**").authenticated()
                //.antMatchers("/admin/**").hasAuthority("ROLE_ACTUATOR")
                //.antMatchers("/qa/**").permitAll()
            ;
        }
    }
@Value("#{'${qa.admin.password:admin}'}") allows you to define the passwords in a properties configuration file, in environment variables, or on the command line.
For example ( application.yml ):
    server:
      port: 8888

    security:
      basic:
        enabled: false

    qa:
      admin:
        password: adminadmin
      user:
        password: useruser

    management:
      port: 8888
      context-path: /admin

    logging:
      level:
        org.springframework.cloud: 'DEBUG'

    spring:
      cloud:
        config:
          server:
            git:
              ignoreLocalSshSettings: true
              uri: ssh:
This works for me.
Edit: instead of a class, you can set the basic user configuration directly in application.yaml :
    security:
      basic:
        enabled: true
        path: /**
      ignored: /health**,/info**,/metrics**,/trace**
      user:
        name: admin
        password: tupassword
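
A hardened variant of the BasicSecurityConfiguration class above, as an added example that is not part of the original answer or of the configserver sample: every request requires authentication, /admin/** requires the ACTUATOR role, and the passwords have no default values. It assumes the same WebSecurityConfigurerAdapter-based Spring Security API and the qa.admin.password / qa.user.password properties from the answer; the class name HardenedSecurityConfiguration is hypothetical.

```java
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

// Added example (hypothetical class name); use it in place of BasicSecurityConfiguration.
@Configuration
public class HardenedSecurityConfiguration extends WebSecurityConfigurerAdapter {

    // No default value: startup fails if a password property is missing,
    // so the server never runs with a well-known fallback password.
    @Value("${qa.admin.password}")
    String adminPassword;
    @Value("${qa.user.password}")
    String userPassword;

    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        // Hash the configured passwords so the in-memory store holds BCrypt hashes.
        PasswordEncoder encoder = new BCryptPasswordEncoder();
        auth
            .inMemoryAuthentication()
                .passwordEncoder(encoder)
                .withUser("user").password(encoder.encode(userPassword)).roles("USER")
                .and()
                .withUser("admin").password(encoder.encode(adminPassword)).roles("USER", "ACTUATOR");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .csrf().disable() // as in the original class; clients send Basic credentials per request
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
            .and()
            .httpBasic()
            .and()
            .authorizeRequests()
                // management endpoints (context-path /admin in the application.yml above)
                .antMatchers("/admin/**").hasRole("ACTUATOR")
                // everything else, including /encrypt, /decrypt and the served configuration
                .anyRequest().authenticated();
    }
}
```

Supply the two password properties through environment variables or the command line rather than committing them in application.yml.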