2025-04-06 Update From: SLTechnology News&Howtos (Development)
Shulou (Shulou.com) 06/01 Report
In this article the editor gives a detailed introduction to "Actuator security risks and solutions for Spring Boot application monitoring", with clear steps and attention to the details. I hope it helps resolve your doubts on the subject.
Overview
Microservices, as a newer way of deploying applications and services in the cloud, are a current hot topic. Their defining characteristic is that functional modules are deployed in a distributed fashion, run on different machines and interact through service calls, so a single business flow is processed and handed along by several microservices. Under this architecture, monitoring each microservice becomes especially important.
Actuator is the built-in feature Spring Boot provides for monitoring and managing a running application. Through it you can inspect the application's internals: the auto-configuration report, the Spring beans that were created, system environment variables and configuration properties, and details of recent web requests.
Used carelessly, or simply forgotten about, it can cause serious security problems, information disclosure above all.
Actuator usage
To enable Actuator monitoring, add the spring-boot-starter-actuator dependency:

```xml
<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-actuator</artifactId>
</dependency>
```
The access port, base path and related settings of Actuator are configured in application.yml (the snippet below is YAML; the same keys work in application.properties in dotted form):

```yaml
# access example: http://localhost:9595/monitor
management:
  endpoints:
    web:
      # Actuator base path; replaces the default /actuator
      base-path: /monitor
      # which endpoints are exposed over HTTP; only health and info are exposed by default
      exposure:
        # include: env          # method 1: expose a single endpoint (comma-separate several)
        include: "*"            # method 2: expose all endpoints; the quotes are required in YAML
        exclude: shutdown       # endpoints that stay unexposed even with "*"
  server:
    port: 9595                  # dedicated management port; do not reuse the application port
  endpoint:
    health:
      show-details: always      # show db, redis, rabbitmq connection details and so on
    shutdown:
      enabled: true             # every endpoint except shutdown is enabled by default; enable it explicitly
                                # (while it is listed under exclude above it is still not reachable over HTTP)
```

Run the example and visit /monitor/ to list all endpoints, then /monitor/env to view every environment property of the application, as shown in the figure:
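The two requests just described are exactly what a reviewer (or an attacker) issues first against a Spring Boot service. The script below is an added example, not code from the original article or from Spring Boot: it takes the JSON that GET /monitor and GET /monitor/env return, reports which endpoints from the sensitive group are actually reachable, and flags environment values that look like credentials but were not masked. The masking rule it relies on is Spring Boot 2.x's default sanitizer, which hides values whose key ends in password, secret, key or token (and the password part of keys ending in url/uri/address), so spellings such as DB_PWD or a DSN under any other key name come back in clear text. The sample responses, host names and values are constructed for illustration.

```python
"""Offline audit of Spring Boot Actuator discovery and /env responses (added example)."""
import json
import re
import sys
import urllib.error
import urllib.request
from urllib.parse import urlsplit

# Endpoints that leak configuration or change state (from the endpoint table in the article).
SENSITIVE_ENDPOINTS = {
    "env": "exposes every property source, including environment variables",
    "beans": "lists every Spring bean and its class",
    "configprops": "dumps all @ConfigurationProperties values",
    "mappings": "reveals every request mapping (a map of the attack surface)",
    "httptrace": "replays recent requests, including Cookie/Authorization headers",
    "heapdump": "downloads the JVM heap, which holds secrets in memory",
    "threaddump": "exposes thread stacks and lock state",
    "loggers": "lets a caller change log levels at runtime",
    "sessions": "lets a caller enumerate and delete user sessions",
    "shutdown": "stops the application with a single POST",
}

# Key suffixes the default sanitizer does NOT mask (it masks password/secret/key/token).
UNMASKED_SECRET_KEY = re.compile(r"(pwd|passwd|passphrase)$", re.IGNORECASE)
# Spring Boot writes "******" for masked values and "****" for masked URL passwords.
MASKED = re.compile(r"^\*{4,}$")


def exposed_endpoints(discovery):
    """Sensitive endpoint ids present in the HAL '_links' block of the base-path response."""
    links = discovery.get("_links", {})
    return sorted(eid for eid in links if eid in SENSITIVE_ENDPOINTS)


def url_password(value):
    """Password embedded in a URL's userinfo (user:pass@host), or None if absent or masked."""
    if "://" not in value:
        return None
    # JDBC URLs prefix the real scheme with "jdbc:"; drop it so urlsplit sees the authority.
    parts = urlsplit(value[5:] if value.startswith("jdbc:") else value)
    if parts.password is None or MASKED.match(parts.password):
        return None
    return parts.password


def leaked_env_values(env):
    """(property_source, key, reason) for unmasked values that look like credentials."""
    findings = []
    for source in env.get("propertySources", []):
        for key, entry in source.get("properties", {}).items():
            value = str(entry.get("value", ""))
            if MASKED.match(value):
                continue  # the default sanitizer already hid this one
            if UNMASKED_SECRET_KEY.search(key):
                findings.append((source["name"], key, "secret-like key not masked by the default sanitizer"))
            elif url_password(value) is not None:
                findings.append((source["name"], key, "password embedded in URL userinfo"))
    return findings


def audit(discovery, env):
    """Combine both checks; 'risk' is True when anything was found."""
    endpoints = exposed_endpoints(discovery)
    leaks = leaked_env_values(env)
    return {"exposed": endpoints, "leaks": leaks, "risk": bool(endpoints or leaks)}


# Constructed sample responses, shaped like Spring Boot 2.x Actuator output.
SAMPLE_DISCOVERY = {"_links": {
    "self": {"href": "http://localhost:9595/monitor", "templated": False},
    "health": {"href": "http://localhost:9595/monitor/health", "templated": False},
    "info": {"href": "http://localhost:9595/monitor/info", "templated": False},
    "env": {"href": "http://localhost:9595/monitor/env", "templated": False},
    "env-toMatch": {"href": "http://localhost:9595/monitor/env/{toMatch}", "templated": True},
    "beans": {"href": "http://localhost:9595/monitor/beans", "templated": False},
    "shutdown": {"href": "http://localhost:9595/monitor/shutdown", "templated": False},
}}
SAMPLE_ENV = {"activeProfiles": ["prod"], "propertySources": [
    {"name": "systemEnvironment", "properties": {
        "DB_PASSWORD": {"value": "******"},                                   # masked: ends in PASSWORD
        "DB_PWD": {"value": "hunter2"},                                       # not masked: ends in PWD
        "DATABASE_DSN": {"value": "postgres://app:hunter2@db.internal:5432/orders"},  # userinfo in clear
        "PATH": {"value": "/usr/local/bin:/usr/bin"},
    }},
    {"name": "applicationConfig: [classpath:/application.yml]", "properties": {
        "spring.datasource.url": {"value": "jdbc:postgresql://app:****@db.internal:5432/orders"},
        "management.endpoints.web.exposure.include": {"value": "*"},
    }},
]}


def fetch_json(url):
    """GET a JSON document; a 404 (endpoint not exposed) is treated as an empty document."""
    try:
        with urllib.request.urlopen(url, timeout=5) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        if err.code == 404:
            return {}
        raise


if __name__ == "__main__":
    if len(sys.argv) == 2:  # usage: python actuator_audit.py http://host:9595/monitor
        base = sys.argv[1].rstrip("/")
        result = audit(fetch_json(base), fetch_json(base + "/env"))
    else:
        result = audit(SAMPLE_DISCOVERY, SAMPLE_ENV)
    for eid in result["exposed"]:
        print(f"EXPOSED  {eid:12} {SENSITIVE_ENDPOINTS[eid]}")
    for src, key, why in result["leaks"]:
        print(f"LEAK     {key} ({src}): {why}")
    print("risk" if result["risk"] else "ok")
```

Run without arguments it audits the constructed samples and reports env, beans and shutdown as exposed and DB_PWD and DATABASE_DSN as leaked; pointed at a real base path it performs the same two GETs. A clean result only proves the defaults are intact, not that the data behind the exposed endpoints is harmless.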
Introduction to endpoints
Endpoints are the core of Actuator: they are what you use to monitor and interact with the application. spring-boot-actuator ships with many built-in endpoints (health, info, beans, httptrace, shutdown and so on) and also lets you add your own.
Endpoints fall into two categories, native endpoints and user-defined endpoints. Custom endpoints are the extensibility mechanism: you define the indicators you care about for your own application and monitor them at run time.
Native endpoints are RESTful API interfaces built into the application through which you can observe its internal state at run time. They can be divided into three groups:
Application configuration: static information about the running application, such as the auto-configuration report, the loaded Spring beans, the YAML configuration, environment properties and request mappings.
Metrics: dynamic run-time information such as thread dumps, request connections, health indicators and metrics.
Operation control: essentially shutdown, which lets a caller stop the application itself with a single request.
Actuator provides the following endpoints by default:

| ID | Description | Enabled by default | Exposed by default |
|---|---|---|---|
| auditevents | Exposes audit event information for the current application | Yes | No |
| beans | Displays a complete list of all Spring beans in the application | Yes | No |
| conditions | Shows the conditions evaluated on configuration and auto-configuration classes and why they did or did not match | Yes | No |
| configprops | Displays a collated list of all @ConfigurationProperties | Yes | No |
| env | Exposes properties from Spring's ConfigurableEnvironment | Yes | No |
| flyway | Shows any Flyway database migrations that have been applied | Yes | No |
| health | Shows application health information | Yes | Yes |
| httptrace | Displays HTTP trace information (by default the last 100 request-response exchanges) | Yes | No |
| info | Displays arbitrary application information | Yes | Yes |
| loggers | Shows and modifies the configuration of loggers in the application | Yes | No |
| liquibase | Shows any Liquibase database migrations that have been applied | Yes | No |
| metrics | Shows metrics information for the current application | Yes | No |
| mappings | Displays a collated list of all @RequestMapping paths | Yes | No |
| scheduledtasks | Displays the tasks scheduled in the application | Yes | No |
| sessions | Allows retrieval and deletion of user sessions from a Spring Session-backed session store | Yes | No |
| shutdown | Lets the application be shut down gracefully | No | No |
| threaddump | Performs a thread dump | Yes | No |

Security measures
If these interfaces carry no access restriction at all, the risk is obvious. Spring Boot does provide ways to restrict them. To disable the /env endpoint entirely, for example, set the following (note that enabled: false removes the endpoint altogether, whereas management.endpoints.web.exposure.exclude only keeps it off HTTP):

```yaml
management:
  endpoint:
    env:
      enabled: false
```
Alternatively, add the spring-boot-starter-security dependency:

```xml
<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-security</artifactId>
</dependency>
```
Then configure a user in application.yml. Every Actuator request now brings up an HTTP Basic login prompt and is only served after the configured username and password are verified. The literal password below is for the demo only; in a real deployment supply it from an environment variable or a secret store rather than committing it to the repository.

```yaml
spring:
  security:
    user:
      name: jaler
      password: 123456
```
To require authentication only for Actuator paths and leave the other APIs open, customize Spring Security. The class below matches on the configured base path; Spring Boot also ships EndpointRequest.toAnyEndpoint(), a request matcher that selects the Actuator endpoints regardless of base path or port, which is the more robust choice in newer versions.

```java
package com.jaler.common.common.config;

import org.apache.commons.lang3.StringUtils;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.env.Environment;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

/**
 * Requires HTTP Basic authentication for the Actuator paths only; every other request
 * stays open. Written for Spring Boot 2.x / Spring Security 5, where
 * WebSecurityConfigurerAdapter is still available.
 */
@Configuration
@EnableWebSecurity
public class ActuatorSecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    private Environment env;

    @Override
    protected void configure(HttpSecurity security) throws Exception {
        // Spring Boot's default base path is /actuator when the property is not set;
        // falling back to "" would turn the pattern into "/**/**" and lock down every request.
        String contextPath = env.getProperty("management.endpoints.web.base-path");
        if (StringUtils.isEmpty(contextPath)) {
            contextPath = "/actuator";
        }
        // CSRF is disabled so that POST endpoints such as /shutdown work with Basic auth;
        // this applies to the whole application, so consider csrf().ignoringAntMatchers(...) instead.
        security.csrf().disable();
        security.authorizeRequests()
                // "/**" + "/monitor" + "/**" = "/**/monitor/**": any request whose path contains the base path
                .antMatchers("/**" + contextPath + "/**").authenticated()
                .anyRequest().permitAll()
                .and()
                .httpBasic();
    }
}
```
When you access http://localhost:9595/monitor again, permission verification is required, as shown below:
Security recommendations
1. Expose only the endpoints that carry no sensitive information (health and info are the defaults); list any others explicitly in management.endpoints.web.exposure.include rather than using "*".
2. Turn on security and require authentication: access to the Actuator interface should need a login, and the credentials must not be defaults or weak.
3. Serve Actuator on its own management port (management.server.port) that is not reachable from the external network; binding it to an internal interface with management.server.address adds a second layer.
That concludes this article on Actuator security risks and solutions for Spring Boot application monitoring. To make the material stick, try the configuration above in a project of your own.
© 2024 shulou.com SLNews company. All rights reserved.