Spring Boot Actuator configuration security

What is Spring Boot Actuator monitoring? It is comparable to PHP's phpinfo() function, but Actuator is more powerful and exposes far more data and runtime state. Actuator is the monitoring and management feature built into Spring Boot. Through it you can view application configuration details such as the auto-configuration report, the Spring beans that were created, the system environment variables and properties, and details of web requests. Used improperly or carelessly, it can cause serious security problems such as information leakage.

Usage

Add the dependency to pom.xml

<!-- The actuator module gives Spring Boot a set of endpoints for monitoring -->
<dependency>
	<groupId>org.springframework.boot</groupId>
	<artifactId>spring-boot-starter-actuator</artifactId>
</dependency>

Add the dependencies to pom.xml (version with Spring Security)

<dependencies>
    <!-- Also required when the endpoints are called over HTTP -->
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-web</artifactId>
    </dependency>
    <!-- Required -->
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-actuator</artifactId>
    </dependency>
    <!-- Security: to protect the monitoring endpoints that actuator exposes, add the
         spring-boot-starter-security dependency. Accessing a monitoring endpoint then
         requires authentication. -->
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-security</artifactId>
    </dependency>
</dependencies>

application.properties configuration

In addition to defining the data source in the application.properties core configuration file, you need to add the management.security.enabled=false setting.
Without it, requests to the monitoring paths return 401.

#########################################################
###   Actuator Monitor  --   Actuator configuration   ###
#########################################################
management.security.enabled=false

Add the following to Spring Boot's application.yml configuration file

# ============================= actuator Monitor ============================= #
management:
  server:
    port: 1234           # Management port moved to 1234
    address: 127.0.0.1   # Bind only to 127.0.0.1 (loopback access only)
    servlet:
      context-path: /monitor  # Base path of the Actuator endpoints
  endpoint:
    shutdown:
      enabled: true    # Enable the shutdown endpoint
    beans.cache.time-to-live: 10s
    env.enabled: true  # Enable the env endpoint
  endpoints:
    enabled-by-default: true # Whether endpoints are enabled by default; only shutdown is disabled by default
    web:
      # Controls which endpoints are exposed over HTTP. Only health and info are exposed by default
      exposure:
        # include: env   # Mode 1: expose selected endpoints, comma-separated (here only env)
        include: "*"     # Mode 2: expose all endpoints; the quotation marks are required in YAML
        # Endpoints to exclude
        exclude: shutdown

Note: if management.security.enabled=false is not added to the core configuration file, access to some monitoring paths is restricted and a 401 Unauthorized error is returned.
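Rather than disabling security to get rid of the 401, the starter-security dependency added above can be kept active and the endpoints put behind authentication. The following is an added example, not code from the original post; it assumes Spring Boot 2.x with Spring Security 5.x (where the management.security.enabled property no longer exists and WebSecurityConfigurerAdapter is still available), the hypothetical package com.example.monitor, and a user with role ACTUATOR_ADMIN defined in application.properties.

```java
// Added example (not from the original post). Assumes Spring Boot 2.x / Spring
// Security 5.x and a user declared in application.properties, e.g.:
//   spring.security.user.name=monitor
//   spring.security.user.password=<PLACEHOLDER-use-a-real-secret>
//   spring.security.user.roles=ACTUATOR_ADMIN
package com.example.monitor;

import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest;
import org.springframework.boot.actuate.health.HealthEndpoint;
import org.springframework.boot.actuate.info.InfoEndpoint;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
public class ActuatorSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // This filter chain applies only to Actuator endpoints, wherever the
            // management port / base path in application.yml places them.
            .requestMatcher(EndpointRequest.toAnyEndpoint())
            .authorizeRequests(requests -> requests
                // /health and /info carry little sensitive data; leave them open
                // for load balancers and uptime checks.
                .requestMatchers(EndpointRequest.to(HealthEndpoint.class, InfoEndpoint.class))
                    .permitAll()
                // Everything else (env, heapdump, beans, mappings, shutdown, ...)
                // requires an authenticated user holding ROLE_ACTUATOR_ADMIN.
                .anyRequest().hasRole("ACTUATOR_ADMIN"))
            // HTTP Basic is sufficient for an operator-only management port,
            // provided the port is only reachable over TLS or loopback.
            .httpBasic();
    }
}
```

With this in place, unauthenticated requests to /monitor/env or /monitor/heapdump get 401 while /monitor/health and /monitor/info stay reachable, so the 401 described in the note above is the intended behaviour rather than something to switch off.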


Common monitoring endpoints

Method  Route             Description
GET     /autoconfig       Shows how auto-configuration was applied
GET     /conditions       Auto-configuration report: which auto-configuration conditions passed and which failed
GET     /configprops      Shows how configuration properties, including default values, are injected into beans
GET     /beans            Lists all beans in the application context and their relationships
GET     /dump             Prints the thread stacks
GET     /heapdump         Takes a snapshot of the heap
GET     /threaddump       Takes a snapshot of thread activity
GET     /env              Returns all environment properties
GET     /env/{name}       Returns the value of the environment property with the given name
GET     /health           Reports the application's health indicators, supplied by HealthIndicator implementations
GET     /info             Returns custom application information, supplied by properties prefixed with info
GET     /mappings         Lists all URI paths and their mapping to controllers, including Actuator endpoints
GET     /metrics          Reports application metrics such as memory usage and HTTP request counts
GET     /metrics/{name}   Reports the metric with the given name
POST    /shutdown         Shuts down the application; requires endpoints.shutdown.enabled to be set to true
GET     /trace            Returns basic HTTP request trace information (timestamp, HTTP headers, etc.)

After the dependency is added, the following paths can be accessed externally:

# After the above dependency is added, the url that can be accessed by default
http://localhost:8080/actuator
http://localhost:8080/actuator/info
http://localhost:8080/actuator/health

Endpoints that expose sensitive data, which should be checked one by one:

/autoconfig
/conditions
/configprops
/beans
/heapdump
/threaddump
/env
/info
/mappings
/metrics
/trace



Posted on Sun, 12 Apr 2020 19:44:01 -0700 by usacascl