Spring Boot 1.3.6: Actuator enables monitoring endpoints by default. How to prevent data leakage
阿新 • Published: 2018-12-17
After adding the dependency
<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-actuator</artifactId>
</dependency>
the log at start-up shows one mapping per actuator endpoint. Note what is in the list: /env and /configprops expose the application's configuration, /dump a thread dump, /trace the most recent HTTP exchanges, /beans and /mappings the internal wiring of the application:
2018-10-24 15:48:59.355 INFO 15657 --- [ main] o.s.b.a.e.mvc.EndpointHandlerMapping : Mapped "{[/env/{name:.*}],methods=[GET],produces=[application/json]}" onto public java.lang.Object org.springframework.boot.actuate.endpoint.mvc.EnvironmentMvcEndpoint.value(java.lang.String)
2018-10-24 15:48:59.355 INFO 15657 --- [ main] o.s.b.a.e.mvc.EndpointHandlerMapping : Mapped "{[/env || /env.json],methods=[GET],produces=[application/json]}" onto public java.lang.Object org.springframework.boot.actuate.endpoint.mvc.EndpointMvcAdapter.invoke()
2018-10-24 15:48:59.356 INFO 15657 --- [ main] o.s.b.a.e.mvc.EndpointHandlerMapping : Mapped "{[/info || /info.json],methods=[GET],produces=[application/json]}" onto public java.lang.Object org.springframework.boot.actuate.endpoint.mvc.EndpointMvcAdapter.invoke()
2018-10-24 15:48:59.356 INFO 15657 --- [ main] o.s.b.a.e.mvc.EndpointHandlerMapping : Mapped "{[/beans || /beans.json],methods=[GET],produces=[application/json]}" onto public java.lang.Object org.springframework.boot.actuate.endpoint.mvc.EndpointMvcAdapter.invoke()
2018-10-24 15:48:59.357 INFO 15657 --- [ main] o.s.b.a.e.mvc.EndpointHandlerMapping : Mapped "{[/health || /health.json],produces=[application/json]}" onto public java.lang.Object org.springframework.boot.actuate.endpoint.mvc.HealthMvcEndpoint.invoke(java.security.Principal)
2018-10-24 15:48:59.357 INFO 15657 --- [ main] o.s.b.a.e.mvc.EndpointHandlerMapping : Mapped "{[/metrics/{name:.*}],methods=[GET],produces=[application/json]}" onto public java.lang.Object org.springframework.boot.actuate.endpoint.mvc.MetricsMvcEndpoint.value(java.lang.String)
2018-10-24 15:48:59.357 INFO 15657 --- [ main] o.s.b.a.e.mvc.EndpointHandlerMapping : Mapped "{[/metrics || /metrics.json],methods=[GET],produces=[application/json]}" onto public java.lang.Object org.springframework.boot.actuate.endpoint.mvc.EndpointMvcAdapter.invoke()
2018-10-24 15:48:59.358 INFO 15657 --- [ main] o.s.b.a.e.mvc.EndpointHandlerMapping : Mapped "{[/dump || /dump.json],methods=[GET],produces=[application/json]}" onto public java.lang.Object org.springframework.boot.actuate.endpoint.mvc.EndpointMvcAdapter.invoke()
2018-10-24 15:48:59.359 INFO 15657 --- [ main] o.s.b.a.e.mvc.EndpointHandlerMapping : Mapped "{[/autoconfig || /autoconfig.json],methods=[GET],produces=[application/json]}" onto public java.lang.Object org.springframework.boot.actuate.endpoint.mvc.EndpointMvcAdapter.invoke()
2018-10-24 15:48:59.359 INFO 15657 --- [ main] o.s.b.a.e.mvc.EndpointHandlerMapping : Mapped "{[/mappings || /mappings.json],methods=[GET],produces=[application/json]}" onto public java.lang.Object org.springframework.boot.actuate.endpoint.mvc.EndpointMvcAdapter.invoke()
2018-10-24 15:48:59.359 INFO 15657 --- [ main] o.s.b.a.e.mvc.EndpointHandlerMapping : Mapped "{[/trace || /trace.json],methods=[GET],produces=[application/json]}" onto public java.lang.Object org.springframework.boot.actuate.endpoint.mvc.EndpointMvcAdapter.invoke()
2018-10-24 15:48:59.360 INFO 15657 --- [ main] o.s.b.a.e.mvc.EndpointHandlerMapping : Mapped "{[/configprops || /configprops.json],methods=[GET],produces=[application/json]}" onto public java.lang.Object org.springframework.boot.actuate.endpoint.mvc.EndpointMvcAdapter.invoke()
Even if the project has no web pages and only provides an API, these endpoints are served by the same embedded container as the API itself. Without URL filtering, anyone who can reach the service can read them with a plain GET request, for example:
http://127.0.0.1:7001/health
{
  "status": "UP",
  "hello": {
    "status": "UP"
  },
  "diskSpace": {
    "status": "UP",
    "total": 116333809664,
    "free": 86622515200,
    "threshold": 10485760
  },
  "db": {
    "status": "UP",
    "database": "Oracle",
    "hello": "Hello"
  }
}
If these URLs are left unfiltered in production, they leak data: /health alone reveals the database vendor and disk layout, and /env, /configprops, /beans and /trace reveal far more. So how are they hidden? Spring Boot 2.0 turns monitoring off through configuration, and Spring Boot 1.x has equivalent properties too: endpoints.enabled=false disables every endpoint, endpoints.env.enabled=false (or endpoints.<name>.enabled=false) disables a single one, management.port=-1 removes them from HTTP entirely, and management.port together with management.address=127.0.0.1 moves them to a loopback-only port. Properties are easy to lose when a profile or an environment variable overrides them, so what follows adds a URL filter as a second layer in code, which makes the monitoring URLs unreachable regardless of configuration.
package com.XXXX.filter;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.core.annotation.Order;
import org.springframework.stereotype.Component;

import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

/**
 * URL filter: only request paths in the allow-list are passed on to the application;
 * every other path, which includes all actuator endpoints, is redirected to /error.
 *
 * @author loongshawn
 * @date 2018/10/23 20:30
 */
@Component        // a Filter bean is registered by Spring Boot for "/*" automatically, so @WebFilter is not needed
@Order(value = 1) // run before any other filter
public class UrlFilter implements Filter {
    private static final Logger logger = LoggerFactory.getLogger(UrlFilter.class);

    private static final Set<String> ALLOWED_PATHS = Collections.unmodifiableSet(new HashSet<>(
            Arrays.asList("/hello", "/product", "/error", "/checkpreload.htm", "/status.taobao")));

    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        logger.info("init-----------filter");
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        // path relative to the context root, with trailing slashes removed
        String path = request.getRequestURI().substring(request.getContextPath().length()).replaceAll("[/]+$", "");
        boolean allowedPath = ALLOWED_PATHS.contains(getUrlPath(path));
        if (allowedPath) {
            // parameterised logging: the client-controlled path is never spliced into the message
            logger.info("{} is an allowed URL, passing it through", path);
            chain.doFilter(req, res);
        } else {
            logger.info("{} is not an allowed URL, redirecting", path);
            // prefix the context path so the redirect works when the app is not deployed at "/"
            response.sendRedirect(request.getContextPath() + "/error");
        }
    }

    /**
     * Stand-in for the original com.autonavi.utils.RegUtil.getUrlPath, which is not available
     * here (assumption: that helper normalised the path in a similar way). It drops matrix
     * parameters such as ";jsessionid=..." so the allow-list is matched on the bare path.
     */
    private static String getUrlPath(String path) {
        int semicolon = path.indexOf(';');
        return semicolon >= 0 ? path.substring(0, semicolon) : path;
    }

    @Override
    public void destroy() {
        logger.info("destroy----------filter");
    }
}
With the URL filter in place only the allow-listed URLs can be reached and every other URL is intercepted; a request for any monitoring URL now ends up at the error page:
Url:http://127.0.0.1:7001/error
Error:None
Status:999
Timestamp:Wed Oct 24 16:28:57 CST 2018
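The filter above works, but a redirect to /error tells a scanner that something was there and forces /error itself onto the allow-list. The following is an added example, not code from the original post, of the same allow-list idea written to fail closed: the decision is a static method with no servlet types, so it can be unit-tested, paths are normalised the same way for every request, anything not on the list gets a bare 404, and only client-originated requests are checked so the container's own error dispatch is not blocked. The package, the class name AllowListFilter and the allow-list entries are assumptions; the request URIs probed in main are constructed for the demonstration.

```java
package com.example.filter; // hypothetical package, not the original post's

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.stereotype.Component;

import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

/**
 * Fail-closed allow-list filter: a request reaches the application only when its normalised
 * path is in ALLOWED_PATHS. Everything else, including every actuator endpoint
 * (/env, /beans, /dump, /trace, ...), receives a plain 404, no redirect.
 */
@Component
@Order(Ordered.HIGHEST_PRECEDENCE) // run before any other filter
public class AllowListFilter implements Filter {
    private static final Logger log = LoggerFactory.getLogger(AllowListFilter.class);

    // Business paths this service exposes (hypothetical; list your own controllers here).
    static final Set<String> ALLOWED_PATHS = Collections.unmodifiableSet(new HashSet<>(
            Arrays.asList("/hello", "/product", "/checkpreload.htm", "/status.taobao")));

    /**
     * Reduces a raw request URI to the form compared against the allow-list.
     * No percent-decoding is done on purpose: an encoded spelling such as /he%6Clth never
     * equals an allow-listed entry, so it is denied, which is the safe direction for an allow-list.
     */
    static String normalise(String requestUri, String contextPath) {
        String path = requestUri.startsWith(contextPath)
                ? requestUri.substring(contextPath.length()) : requestUri;
        int semicolon = path.indexOf(';');       // drop matrix params: /hello;jsessionid=... -> /hello
        if (semicolon >= 0) path = path.substring(0, semicolon);
        path = path.replaceAll("/{2,}", "/");     // collapse //hello to /hello
        path = path.replaceAll("/+$", "");        // drop trailing slashes: /hello/ -> /hello
        return path.isEmpty() ? "/" : path;
    }

    /** The whole access decision, free of servlet types so it can be unit-tested directly. */
    static boolean isAllowed(String requestUri, String contextPath) {
        return ALLOWED_PATHS.contains(normalise(requestUri, contextPath));
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        // Only client-originated requests are checked; the container's own ERROR/FORWARD
        // dispatches (for example to /error after sendError below) are let through.
        if (request.getDispatcherType() != DispatcherType.REQUEST
                || isAllowed(request.getRequestURI(), request.getContextPath())) {
            chain.doFilter(req, res);
            return;
        }
        // Parameterised logging keeps a crafted path from being interpreted as part of the message.
        log.warn("denied {} {} from {}", request.getMethod(), request.getRequestURI(), request.getRemoteAddr());
        response.sendError(HttpServletResponse.SC_NOT_FOUND);
    }

    @Override public void init(FilterConfig filterConfig) { }
    @Override public void destroy() { }

    /** Offline check of the decision logic on constructed request URIs; no server is needed. */
    public static void main(String[] args) {
        String[] probes = {
                "/hello", "/hello/", "//hello", "/hello;jsessionid=abc", "/HELLO",
                "/health", "/health.json", "/env", "/env/HOME", "/dump", "/trace",
                "/..;/env", "/he%6Clth"
        };
        for (String uri : probes) {
            System.out.printf("%-24s %s%n", uri, isAllowed(uri, "") ? "ALLOW" : "DENY");
        }
    }
}
```

Running main shows that only the spellings that normalise to an allow-listed entry pass (trailing slash, doubled slash and matrix-parameter variants of /hello), while the actuator paths, their .json forms, the upper-case and percent-encoded variants and the ;-based traversal attempt are all denied. Because denial is a 404 rather than a redirect, /error no longer needs to be on the list, and the response looks identical to a path that was never mapped.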
For a description of the actuator monitoring endpoints see https://www.jianshu.com/p/cc4b1ce1a913