How to Secure Spring Cloud Config Server
The very basic "basic authentication" (from here https://github.com/spring-cloud-samples/configserver)
You can add HTTP Basic authentication by including an extra dependency on Spring Security (e.g. via spring-boot-starter-security). The user name is "user" and the password is printed on the console on startup (standard Spring Boot approach). If using maven (pom.xml
):
<dependency> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-starter-security</artifactId></dependency>
If you want custom user/password pairs, you need indicate in server configuration file
security: basic: enabled: false
and add this minimal Class in your code (BasicSecurityConfiguration.java
):
import org.springframework.beans.factory.annotation.Autowired;import org.springframework.beans.factory.annotation.Value;import org.springframework.context.annotation.Configuration;import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;import org.springframework.security.config.annotation.web.builders.HttpSecurity;import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;@Configuration//@EnableGlobalMethodSecurity(prePostEnabled = true, securedEnabled = true)public class BasicSecurityConfiguration extends WebSecurityConfigurerAdapter { @Value("#{'${qa.admin.password:admin}'}") //property with default value String admin_password; @Value("#{'${qa.user.password:user}'}") //property with default value String user_password; @Autowired public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception { auth .inMemoryAuthentication() .withUser("user").password(user_password).roles("USER") .and() .withUser("admin").password(admin_password).roles("USER", "ACTUATOR"); } @Override protected void configure(HttpSecurity http) throws Exception { http .csrf() .disable() .httpBasic() .and() .authorizeRequests() .antMatchers("/encrypt/**").authenticated() .antMatchers("/decrypt/**").authenticated() //.antMatchers("/admin/**").hasAuthority("ROLE_ACTUATOR") //.antMatchers("/qa/**").permitAll() ; }}
@Value("#{'${qa.admin.password:admin}'}") allow passwords to be defined in property configuration file, environment variables or command line.
For example (application.yml
):
server: port: 8888security: basic: enabled: falseqa: admin: password: adminadmin user: password: userusermanagement: port: 8888 context-path: /adminlogging: level: org.springframework.cloud: 'DEBUG'spring: cloud: config: server: git: ignoreLocalSshSettings: true uri: ssh://git@gitlab.server.corp/repo/configuration.git
This works for me.
Edit: Instead of the Class, you can put basic user configuration directly in application.yaml
:
security: basic: enabled: true path: /** ignored: /health**,/info**,/metrics**,/trace** user: name: admin password: tupassword
For Spring Boot 2 the configuration in application.yml are now under spring.security.* (https://docs.spring.io/spring-boot/docs/current/reference/html/appendix-application-properties.html#security-properties)
spring.security: basic: enabled: true path: /** ignored: /health**,/info**,/metrics**,/trace** user: name: admin password: tupassword
Basic authentication configuration that works for me.
Server-side:
Needed depedency: org.springframework.boot:spring-boot-starter-security
bootstrap.yml
server: port: 8888spring: cloud: config: server: git: uri: git@bitbucket.org:someRepo/repoName.git hostKeyAlgorithm: ssh-rsa hostKey: "general hostKey for bitbucket.org" security: user: name: yourUser password: yourPassword
Client-side:
bootstrap.yml
spring: application: name: config profiles: active: dev cloud: config: uri: http://localhost:8888 username: yourUser password: yourPasswordmanagement: security: enabled: false
Sources: Spring doc security feautres, Spring cloud config client security
encrypted text can be placed in bootstrap.yml.
Check -> http://projects.spring.io/spring-cloud/spring-cloud.html#_encryption_and_decryption