Skip to content

S
spring-boot-admin
Switch branch/tag
Find file
Normal viewHistoryPermalink
security.adoc 2.76 KB
Newer Older
Add a note on securing SBA to the docs
5b9f7217
 
Johannes Edmeier committed
1 2 3 4 5 6 
[[securing-spring-boot-admin]]
== Security ==

=== Securing Spring Boot Admin Server ===

Since there are several approaches on solving authentication and authorization in distributed web applications Spring Boot Admin doesn't ship a default one.
Secure the spring-boot-admin-sample
2a260438
 
Johannes Edmeier committed
7 
If you include the `spring-boot-admin-server-ui-login` in your dependencies it will provide a login page and a logout button.
Add a note on securing SBA to the docs
5b9f7217
 
Johannes Edmeier committed
8
Secure the spring-boot-admin-sample
2a260438
 
Johannes Edmeier committed
9 10 11 12 13 14 15 16 17 18 19 20 21 
A Spring Security configuration could look like this:
[source,java]
----
include::{samples-dir}/spring-boot-admin-sample/src/main/java/de/codecentric/boot/admin/SpringBootAdminApplication.java[tags=configuration-spring-security]
----

For a complete sample look at https://github.com/codecentric/spring-boot-admin/tree/master/spring-boot-admin-samples/spring-boot-admin-sample/[spring-boot-admin-sample].

NOTE: If you protect the `/api/applications` endpoint don't forget to configure the username and password on your SBA-Client using `spring.boot.admin.username` and `spring.boot.admin.password`.

TIP: There are more samples (e.g. using OAuth2) in https://github.com/joshiste/spring-boot-admin-samples[joshiste/spring-boot-admin-samples^].

=== Securing Client Actuator Endpoints ===
Add a note on securing SBA to the docs
5b9f7217
 
Johannes Edmeier committed
22
Add option to submit credentials when registering
38a5cb25
 
Johannes Edmeier committed
23 
When the actuator endpoints are secured using HTTP Basic authentication the SBA Server needs credentials to access them. You can submit the credentials in the metadata when registering the application. The `BasicAuthHttpHeaderProvider` then uses this metadata to add the `Authorization` header to access your application's actuator endpoints. You can provide your own `HttpHeadersProvider` to alter the behaviour (e.g. add some decryption) or add extra headers.
Add a note on securing SBA to the docs
5b9f7217
 
Johannes Edmeier committed
24
Add option to submit credentials when registering
38a5cb25
 
Johannes Edmeier committed
25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 
Submitting the credentials using SBA Client:
[source,yaml]
.application.yml
----
spring.boot.admin:
  url: http://localhost:8080
  client:
    metadata:
      user.name: ${security.user.name}
      user.password: ${security.user.password}
----

Submitting the credentials using Eureka:
[source,yaml]
.application.yml
----
eureka:
  instance:
    metadata-map:
      user.name: ${security.user.name}
      user.password: ${security.user.password}
----

NOTE: The SBA Server masks certain metadata in the HTTP interface to prevent leaking of sensitive information.

WARNING: You should configure HTTPS for your SBA Server or (service registry) when submitting credentials via the metadata.

WARNING: When using Spring Cloud Discovery, you must be aware that anybody who can query your service registry can obtain the credentials.

TIP: When using this approach the SBA Server decides whether or not the user can access the registered applications. There are more complex solutions possible (using OAuth2) to let the clients decide if the user can access the endpoints. For that please have a look at the samples in https://github.com/joshiste/spring-boot-admin-samples[joshiste/spring-boot-admin-samples^].