Secure the spring-boot-admin-sample

spring-boot-admin-docs/src/main/asciidoc/getting-started.adoc

@@ -37,9 +37,9 @@ public class SpringBootAdminApplication {
 }
 ----
 
-TIP: If you want to setup the Spring Boot Admin Server via war-deployment in a servlet-container, please have a look at the https://github.com/codecentric/spring-boot-admin/blob/master/spring-boot-admin-samples/spring-boot-admin-sample-war/[spring-boot-admin-sample-war].
+NOTE: If you want to setup the Spring Boot Admin Server via war-deployment in a servlet-container, please have a look at the https://github.com/codecentric/spring-boot-admin/blob/master/spring-boot-admin-samples/spring-boot-admin-sample-war/[spring-boot-admin-sample-war].
 
-See also the https://github.com/codecentric/spring-boot-admin/tree/master/spring-boot-admin-samples/spring-boot-admin-sample/[spring-boot-admin-sample] project.
+See also the https://github.com/codecentric/spring-boot-admin/tree/master/spring-boot-admin-samples/spring-boot-admin-sample/[spring-boot-admin-sample] project, which also adds security.
 
 [[register-client-applications]]
 === Registering client applications ===
@@ -68,7 +68,8 @@ Each application that wants to register has to include the Spring Boot Admin Cli
 [source,yml]
 .application.yml
 ----
-include::{samples-dir}/spring-boot-admin-sample/src/main/resources/application.yml[tags=configuration-sba-client]
+spring.boot.admin.url: http://localhost:8080  #<1>
+managment.security.enabled: false  #<2>
 ----
 <1> The URL of the Spring Boot Admin Server to register at.
 <2> Since Spring Boot 1.5.x all endpoints are secured by default. For the sake of brevity we're disabling the security for now. Have a look at the <<securing-spring-boot-admin,security section>> on how to deal with secured endpoints.

spring-boot-admin-docs/src/main/asciidoc/security.adoc

@@ -4,9 +4,21 @@
 === Securing Spring Boot Admin Server ===
 
 Since there are several approaches on solving authentication and authorization in distributed web applications Spring Boot Admin doesn't ship a default one.
-However you can include Spring Security to your SBA Server and configure it the way you like.
+If you include the `spring-boot-admin-server-ui-login` in your dependencies it will provide a login page and a logout button.
 
-=== Securing Client's Actuator Endpoints ===
+A Spring Security configuration could look like this:
+[source,java]
+----
+include::{samples-dir}/spring-boot-admin-sample/src/main/java/de/codecentric/boot/admin/SpringBootAdminApplication.java[tags=configuration-spring-security]
+----
+
+For a complete sample look at https://github.com/codecentric/spring-boot-admin/tree/master/spring-boot-admin-samples/spring-boot-admin-sample/[spring-boot-admin-sample].
+
+NOTE: If you protect the `/api/applications` endpoint don't forget to configure the username and password on your SBA-Client using `spring.boot.admin.username` and `spring.boot.admin.password`.
+
+TIP: There are more samples (e.g. using OAuth2) in https://github.com/joshiste/spring-boot-admin-samples[joshiste/spring-boot-admin-samples^].
+
+=== Securing Client Actuator Endpoints ===
 
 When the actuator endpoints are secured using HTTP Basic authentication the SBA Server needs credentials to access them. You can submit the credentials in the metadata when registering the application. The `BasicAuthHttpHeaderProvider` then uses this metadata to add the `Authorization` header to access your application's actuator endpoints. You can provide your own `HttpHeadersProvider` to alter the behaviour (e.g. add some decryption) or add extra headers.
 

spring-boot-admin-samples/spring-boot-admin-sample/pom.xml

@@ -19,6 +19,14 @@
         </dependency>
         <dependency>
             <groupId>de.codecentric</groupId>
+            <artifactId>spring-boot-admin-server-ui-login</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>org.springframework.boot</groupId>
+            <artifactId>spring-boot-starter-security</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>de.codecentric</groupId>
             <artifactId>spring-boot-admin-starter-client</artifactId>
         </dependency>
     </dependencies>

spring-boot-admin-samples/spring-boot-admin-sample/src/main/java/de/codecentric/boot/admin/SpringBootAdminApplication.java

@@ -23,6 +23,8 @@ import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.context.annotation.Primary;
 import org.springframework.scheduling.annotation.Scheduled;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
 
 import de.codecentric.boot.admin.config.EnableAdminServer;
 import de.codecentric.boot.admin.notify.LoggingNotifier;
@@ -38,6 +40,33 @@ public class SpringBootAdminApplication {
 		SpringApplication.run(SpringBootAdminApplication.class, args);
 	}
 
+	// tag::configuration-spring-security[]
+	@Configuration
+	public static class SecurityConfig extends WebSecurityConfigurerAdapter {
+		@Override
+		protected void configure(HttpSecurity http) throws Exception {
+			// Page with login form is served as /login.html and does a POST on /login
+			http.formLogin().loginPage("/login.html").loginProcessingUrl("/login").permitAll();
+			// The UI does a POST on /logout on logout
+			http.logout().logoutUrl("/logout");
+			// The ui currently doesn't support csrf
+			http.csrf().disable();
+
+			// Requests for the login page and the static assets are allowed
+			http.authorizeRequests()
+					.antMatchers("/login.html", "/**/*.css", "/img/**", "/third-party/**")
+					.permitAll();
+			// ... and any other request needs to be authorized
+			http.authorizeRequests().antMatchers("/**").authenticated();
+
+			// Enable so that the clients can authenticate via HTTP basic for registering
+			http.httpBasic();
+		}
+	}
+	// end::configuration-spring-security[]
+
+	@Configuration
+	public static class NotifierConfig {
 	@Bean
 	@Primary
 	public RemindingNotifier remindingNotifier() {
@@ -60,4 +89,5 @@ public class SpringBootAdminApplication {
 	public LoggingNotifier loggerNotifier() {
 		return new LoggingNotifier();
 	}
+	}
 }

spring-boot-admin-samples/spring-boot-admin-sample/src/main/resources/application.yml

 info:
-  scm-url: @scm.url@
-  build-url: http://travis-ci.org/@env.TRAVIS_REPO_SLUG@/builds/@env.TRAVIS_BUILD_ID@
+  scm-url: "@scm.url@"
+  build-url: "http://travis-ci.org/@env.TRAVIS_REPO_SLUG@/builds/@env.TRAVIS_BUILD_ID@"
   stage: test
 
 logging:
-  file: target/boot-admin-sample.log
+  file: "target/boot-admin-sample.log"
+
+management:
+  context-path: "/actuator"
 
 spring:
   application:
-    name: @pom.artifactId@
+    name: "@pom.artifactId@"
+  boot:
+    admin:
+      url: http://localhost:8080
+      username: "${security.user.name}"       #These two are needed so that the client
+      password: "${security.user.password}"   #can register at the protected server api
+      client:
+        metadata:
+          user.name: "${security.user.name}"          #These two are needed so that the server
+          user.password:  "${security.user.password}" #can access the proteceted client endpoints
 
-# tag::configuration-sba-client[]
-spring.boot.admin.url: http://localhost:8080  #<1>
+security:
+  user:
+    name: user
+    password: pass
 
-management.security.enabled: false  #<2>
-# end::configuration-sba-client[]
 
-endpoints.health.sensitive: false