针对springboot actuator未授权访问漏洞的解决办法

在实际项目开发中可能需要用到actuator健康检测插件来检测程序运行状态,但由于actuator暴露的端口无须登录即可访问,对程序的安全性不大友好,总结了现在网上主流的一些办法,希望遇到这个问题的朋友可以参考

一:直接屏蔽所有端口

通过下面配置文件可以简单粗暴直接屏蔽所有端口,但是可能对需要访问的端口不太友好

management.endpoints.web.exposure.include= "*"
management.endpoints.enabled-by-default= false

二: 通过配置文件设置访问后可访问

在项目目录新建config文件夹,新建下面两个文件

  1. ActuatorFilter
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.util.Base64;
import java.util.Enumeration;

public class ActuatorFilter implements Filter {

    public static final Logger logger = LoggerFactory.getLogger(ActuatorFilter.class);

    public static final String ACTUATOR_SESSION = "ActuatorBasicAuthSession";

    private String userName;

    private String password;

    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        Enumeration enumeration = filterConfig.getInitParameterNames();
        if (enumeration.hasMoreElements()) {
            this.userName = filterConfig.getInitParameter("actuatorUserName");
            this.password = filterConfig.getInitParameter("actuatorPassword");
        }
        logger.info("ActuatorFilter init success");
    }

    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) servletRequest;
        HttpServletResponse response = (HttpServletResponse) servletResponse;
        String path = request.getRequestURI();
        //可以把所有暴露出来的端点路径放在一个集合里面进行判断
        if (path.startsWith("/actuator")) {
            Object actuatorSessionValue = request.getSession().getAttribute(ACTUATOR_SESSION);
            if (actuatorSessionValue == null || !userName.equals(actuatorSessionValue)) {
                String auth = request.getHeader("Authorization");
                if (auth != null && !"".equals(auth)) {
                    //解析认证参数
                    String userAndPass = this.decodeBase64(auth.substring(6));
                    String[] upArr = userAndPass.split(":");
                    if (upArr.length != 2) {
                        this.writeForbiddenCode(response);
                        return;
                    }
                    String iptUser = upArr[0];
                    String iptPass = upArr[1];
                    if (iptUser.equals(this.userName) && iptPass.equals(this.password)) {
                        request.getSession().setAttribute(ACTUATOR_SESSION, this.userName);
                        filterChain.doFilter(request, response);
                        return;
                    }
                    this.writeForbiddenCode(response);
                    return;
                } else {
                    this.writeForbiddenCode(response);
                    return;
                }
            }
        }
        filterChain.doFilter(request, response);
    }

    /**
     * 未认证时返回401认证页面
     *
     * @param httpServletResponse
     * @throws IOException
     */
    private void writeForbiddenCode(HttpServletResponse httpServletResponse) throws IOException {
        httpServletResponse.setStatus(401);
        httpServletResponse.setHeader("WWW-Authenticate", "Basic realm=\"input Actuator Basic userName & password \"");
        httpServletResponse.getWriter().write("没有权限访问当前资源");
    }

    private String decodeBase64(String source) {
        String decodeStr = null;
        if (source != null) {
            try {
                byte[] bytes = Base64.getDecoder().decode(source);
                decodeStr = new String(bytes);
            } catch (Exception var4) {
                this.logger.error(var4.getMessage(), var4);
            }
        }

        return decodeStr;
    }
}

  1. WebMvcConfig
import org.springframework.boot.web.servlet.FilterRegistrationBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;

@Configuration
public class WebMvcConfig implements WebMvcConfigurer {

    @Bean
    public FilterRegistrationBean actuatorFilter () {
        FilterRegistrationBean registrationBean = new FilterRegistrationBean();
        registrationBean.setFilter(new ActuatorFilter());
        registrationBean.setName("actuator");
        registrationBean.addUrlPatterns("/*");
        registrationBean.setOrder(Integer.MAX_VALUE);

        //用户名密码可以配置在配置文件中或者配置中心
        registrationBean.addInitParameter("actuatorUserName", "admin");
        registrationBean.addInitParameter("actuatorPassword", "123456");
        return  registrationBean;
    }
}

加上上面两个文件后重启项目,会在访问相应端口时提供验证界面,输入正确的用户名密码后可以访问相应资源。

你可能感兴趣的:(springboot,spring,boot,java)