SpringBoot-Actuator-加SpringSecurity验证

背景：
系统中自定义了一些EndPoint来做系统的监控，打成jar包的时候，运行的非常完美，但是打成war包放到tomcat以后发现，management.address和management.port参数无效了！

转载请注明出处：http://blog.csdn.net/goldenfish1919/article/details/78130516

这个倒是也能理解，因为war包以后，端口是由tomcat容器来定义的，而不是应用来定义。本来是想定义额外的端口，跟应用的端口隔离开，然后利用防火墙把EndPoint的端口保护起来，现在只能想别的办法了！

先看官网怎么说：

You can use Spring properties to change the username and password and to change the security role(s) required to access the endpoints. For example, you might set the following in your 

application.properties

:

security.user.name=admin
security.user.password=secret
management.security.roles=SUPERUSER

If your application has custom security configuration and you want all your actuator endpoints to be accessible without authentication, you need to explicitly configure that in your security configuration. Along with that, you need to change the 

management.security.enabled

 property
to 

false

.

If your custom security configuration secures your actuator endpoints, you also need to ensure that the authenticated user has the roles specified under 

management.security.roles

.

也就是说可以用Spring Security来加验证。

解决办法：

（1）application.properties

management.context-path=/manageActuator
management.security.enabled=false
management.security.roles=SUPERUSER
security.user.name=username
security.user.password=password

不用再配置port和address了。但是仅仅这样还不够，这样访问系统中的所有的接口都会弹出认证的窗口，所以我们还需要：

（2）定制下SpringSecurity：

@Configuration
@EnableWebSecurity
public class ActuatorSecurityConfig extends WebSecurityConfigurerAdapter{
@Autowired
Environment env;
@Override
protected void configure(HttpSecurity http) throws Exception {
String contextPath = env.getProperty("management.context-path");
if(StringUtils.isEmpty(contextPath)) {
contextPath = "";
}http.csrf().disable();
http.authorizeRequests()
.antMatchers("/**"+contextPath+"/**").authenticated()
.anyRequest().permitAll()
.and().httpBasic();
}
}

现在就可以只对EndPoint的访问加验证了。