alibaba / druid

Produced by the Alibaba Cloud computing platform DataWorks (https://help.aliyun.com/document_detail/137663.html) team; a database connection pool built for monitoring
https://github.com/alibaba/druid/wiki
Apache License 2.0
27.9k stars 8.57k forks

[Security] The monitor account login URL should match the URL configured for the servlet; it is currently fixed at /druid/login.html #2090

Open yjqg6666 opened 6 years ago

yjqg6666 commented 6 years ago

The servlet configuration for viewing druid stat data is as follows:


    <servlet>
        <servlet-name>StatViewServlet</servlet-name>
        <servlet-class>com.alibaba.druid.support.http.StatViewServlet</servlet-class>
        <init-param>
            <param-name>resetEnable</param-name>
            <param-value>true</param-value>
        </init-param>
        <init-param>
            <param-name>sessionStatMaxCount</param-name>
            <param-value>2000</param-value>
        </init-param>
        <init-param>
            <param-name>sessionStatEnable</param-name>
            <param-value>true</param-value>
        </init-param>
        <init-param>
            <param-name>principalSessionName</param-name>
            <param-value>DSUK</param-value>
        </init-param>
        <init-param>
            <param-name>profileEnable</param-name>
            <param-value>true</param-value>
        </init-param>
        <init-param>
            <param-name>loginUsername</param-name>
            <param-value>druidStatUser</param-value>
        </init-param>
        <init-param>
            <param-name>loginPassword</param-name>
            <param-value>Ojib_ob0Quacoig[</param-value>
        </init-param>
    </servlet>
    <servlet-mapping>
        <servlet-name>StatViewServlet</servlet-name>
        <url-pattern>/dstat/viUcujOt/*</url-pattern>
    </servlet-mapping>

The login URL is not /dstat/viUcujOt/login.html but /druid/login.html. As a result, url-pattern can only be configured as /druid/*, which has some impact on security.
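
A deployment-descriptor check for the situation reported above, as an added example that is not part of the original post or of the druid project's code. The function name `audit_stat_view`, the finding labels and the sample descriptor (the issue's fragment wrapped in a `<web-app>` root, trimmed, with a placeholder password) are constructed for illustration; the rule that only `/druid/*` gives a matching login URL is taken from the report.

```python
import xml.etree.ElementTree as ET

STAT_SERVLET = "com.alibaba.druid.support.http.StatViewServlet"
DEFAULT_PATTERN = "/druid/*"  # per the report, the only mapping whose login URL matches

# Constructed sample: the issue's fragment wrapped in <web-app>, trimmed, placeholder password.
SAMPLE_WEB_XML = """<web-app>
  <servlet>
    <servlet-name>StatViewServlet</servlet-name>
    <servlet-class>com.alibaba.druid.support.http.StatViewServlet</servlet-class>
    <init-param><param-name>loginUsername</param-name><param-value>druidStatUser</param-value></init-param>
    <init-param><param-name>loginPassword</param-name><param-value>PLACEHOLDER</param-value></init-param>
  </servlet>
  <servlet-mapping>
    <servlet-name>StatViewServlet</servlet-name>
    <url-pattern>/dstat/viUcujOt/*</url-pattern>
  </servlet-mapping>
</web-app>"""

def _local(tag):
    return tag.rsplit("}", 1)[-1]  # drop an XML namespace prefix such as {http://...}

def _text(elem, name):
    return next(((c.text or "").strip() for c in elem if _local(c.tag) == name), "")

def audit_stat_view(web_xml):
    """Return (servlet-name, finding) tuples for every StatViewServlet mapping."""
    servlets, mappings, findings = {}, {}, []
    for elem in ET.fromstring(web_xml):
        kind = _local(elem.tag)
        if kind == "servlet" and _text(elem, "servlet-class") == STAT_SERVLET:
            servlets[_text(elem, "servlet-name")] = {
                _text(p, "param-name"): _text(p, "param-value")
                for p in elem if _local(p.tag) == "init-param"}
        elif kind == "servlet-mapping":
            mappings.setdefault(_text(elem, "servlet-name"), []).extend(
                (c.text or "").strip() for c in elem if _local(c.tag) == "url-pattern")
    for name, params in servlets.items():
        has_login = bool(params.get("loginUsername") and params.get("loginPassword"))
        if not has_login:
            findings.append((name, "no-login-configured"))
        for pattern in mappings.get(name, []):
            if pattern == DEFAULT_PATTERN:
                findings.append((name, "well-known-path " + pattern))
            elif has_login:
                findings.append((name, "login-url-mismatch " + pattern))
    return findings

if __name__ == "__main__":
    for finding in audit_stat_view(SAMPLE_WEB_XML):
        print(finding)
```
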

rxxy commented 6 years ago

Yes, I ran into the same problem.