spring-cloud / spring-cloud-config

External configuration (server and client) for Spring Cloud
Apache License 2.0
1.96k stars 1.29k forks

how to use embedded config-server with security #1078

Closed a561066192 closed 5 years ago

a561066192 commented 6 years ago

Dear spring-cloud team: I use embedded config-server in my config-client, everything works as expected but security. I add spring-boot-starter-security in my pom.xml. And I configure security.user.name, security.user.password and corresponding spring.cloud.config.username, spring.cloud.config.password, but when I start up my project, any endpoint needs me to input username and password. I don't know where I made a mistake, so please help me, thank you~. The following is my bootstrap.properties:

spring.application.name=edu-fin-api
spring.application.index=${random.uuid}
management.security.enabled=false
server.port=8299
spring.cloud.config.server.bootstrap=true
spring.rabbitmq.host=192.168.50.69
spring.rabbitmq.port=5672
security.user.name=user
security.user.password=123

the following is my bootstrap.yml:

encrypt:
  key: key1
spring:
  cloud:
    config:
      server:
        git:
          uri: git@gitmylab.365ime.com:liuxiang/springcloud-config-server.git
          search-paths: /**
          basedir: /data/${spring.application.name}
          clone-on-start: true
        prefix: /ime-config
        encrypt:
          enabled: false
      label: master
      username: user
      password: 123

bingbingll commented 6 years ago

Of course, once security is added, all requests must carry user and password. You can remove security. It seems wrong to see the information you've written.

a561066192 commented 6 years ago

@bingbingll When I separate config-server and config-client, I can use security, and the result is that when I request config-server's endpoint such as /encrypt I need to input username and password, but when I request config-client's endpoint, I don't need to input anything because I had configured username and password in config-client's bootstrap.properties. So what I want to know is how to get the result I mentioned before when I use embedded config-server.

indraneelb1903 commented 6 years ago

I am a little confused. Why would Config Client's endpoint be protected? Can you submit a project which reproduces the issue you are talking about?

a561066192 commented 6 years ago

@indraneelb1903 If it's not protected, everyone can get properties, and use the /decrypt endpoint to decrypt the value. It's not safe.

indraneelb1903 commented 6 years ago

Can you post a minimal verifiable sample which reproduces the issue you are talking about?

bingbingll commented 6 years ago

@a561066192 Look at my sample.

a561066192 commented 6 years ago

@bingbingll I suppose you are Chinese? How can I contact you, so I can communicate with you in Chinese to show this issue?

a561066192 commented 6 years ago

@bingbingll here is a sample . https://github.com/a561066192/embedded-config-server.git

a561066192 commented 6 years ago

@indraneelb1903 here is a sample . https://github.com/a561066192/embedded-config-server.git

indraneelb1903 commented 6 years ago

Thanks , I will try to take a look today.

spencergibb commented 6 years ago

Is this still an issue after looking at the sample?

ghost commented 6 years ago

If you use spring.cloud.config.server.bootstrap=true (which is missing in your bootstrap.yml example) in your config, you do not need Security, because with spring.cloud.config.server.bootstrap=true an embedded config server with no endpoint will start. And attention, don't use @EnableConfigServer in your code, this will switch on the Config Server endpoints.

And Security can be switched off by removing the dependency spring-boot-starter-security. So remove the maven/gradle dependency spring-boot-starter-security. After that you can also remove the obsolete username/password properties.

a561066192 commented 6 years ago

But if I do not use @EnableConfigServer, how can I refresh my config when the application is running?


ghost commented 6 years ago

To update the config, you can restart the application with embedded ConfigServer or use Spring Boot Actuator (dependency springframework.boot:spring-boot-starter-actuator), which needs to be enabled via management.endpoints.web.exposure.include=refresh in the local application.properties. If properties have been changed, with a simple curl localhost:8080/actuator/refresh -d {} -H "Content-Type: application/json" the application can be triggered to reload the config.
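Exposing POST /actuator/refresh lets any caller force a configuration reload, so the split the reporter asked for (application endpoints open, sensitive endpoints authenticated) is worth keeping even without @EnableConfigServer. The following is an added example, not code from this issue or from spring-cloud-config; it assumes Spring Boot 3 / Spring Security 6, the hypothetical package com.example.embeddedconfig and hypothetical property keys app.actuator.user / app.actuator.password.

```java
// Added example, not code from the issue or from spring-cloud-config itself.
// Assumes Spring Boot 3 / Spring Security 6 with spring-boot-starter-security and
// spring-boot-starter-actuator present, spring.cloud.config.server.bootstrap=true,
// no @EnableConfigServer, and management.endpoints.web.exposure.include=refresh.
package com.example.embeddedconfig; // hypothetical package

import org.springframework.beans.factory.annotation.Value;
import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
public class ActuatorSecurityConfig {

    // This chain matches only Actuator endpoints (/actuator/refresh included). Because a
    // SecurityFilterChain bean is defined, Boot's default "secure everything" chain backs
    // off, so the application's own endpoints stay open while Actuator needs Basic auth.
    @Bean
    SecurityFilterChain actuatorChain(HttpSecurity http) throws Exception {
        http.securityMatcher(EndpointRequest.toAnyEndpoint())
            .authorizeHttpRequests(auth -> auth.anyRequest().hasRole("ACTUATOR"))
            // The refresh call is a session-less POST from curl; CSRF tokens would
            // reject it, so CSRF is disabled for this Actuator-only chain.
            .csrf(csrf -> csrf.disable())
            .httpBasic(Customizer.withDefaults());
        return http.build();
    }

    // Credentials come from properties (hypothetical keys app.actuator.user and
    // app.actuator.password) and are stored hashed, never hard-coded in source.
    @Bean
    UserDetailsService actuatorUsers(@Value("${app.actuator.user}") String user,
                                     @Value("${app.actuator.password}") String password) {
        var encoder = PasswordEncoderFactories.createDelegatingPasswordEncoder();
        return new InMemoryUserDetailsManager(
            User.withUsername(user).password(encoder.encode(password)).roles("ACTUATOR").build());
    }
}
```

With this in place the refresh call from the comment above only succeeds with credentials, e.g. curl -u user:password -X POST localhost:8080/actuator/refresh -H "Content-Type: application/json" -d {}; an anonymous call gets 401.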

a561066192 commented 6 years ago

I will try it and thank you very very much!


spencergibb commented 5 years ago

Closing this due to inactivity. Please re-open if there's more to discuss.