Spring Cloud Config Server leaks the Git environment through actuator endpoints



I am setting up a Spring Cloud Config Server. Only a few dependencies and one annotation. The properties are sourced from git. The server has the actuator enabled with the default basic setup. To my surprise, the actuator unexpectedly responds to any (even non-existent) endpoint and reveals the full environment (the git property source), which is also used to store secrets.

pom dependencies:

<parent>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-parent</artifactId>
    <version>2.7.3</version>
    <relativePath /> <!-- lookup parent from repository -->
</parent>
<groupId>cz.leveland</groupId>
<artifactId>actutest</artifactId>
<version>0.0.1-SNAPSHOT</version>
<name>actutest</name>
<description>Actuator test</description>
<properties>
    <java.version>11</java.version>
    <spring-cloud.version>2021.0.3</spring-cloud.version>
</properties>
<dependencies>
    <dependency>
        <groupId>org.springframework.cloud</groupId>
        <artifactId>spring-cloud-config-server</artifactId>
    </dependency>
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-security</artifactId>
    </dependency>
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-actuator</artifactId>
    </dependency>
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-web</artifactId>
    </dependency>
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-test</artifactId>
        <scope>test</scope>
    </dependency>
</dependencies>

application.properties:

server:
  port: 8080
spring:
  application:
    name: CONFIG-SERVER
  cloud:
    config:
      server:
        git:
          uri: https://bitbucket.org/repo-name/actuator-test
          clone-on-start: true
          username: repouser
          password: xxxxxxxxxx
          default-label: master
encrypt:
  keyStore:
    location: classpath:/server2.jks
    password: letmein
    alias: mytestkey
    secret: letmein

management:
  endpoints:
    web:
      exposure:
        include: "health"


Spring application:

import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.cloud.config.server.EnableConfigServer;

@EnableConfigServer
@SpringBootApplication
public class ActutestApplication {
    public static void main(String[] args) {
        SpringApplication.run(ActutestApplication.class, args);
    }
}

application.properties in git contains the encoded password:

spring.datasource.username=admin
spring.datasource.password={cipher}AQA50Mh4...

Now the problem

The server responds to any actuator endpoint, such as /actuator/foo-bar, and always returns the full git property source (example below).

When I remove the @EnableConfigServer annotation, the actuator starts working as expected. So this "feature" must be activated by spring-cloud-config-server.

Server response to /actuator/foo-bar:

{
  "name": "actuator",
  "profiles": [
    "foo-bar"
  ],
  "label": null,
  "version": "da200e047354e889e6503b10cbb9cbbc7e3dbb28",
  "state": null,
  "propertySources": [
    {
      "name": "https://bitbucket.org/repo-name/actuator-test/application.properties",
      "source": {
        "spring.datasource.username": "admin",
        "spring.datasource.password": "secret-password"
      }
    }
  ]
}

Am I doing something wrong, or is this a security vulnerability?

Thanks for your help.

Test project: https://github.com/Klapsa2503/actuator-test

Actuator metrics not working

Changing

management:
  endpoints:
    web:
      exposure:
        include: "health"

to

management:
  endpoints:
    web:
      exposure:
        include: "health,metrics"

so that metrics are exposed, and http://localhost:8080/actuator/metrics works.

Endpoint leaking properties

By default, spring-config exposes the default properties from application.properties in the configuration repository. Spring-config-server has a strict naming convention that you should follow to prevent this from happening. See https://www.baeldung.com/spring-cloud-configuration

Just change application.yml to different properties, and those properties will not be exposed.

I tried to find the code responsible for fetching these configs and the logic behind it, but had no time at all: ConfigDataEnvironment::processAndApply

Latest update
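As an added example (not code from the question, the answer, or the linked test project), a Spring Boot 2.7 / Spring Security 5.7 filter chain that leaves /actuator/health anonymous and requires HTTP Basic credentials for every other request, which covers the config server's /{application}/{profile} routes that a path like /actuator/foo-bar resolves to. The class and bean names are assumptions.

```java
import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
public class ConfigServerSecurity {

    // Assumed class and bean name. With spring-boot-starter-security on the
    // classpath, Boot 2.7 already protects every path with a generated
    // password; this makes the rule explicit so it survives later
    // "permitAll" experiments and keeps only the health probe anonymous.
    @Bean
    public SecurityFilterChain configServerFilterChain(HttpSecurity http) throws Exception {
        http
            // Config clients call the server without a browser session,
            // so CSRF tokens add nothing here.
            .csrf().disable()
            .authorizeHttpRequests(auth -> auth
                // Liveness/readiness probe stays unauthenticated.
                .requestMatchers(EndpointRequest.to("health")).permitAll()
                // Everything else: the remaining actuator endpoints and the
                // config server's /{application}/{profile}[/{label}] routes,
                // which is what /actuator/foo-bar is matched as.
                .anyRequest().authenticated())
            .httpBasic();
        return http.build();
    }
}
```

Credentials come from spring.security.user.name and spring.security.user.password (otherwise Boot logs a generated password at startup); setting spring.cloud.config.server.prefix, for example to /config, additionally moves the config routes out from under /actuator so the two no longer share a path space.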