1. Overview
In this tutorial, we’re going to learn how to enable all the endpoints in the Spring Boot Actuator. We’ll start with the necessary Maven dependencies. From there, we’ll look at how to control our endpoints via our properties files. We’ll finish up with an overview of how to secure our endpoints.
There have been several changes between Spring Boot 1.x and Spring Boot 2.x in terms of how actuator endpoints are configured. We’ll note these as they come up.
2. Setup
In order to use the actuator, we need to include the spring-boot-starter-actuator in our Maven configuration:
<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-actuator</artifactId>
    <version>2.5.1</version>
</dependency>
Additionally, starting with Spring Boot 2.0, we need to include the web starter if we want our endpoints exposed via HTTP:
<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-web</artifactId>
    <version>2.5.1</version>
</dependency>
3. Enabling and Exposing Endpoints
Starting with Spring Boot 2, we have to enable and expose our endpoints. By default, all endpoints but /shutdown are enabled and only /health and /info are exposed. All endpoints are found at /actuator even if we’ve configured a different root context for our application.
That means that once we’ve added the appropriate starters to our Maven configuration, we can access the /health and /info endpoints at http://localhost:8080/actuator/health and http://localhost:8080/actuator/info.
Because the actuator endpoints are HATEOAS-enabled, we can go to http://localhost:8080/actuator to view a list of available endpoints. We should see /health and /info.
{"_links":{"self":{"href":"http://localhost:8080/actuator","templated":false},
"health":{"href":"http://localhost:8080/actuator/health","templated":false},
"info":{"href":"http://localhost:8080/actuator/info","templated":false}}}
3.1. Exposing All Endpoints
Now, let’s expose all endpoints except /shutdown by modifying our application.properties file:
management.endpoints.web.exposure.include=*
Once we’ve restarted our server and accessed the /actuator endpoint again, we should see the other endpoints available, with the exception of /shutdown:
{"_links":{"self":{"href":"http://localhost:8080/actuator","templated":false},
"beans":{"href":"http://localhost:8080/actuator/beans","templated":false},
"caches":{"href":"http://localhost:8080/actuator/caches","templated":false},
"health":{"href":"http://localhost:8080/actuator/health","templated":false},
"info":{"href":"http://localhost:8080/actuator/info","templated":false},
"conditions":{"href":"http://localhost:8080/actuator/conditions","templated":false},
"configprops":{"href":"http://localhost:8080/actuator/configprops","templated":false},
"env":{"href":"http://localhost:8080/actuator/env","templated":false},
"loggers":{"href":"http://localhost:8080/actuator/loggers","templated":false},
"heapdump":{"href":"http://localhost:8080/actuator/heapdump","templated":false},
"threaddump":{"href":"http://localhost:8080/actuator/threaddump","templated":false},
"metrics":{"href":"http://localhost:8080/actuator/metrics","templated":false},
"scheduledtasks":{"href":"http://localhost:8080/actuator/scheduledtasks","templated":false},
"mappings":{"href":"http://localhost:8080/actuator/mappings","templated":false}}}
3.2. Exposing Specific Endpoints
Some endpoints can expose sensitive data, so let’s learn how to be more fine-grained about which endpoints we expose.
The management.endpoints.web.exposure.include property can also take a comma-separated list of endpoints. So, let’s only expose /beans and /loggers:
management.endpoints.web.exposure.include=beans, loggers
In addition to including certain endpoints with a property, we can also exclude endpoints. Let’s expose all the endpoints except /threaddump:
management.endpoints.web.exposure.include=*
management.endpoints.web.exposure.exclude=threaddump
Both the include and exclude properties take a list of endpoints. The exclude property takes precedence over include.
3.3. Enabling Specific Endpoints
Next, let’s learn how we can get more fine-grained about which endpoints we have enabled.
First, we need to turn off the default that enables all the endpoints:
management.endpoints.enabled-by-default=false
Next, let’s enable and expose only the /health endpoint:
management.endpoint.health.enabled=true
management.endpoints.web.exposure.include=health
With this configuration, we can access only the /health endpoint.
3.4. Enabling Shutdown
Because of its sensitive nature, the /shutdown endpoint is disabled by default.
Let’s enable it now by adding a line to our application.properties file:
management.endpoint.shutdown.enabled=true
Now when we query the /actuator endpoint, we should see it listed. The /shutdown endpoint only accepts POST requests, so let’s shut down our application gracefully:
curl -X POST http://localhost:8080/actuator/shutdown
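The rules from sections 3 to 3.4 can be checked mechanically before a properties file ships. The following audit script is an added example, not code from this tutorial or from Spring Boot; the SENSITIVE set is an assumed review policy, and the parser handles only plain key=value lines.

```python
# Added example (not from the tutorial): effective web exposure of actuator endpoints.
# KNOWN is the endpoint list shown in section 3.1 plus shutdown; SENSITIVE is an
# assumed review policy. Only simple key=value lines are parsed.
KNOWN = ["beans", "caches", "health", "info", "conditions", "configprops", "env",
         "loggers", "heapdump", "threaddump", "metrics", "scheduledtasks",
         "mappings", "shutdown"]
SENSITIVE = {"configprops", "env", "heapdump", "loggers", "shutdown", "threaddump"}
PREFIX = "management.endpoints."

def parse_properties(text):
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith(("#", "!")) and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def _ids(value):
    return {item.strip().lower() for item in value.split(",") if item.strip()}

def is_enabled(props, endpoint):
    # Precedence: per-endpoint flag, then the global default if set explicitly,
    # then the built-in default (everything enabled except shutdown).
    for key in (f"management.endpoint.{endpoint}.enabled", PREFIX + "enabled-by-default"):
        if key in props:
            return props[key].lower() == "true"
    return endpoint != "shutdown"

def exposed_endpoints(text):
    props = parse_properties(text)
    # Default exposure as stated in section 3: only health and info.
    include = _ids(props.get(PREFIX + "web.exposure.include", "health,info"))
    exclude = _ids(props.get(PREFIX + "web.exposure.exclude", ""))
    def listed(ids, endpoint):
        return "*" in ids or endpoint in ids
    # exclude takes precedence over include; a disabled endpoint is never exposed.
    return [e for e in KNOWN
            if is_enabled(props, e) and listed(include, e) and not listed(exclude, e)]

def sensitive_exposed(text):
    return [e for e in exposed_endpoints(text) if e in SENSITIVE]

# Constructed sample: the settings from sections 3.2 and 3.4 combined.
SAMPLE = """\
management.endpoints.web.exposure.include=*
management.endpoints.web.exposure.exclude=threaddump
management.endpoint.shutdown.enabled=true
"""

if __name__ == "__main__":
    print("exposed:", exposed_endpoints(SAMPLE))
    print("review:", sensitive_exposed(SAMPLE))
```

Running it against the constructed sample shows that include=* combined with an enabled /shutdown puts the shutdown endpoint on the web interface, which is the combination to catch in review.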
4. Securing Endpoints
In a real-world application, we’re most likely going to have security on our application. With that in mind, let’s secure our actuator endpoints.
First, let’s add security to our application by adding the security starter Maven dependency:
<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-security</artifactId>
    <version>2.5.1</version>
</dependency>
For the most basic security, that’s all we have to do. Just by adding the security starter, we’ve automatically applied basic authentication to all exposed endpoints except /info and /health.
Now, let’s customize our security to restrict the /actuator endpoints to an ADMIN role.
Let’s start by excluding the default security configuration:
@SpringBootApplication(exclude = {
    SecurityAutoConfiguration.class,
    ManagementWebSecurityAutoConfiguration.class
})
Note that we also exclude ManagementWebSecurityAutoConfiguration.class; this lets us apply our own security configuration to /actuator.
Over in our configuration class, let’s configure a couple of users and roles, so we have an ADMIN role to work with:
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
    // The delegating encoder stores each hash with an {id} prefix naming its algorithm.
    PasswordEncoder encoder = PasswordEncoderFactories.createDelegatingPasswordEncoder();
    // In-memory demo users: "user" has only USER, "admin" has USER and ADMIN.
    auth
      .inMemoryAuthentication()
      .withUser("user")
      .password(encoder.encode("password"))
      .roles("USER")
      .and()
      .withUser("admin")
      .password(encoder.encode("admin"))
      .roles("USER", "ADMIN");
}
Spring Boot provides us with a convenient request matcher to use for our actuator endpoints.
Let’s use it to lock down our /actuator to only the ADMIN role:
http.requestMatcher(EndpointRequest.toAnyEndpoint())
  .authorizeRequests((requests) -> requests.anyRequest().hasRole("ADMIN"));
5. Conclusion
In this tutorial, we learned how Spring Boot configures the actuator by default. After that, we customized which endpoints were enabled, disabled, and exposed in our application.properties file. Because Spring Boot configures the /shutdown endpoint differently by default, we learned how to enable it separately.
After learning the basics, we then learned how to configure actuator security.
As always, the example code is available over on GitHub.