Spring Eureka 未授權(quán)訪問(wèn)漏洞修復(fù)問(wèn)題小結(jié)

更新時(shí)間：2024年04月13日 09:57:40 作者：JustDI-CM

項(xiàng)目組使用的 Spring Boot 比較老,是 1.5.4.RELEASE ,最近被檢測(cè)出 Spring Eureka 未授權(quán)訪問(wèn)漏洞,這篇文章主要介紹了Spring Eureka 未授權(quán)訪問(wèn)漏洞修復(fù)問(wèn)題小結(jié),需要的朋友可以參考下

1. 背景

項(xiàng)目組使用的 Spring Boot 比較老，是 1.5.4.RELEASE 。最近被檢測(cè)出 Spring Eureka 未授權(quán)訪問(wèn)漏洞。

現(xiàn)狀是瀏覽器直接訪問(wèn) Eureka Server 可以直接進(jìn)去，看到已經(jīng)注冊(cè)的服務(wù)信息。

2. 方法

2.1 Eureka Server 添加安全組件

Eureka Server 添加 pom 依賴：

        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-security</artifactId>
        </dependency>

2.2 Eureka Server 添加參數(shù)

spring.application.name:demo-eureka
server.port: 8088
eureka.instance.hostname=localhost
#禁用將自己作為客戶端注冊(cè)，禁用客戶端注冊(cè)行為
eureka.client.register-with-eureka=false
eureka.client.fetch-registry=false
#eureka地址
eureka.client.service-url.defaultZone=http://${spring.security.user.name}:${spring.security.user.password}@${eureka.instance.hostname}:${server.port}/eureka
#eureka.client.service-url.defaultZone=http://${eureka.instance.hostname}:${server.port}/eureka
#關(guān)閉自我保護(hù) --本地開發(fā)環(huán)境可以關(guān)閉，生產(chǎn)環(huán)境
eureka.server.enable-self-preservation = false
#清理節(jié)點(diǎn)時(shí)間
eureka.server.eviction-interval-timer-in-ms = 60000
spring.security.basic.enabled=true
spring.security.user.name=demo
spring.security.user.password=123abcd

2.3 重啟 Eureka Server

重啟 Eureka Server ，然后刷新訪問(wèn)頁(yè)面，顯示登錄框：

輸入配置的用戶名和密碼。

spring.security.user.name=demo
spring.security.user.password=123abcd

然后就報(bào)錯(cuò)了：Reason: Bad credentials。

奇怪，明明是按照配置文件里面輸入的，怎么還會(huì)報(bào)用戶名或密碼錯(cuò)誤呢。

查了一些資料，說(shuō)跟 security 加密方法有關(guān)，整了半天搞不定。

2.4 Eureka Server 升級(jí)版本

實(shí)在沒招了，只能懷疑用的框架版本太低，去重新整一個(gè)，eureka 就用了個(gè)服務(wù)發(fā)現(xiàn)，問(wèn)題不大。

訪問(wèn)：https://start.spring.io/

把項(xiàng)目下載到本地，依賴已經(jīng)加好了：

<dependencies>
		<dependency>
			<groupId>org.springframework.boot</groupId>
			<artifactId>spring-boot-starter-security</artifactId>
		</dependency>
		<dependency>
			<groupId>org.springframework.cloud</groupId>
			<artifactId>spring-cloud-starter-netflix-eureka-server</artifactId>
		</dependency>
		<dependency>
			<groupId>org.springframework.boot</groupId>
			<artifactId>spring-boot-starter-test</artifactId>
			<scope>test</scope>
		</dependency>
		<dependency>
			<groupId>org.springframework.security</groupId>
			<artifactId>spring-security-test</artifactId>
			<scope>test</scope>
		</dependency>
	</dependencies>
	<dependencyManagement>
		<dependencies>
			<dependency>
				<groupId>org.springframework.cloud</groupId>
				<artifactId>spring-cloud-dependencies</artifactId>
				<version>${spring-cloud.version}</version>
				<type>pom</type>
				<scope>import</scope>
			</dependency>
		</dependencies>

在啟動(dòng)類上加上注解：

package com.demo.cloudeurekaserver;
import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.cloud.netflix.eureka.server.EnableEurekaServer;
@EnableEurekaServer
@SpringBootApplication
public class CloudEurekaServerApplication {
	public static void main(String[] args) {
		SpringApplication.run(CloudEurekaServerApplication.class, args);
	}
}

再把 2.2 的參數(shù)加到 properties 文件中（最好換個(gè) server.port），然后 run 啟動(dòng)類，訪問(wèn) eureka ，輸入用戶名和密碼，進(jìn)去了：

2.5 Eureka Client 配置

eureka client 參數(shù)：

eureka.client.enabled=true
eureka.client.eureka-server-port=8089
eureka.client.service-url.defaultZone=http://demo:123abcd@localhost:8089/eureka/

啟動(dòng) eureka client，報(bào)錯(cuò)：

javax.ws.rs.WebApplicationException: null
	at com.netflix.discovery.provider.DiscoveryJerseyProvider.readFrom(DiscoveryJerseyProvider.java:110)
	at com.sun.jersey.api.client.ClientResponse.getEntity(ClientResponse.java:634)
	at com.sun.jersey.api.client.ClientResponse.getEntity(ClientResponse.java:586)
	at com.netflix.discovery.shared.transport.jersey.AbstractJerseyEurekaHttpClient.sendHeartBeat(AbstractJerseyEurekaHttpClient.java:105)
	at com.netflix.discovery.shared.transport.decorator.EurekaHttpClientDecorator$3.execute(EurekaHttpClientDecorator.java:92)
	at com.netflix.discovery.shared.transport.decorator.MetricsCollectingEurekaHttpClient.execute(MetricsCollectingEurekaHttpClient.java:73)
	at com.netflix.discovery.shared.transport.decorator.EurekaHttpClientDecorator.sendHeartBeat(EurekaHttpClientDecorator.java:89)
	at com.netflix.discovery.shared.transport.decorator.EurekaHttpClientDecorator$3.execute(EurekaHttpClientDecorator.java:92)
	at com.netflix.discovery.shared.transport.decorator.RedirectingEurekaHttpClient.executeOnNewServer(RedirectingEurekaHttpClient.java:118)
	at com.netflix.discovery.shared.transport.decorator.RedirectingEurekaHttpClient.execute(RedirectingEurekaHttpClient.java:79)
	at com.netflix.discovery.shared.transport.decorator.EurekaHttpClientDecorator.sendHeartBeat(EurekaHttpClientDecorator.java:89)
	at com.netflix.discovery.shared.transport.decorator.EurekaHttpClientDecorator$3.execute(EurekaHttpClientDecorator.java:92)
	at com.netflix.discovery.shared.transport.decorator.RetryableEurekaHttpClient.execute(RetryableEurekaHttpClient.java:119)
	at com.netflix.discovery.shared.transport.decorator.EurekaHttpClientDecorator.sendHeartBeat(EurekaHttpClientDecorator.java:89)
	at com.netflix.discovery.shared.transport.decorator.EurekaHttpClientDecorator$3.execute(EurekaHttpClientDecorator.java:92)
	at com.netflix.discovery.shared.transport.decorator.SessionedEurekaHttpClient.execute(SessionedEurekaHttpClient.java:77)
	at com.netflix.discovery.shared.transport.decorator.EurekaHttpClientDecorator.sendHeartBeat(EurekaHttpClientDecorator.java:89)
	at com.netflix.discovery.DiscoveryClient.renew(DiscoveryClient.java:824)
	at com.netflix.discovery.DiscoveryClient$HeartbeatThread.run(DiscoveryClient.java:1388)
	at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
	at java.util.concurrent.FutureTask.run(FutureTask.java:266)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
	at java.lang.Thread.run(Thread.java:748)
2023-11-03 14:41:26.339  WARN [test-app-service,,,] 16240 --- [tbeatExecutor-0] c.n.d.s.t.d.RetryableEurekaHttpClient    : Request execution failed with message: null
2023-11-03 14:41:26.339 ERROR [test-app-service,,,] 16240 --- [tbeatExecutor-0] com.netflix.discovery.DiscoveryClient    : DiscoveryClient_TEST-APP-SERVICE/10.136.44.122:test-app-service:60000 - was unable to send heartbeat!
com.netflix.discovery.shared.transport.TransportException: Cannot execute request on any known server
	at com.netflix.discovery.shared.transport.decorator.RetryableEurekaHttpClient.execute(RetryableEurekaHttpClient.java:111)
	at com.netflix.discovery.shared.transport.decorator.EurekaHttpClientDecorator.sendHeartBeat(EurekaHttpClientDecorator.java:89)
	at com.netflix.discovery.shared.transport.decorator.EurekaHttpClientDecorator$3.execute(EurekaHttpClientDecorator.java:92)
	at com.netflix.discovery.shared.transport.decorator.SessionedEurekaHttpClient.execute(SessionedEurekaHttpClient.java:77)
	at com.netflix.discovery.shared.transport.decorator.EurekaHttpClientDecorator.sendHeartBeat(EurekaHttpClientDecorator.java:89)
	at com.netflix.discovery.DiscoveryClient.renew(DiscoveryClient.java:824)
	at com.netflix.discovery.DiscoveryClient$HeartbeatThread.run(DiscoveryClient.java:1388)
	at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
	at java.util.concurrent.FutureTask.run(FutureTask.java:266)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
	at java.lang.Thread.run(Thread.java:748)

刷新 eureka 頁(yè)面，也沒有服務(wù)信息，服務(wù)注冊(cè)失敗了。

這是因?yàn)閺?Spring Boot 2.0 開始，默認(rèn)情況下會(huì)啟用CSRF保護(hù)，以防止CSRF攻擊應(yīng)用程序，導(dǎo)致服務(wù)注冊(cè)失敗。

2.6 Eureka Server 添加代碼

修改 Eureka Server ：

package com.demo.cloudeurekaserver;
import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.cloud.netflix.eureka.server.EnableEurekaServer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
@EnableEurekaServer
@SpringBootApplication
public class CloudEurekaServerApplication {
	public static void main(String[] args) {
		SpringApplication.run(CloudEurekaServerApplication.class, args);
	}
	/**
	 * springboot 從 2.0 開始，默認(rèn)情況下會(huì)啟用CSRF保護(hù)
	 * 需要關(guān)閉
	 */
	@EnableWebSecurity
	static class WebSecurityConfig extends WebSecurityConfigurerAdapter {
		@Override
		protected void configure(HttpSecurity http) throws Exception {
			//方法1：關(guān)閉csrf
//			http.csrf().disable();
			//方法2：忽略/eureka/** 所有請(qǐng)求
			http.csrf().ignoringAntMatchers("/eureka/**");
			super.configure(http);
		}
	}
}

重啟 Eureka Server 和 Eureka Client ，這次沒有報(bào)錯(cuò)，刷新頁(yè)面，重新登錄后，看到注冊(cè)的服務(wù)信息：

2.7 其他問(wèn)題

在 Spring Security 5.7.0-M2 中，WebSecurityConfigurerAdapter 被棄用了，Spring 鼓勵(lì)用戶轉(zhuǎn)向基于組件的安全配置。這意味著，現(xiàn)在應(yīng)該使用基于組件的安全配置來(lái)配置 HttpSecurity，而不是繼承 WebSecurityConfigurerAdapter。這種方式更加靈活，可以更好地支持 Spring Boot 2.x 和 Spring 5.x。

我試了幾個(gè)方法，沒有替換掉，靠你了，耿小姐。

到此這篇關(guān)于Spring Eureka 未授權(quán)訪問(wèn)漏洞修復(fù)問(wèn)題小結(jié)的文章就介紹到這了,更多相關(guān)Spring Eureka 漏洞修復(fù)內(nèi)容請(qǐng)搜索腳本之家以前的文章或繼續(xù)瀏覽下面的相關(guān)文章希望大家以后多多支持腳本之家！

您可能感興趣的文章: