001 - Spring Cloud Edgware.SR3 upgrade to the latest Finchley.SR1, Spring Boot 1.5.9.RELEASE upgrade to 2.0.4.RELEASE: points to note

Source: Internet
Author: User
Tags: decrypt, csrf, attack

1. Premise

Before upgrade -> After upgrade

Spring Boot 1.5.x -> Spring Boot 2.0.4.RELEASE

Spring Cloud Edgware.SR3 -> Spring Cloud Finchley.SR1

1.1. Eureka Server

Eureka Server dependency update

Before upgrade:

    <dependency>
        <groupId>org.springframework.cloud</groupId>
        <artifactId>spring-cloud-starter-eureka-server</artifactId>
    </dependency>

After Upgrade:

    <dependency>
        <groupId>org.springframework.cloud</groupId>
        <artifactId>spring-cloud-starter-netflix-eureka-server</artifactId>
    </dependency>

1.2. Eureka Client

Because the configuration center must register itself as a service with the registry, the Eureka client dependency has to be upgraded as well; the other dependencies are unchanged.

Eureka Client dependency update

Before upgrade:

    <dependency>
        <groupId>org.springframework.cloud</groupId>
        <artifactId>spring-cloud-starter-eureka</artifactId>
    </dependency>

After Upgrade:

    <dependency>
        <groupId>org.springframework.cloud</groupId>
        <artifactId>spring-cloud-starter-netflix-eureka-client</artifactId>
    </dependency>

1.3. Spring Cloud

The client instance IP shown in the registry is displayed incorrectly.

This is because the property Spring Cloud uses to obtain the service client's IP address was renamed.

Before upgrade:

    ${spring.cloud.client.ipaddress}

After Upgrade:

    ${spring.cloud.client.ip-address}

1.4. Spring Security

Typically the registry and the configuration center are secured (basic auth plus encrypted configuration values) and rely on the spring-boot-starter-security component; several issues appear after the upgrade.

1.4.1. Cannot log in with the user name and password

This is because the Spring Security property names changed.

Before upgrade:

    security:
      user:
        name:
        password:

After Upgrade:

    spring:
      security:
        user:
          name:
          password:

1.4.2. A secured registry shows no registered instances

Two registries cannot register with each other, and no instance gets registered.

This is because Spring Security enables CSRF protection for all endpoints by default, so CSRF protection must be switched off for the /eureka endpoints.

In the application entry class, add a configuration that ignores the Eureka paths:

    package com.lhx.springcloud.discovery.configuration;

    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

    @EnableWebSecurity
    public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            // Exempt only the Eureka endpoints from CSRF checks; everything else keeps
            // the default protection, and the rest of the default configuration is kept
            http.csrf().ignoringAntMatchers("/eureka/**");
            super.configure(http);
        }
    }

Alternatively, disable CSRF protection entirely:

    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

    @EnableWebSecurity
    public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            // Turns CSRF protection off for every endpoint
            http.csrf().disable();
        }
    }

1.4.3. Configuration center cannot decrypt

After the upgrade, the discovery service that reads from the configuration center can no longer read the configuration or decrypt configuration values, and opening the configuration center URL directly redirects to the login page.

To go back to the basic auth method, looking at the source shows that the auto-configuration is what redirects to the login page, so it is overridden.

Auto-configuration source:
org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter#configure(org.springframework.security.config.annotation.web.builders.HttpSecurity)

    protected void configure(HttpSecurity http) throws Exception {
        logger.debug("Using default configure(HttpSecurity). If subclassed this will potentially override subclass configure(HttpSecurity).");
        http
            .authorizeRequests()
                .anyRequest().authenticated()
                .and()
            .formLogin().and()
            .httpBasic();
    }

After rewriting:

    // Nested static configuration class inside the application class
    @EnableWebSecurity
    static class WebSecurityConfig extends WebSecurityConfigurerAdapter {

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.csrf().ignoringAntMatchers("/**")
                .and()
                .authorizeRequests().anyRequest().authenticated()
                .and()
                .httpBasic();
        }
    }

In effect this removes formLogin() and returns to the previous basic auth method, as shown.

Decryption can now be done with a command such as:

    curl http://xx.xx.xx.xx:7100/decrypt -d secret -u user:password

Once basic auth is restored, the services that previously connected to the configuration center with encrypted values work again.
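As an added example (not code from the original post), one security configuration that covers both 1.4.2 and 1.4.3: it keeps the HTTP Basic behaviour the rewrite above restores, but exempts from CSRF only the endpoints that non-browser clients POST to (the /eureka registration path, and the /encrypt and /decrypt endpoints such as the one the curl command above targets) instead of ignoring "/**". It goes beyond the post by also making sessions stateless; the package name, class name and the /encrypt and /decrypt patterns are assumptions.

```java
package com.example.configserver; // hypothetical package

import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;

// Added example for Spring Boot 2.0.x / Spring Security 5.0.x (not from the original post)
@EnableWebSecurity
public class ConfigServerSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // CSRF protection stays on for browser-facing paths; only the endpoints
            // that machine clients POST to are exempted (patterns are assumptions):
            // Eureka registration plus the encrypt/decrypt endpoints used by curl
            // and by config clients.
            .csrf().ignoringAntMatchers("/eureka/**", "/encrypt/**", "/decrypt/**")
            .and()
            // Every request still has to be authenticated ...
            .authorizeRequests().anyRequest().authenticated()
            .and()
            // ... with HTTP Basic only: no formLogin(), so no redirect to a login page
            // for clients that cannot follow it.
            .httpBasic()
            .and()
            // Machine clients send credentials on every call, so no session cookie is
            // needed; stateless sessions also avoid keeping a session that could be reused.
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
    }
}
```

With this in place the `curl ... -u user:password` call above works against /decrypt without any CSRF token, while other POST endpoints keep their CSRF check.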

1.5. Maven

After upgrading to Spring Boot 2.x, the Spring Boot Maven plugin is not as convenient as before; mainly, the profile can no longer be switched with the old property.

Before upgrade:

    spring-boot:run -Drun.profiles=profile1

After Upgrade:

    spring-boot:run -Dspring-boot.run.profiles=profile1

For details, see:
https://docs.spring.io/spring-boot/docs/current/maven-plugin/run-mojo.html

Gateway replaces Zuul.
