基础>> spring-registry-server>> 返回
项目作者: lenisha

项目描述 :
SpringBott app with Basic Auth and AppInsights
高级语言: Java
项目地址: git://github.com/lenisha/spring-registry-server.git
创建时间: 2019-08-13T19:27:09Z
项目社区:https://github.com/lenisha/spring-registry-server
开源协议:
下载


Authenticated SpringBoot App with AppInsights

App Service with “AlwaysOn” feature will ping application ROOT every 5 min,
which will cause a lot of “401” failures for application with enabled authentication.

metrics

In our example we use simple Eureka Server SpringBoot application with Basic Auth.
User is set in WebSecurityConfig class and password in App Service Application Settings
in variable EUREKA_PASSWORD.

Unauthenticated Healthcheck endpoint

We need endpoint without authentication enabled to serve as a healthcheck url.
Actuator /actuator/health endpoint is good for this purpose.
To disable authentication only on this url for the application add following to WebSecurityConfig:

  1. @Override
  2. protected void configure(HttpSecurity http) throws Exception {
  3.     http
  4.         .authorizeRequests()
  5.              // Permit health endpoint only for local invocation
  6.             .antMatchers("/actuator/health").hasIpAddress("127.0.0.1")
  7.             // require AUTH for all others 
  8.             .anyRequest().authenticated()
  9.             .and()
  10.         .csrf().ignoringAntMatchers("/eureka/**")
  11.             .and()
  12.         .httpBasic();
  14. }

Point AlwaysOn to custom URL

By default AlwaysOn hits ROOT url of the application, it does not have configuration that could be changed.
401

We could implement a redirect that will happen only for the AlwaysOn User-Agent requests by adding a rule to web.config that redirects only those request that come from localhot ::1 and with required User-Agent:

metrics

Add rule:

  1. <rewrite>
  2.     <rules>
  3.     <rule name="Rewrite AlwaysOn" stopProcessing="true">
  4.         <match url="^$" ></match>
  5.         <conditions>
  6.         <add input="{HTTP_USER_AGENT}" pattern="^AlwaysOn$" ></add>
  7.         <add input="{REMOTE_ADDR}" pattern="::1" ></add>
  8.         </conditions>
  9.         <action type="Rewrite" url="/actuator/health" ></action>
  10.     </rule>
  11.     </rules>
  12. </rewrite>

Point Application Initialization module to custome URL

Once we repointed AlwaysOn the only 401 errors we still see in log are from the application initialization performed by IIS server

metrics

To repoint add following 

  1. <applicationInitialization remapManagedRequestsTo="/hostingstart.html"
  2.                            skipManagedModules="true" >
  3.       <add initializationPage="/actuator/health" ></add>
  4. </applicationInitialization>

While application is being initialized (and java boot app might take a while) the splash screen that app init access is set in remapManagedRequestsTo url. We need this URL to be as fast as possible and preferably just static file not coming from Java application. By default when App Service is created it creates file hostingstart.html under wwwroot and it’s exactly what we could leverage.
Last step is to make sure we have handler that would serve this staticfile as we configured all the urls to be server by java engine. To add static handler add following to web.config:

  1.    <add name="StaticFileStart" path="hostingstart.html" verb="*" modules="StaticFileModule" resourceType="Either" requireAccess="Read" ></add>

It will handle and serve the html file. And now we do not have any 401 errors in the logs and Application Insights.

metrics