I understand that a Spring Cloud Config Server can be protected using a user name and password, which have to be provided by the accessing clients.
How can I prevent the clients from storing this user name and password as clear text in the bootstrap.yml files in the client applications/services?
Spring Cloud Config provides server and client-side support for externalized configuration in a distributed system. With the Config Server you have a central place to manage external properties for applications across all environments.
Spring Cloud Config is Spring's client/server approach for storing and serving distributed configurations across multiple applications and environments. This configuration store is ideally versioned under Git version control and can be modified at application runtime.
The very basic "basic authentication" (from https://github.com/spring-cloud-samples/configserver):
You can add HTTP Basic authentication by including an extra dependency on Spring Security (e.g. via spring-boot-starter-security). The user name is "user" and the password is printed on the console on startup (standard Spring Boot approach). If using Maven (pom.xml):

```xml
<dependency>
  <groupId>org.springframework.boot</groupId>
  <artifactId>spring-boot-starter-security</artifactId>
</dependency>
```
If you want custom user/password pairs, you need to indicate in the server configuration file

```yaml
security:
  basic:
    enabled: false
```

and add this minimal class in your code (BasicSecurityConfiguration.java):

```java
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
//@EnableGlobalMethodSecurity(prePostEnabled = true, securedEnabled = true)
public class BasicSecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Value("#{'${qa.admin.password:admin}'}") // property with default value
    String admin_password;

    @Value("#{'${qa.user.password:user}'}") // property with default value
    String user_password;

    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        // In-memory users. On Spring Security 5 (Spring Boot 2) a plain-text password
        // must be prefixed with "{noop}" or a PasswordEncoder bean must be declared,
        // otherwise startup fails with "There is no PasswordEncoder mapped for the id null".
        auth
            .inMemoryAuthentication()
            .withUser("user").password(user_password).roles("USER")
            .and()
            .withUser("admin").password(admin_password).roles("USER", "ACTUATOR");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .csrf()
                .disable() // the server only serves non-browser clients over Basic auth
            .httpBasic()
            .and()
            .authorizeRequests()
                .antMatchers("/encrypt/**").authenticated()
                .antMatchers("/decrypt/**").authenticated()
                //.antMatchers("/admin/**").hasAuthority("ROLE_ACTUATOR")
                //.antMatchers("/qa/**").permitAll()
            ;
    }
}
```
@Value("#{'${qa.admin.password:admin}'}") allows the passwords to be defined in the property configuration file, in environment variables or on the command line.
For example (application.yml):

```yaml
server:
  port: 8888
security:
  basic:
    enabled: false
qa:
  admin:
    password: adminadmin
  user:
    password: useruser
management:
  port: 8888
  context-path: /admin
logging:
  level:
    org.springframework.cloud: 'DEBUG'
spring:
  cloud:
    config:
      server:
        git:
          ignoreLocalSshSettings: true
          uri: ssh://[email protected]/repo/configuration.git
```
This works for me.
Edit: Instead of the class, you can put the basic user configuration directly in application.yaml:

```yaml
security:
  basic:
    enabled: true
    path: /**
  ignored: /health**,/info**,/metrics**,/trace**
  user:
    name: admin
    password: tupassword
```
For Spring Boot 2 the configuration in application.yml is now under spring.security.* (https://docs.spring.io/spring-boot/docs/current/reference/html/appendix-application-properties.html#security-properties)

```yaml
spring:
  security:
    user:
      name: admin
      password: tupassword
    # security.basic.enabled, security.basic.path and security.ignored were removed in
    # Spring Boot 2 and have no spring.security.* equivalent; the path and ignore rules
    # from the previous snippet have to be expressed in a WebSecurityConfigurerAdapter.
```
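A Spring Boot 2 / Spring Security 5 counterpart of the BasicSecurityConfiguration class above, added here as an example; it is not code from the original answer or from the Spring Cloud samples repository. The property names config.client.password and config.admin.password, the user names "client" and "admin", and the package name are assumptions chosen for the example. It hashes the in-memory passwords with BCrypt (so no {noop} prefix is needed), lets the actuator health and info endpoints through unauthenticated, and reserves /encrypt and /decrypt for the admin user while every other endpoint, including the /{application}/{profile} config endpoints, requires the client role:

```java
package com.example.configserver; // assumed package name

import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;

/**
 * Example (not the answer's own code): Basic-auth protection for a Spring Cloud
 * Config Server on Spring Boot 2 / Spring Security 5.
 */
@Configuration
public class ConfigServerSecurity extends WebSecurityConfigurerAdapter {

    // Assumed property names. No defaults on purpose: the server refuses to start
    // unless the secrets are supplied, e.g. as CONFIG_CLIENT_PASSWORD and
    // CONFIG_ADMIN_PASSWORD environment variables, so nothing ends up in a file.
    @Value("${config.client.password}")
    private String clientPassword;

    @Value("${config.admin.password}")
    private String adminPassword;

    @Bean
    public PasswordEncoder passwordEncoder() {
        // Passwords are hashed at startup; the in-memory store never holds clear text.
        return new BCryptPasswordEncoder();
    }

    @Bean
    @Override
    public UserDetailsService userDetailsService() {
        PasswordEncoder encoder = passwordEncoder();
        return new InMemoryUserDetailsManager(
            User.withUsername("client")
                .password(encoder.encode(clientPassword))
                .roles("CLIENT")
                .build(),
            User.withUsername("admin")
                .password(encoder.encode(adminPassword))
                .roles("CLIENT", "ADMIN")
                .build());
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // Non-browser clients authenticate with a Basic header on every request,
            // so CSRF tokens add nothing and would block POST /encrypt.
            .csrf().disable()
            .httpBasic()
            .and()
            .authorizeRequests()
                // Liveness checks may stay anonymous (Boot 2 actuator lives under /actuator).
                .antMatchers("/actuator/health", "/actuator/info").permitAll()
                // Only operators may turn plain text into {cipher} values and back.
                .antMatchers("/encrypt/**", "/decrypt/**").hasRole("ADMIN")
                // Everything else, including /{application}/{profile}, needs a client login.
                .anyRequest().hasRole("CLIENT");
    }
}
```

On the client side the same idea keeps the credentials out of bootstrap.yml: the Spring Cloud Config client reads them from spring.cloud.config.username and spring.cloud.config.password, and those values can be placeholders such as ${CONFIG_CLIENT_PASSWORD} that Spring resolves from the environment at startup, so the file committed to version control contains no secret.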