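Table of contents
- I. Vulnerability fix
- 1. Unauthorized access vulnerability
- 2. Solution
- 3. Fix results
- II. Resolving the 403 error
- 2.1. Version compatibility
- 2.2. Versions used in production
- 2.3. yml configuration
- 2.4. pom dependencies
- 2.5. Result screenshots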
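I. Vulnerability fix
1. Unauthorized access vulnerability
Background: a security scan of a government project flagged a Nacos unauthorized access vulnerability.
2. Solution
In nacos/conf/application.properties,
enable Nacos authentication: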
nacos.core.auth.enabled=true
3. Fix results
Adding a user:
http://127.0.0.1:8848/nacos/v1/auth/users/?username=test&password=test
As you can see, user information can be read without any authentication:
http://127.0.0.1:8848/nacos/v1/auth/users/?pageNo=1&pageSize=9
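To re-test this endpoint after setting nacos.core.auth.enabled=true and restarting, the following added example (not part of the original article) sends one GET without credentials and classifies the answer. The "pageItems" field name and the treatment of 401 as "enforced" are assumptions about the response shape; the host and path are the article's local instance.

```python
import json
import sys
import urllib.error
import urllib.request

# Path and query string as used in the article for the user-list request.
USERS_PATH = "/nacos/v1/auth/users/?pageNo=1&pageSize=9"


def classify(status, body):
    """Classify an unauthenticated response from the user-list endpoint."""
    if status in (401, 403):
        return "enforced"          # server refused the anonymous request
    if status == 200:
        try:
            data = json.loads(body)
        except ValueError:
            return "inconclusive"  # 200 but not JSON (e.g. a proxy or login page)
        # Assumption: a successful listing is a JSON object with a "pageItems" array.
        if isinstance(data, dict) and isinstance(data.get("pageItems"), list):
            return "exposed"       # user records returned without credentials
    return "inconclusive"


def probe(base_url, timeout=5.0):
    """Send one GET with no credentials; return (verdict, http_status)."""
    req = urllib.request.Request(base_url.rstrip("/") + USERS_PATH, method="GET")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            status, body = resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:      # 4xx/5xx arrive as exceptions
        status, body = err.code, err.read().decode("utf-8", "replace")
    except (urllib.error.URLError, OSError) as err:
        return "unreachable: %s" % err, None
    return classify(status, body), status


if __name__ == "__main__":
    base = sys.argv[1] if len(sys.argv) > 1 else "http://127.0.0.1:8848"
    verdict, status = probe(base)
    print("%s -> %s (HTTP %s)" % (base, verdict, status))
    # Non-zero exit unless the anonymous request was refused, for use in CI.
    sys.exit(0 if verdict == "enforced" else 1)
```

Run it against your own instance before and after the configuration change; the exit code only becomes 0 once the anonymous request is refused.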
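II. Resolving the 403 error
Symptom: after setting nacos.core.auth.enabled=true and restarting Nacos, authentication does take effect, but the Java application can no longer connect to the Nacos server at startup and reports a 403 error.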
2.1. Version compatibility
First read -> the version notes
2.2. Versions used in production
Spring Cloud Alibaba Version | Spring Cloud Version | Spring Boot Version | Nacos Version |
---|---|---|---|
2.2.7.RELEASE | Spring Cloud Hoxton.SR12 | 2.3.12.RELEASE | 2.0.3 |
2.3. yml configuration
bootstrap.yml
```yaml
# Tomcat
server:
  port: 8080

# Spring
spring:
  application:
    # Application name
    name: ly-gateway
  profiles:
    # Active environment
    active: dev
  cloud:
    nacos:
      discovery:
        # Nacos auth username
        username: nacos
        # Nacos auth password
        password: kwx_!2022@O^
        # Service registry address
        server-addr: 127.0.0.1:8848
      config:
        # Config center address
        server-addr: 127.0.0.1:8848
        # Nacos auth username
        username: nacos
        # Nacos auth password
        password: kwx_!2022@O^
        # Config file format
        file-extension: yml
        # Shared configs
        shared-configs:
          - application-${spring.profiles.active}.${spring.cloud.nacos.config.file-extension}
```
2.4. pom dependencies
```xml
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>

    <groupId>com.gblfy</groupId>
    <artifactId>nacos</artifactId>
    <version>1.0.0</version>

    <parent>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-parent</artifactId>
        <version>2.3.12.RELEASE</version>
        <relativePath/>
    </parent>

    <properties>
        <spring-cloud.version>Hoxton.SR12</spring-cloud.version>
        <spring-cloud-alibaba.version>2.2.7.RELEASE</spring-cloud-alibaba.version>
        <nacos-client.version>2.0.3</nacos-client.version>
    </properties>

    <dependencies>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-web</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-actuator</artifactId>
        </dependency>
        <!-- Service registration and discovery -->
        <dependency>
            <groupId>com.alibaba.cloud</groupId>
            <artifactId>spring-cloud-starter-alibaba-nacos-discovery</artifactId>
            <exclusions>
                <exclusion>
                    <groupId>com.alibaba.nacos</groupId>
                    <artifactId>nacos-client</artifactId>
                </exclusion>
            </exclusions>
        </dependency>
        <!-- Configuration management -->
        <dependency>
            <groupId>com.alibaba.cloud</groupId>
            <artifactId>spring-cloud-starter-alibaba-nacos-config</artifactId>
            <exclusions>
                <exclusion>
                    <groupId>com.alibaba.nacos</groupId>
                    <artifactId>nacos-client</artifactId>
                </exclusion>
            </exclusions>
        </dependency>
        <dependency>
            <groupId>com.alibaba.nacos</groupId>
            <artifactId>nacos-client</artifactId>
            <version>${nacos-client.version}</version>
        </dependency>
    </dependencies>

    <dependencyManagement>
        <dependencies>
            <!-- Spring Cloud microservices -->
            <dependency>
                <groupId>org.springframework.cloud</groupId>
                <artifactId>spring-cloud-dependencies</artifactId>
                <version>${spring-cloud.version}</version>
                <type>pom</type>
                <scope>import</scope>
            </dependency>
            <!-- Spring Cloud Alibaba microservices -->
            <dependency>
                <groupId>com.alibaba.cloud</groupId>
                <artifactId>spring-cloud-alibaba-dependencies</artifactId>
                <version>${spring-cloud-alibaba.version}</version>
                <type>pom</type>
                <scope>import</scope>
            </dependency>
        </dependencies>
    </dependencyManagement>

    <build>
        <plugins>
            <plugin>
                <groupId>org.springframework.boot</groupId>
                <artifactId>spring-boot-maven-plugin</artifactId>
            </plugin>
        </plugins>
    </build>
</project>
```