From f56ccb0de603346fcf565dbc0bd04e9bf2b25917 Mon Sep 17 00:00:00 2001 From: Dave Syer Date: Fri, 10 Oct 2014 15:06:07 +0000 Subject: [PATCH] Sync docs from master to gh-pages --- spring-cloud.html | 67 +++++++++++++++++++++++++++++++++++++++++++++-- 1 file changed, 65 insertions(+), 2 deletions(-) diff --git a/spring-cloud.html b/spring-cloud.html index 02577bc..b1a9a52 100644 --- a/spring-cloud.html +++ b/spring-cloud.html @@ -425,6 +425,7 @@ body.book #toc,body.book #preamble,body.book h1.sect0,body.book .sect1>h2{page-b
  • Spring Cloud Config Server
  • @@ -726,6 +728,24 @@ server is easily embeddable in a Spring Boot application using the @EnableConfigServer annotation.

    +

    Security

    +
    +

    You are free to secure your Config Server in any way that makes sense +to you (from physical network security to OAuth2 bearer +tokens), and Spring Security and Spring Boot make it easy to do pretty +much anything.

    +
    +
    +

    To use the default Spring Boot configured HTTP Basic security, just +include Spring Security on the classpath (e.g. through +spring-boot-starter-security). The default is a username of "user" +and a randomly generated password, which isn’t going to be very useful +in practice, so we recommend you configure the password (via +security.user.password) and encrypt it (see below for instructions +on how to do that).

    +
    +
    +

    Encryption and Decryption

    @@ -750,7 +770,9 @@ agents). If the remote property sources contain encryted content (values starting with {cipher}) they will be decrypted before sending to clients over HTTP. The main advantage of this set up is that the property values don’t have to be in plain text when they are -"at rest" (e.g. in a git repository).

    +"at rest" (e.g. in a git repository). If a value cannot be decrypted +it is replaced with an empty string, largely to prevent cipher text +being used as a password in Spring Boot autconfigured HTTP basic.

    If you are setting up a remote config repository for config client @@ -1099,6 +1121,47 @@ public class CustomPropertySourceLocator implements PropertySourceLocator { application that includes that jar on its classpath.

    +
    +

    Security

    +
    +

    If you use HTTP Basic security on the server then clients just need to +know the password (and username if it isn’t the default). You can do +that via the config server URI, or via separate username and password +properties, e.g.

    +
    +
    +
    bootstrap.yml
    +
    +
    spring:
    +  cloud:
    +    config:
    +     uri: https://user:secret@myconfig.mycompany.com
    +
    +
    +
    +

    or

    +
    +
    +
    bootstrap.yml
    +
    +
    spring:
    +  cloud:
    +    config:
    +     uri: https://myconfig.mycompany.com
    +     username: user
    +     password: secret
    +
    +
    +
    +

    The spring.cloud.config.password and spring.cloud.config.username +values override anything that is provided in the URI.

    +
    +
    +

    If you use another form of security you might need to provide a +RestTemplate to the ConfigServicePropertySourceLocator (e.g. by +grabbing it in the bootstrap context and injecting one).

    +
    +

    Spring Cloud Netflix

    @@ -1824,7 +1887,7 @@ and puts it in a request header for the downstream requests.