16.3.1 Enabling login in the Admin server
It’s probably a good idea to add security to the Admin server because it’s not secured by default. Because the Admin server is a Spring Boot application, you can secure it using Spring Security just like you would any other Spring Boot application. And just as you would with any application secured by Spring Security, you’re free to decide which security scheme fits your needs best.
At a minimum, you can add the Spring Boot security starter to the Admin server’s build by checking the Security checkbox in the Initializr or by adding the following <dependency> to the project’s pom.xml file:
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
</dependency>Then, so that you don’t have to keep looking at the Admin server’s logs for the randomly generated password, you can configure a simple administrative username and password in application.yml like so:
spring:
security:
user:
name: admin
password: 53cr3tNow when the Admin server is loaded in the browser, you’ll be prompted for a username and password with Spring Security’s default login form. As in the code snippet, entering admin and 53cr3t will get you in.
By default, Spring Security will enable CSRF on the Spring Boot Admin server, which will prevent client applications from registering with the Admin Server. Therefore, we will need a small bit of security configuration to disable CSRF, as shown here:
package tacos.admin;
import org.springframework.context.annotation.Bean;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.web.server.SecurityWebFilterChain;
@EnableWebFluxSecurity
public class SecurityConfig {
@Bean
public SecurityWebFilterChain filterChain(ServerHttpSecurity http) throws Exception {
return http
.csrf()
.disable()
.build();
}
}Of course, this security configuration is extremely basic. I recommend that you consult chapter 5 for ways of configuring Spring Security for a richer security scheme around the Admin server.