feat: add actuator

app/build.gradle.kts

@@ -38,6 +38,7 @@ dependencies {
     implementation("org.yaml:snakeyaml:2.0")  // 覆盖 Spring Boot 默认的 SnakeYAML 版本，解决 CVE-2022-41854
     implementation("org.jetbrains:annotations:24.0.1") // JetBrain 的注解，如 @NonNull
     implementation("org.springframework.boot:spring-boot-starter-data-jpa")  // ORM 框架
+    implementation("org.springframework.boot:spring-boot-starter-actuator") // 健康检查
     kapt("org.hibernate:hibernate-jpamodelgen:6.4.4.Final") // JPA 元模型生成
     implementation("org.springframework.boot:spring-boot-starter-data-redis")  // Redis 操作
     implementation("org.springframework.boot:spring-boot-starter-cache")  // 缓存

app/src/main/kotlin/com/akagiyui/drive/config/CustomResponseBodyAdvice.kt

@@ -1,6 +1,7 @@
 package com.akagiyui.drive.config
 
 import com.akagiyui.common.ResponseResult
+import org.springframework.boot.actuate.endpoint.OperationResponseBody
 import org.springframework.core.MethodParameter
 import org.springframework.http.MediaType
 import org.springframework.http.ResponseEntity
@@ -26,6 +27,7 @@ class CustomResponseBodyAdvice : ResponseBodyAdvice<Any>, WebMvcConfigurer {
             ResponseEntity::class.java, // 文件
             ByteArray::class.java, // 二进制数据
             ResponseResult::class.java, // 已经包装过的数据
+            OperationResponseBody::class.java, // actuator 监控数据
         )
     }
 
@@ -64,7 +66,9 @@ class CustomResponseBodyAdvice : ResponseBodyAdvice<Any>, WebMvcConfigurer {
         converterType: Class<out HttpMessageConverter<*>>,
     ): Boolean {
         val parameterType = returnType.parameterType
-        return !IGNORE_CLASSES.contains(parameterType)
+        return !IGNORE_CLASSES.any {
+            it.isAssignableFrom(parameterType)
+        }
     }
 
     override fun configureMessageConverters(converters: MutableList<HttpMessageConverter<*>>) {

app/src/main/kotlin/com/akagiyui/drive/config/SecurityConfig.kt

@@ -4,6 +4,7 @@ import com.akagiyui.drive.component.TokenAuthenticationFilter
 import org.springframework.context.annotation.Bean
 import org.springframework.context.annotation.Configuration
 import org.springframework.http.HttpMethod
+import org.springframework.security.authorization.AuthorizationDecision
 import org.springframework.security.config.Customizer
 import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity
 import org.springframework.security.config.annotation.web.builders.HttpSecurity
@@ -14,6 +15,7 @@ import org.springframework.security.web.AuthenticationEntryPoint
 import org.springframework.security.web.SecurityFilterChain
 import org.springframework.security.web.access.AccessDeniedHandler
 import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter
+import org.springframework.security.web.util.matcher.IpAddressMatcher
 import org.springframework.web.cors.CorsConfiguration
 import org.springframework.web.cors.CorsConfigurationSource
 import org.springframework.web.cors.UrlBasedCorsConfigurationSource
@@ -65,12 +67,22 @@ class SecurityConfig(
     @Bean
     @Throws(Exception::class)
     fun filterChain(http: HttpSecurity): SecurityFilterChain {
+        val localhostIpMatchers = arrayOf(
+            IpAddressMatcher("127.0.0.1"),
+            IpAddressMatcher("0:0:0:0:0:0:0:1")
+        )
+
         return http
             .authorizeHttpRequests {
                 it // 允许指定路径通过
                     .requestMatchers(HttpMethod.GET, *permitAllGetMapping).permitAll() // 允许匿名 GET 请求访问
                     .requestMatchers(HttpMethod.POST, *permitAllPostMapping).permitAll() // 允许匿名 POST 请求访问
                     .requestMatchers(HttpMethod.POST, *anonymousPostMapping).anonymous() // 仅允许匿名 POST 访问
+                    .requestMatchers("/actuator/**").access { _, context ->
+                        AuthorizationDecision(localhostIpMatchers.any { matcher ->
+                            matcher.matches(context.request.remoteAddr) // 仅允许本地访问
+                        })
+                    }
                     .anyRequest().authenticated() // 其他请求需要认证
             }
             .csrf { it.disable() } // 关闭 CSRF

app/src/main/resources/application-dev.yaml

@@ -21,6 +21,13 @@ spring:
         format_sql: true
   datasource:
     url: jdbc:mysql://localhost/drive?user=root&password=&useUnicode=true&characterEncoding=utf8&useSSL=true&serverTimezone=GMT%2B8
+management:
+  endpoints:
+    web:
+      exposure:
+        # 相关 actuator 监控器
+        include: "*"
+        exclude: "mail"
 application:
   storage:
     local:

docs/thanks.md

@@ -13,6 +13,7 @@
 - [【DB系列】JPA之update使用姿势](https://spring.hhui.top/spring-blog/2019/06/23/190623-SpringBoot%E7%B3%BB%E5%88%97%E6%95%99%E7%A8%8BJPA%E4%B9%8Bupdate%E4%BD%BF%E7%94%A8%E5%A7%BF%E5%8A%BF/)
 - [Contract，开发者和 Kotlin 编译器之间的契约](https://droidyue.com/blog/2019/08/25/kotlin-contract-between-developers-and-the-compiler/)
 - [GitHub: Improve CVE-2023-34035 detection](https://github.com/spring-projects/spring-security/issues/13568)
+- [GitHub: Unable to Use hasIpAddress() Method After Migrating to authorizeHttpRequests() in Spring Security 6](https://github.com/spring-projects/spring-security/issues/13474)
 - [Stack Overflow: How to intercept a RequestRejectedException in Spring?](https://stackoverflow.com/a/75338927/19990931)
 - [Stack Overflow: Map enum in JPA with fixed values?](https://stackoverflow.com/questions/2751733/map-enum-in-jpa-with-fixed-values)
 - [Stack Overflow: Are many-to-many relationships possible with enums in JPA or Hibernate?](https://stackoverflow.com/questions/39870914/are-many-to-many-relationships-possible-with-enums-in-jpa-or-hibernate)