为Druid监控配置访问权限(配置访问监控信息的用户与密码)

Druid是一个强大的新兴数据库连接池,兼容DBCP，是阿里巴巴做的开源项目. 不仅提供了强悍的数据源实现,还内置了一个比较靠谱的监控组件。 GitHub项目主页: https://github.com/alibaba/druid QQ群: 点击链接加入群【阿里开源技术交流】 演示地址: http://cnco

Druid是一个强大的新兴数据库连接池,兼容DBCP，是阿里巴巴做的开源项目.

不仅提供了强悍的数据源实现,还内置了一个比较靠谱的监控组件。

GitHub项目主页: https://github.com/alibaba/druid

QQ群: 点击链接加入群【阿里开源技术交流】

演示地址: http://cncounter.duapp.com/druid/index.html

常见问题回答请参考: https://github.com/alibaba/druid/wiki/%E5%B8%B8%E8%A7%81%E9%97%AE%E9%A2%98

一篇CSDN对Druid的介绍 druid简单教程

因为想要监控数据,又不愿意谁都可以访问,所以想要配置个密码.在开源群里一问,就知道原来内部已经有实现了.

先贴完成后的代码:

web.xml 部分:

	
	
	
	DruidWebStatFilter
	com.alibaba.druid.support.http.WebStatFilter
	
	exclusions
	*.js,*.gif,*.jpg,*.png,*.css,*.ico,*.jsp,/druid/*,/download/*
	
	
	sessionStatMaxCount
	2000
	
	
	 sessionStatEnable
	 true
	 
	
	 principalSessionName
	 session_user_key
	 
	 
	 profileEnable
	 true
	
	
	
	DruidWebStatFilter
	/*
	
	
	
	DruidStatView
	com.alibaba.druid.support.http.StatViewServlet
	
	
	resetEnable
	true
	
	
	
	loginUsername
	druid
	
	
	
	loginPassword
	druid
	
	
	
	DruidStatView
	/druid/*
	

首先,因为使用的是 MAVEN, 所以查看源码时maven会自动帮你下载. 我们在 web.xml 中点击 com.alibaba.druid.support.http.StatViewServlet 进入class文件,等一会源码下载好就可以查看. 发现有类似下面这样的代码:

public class StatViewServlet extends ResourceSerlvet {

 private final static Log LOG = LogFactory.getLog(StatViewServlet.class);

 private static final long serialVersionUID = 1L;

 public static final String PARAM_NAME_RESET_ENABLE = "resetEnable";

 public static final String PARAM_NAME_JMX_URL = "jmxUrl";
 public static final String PARAM_NAME_JMX_USERNAME = "jmxUsername";
 public static final String PARAM_NAME_JMX_PASSWORD = "jmxPassword";

 private DruidStatService statService = DruidStatService.getInstance();

 /** web.xml中配置的jmx的连接地址 */
 private String jmxUrl = null;
 /** web.xml中配置的jmx的用户名 */
 private String jmxUsername = null;
 /** web.xml中配置的jmx的密码 */
 private String jmxPassword = null;
.........

而在其中的 jmxUrl、jmxUsername 和 jmxPassword 很显然是连接远程 JMX时使用的,那么我就想着去看看父类: com.alibaba.druid.support.http.ResourceSerlvet

@SuppressWarnings("serial")
public abstract class ResourceSerlvet extends HttpServlet {

 private final static Log LOG = LogFactory.getLog(ResourceSerlvet.class);

 public static final String SESSION_USER_KEY = "druid-user";
 public static final String PARAM_NAME_USERNAME = "loginUsername";
 public static final String PARAM_NAME_PASSWORD = "loginPassword";
 public static final String PARAM_NAME_ALLOW = "allow";
 public static final String PARAM_NAME_DENY = "deny";
 public static final String PARAM_REMOTE_ADDR = "remoteAddress";

 protected String username = null;
 protected String password = null;
.......... 

 public void service(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
 ......
 if (isRequireAuth() //
 && !ContainsUser(request)//
 && !("/login.html".equals(path) //
 || path.startsWith("/css")//
 || path.startsWith("/js") //
 || path.startsWith("/img"))) {
 if (contextPath == null || contextPath.equals("") || contextPath.equals("/")) {
 response.sendRedirect("/druid/login.html");
 } else {
 if ("".equals(path)) {
 response.sendRedirect("druid/login.html");
 } else {
 response.sendRedirect("login.html");
 }
 }
 return;
 }
 ......

 public boolean isRequireAuth() {
 return this.username != null;
 }

那现在知道是 username 在作怪,也设置了,但是没有起作用,于是搜索 username ,

 public void init() throws ServletException {
 initAuthEnv();
 }

 private void initAuthEnv() {
 String paramUserName = getInitParameter(PARAM_NAME_USERNAME);
 if (!StringUtils.isEmpty(paramUserName)) {
 this.username = paramUserName;
 }

 String paramPassword = getInitParameter(PARAM_NAME_PASSWORD);
 if (!StringUtils.isEmpty(paramPassword)) {
 this.password = paramPassword;
 }
 ......

那么很简单,找到 PARAM_NAME_USERNAME 即可:
public static final String PARAM_NAME_USERNAME = "loginUsername"; public static final String PARAM_NAME_PASSWORD = "loginPassword";

于是在 web.xml 中换上,OK，成功进行了拦截.