SpringBoot 2 Actuator with Spring Security
How do I make use of Spring Security for securing the actuator endpoints without interfering with any of the other application URLs? The security mechanism in our application is handled by a different framework, so I would like to disable Spring Security by default and only enable it for /actuator/ endpoints.
To achieve this, I've added the following to the initialization class.
@SpringBootApplication(exclude = { SecurityAutoConfiguration.class })
With that, the Spring Security default configuration is disabled. After this, what changes do I need to make to configure security for actuator endpoints?
spring spring-boot spring-security
asked Nov 13 '18 at 20:30
RKodakandla
Actuator endpoints are accessible via EndpointRequest.class; you can apply your security policy from there. And I suggest you leave the security autoconfiguration in place and just customize it.
– akuma8
Nov 13 '18 at 21:46
2 Answers
There isn't a separate context for the actuator anymore.
The assumption is that, as long as the non-actuator endpoints need no security restrictions, the following configuration would work.

    import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

    @Configuration
    public class WebSecurityConfiguration extends WebSecurityConfigurerAdapter {

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            // Every Actuator endpoint needs an authenticated user; all other URLs are left open
            http.authorizeRequests()
                    .requestMatchers(EndpointRequest.toAnyEndpoint()).authenticated()
                    .anyRequest().permitAll()
                .and().formLogin();
        }
    }

The EndpointRequest handles matching any Actuator endpoint, giving a form login for the sake of testing. Note that even /info and /health are secured. The EndpointRequest has more options for granularity; additionally, in Spring Boot 2 only info and health are enabled by default.
Or you could just secure the paths behind whatever security mechanism you are using for your other APIs.
I pushed an example app here:
https://github.com/DarrenForsythe/secure-spring-actuator-only
answered Nov 13 '18 at 21:32
Darren Forsythe
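The question asks that Spring Security touch only the actuator URLs and leave everything else to the application's own framework. The configuration in the answer above still registers a filter chain that matches every request and merely permits the non-actuator ones, so the CSRF, header and session filters of that chain still run on those requests. The class below is an added example, not code from the question, from either answer, or from the linked repository: it scopes the whole chain with http.requestMatcher(EndpointRequest.toAnyEndpoint()), so requests outside the management base path never enter Spring Security at all, and it keeps the autoconfiguration in place as the comment on the question suggests. It assumes Spring Boot 2.x with Spring Security 5 (the WebSecurityConfigurerAdapter API used on this page), that health and info are the only endpoints meant to be public, and that a user carrying ROLE_ENDPOINT_ADMIN is defined elsewhere (for example via the spring.security.user.* properties); the class name ActuatorOnlySecurity is the example's own.

```java
import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest;
import org.springframework.boot.actuate.health.HealthEndpoint;
import org.springframework.boot.actuate.info.InfoEndpoint;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

/**
 * Example (not from the original post): a Spring Security filter chain that
 * applies ONLY to Actuator requests. Requests that do not match
 * EndpointRequest.toAnyEndpoint() never enter this chain, so the
 * application's own security framework keeps handling them untouched.
 */
@Configuration
@EnableWebSecurity
@Order(1) // defensive: evaluated before any catch-all chain another config might add
public class ActuatorOnlySecurity extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // Scope the entire chain to the management base path
            // (/actuator by default, or management.endpoints.web.base-path).
            .requestMatcher(EndpointRequest.toAnyEndpoint())
            .authorizeRequests()
                // Probe endpoints stay unauthenticated so load balancers and
                // orchestrators can reach them; nothing else is public.
                .requestMatchers(EndpointRequest.to(HealthEndpoint.class, InfoEndpoint.class)).permitAll()
                // anyRequest() here means "any other Actuator request", because
                // the chain itself only sees Actuator traffic.
                .anyRequest().hasRole("ENDPOINT_ADMIN")
            .and()
            // HTTP Basic suits machine-to-machine access; run it over TLS.
            .httpBasic()
            .and()
            // CSRF is disabled for this chain only, so the rest of the
            // application keeps whatever protection its own framework provides.
            .csrf().disable();
    }
}
```

The difference from a chain that starts with authorizeRequests() is the leading requestMatcher(...): it decides whether the chain runs at all, whereas the requestMatchers(...) calls inside authorizeRequests() only decide the access rule once a request is already inside. Keeping SecurityAutoConfiguration enabled (rather than excluding it as in the question) is what makes the spring.security.user.* properties and the default password encoding available to this chain.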
You can use the code and configuration below.

application.properties

    spring.security.user.name=user
    spring.security.user.password=password
    spring.security.user.roles=ENDPOINT_ADMIN

Securing Actuator endpoints

    import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

    /**
     * @author dpoddar
     *
     */
    @Configuration
    @EnableWebSecurity
    public class ActuatorSecurity extends WebSecurityConfigurerAdapter {

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .csrf().disable()
                .authorizeRequests()
                    // health, flyway and info are open; every other Actuator endpoint needs ROLE_ENDPOINT_ADMIN
                    .requestMatchers(EndpointRequest.to("health", "flyway", "info")).permitAll()
                    .requestMatchers(EndpointRequest.toAnyEndpoint()).hasRole("ENDPOINT_ADMIN")
                .and()
                .httpBasic();
        }
    }
answered Nov 13 '18 at 23:25
Debopam
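Matcher chains like the ones in both answers are easy to get subtly wrong (a permitAll rule placed after a broader matcher, an endpoint not exposed over the web, or a non-actuator URL unexpectedly challenged), so the check a practitioner wants is a test that exercises the policy through the real filter chain. The test below is an added example, not part of either answer. It assumes the user and role from the application.properties in the answer above, that the env endpoint is exposed over HTTP (Spring Boot 2 exposes only health and info by default, hence the management.endpoints.web.exposure.include fixture), JUnit 5, and spring-boot-starter-test plus spring-security-test on the test classpath; the class name, the fixture property values and the made-up non-actuator path are the example's own.

```java
import static org.junit.jupiter.api.Assertions.assertNotEquals;
import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.httpBasic;
import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.user;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.test.web.servlet.MockMvc;

/**
 * Example (not from the original post): verifies the Actuator security policy
 * end to end instead of trusting the matcher order by eye. The properties are
 * constructed test fixtures mirroring the application.properties in the answer.
 */
@SpringBootTest(properties = {
        "management.endpoints.web.exposure.include=health,info,env",
        "spring.security.user.name=user",
        "spring.security.user.password=password",
        "spring.security.user.roles=ENDPOINT_ADMIN"
})
@AutoConfigureMockMvc
class ActuatorSecurityPolicyTest {

    @Autowired
    private MockMvc mvc;

    @Test
    void healthIsReachableWithoutCredentials() throws Exception {
        mvc.perform(get("/actuator/health")).andExpect(status().isOk());
    }

    @Test
    void envIsRejectedWithoutCredentials() throws Exception {
        // With httpBasic() the entry point answers 401; a 302 to a login page
        // here would mean formLogin() is the active entry point instead.
        mvc.perform(get("/actuator/env")).andExpect(status().isUnauthorized());
    }

    @Test
    void envIsForbiddenForAuthenticatedUserWithoutAdminRole() throws Exception {
        // An authenticated principal lacking ROLE_ENDPOINT_ADMIN must get 403,
        // not the environment dump (which can contain credentials).
        mvc.perform(get("/actuator/env").with(user("bob").roles("USER")))
           .andExpect(status().isForbidden());
    }

    @Test
    void envIsAllowedForEndpointAdmin() throws Exception {
        mvc.perform(get("/actuator/env").with(httpBasic("user", "password")))
           .andExpect(status().isOk());
    }

    @Test
    void applicationUrlsAreNotChallengedBySpringSecurity() throws Exception {
        // Whatever the app's own framework returns for this path (404 here, since
        // nothing is mapped), Spring Security must not be the one answering 401.
        int status = mvc.perform(get("/not-an-actuator-path"))
                        .andReturn().getResponse().getStatus();
        assertNotEquals(401, status);
    }
}
```

The forbidden-for-wrong-role case is the one most often missing from such tests: it is what distinguishes hasRole("ENDPOINT_ADMIN") from a plain authenticated() rule, and it is the case that matters once the same user store serves other parts of the application.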