SpringBoot 2 Actuator with Spring Security












1















How do I make use of Spring Security for securing the actuator endpoints but not interfere with any of the other application URLs? The security mechanism in our application is handled by a different framework so I would like to disable Spring Security by default and only enabled for /actuator/ endpoints.



To achieve this, I've added the following to the initialization class.



@SpringBootApplication(exclude = { SecurityAutoConfiguration.class })


With that, the Spring Security default configuration is disabled. After this, what changes do I need to make configure security for actuator endpoints?










share|improve this question























  • Actuator endpoints are accessible via EndpointRequest.class you can apply your security policy from there. And I suggest you to let the security autoconfiguration and just customize it.

    – akuma8
    Nov 13 '18 at 21:46
















1















How do I make use of Spring Security for securing the actuator endpoints but not interfere with any of the other application URLs? The security mechanism in our application is handled by a different framework so I would like to disable Spring Security by default and only enabled for /actuator/ endpoints.



To achieve this, I've added the following to the initialization class.



@SpringBootApplication(exclude = { SecurityAutoConfiguration.class })


With that, the Spring Security default configuration is disabled. After this, what changes do I need to make configure security for actuator endpoints?










share|improve this question























  • Actuator endpoints are accessible via EndpointRequest.class you can apply your security policy from there. And I suggest you to let the security autoconfiguration and just customize it.

    – akuma8
    Nov 13 '18 at 21:46














1












1








1


1






How do I make use of Spring Security for securing the actuator endpoints but not interfere with any of the other application URLs? The security mechanism in our application is handled by a different framework so I would like to disable Spring Security by default and only enabled for /actuator/ endpoints.



To achieve this, I've added the following to the initialization class.



@SpringBootApplication(exclude = { SecurityAutoConfiguration.class })


With that, the Spring Security default configuration is disabled. After this, what changes do I need to make configure security for actuator endpoints?










share|improve this question














How do I make use of Spring Security for securing the actuator endpoints but not interfere with any of the other application URLs? The security mechanism in our application is handled by a different framework so I would like to disable Spring Security by default and only enabled for /actuator/ endpoints.



To achieve this, I've added the following to the initialization class.



@SpringBootApplication(exclude = { SecurityAutoConfiguration.class })


With that, the Spring Security default configuration is disabled. After this, what changes do I need to make configure security for actuator endpoints?







spring spring-boot spring-security






share|improve this question













share|improve this question











share|improve this question




share|improve this question










asked Nov 13 '18 at 20:30









RKodakandlaRKodakandla

1,48594368




1,48594368













  • Actuator endpoints are accessible via EndpointRequest.class you can apply your security policy from there. And I suggest you to let the security autoconfiguration and just customize it.

    – akuma8
    Nov 13 '18 at 21:46



















  • Actuator endpoints are accessible via EndpointRequest.class you can apply your security policy from there. And I suggest you to let the security autoconfiguration and just customize it.

    – akuma8
    Nov 13 '18 at 21:46

















Actuator endpoints are accessible via EndpointRequest.class you can apply your security policy from there. And I suggest you to let the security autoconfiguration and just customize it.

– akuma8
Nov 13 '18 at 21:46





Actuator endpoints are accessible via EndpointRequest.class you can apply your security policy from there. And I suggest you to let the security autoconfiguration and just customize it.

– akuma8
Nov 13 '18 at 21:46












2 Answers
2






active

oldest

votes


















0














There isn't a separate context for the actuator anymore.



Assumption is that as long as the non-actuator endpoints just need no security restrictions the following configuration would work.



@Configuration
public class WebSecurityConfiguration extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests().requestMatchers(EndpointRequest.toAnyEndpoint()).authenticated().anyRequest().permitAll()
.and().formLogin();
}
}


The EndpointRequest handles matching any Actuator endpoint, giving a form login for the sake of testing. Note that even /info and /health are secured. The EndpointRequest has more options for granularity; additionally in Spring Boot 2 only info, and health are enabled by default.



Or you could just secure the paths behind whatever security mechanism you are using for your other APIs



I pushed an example app here,



https://github.com/DarrenForsythe/secure-spring-actuator-only






share|improve this answer































    0














    You can use below code and configurations



    application.properties



    spring.security.user.name=user
    spring.security.user.password=password
    spring.security.user.roles=ENDPOINT_ADMIN


    Securing Actuator endpoints



    import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

    /**
    * @author dpoddar
    *
    */
    @Configuration
    @EnableWebSecurity
    public class ActuatorSecurity extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
    http
    .csrf().disable()
    .authorizeRequests()
    .requestMatchers(EndpointRequest.to("health", "flyway","info")).permitAll()
    .requestMatchers(EndpointRequest.toAnyEndpoint()).hasRole("ENDPOINT_ADMIN")
    .and()
    .httpBasic()
    ;
    }

    }





    share|improve this answer























      Your Answer






      StackExchange.ifUsing("editor", function () {
      StackExchange.using("externalEditor", function () {
      StackExchange.using("snippets", function () {
      StackExchange.snippets.init();
      });
      });
      }, "code-snippets");

      StackExchange.ready(function() {
      var channelOptions = {
      tags: "".split(" "),
      id: "1"
      };
      initTagRenderer("".split(" "), "".split(" "), channelOptions);

      StackExchange.using("externalEditor", function() {
      // Have to fire editor after snippets, if snippets enabled
      if (StackExchange.settings.snippets.snippetsEnabled) {
      StackExchange.using("snippets", function() {
      createEditor();
      });
      }
      else {
      createEditor();
      }
      });

      function createEditor() {
      StackExchange.prepareEditor({
      heartbeatType: 'answer',
      autoActivateHeartbeat: false,
      convertImagesToLinks: true,
      noModals: true,
      showLowRepImageUploadWarning: true,
      reputationToPostImages: 10,
      bindNavPrevention: true,
      postfix: "",
      imageUploader: {
      brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
      contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
      allowUrls: true
      },
      onDemand: true,
      discardSelector: ".discard-answer"
      ,immediatelyShowMarkdownHelp:true
      });


      }
      });














      draft saved

      draft discarded


















      StackExchange.ready(
      function () {
      StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53289032%2fspringboot-2-actuator-with-spring-security%23new-answer', 'question_page');
      }
      );

      Post as a guest















      Required, but never shown

























      2 Answers
      2






      active

      oldest

      votes








      2 Answers
      2






      active

      oldest

      votes









      active

      oldest

      votes






      active

      oldest

      votes









      0














      There isn't a separate context for the actuator anymore.



      Assumption is that as long as the non-actuator endpoints just need no security restrictions the following configuration would work.



      @Configuration
      public class WebSecurityConfiguration extends WebSecurityConfigurerAdapter {
      @Override
      protected void configure(HttpSecurity http) throws Exception {
      http.authorizeRequests().requestMatchers(EndpointRequest.toAnyEndpoint()).authenticated().anyRequest().permitAll()
      .and().formLogin();
      }
      }


      The EndpointRequest handles matching any Actuator endpoint, giving a form login for the sake of testing. Note that even /info and /health are secured. The EndpointRequest has more options for granularity; additionally in Spring Boot 2 only info, and health are enabled by default.



      Or you could just secure the paths behind whatever security mechanism you are using for your other APIs



      I pushed an example app here,



      https://github.com/DarrenForsythe/secure-spring-actuator-only






      share|improve this answer




























        0














        There isn't a separate context for the actuator anymore.



        Assumption is that as long as the non-actuator endpoints just need no security restrictions the following configuration would work.



        @Configuration
        public class WebSecurityConfiguration extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests().requestMatchers(EndpointRequest.toAnyEndpoint()).authenticated().anyRequest().permitAll()
        .and().formLogin();
        }
        }


        The EndpointRequest handles matching any Actuator endpoint, giving a form login for the sake of testing. Note that even /info and /health are secured. The EndpointRequest has more options for granularity; additionally in Spring Boot 2 only info, and health are enabled by default.



        Or you could just secure the paths behind whatever security mechanism you are using for your other APIs



        I pushed an example app here,



        https://github.com/DarrenForsythe/secure-spring-actuator-only






        share|improve this answer


























          0












          0








          0







          There isn't a separate context for the actuator anymore.



          Assumption is that as long as the non-actuator endpoints just need no security restrictions the following configuration would work.



          @Configuration
          public class WebSecurityConfiguration extends WebSecurityConfigurerAdapter {
          @Override
          protected void configure(HttpSecurity http) throws Exception {
          http.authorizeRequests().requestMatchers(EndpointRequest.toAnyEndpoint()).authenticated().anyRequest().permitAll()
          .and().formLogin();
          }
          }


          The EndpointRequest handles matching any Actuator endpoint, giving a form login for the sake of testing. Note that even /info and /health are secured. The EndpointRequest has more options for granularity; additionally in Spring Boot 2 only info, and health are enabled by default.



          Or you could just secure the paths behind whatever security mechanism you are using for your other APIs



          I pushed an example app here,



          https://github.com/DarrenForsythe/secure-spring-actuator-only






          share|improve this answer













          There isn't a separate context for the actuator anymore.



          Assumption is that as long as the non-actuator endpoints just need no security restrictions the following configuration would work.



          @Configuration
          public class WebSecurityConfiguration extends WebSecurityConfigurerAdapter {
          @Override
          protected void configure(HttpSecurity http) throws Exception {
          http.authorizeRequests().requestMatchers(EndpointRequest.toAnyEndpoint()).authenticated().anyRequest().permitAll()
          .and().formLogin();
          }
          }


          The EndpointRequest handles matching any Actuator endpoint, giving a form login for the sake of testing. Note that even /info and /health are secured. The EndpointRequest has more options for granularity; additionally in Spring Boot 2 only info, and health are enabled by default.



          Or you could just secure the paths behind whatever security mechanism you are using for your other APIs



          I pushed an example app here,



          https://github.com/DarrenForsythe/secure-spring-actuator-only







          share|improve this answer












          share|improve this answer



          share|improve this answer










          answered Nov 13 '18 at 21:32









          Darren ForsytheDarren Forsythe

          3,588723




          3,588723

























              0














              You can use below code and configurations



              application.properties



              spring.security.user.name=user
              spring.security.user.password=password
              spring.security.user.roles=ENDPOINT_ADMIN


              Securing Actuator endpoints



              import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest;
              import org.springframework.context.annotation.Configuration;
              import org.springframework.security.config.annotation.web.builders.HttpSecurity;
              import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
              import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

              /**
              * @author dpoddar
              *
              */
              @Configuration
              @EnableWebSecurity
              public class ActuatorSecurity extends WebSecurityConfigurerAdapter {

              @Override
              protected void configure(HttpSecurity http) throws Exception {
              http
              .csrf().disable()
              .authorizeRequests()
              .requestMatchers(EndpointRequest.to("health", "flyway","info")).permitAll()
              .requestMatchers(EndpointRequest.toAnyEndpoint()).hasRole("ENDPOINT_ADMIN")
              .and()
              .httpBasic()
              ;
              }

              }





              share|improve this answer




























                0














                You can use below code and configurations



                application.properties



                spring.security.user.name=user
                spring.security.user.password=password
                spring.security.user.roles=ENDPOINT_ADMIN


                Securing Actuator endpoints



                import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest;
                import org.springframework.context.annotation.Configuration;
                import org.springframework.security.config.annotation.web.builders.HttpSecurity;
                import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
                import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

                /**
                * @author dpoddar
                *
                */
                @Configuration
                @EnableWebSecurity
                public class ActuatorSecurity extends WebSecurityConfigurerAdapter {

                @Override
                protected void configure(HttpSecurity http) throws Exception {
                http
                .csrf().disable()
                .authorizeRequests()
                .requestMatchers(EndpointRequest.to("health", "flyway","info")).permitAll()
                .requestMatchers(EndpointRequest.toAnyEndpoint()).hasRole("ENDPOINT_ADMIN")
                .and()
                .httpBasic()
                ;
                }

                }





                share|improve this answer


























                  0












                  0








                  0







                  You can use below code and configurations



                  application.properties



                  spring.security.user.name=user
                  spring.security.user.password=password
                  spring.security.user.roles=ENDPOINT_ADMIN


                  Securing Actuator endpoints



                  import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest;
                  import org.springframework.context.annotation.Configuration;
                  import org.springframework.security.config.annotation.web.builders.HttpSecurity;
                  import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
                  import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

                  /**
                  * @author dpoddar
                  *
                  */
                  @Configuration
                  @EnableWebSecurity
                  public class ActuatorSecurity extends WebSecurityConfigurerAdapter {

                  @Override
                  protected void configure(HttpSecurity http) throws Exception {
                  http
                  .csrf().disable()
                  .authorizeRequests()
                  .requestMatchers(EndpointRequest.to("health", "flyway","info")).permitAll()
                  .requestMatchers(EndpointRequest.toAnyEndpoint()).hasRole("ENDPOINT_ADMIN")
                  .and()
                  .httpBasic()
                  ;
                  }

                  }





                  share|improve this answer













                  You can use below code and configurations



                  application.properties



                  spring.security.user.name=user
                  spring.security.user.password=password
                  spring.security.user.roles=ENDPOINT_ADMIN


                  Securing Actuator endpoints



                  import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest;
                  import org.springframework.context.annotation.Configuration;
                  import org.springframework.security.config.annotation.web.builders.HttpSecurity;
                  import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
                  import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

                  /**
                  * @author dpoddar
                  *
                  */
                  @Configuration
                  @EnableWebSecurity
                  public class ActuatorSecurity extends WebSecurityConfigurerAdapter {

                  @Override
                  protected void configure(HttpSecurity http) throws Exception {
                  http
                  .csrf().disable()
                  .authorizeRequests()
                  .requestMatchers(EndpointRequest.to("health", "flyway","info")).permitAll()
                  .requestMatchers(EndpointRequest.toAnyEndpoint()).hasRole("ENDPOINT_ADMIN")
                  .and()
                  .httpBasic()
                  ;
                  }

                  }






                  share|improve this answer












                  share|improve this answer



                  share|improve this answer










                  answered Nov 13 '18 at 23:25









                  DebopamDebopam

                  1,03721940




                  1,03721940






























                      draft saved

                      draft discarded




















































                      Thanks for contributing an answer to Stack Overflow!


                      • Please be sure to answer the question. Provide details and share your research!

                      But avoid



                      • Asking for help, clarification, or responding to other answers.

                      • Making statements based on opinion; back them up with references or personal experience.


                      To learn more, see our tips on writing great answers.




                      draft saved


                      draft discarded














                      StackExchange.ready(
                      function () {
                      StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53289032%2fspringboot-2-actuator-with-spring-security%23new-answer', 'question_page');
                      }
                      );

                      Post as a guest















                      Required, but never shown





















































                      Required, but never shown














                      Required, but never shown












                      Required, but never shown







                      Required, but never shown

































                      Required, but never shown














                      Required, but never shown












                      Required, but never shown







                      Required, but never shown







                      這個網誌中的熱門文章

                      Xamarin.form Move up view when keyboard appear

                      Post-Redirect-Get with Spring WebFlux and Thymeleaf

                      Anylogic : not able to use stopDelay()