CODEWITHSUNDEEP
spring-securityspring-bootspring-boot-actuator
Hylton Peimer
Hylton Peimer

Reputation: 648

spring-boot Actuator together with Spring Security and Form Basic Auth

I have added "spring-boot-starter-actuator" dependency to my spring-boot project.

The project already has form based security.

The root context for the application is "/".

I have added the actuator at the context root "/actuators" by adding to application.yaml:

management: context-path: /actuators

The non-sensitive actuators are working, such as "health".

When I try to access the sensitive actuators, the popup appears for username/password. The authentication takes place, but then I see "403" Access is Denied.

Here is the configuration for Web security:

@Configuration
@EnableWebSecurity
@Order(SecurityProperties.ACCESS_OVERRIDE_ORDER)
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
private AuthenticationLookupService authenticationLookupService;
private AuthenticationManagerBuilder authenticationManagerBuilder;
private UrlSuccessAuthenticationHandler successHandler;

@Autowired
public void setAuthenticationLookupService(AuthenticationLookupService authenticationLookupService) {
    this.authenticationLookupService = authenticationLookupService;
}

@Autowired
public void configureGlobal(AuthenticationManagerBuilder auth) {
    this.authenticationManagerBuilder = auth;
}

@Autowired
public void setSuccessHandler(UrlSuccessAuthenticationHandler successHandler) {
    this.successHandler = successHandler;
}

@Override
protected void configure(HttpSecurity http) throws Exception {
    http.authorizeRequests()
            .antMatchers("/", "/index.html", "/auth/**").permitAll()
            .anyRequest().authenticated()
            .and()
            .formLogin()
            .loginPage("/index.html").successHandler(successHandler)
            .permitAll()
            .and()
            .logout()
            .permitAll();

    http.csrf().disable(); // todo: fix later
}

@PostConstruct
public void process() throws Exception {
    this.authenticationManagerBuilder.userDetailsService(this.authenticationLookupService).passwordEncoder(new ShaPasswordEncoder());
}

}

Upvotes: 1

Views: 1689

Answers (1)

rajadilipkolli
rajadilipkolli

Reputation: 3601

Add below values in application.properties or application.yml and then when popup asks for username and password provide this credentials

security.user.name=admin
security.user.password=secret

If you are providing your values check if that user has ADMIN role, because actuator needs ADMIN role user to access sensitive end points.

Update If you are using spring-boot 1.5.*+ then user should have ACTUATOR role

Upvotes: 1

Related Questions