Reputation: 2377
Is it possible to configure security for actuator endpoints of a Spring application with Spring Security in a generic way?
According to https://github.com/spring-projects/spring-boot/issues/8646 I need to do this in my custom Spring Security configuration.
But suppose I have both a custom request mapping for /info in my application (on port 8080) and also the actuator info endpoint enabled on port 8081. How can I distinguish these two in Spring Security?
Upvotes: 5
Views: 4551
Reputation: 2377
I just found out that Spring Boot 2 explicitly addresses this problem. See https://docs.spring.io/spring-boot/docs/current-SNAPSHOT/reference/htmlsingle/#production-ready-endpoints-security
Upvotes: 0
Reputation: 12999
Yes, it's possible, but not particularly obvious. In your extension of WebSecurityConfigurerAdapter you can inject a collection of the actuator endpoints:
    @Inject
    private List<AbstractEndpointMvcAdapter<? extends Endpoint<?>>> actuatorEndpoints;
Then in your override of configureHttpSecurity(HttpSecurity http) you can use the getPath() member of each actuator endpoint to pass to the .requestMatchers(forPortAndPath(managementPort, actuatorPath)) builder available on the http argument.
Upvotes: 2
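One way to write the forPortAndPath matcher the answer above refers to, as an added example that is not part of the original answer or of Spring's own code. The helper body, the class name, the ACTUATOR role, the @Order value and reading the port from the management.port property are assumptions; it matches every path on the management port, and a per-endpoint path from getPath() can be passed as the pattern in the same way.

```java
import javax.servlet.http.HttpServletRequest;

import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;

@Configuration
@Order(1) // assumption: consulted before the application's own adapter (default order 100)
public class ManagementPortSecurityConfig extends WebSecurityConfigurerAdapter {

    // Assumption: the management port (8081 in the question) is set via management.port.
    @Value("${management.port}")
    private int managementPort;

    /** Hypothetical helper: matches only requests that arrived on `port` AND fit `pathPattern`. */
    static RequestMatcher forPortAndPath(int port, String pathPattern) {
        RequestMatcher path = new AntPathRequestMatcher(pathPattern);
        // getLocalPort() is the port of the connector that accepted the connection.
        // getServerPort() is not used because it can be derived from the
        // client-supplied Host header and so is not a trustworthy discriminator.
        return (HttpServletRequest request) ->
                request.getLocalPort() == port && path.matches(request);
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // This chain applies only to the management port, so the custom /info
            // mapping on port 8080 is left to the application's own configuration.
            .requestMatcher(forPortAndPath(managementPort, "/**"))
            .authorizeRequests()
                .anyRequest().hasRole("ACTUATOR") // constructed role name
                .and()
            .httpBasic();
    }
}
```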