Reputation: 539
Spring-Boot actuator /shutdown endpoint forbidden
My first-pass with my Spring Boot app had the actuator unsecured, so it was easy to shut down remotely via the /actuator/shutdown endpoint. Recently, I have secured my actuator using Spring security, and it has worked. Now I need to supply http basic credentials to access the endpoints, but now curl calls to the /actuator/shutdown endpoint fail with a Forbidden error. I must have configuration incorrect somewhere.
My curl command:
curl -XPOST -u actuator:password http://host:port/actuator/shutdown -k
I am able to call other endpoints, it seems only the shutdown endpoint is forbidden.
My config:
management.endpoints.web.exposure.include=*
management.endpoint.health.show-details=always
management.info.git.mode=full
management.endpoint.shutdown.enabled=true
management.server.port=8081
spring.security.user.name=actuator
spring.security.user.roles=ACTUATOR
spring.security.user.password=password
EDIT:
@Configuration
public static class ActuatorWebSecurityConfigurationAdapter extends WebSecurityConfigurerAdapter {
protected void configure(HttpSecurity http) throws Exception {
http.requestMatcher(EndpointRequest.toAnyEndpoint()).authorizeRequests()
.anyRequest().hasRole("ACTUATOR")
.and()
.httpBasic();
}
}
Upvotes: 1
Views: 4235
Answers (2)
Reputation: 11
I had the same problem. No matter what I did, the actuator/shutdown would return forbidden. The answer above with the http.csrf().disable(); was the only thing that worked. Please find the reference: https://docs.spring.io/spring-boot/docs/current/reference/htmlsingle/#boot-features-security-csrf
package com.broadridge.services.calendar2.security;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest;
@Configuration
public class ApiSecurity extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http.csrf().disable().
requestMatcher(EndpointRequest.toAnyEndpoint()).authorizeRequests().anyRequest().permitAll();
}
}
Upvotes: 1
Reputation: 539
The solution was to disable csrf in the WebSecurityConfigureAdapter configure method.
http.csrf().disable();
Upvotes: 6
Related Questions
- Unable to Access Spring Boot Actuator Endpoints
- Spring Boot Actuator empty response
- Unable to access Spring Boot Actuator "/actuator" endpoint
- Spring-boot actuator: only some endpoints work
- Spring Boot 2 Actuator endpoints return 405 on GET request
- Spring boot actuator/http.server.requests endpoint not working
- Spring Boot Actuator 2.0.0 ShutDown endpoint returns error 415 when invoked with POST request
- springboot actuator returns 401 for actuator endpoints
- Spring Boot Actuator endpoint configuration doesn't seem to be working as expected
- Spring Boot Actuator Liquibase endpoint fail