solomkinmv

Reputation: 1952

How to disable actuator security without disabling it totally with Spring Boot 2

I'm using Spring Boot Security with OAuth2. I want to disable security for the health endpoint.

I can totally disable security or write my own implementation of WebSecurityConfigurerAdapter and disable autoconfigured one.

But how to modify existing implementation of WebSecurityConfigurerAdapter (OAuth2SsoDefaultConfiguration)?

I tried to create my own configuration without disabling autoconfigured one, but it is impossible due to Order conflicts.

Here is the error message:

Caused by: java.lang.IllegalStateException: @Order on WebSecurityConfigurers must be unique. 
Order of 100 was already used on SecurityConfiguration$$EnhancerBySpringCGLIB$$9505fc58@13f182b9,
 so it cannot be used on 
org.springframework.boot.autoconfigure.security.oauth2.client.OAuth2SsoDefaultConfiguration$$EnhancerBySpringCGLIB$$dc290e2b@5ee0cf64 too.

Also, I tried to explicitly set higher order for my own security configuration, but looks like autoconfigured one overrides mine.

So how to override specific security rules without reimplementing whole configuration?

Upvotes: 10

Views: 36887

Answers (9)

Patrice Gagnon

Reputation: 1464

A quick update as I'm using a very recent Spring Boot 2.7.11. It seems like extending WebSecurityConfigurerAdapter is now deprecated.

Rather I simply do this:

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;


@EnableWebSecurity
@Configuration
public class ActuatorSecurityFilter {
    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        // "/actuator" is an exact Ant pattern: it matches only the endpoint index,
        // not sub-paths such as /actuator/health
        http.authorizeRequests().antMatchers("/actuator").permitAll();
        return http.build();
    }
}

Upvotes: 1
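As an added example (my own, not code from any answer above) of the SecurityFilterChain style for the question's actual goal, here is a configuration with two chains: a first-ordered chain that only ever sees actuator requests, opens health anonymously and keeps every other endpoint behind HTTP Basic, and a second chain that leaves the rest of the application behind OAuth2 login. It assumes Spring Boot 2.7.x (Spring Security 5.7) with spring-boot-starter-actuator, spring-boot-starter-security and spring-boot-starter-oauth2-client on the classpath; the role name ACTUATOR_ADMIN and the class name are assumptions.

```java
import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest;
import org.springframework.boot.actuate.health.HealthEndpoint;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;

/**
 * Added example, not from the original page. Two filter chains with distinct
 * {@code @Order} values (the same uniqueness rule that produced the error in the
 * question): the actuator chain is scoped with requestMatcher() so it never
 * competes with the application chain for ordinary requests.
 */
@Configuration
@EnableWebSecurity
public class ActuatorAndAppSecurityConfig {

    // Runs first and only for actuator endpoints, wherever
    // management.endpoints.web.base-path puts them (default /actuator).
    @Bean
    @Order(1)
    public SecurityFilterChain actuatorChain(HttpSecurity http) throws Exception {
        http
            .requestMatcher(EndpointRequest.toAnyEndpoint())
            .authorizeRequests(auth -> auth
                // /actuator/health and its sub-paths (e.g. health groups) are anonymous
                .requestMatchers(EndpointRequest.to(HealthEndpoint.class)).permitAll()
                // env, beans, heapdump etc. stay restricted to an ops role (assumed name)
                .anyRequest().hasRole("ACTUATOR_ADMIN"))
            // Basic auth is enough for ops tooling; no SSO redirect on actuator paths
            .httpBasic();
        return http.build();
    }

    // Everything that is not an actuator endpoint falls through to this chain.
    @Bean
    @Order(2)
    public SecurityFilterChain applicationChain(HttpSecurity http) throws Exception {
        http
            .authorizeRequests(auth -> auth.anyRequest().authenticated())
            .oauth2Login();
        return http.build();
    }
}
```

To check the split, `curl -i http://localhost:8080/actuator/health` should return 200 without credentials, while `curl -i http://localhost:8080/actuator/env` should return 401 rather than a redirect to the OAuth2 provider. Because health is now anonymous, keep `management.endpoint.health.show-details` at `when-authorized` (or `never`) rather than `always`, otherwise component details such as database and disk status are exposed to unauthenticated callers.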

Janitha Madushan

Reputation: 1543

For Kotlin

import org.springframework.context.annotation.Configuration
import org.springframework.security.config.annotation.web.builders.HttpSecurity
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter

@Configuration
class SecurityConfiguration : WebSecurityConfigurerAdapter() {
    override fun configure(httpSecurity: HttpSecurity) {
        // exact match on "/actuator" only; sub-paths such as /actuator/health are not covered
        httpSecurity.authorizeRequests().antMatchers("/actuator").permitAll()
    }
}

Upvotes: 0

ziar-work

Reputation: 1

management.security.enabled: false

does not work with spring boot 2.x versions

Upvotes: 0

Yuva

Reputation: 201

management.security.enabled: false is no longer valid in Spring Boot 2; we need to take the ConfigurerAdapter way. Here is my code below, for the case where an OAuth2 resource server is used.

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;

/**
 * Disables security for actuator endpoints.
 * Note: "/actuator" is an exact match; sub-paths such as /actuator/health
 * are not covered by this matcher.
 */
@Configuration
public class ActuatorSecurityConfigurer extends ResourceServerConfigurerAdapter {

    @Override
    public void configure(HttpSecurity httpSecurity) throws Exception {
        httpSecurity.authorizeRequests().antMatchers("/actuator").permitAll();
    }
}

Upvotes: 0

Nik.exe

Reputation: 411

You can also use management.security.enabled: false in your application.properties (or .yaml). It will automatically remove any security for actuator exposed endpoints.

Upvotes: -3

Andrew

Reputation: 49656

import org.springframework.boot.autoconfigure.security.oauth2.client.EnableOAuth2Sso;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableOAuth2Sso
class MyConfiguration extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                // health is reachable without a session; everything else requires SSO login
                .antMatchers("/actuator/health")
                .permitAll()
            .anyRequest()
                .authenticated();
    }

}

Make sure you are using @EnableOAuth2Sso over a WebSecurityConfigurerAdapter class. It's important because it will include OAuth2SsoCustomConfiguration which basically copies the functionality of OAuth2SsoDefaultConfiguration#configure.

You might also want to show full health details:

management:
  endpoint:
    health:
      show-details: always

Upvotes: 8

Alexander Petrov

Reputation: 991

You need to implement the following method in your @SpringBootApplication class:

import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;

@SpringBootApplication
@EnableResourceServer
@EnableGlobalMethodSecurity(prePostEnabled = true)
@Configuration
public class BusinessLogicServiceApplication extends ResourceServerConfigurerAdapter {

    public static void main(String[] args) {
        SpringApplication.run(BusinessLogicServiceApplication.class, args);
    }

    @Override
    public void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                // "/health" is the Spring Boot 1.x path; under Boot 2 the default is /actuator/health
                .antMatchers("/health").permitAll()
                .anyRequest().authenticated();
    }
}

Upvotes: 9

Alien

Reputation: 15908

Following are the possible checks.

Solution 1 : Ensure that you are using

org.springframework.core.annotation.Order

instead of

org.apache.logging.log4j.core.config.Order

Since Spring didn't parse the correct annotations, it was assuming the default value 100 for both configurations.

Solution 2:

Maybe you have annotated another class with the @EnableWebSecurity annotation. Be aware that only one class can implement this annotation.

Solution 3 : Refer this https://stackoverflow.com/a/44076087/6572971

Solution 4 :

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
public class DemoConfigurer extends WebSecurityConfigurerAdapter {
    @Override
    public void configure(HttpSecurity http) throws Exception {
        // open /health, then keep the adapter's defaults (authenticated, form login, HTTP Basic)
        http.authorizeRequests().antMatchers("/health").permitAll();
        super.configure(http);
    }
}

Upvotes: 4

lapostoj

Reputation: 113

I think you could have your own implementation extending the one you use (OAuth2SsoDefaultConfiguration, if I got it right) and then extend the configure method to ignore your health endpoint. It would look more or less like this:

@Override
public void configure(final HttpSecurity http) throws Exception {
    // regex-based matcher for the health path only
    http.authorizeRequests()
        .regexMatchers("/health")
        .permitAll();
}

By the way, about this: "Also, I tried to explicitly set higher order for my own security configuration, but looks like autoconfigured one overrides mine." The way @Order works, lower numbers have higher priority, so it would explain why the autoconfigured one was overriding yours. Doc here: https://docs.spring.io/spring-framework/docs/current/javadoc-api/org/springframework/core/annotation/Order.html

Upvotes: 1
