Denis Stephanov

Reputation: 5231

How to secure actuator endpoints with role in Spring Boot 2?

Can you help me secure actuator endpoints in Spring Boot 2? I checked the migration guide but it doesn't help me.

Here is my security config:

import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class SecConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                // every actuator endpoint, regardless of the configured base path
                .requestMatchers(EndpointRequest.toAnyEndpoint()).hasRole("ADMIN")
                .anyRequest().authenticated();
    }

}

but when I go to http://localhost:8080/actuator/health it loads without login. Other endpoints with the /actuator prefix don't require login either. What did I do wrong?

I also added OAuth with this configuration:

import org.springframework.context.annotation.Configuration;
import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;

@Configuration
@EnableAuthorizationServer
public class AuthorizationServerConfig extends AuthorizationServerConfigurerAdapter {

    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        clients
            .inMemory()
                .withClient("client-id")
                    .scopes("read", "write")
                    // the password grant also needs an AuthenticationManager wired in
                    // configure(AuthorizationServerEndpointsConfigurer), not shown here
                    .authorizedGrantTypes("password")
                    // Spring Security 5 requires an encoder id prefix on stored secrets
                    .secret("{noop}xxxxxx")
                    .accessTokenValiditySeconds(6000);
    }
}

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;

@Configuration
@EnableResourceServer
public class ResourceServerConfig extends ResourceServerConfigurerAdapter {

    @Override
    public void configure(HttpSecurity http) throws Exception {
        http
            .sessionManagement()
                // bearer tokens only, no HTTP session
                .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                .and()
            .authorizeRequests()
                // only /ajax/** is listed; any other path has no rule here
                .antMatchers("/ajax/**").authenticated()
                .and()
            .csrf()
                .disable();
    }
}

Upvotes: 13

Views: 21801

Answers (3)

Adrian

Reputation: 3701

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest;
import org.springframework.boot.actuate.health.HealthEndpoint;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@Order(1) // runs before the resource server chain (order 3) and the default adapter (order 100)
public class ActuatorSecurityConfig extends WebSecurityConfigurerAdapter {

    private static final Logger log = LoggerFactory.getLogger(ActuatorSecurityConfig.class);

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        log.info("configuring actuator security");
        // this chain only handles actuator requests, wherever the base path is
        http.requestMatcher(EndpointRequest.toAnyEndpoint())
                .authorizeRequests()
                // publicly allow the health endpoint (specific rule first, before anyRequest)
                .requestMatchers(EndpointRequest.to(HealthEndpoint.class)).permitAll()
                // secure every other actuator endpoint with the ADMIN role
                .anyRequest().hasRole("ADMIN")
                .and()
                .httpBasic(); // without an authentication entry point callers only ever get 403
    }
}

See also the example in the documentation:
https://docs.spring.io/spring-boot/docs/current/reference/html/actuator.html#actuator.endpoints.security:

import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;

@Configuration(proxyBeanMethods = false)
public class MySecurityConfiguration {

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        // this chain applies only to actuator endpoints
        http.requestMatcher(EndpointRequest.toAnyEndpoint())
                .authorizeRequests((requests) -> requests.anyRequest().hasRole("ENDPOINT_ADMIN"));
        // HTTP Basic so a browser or curl can present credentials
        http.httpBasic();
        return http.build();
    }

}

In this last example be aware that Spring Boot’s security configuration backs off completely in the presence of any SecurityFilterChain bean.

Upvotes: 0

Francesc Recio

Reputation: 2235

If your application is a resource server you don't need the SecConfig class.

So if you remove it, you can secure the actuators in your ResourceServerConfig class and just let admin through:

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;

@Configuration
@EnableResourceServer
public class ResourceServerConfig extends ResourceServerConfigurerAdapter {

    @Override
    public void configure(HttpSecurity http) throws Exception {
        http
            .sessionManagement()
                .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                .and()
            .authorizeRequests()
                .antMatchers("/ajax/**").authenticated()
                // actuator under the default base path: ADMIN only
                .antMatchers("/actuator/**").hasRole("ADMIN")
                // everything else needs a valid token
                .anyRequest().authenticated()
                .and()
            .csrf()
                .disable();
    }
}

I added .anyRequest().authenticated() to secure the rest of the application endpoints.

Upvotes: 15
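Why removing SecConfig is the right call: @EnableResourceServer registers its own WebSecurityConfigurerAdapter at order 3 with no request matcher, so it claims every request before the order-100 SecConfig is ever consulted, and a request with no matching rule in that chain is simply let through. The variant below is an added example, not the answer's own code: it keeps the rules in the resource-server chain but matches actuator endpoints with EndpointRequest instead of a hard-coded "/actuator/**", so the rules survive a changed management.endpoints.web.base-path, and it leaves health and info public for load balancers while everything else under the actuator needs a token carrying ROLE_ADMIN. The class name and the "/ajax/**" path are taken from the question; the choice of HealthEndpoint and InfoEndpoint as the public set is an assumption.

```java
import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest;
import org.springframework.boot.actuate.health.HealthEndpoint;
import org.springframework.boot.actuate.info.InfoEndpoint;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;

/**
 * Added example (not from the original answer). The resource-server chain has
 * order 3 and no request matcher, so it sees every request; any path without
 * a rule here is allowed, which is why the actuator rules must live in this
 * class rather than in a separate order-100 WebSecurityConfigurerAdapter.
 */
@Configuration
@EnableResourceServer
public class ResourceServerConfig extends ResourceServerConfigurerAdapter {

    @Override
    public void configure(HttpSecurity http) throws Exception {
        http
            .sessionManagement()
                .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                .and()
            .authorizeRequests()
                // liveness/readiness probes and the info page: no token required.
                // Which endpoints to expose publicly is an assumption of this example.
                .requestMatchers(EndpointRequest.to(HealthEndpoint.class, InfoEndpoint.class)).permitAll()
                // every other actuator endpoint, wherever the management base path is,
                // needs an access token whose authorities include ROLE_ADMIN
                .requestMatchers(EndpointRequest.toAnyEndpoint()).hasRole("ADMIN")
                .antMatchers("/ajax/**").authenticated()
                // the rest of the application needs a valid token of any role
                .anyRequest().authenticated()
                .and()
            .csrf()
                .disable();
    }
}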

Raghav Sharma

Reputation: 31

You can try the configuration below:

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
public class SecConfig extends WebSecurityConfigurerAdapter {

    @Override
    public void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                // actuator under the default base path needs ROLE_ACTUATOR
                .antMatchers("/actuator/**").hasRole("ACTUATOR")
                .anyRequest().permitAll()
                .and()
                .httpBasic(); // lets the user from application.properties log in
    }
}

Verify that you have the following in application.properties:

spring.security.user.name=user
spring.security.user.password=pass
# ACTUATOR, or any other role that matches hasRole(...) above
spring.security.user.roles=ACTUATOR,USER
management.endpoint.health.roles=ACTUATOR

Upvotes: 2
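A check worth running after wiring this up, as an added example that is not part of the answer: a MockMvc test that proves anonymous callers are challenged, an authenticated user without the role is refused, and the properties-defined user with ROLE_ACTUATOR gets through. It assumes the SecConfig above with httpBasic enabled (without an authentication entry point the first case returns 403 rather than 401), Spring Boot 2.2+ with JUnit 5, spring-security-test on the test classpath, and a @SpringBootApplication class in a parent package; the test class name and the choice of the env endpoint are assumptions. Note that management.endpoint.health.roles only decides who may see health details (with show-details=when-authorized); it does not grant or restrict access to /actuator/health, which is governed by the antMatchers rule alone.

```java
import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.httpBasic;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.security.test.context.support.WithMockUser;
import org.springframework.test.web.servlet.MockMvc;

/**
 * Added example test (not from the original answer). Boots the application
 * with the same in-memory user the answer's application.properties defines
 * and exposes the env endpoint so there is a sensitive endpoint to probe.
 */
@SpringBootTest(properties = {
        "spring.security.user.name=user",
        "spring.security.user.password=pass",
        "spring.security.user.roles=ACTUATOR,USER",
        // env is not web-exposed by default; the exposure list is this test's assumption
        "management.endpoints.web.exposure.include=health,info,env"
})
@AutoConfigureMockMvc
class ActuatorSecurityTest { // class name is an assumption

    @Autowired
    private MockMvc mvc;

    @Test
    void anonymousCallerIsChallenged() throws Exception {
        // httpBasic() is configured, so the entry point answers 401 with WWW-Authenticate
        mvc.perform(get("/actuator/env"))
           .andExpect(status().isUnauthorized());
        // health is under /actuator/** too, so it is locked down as well
        mvc.perform(get("/actuator/health"))
           .andExpect(status().isUnauthorized());
    }

    @Test
    @WithMockUser(roles = "USER") // authenticated, but without ROLE_ACTUATOR
    void wrongRoleIsForbidden() throws Exception {
        mvc.perform(get("/actuator/env"))
           .andExpect(status().isForbidden());
    }

    @Test
    void actuatorRoleGetsThrough() throws Exception {
        // real credentials from the properties above, sent as HTTP Basic
        mvc.perform(get("/actuator/env").with(httpBasic("user", "pass")))
           .andExpect(status().isOk());
    }

    @Test
    void applicationRoutesStayPublic() throws Exception {
        // anyRequest().permitAll(): an unknown path reaches the dispatcher and 404s, not 401
        mvc.perform(get("/not-an-actuator-path"))
           .andExpect(status().isNotFound());
    }
}
```

Run it with the usual `mvn test` or `gradle test`; if the first test yields 403 instead of 401, the chain has no httpBasic() (or other entry point) and browsers will never be prompted to log in.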
