Chandru

Reputation: 336

Disable security for Spring Boot actuator endpoint /env

Requirement:
I have a small Spring Boot 2 config-server project with just one Java file (SpringBootApplication). My requirement is that the actuator endpoint /actuator/env alone should not be challenged by Spring Security.

What I am able to do:
I am able to bypass security for /actuator/health by using http.csrf().disable().authorizeRequests().antMatchers("/actuator/health").permitAll() - [WebSecurityConfigurerAdapter], so that opening that link will not ask for credentials.

What I'd like to do:
But if I do the same for /env (.antMatchers("/actuator/env").permitAll()), it still shows the default Spring Security credentials page. Please help.

Actuators Config in application.yml
```yaml
management:
  endpoints:
    web:
      base-path: /actuator
      exposure:
        include: health,env
  endpoint:
    health:
      show-details: always
```

Security Config:

```java
@Configuration
@EnableWebSecurity
public class SecurityConfigurer extends WebSecurityConfigurerAdapter {
    @Override
    public void configure(HttpSecurity http) throws Exception {
        http.csrf().disable().authorizeRequests()
            .antMatchers("/actuator/env").permitAll()
            .antMatchers("/actuator/env/**").permitAll()
            .antMatchers("/actuator/health").permitAll();
        super.configure(http);
    }
}
```

Upvotes: 0

Views: 14012

Answers (1)

pepevalbe

Reputation: 1380

/actuator/env endpoint is disabled by default. You need to include it in your application.properties:

management.endpoints.web.exposure.include=env

Also this:

http.csrf().disable().authorizeRequests().antMatchers("/actuator/**").permitAll();

will allow anything under the /actuator path.

Upvotes: 4
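
A narrower alternative to permitting `/actuator/**`, as an added example that is not part of the question or the answer: it opens only the `health` and `env` endpoints by endpoint id using Spring Boot's `EndpointRequest` matcher and keeps every other actuator endpoint and all other requests behind authentication. It assumes Spring Boot 2 with the actuator and security starters on the classpath and the `WebSecurityConfigurerAdapter` style used in the question; the class name `ActuatorSecurityConfig` is hypothetical.

```java
import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

// Hypothetical class name; added example, not the project's own code.
@Configuration
@EnableWebSecurity
public class ActuatorSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                // Matches by endpoint id, so it follows management.endpoints.web.base-path
                // if that is changed; covers /actuator/env and /actuator/env/{name}.
                .requestMatchers(EndpointRequest.to("health", "env")).permitAll()
                // Any other exposed actuator endpoint still requires a login,
                // even if it is later added to exposure.include.
                .requestMatchers(EndpointRequest.toAnyEndpoint()).authenticated()
                // Everything outside the actuator (the config-server routes) stays protected.
                .anyRequest().authenticated()
            .and()
            // CSRF protection is left at its default (enabled): the unauthenticated
            // GETs on health and env are not affected by it.
            .httpBasic();
    }
}
```

The rules are evaluated in order, so the `permitAll()` line must come before the `toAnyEndpoint()` rule. Anyone who can reach the port can then read `/actuator/env`, so restricting the management port or address at the network level is the usual companion to this setting.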
