sebasira

Reputation: 1834

Spring Security - Custom Authentication Provider and HTTP Basic for Actuator Endpoints

I've got a running Spring Boot application (Spring Boot v2.4.1) and I would like to monitor it using Spring Boot Admin.

I have already set up the server and I can monitor the instance of my application with the /actuator/ endpoint not secured. I have a permitAll() on it.

Now I'd like to secure it, but I do not know how to do it without messing with my current security configuration.

I have Spring Security configured to match username and password from a DB and with a CustomAuthenticationProvider. If possible I would like to add the Actuator endpoints with HTTP Basic authentication.

This is my current security config:

http
    .authorizeRequests()
        .antMatchers("/admin/**").hasAuthority(AUTHORITY_ADMIN)
        .antMatchers("/user/**").hasAnyAuthority(AUTHORITY_ADMIN, AUTHORITY_USER)
        .anyRequest().authenticated()
    .and()
    .csrf().disable()
    .formLogin()
        .loginPage("/login")
        .failureUrl("/login?error=true")
        .successHandler(new CustomUrlAuthenticationSuccessHandler(translator))
        .usernameParameter("username")
        .passwordParameter("password")
    .and()
    .logout()
        .logoutUrl("/logout")
        .logoutSuccessUrl("/")
    .and()
    .exceptionHandling().accessDeniedPage("/403")
    .and()
    .headers().frameOptions().sameOrigin();

I would like to keep that configuration and also tell Spring that whenever a user hits the /actuator/ endpoint, it will require HTTP Basic security credentials.

I was thinking of having two @Configuration classes extending WebSecurityConfigurerAdapter. One would be the one I've already got and the other one for the actuator endpoints. But I had no luck with it.

Thank you

Thank you very much

Upvotes: 0

Views: 2317

Answers (2)

sebasira

Reputation: 1834

This is how I solved it: I created a new @Configuration class extending WebSecurityConfigurerAdapter.

I was unable to stop using WebSecurityConfigurerAdapter (as suggested by @Marcus-Hert-da-Coregio in the comments) because if I did not extend it I was not able to define my custom AuthenticationProvider.

This class has @Order(1) so it takes precedence over my other initial configuration (which I set to @Order(2)). And this is its content:

@Override
protected void configure(HttpSecurity http) throws Exception {
    http
        .antMatcher("/actuator/**")
        .csrf().disable()
        .authorizeRequests()
            .anyRequest().authenticated()
        .and()
        .httpBasic()
        .and()
        .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
}

Then my custom AuthenticationProvider will verify if the given credentials for accessing the actuator endpoints are valid.

Additional information

The reason this failed the first time I tested it was that I was not setting the initial

.antMatcher("/actuator/**")

By adding it I was telling Spring Security that this configuration should only be applied to those endpoints. I got that notion from this article.

I hope this helps someone in the future.

Upvotes: 0

Marcus Hert da Coregio

Reputation: 6308

You can create two SecurityFilterChain beans, one for your /actuator/** endpoint with higher priority, and another for every other endpoint with lower priority, like so:

@Bean
@Order(1)
public SecurityFilterChain actuatorWebSecurity(HttpSecurity http) throws Exception {
    http.requestMatchers((matchers) -> matchers
        .antMatchers("/actuator/**"));
    http.authorizeRequests((authz) -> authz
        .anyRequest().authenticated());
    http.httpBasic();
    http.userDetailsService(myUserDetailsService);
    ...
    return http.build();
}

@Bean
@Order(2)
public SecurityFilterChain defaultWebSecurity(HttpSecurity http) throws Exception {
    // your current configuration
}

In this configuration, the @Order annotation tells the order in which the SecurityFilterChains are going to be matched against the requests.

Upvotes: 2
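The following is an added example, not code from either answer or from the question: a complete component-based configuration that combines both answers, with an /actuator/** chain using HTTP Basic and a second chain keeping form login, where both chains register the same custom AuthenticationProvider via HttpSecurity.authenticationProvider() (so WebSecurityConfigurerAdapter is not needed). It assumes a CustomAuthenticationProvider bean exists in the application, and the AUTHORITY_ADMIN value is a placeholder.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
public class SecurityConfig {

    // Placeholder authority name; use the application's own constant.
    private static final String AUTHORITY_ADMIN = "ADMIN";

    // Assumed to be the application's CustomAuthenticationProvider, registered as a bean.
    private final AuthenticationProvider customAuthenticationProvider;

    public SecurityConfig(AuthenticationProvider customAuthenticationProvider) {
        this.customAuthenticationProvider = customAuthenticationProvider;
    }

    // Evaluated first: only requests under /actuator/** are handled by this chain.
    @Bean
    @Order(1)
    public SecurityFilterChain actuatorFilterChain(HttpSecurity http) throws Exception {
        http
            .antMatcher("/actuator/**")
            .authenticationProvider(customAuthenticationProvider)
            // Require an explicit authority rather than any authenticated user,
            // so ordinary application accounts cannot read actuator data.
            .authorizeRequests(authz -> authz.anyRequest().hasAuthority(AUTHORITY_ADMIN))
            .httpBasic()
            .and()
            // Basic credentials are sent on every request, so no session is needed;
            // CSRF is disabled only on this stateless, non-browser chain.
            .sessionManagement(sm -> sm.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            .csrf(csrf -> csrf.disable());
        return http.build();
    }

    // Evaluated second: everything else keeps the existing form-login setup.
    @Bean
    @Order(2)
    public SecurityFilterChain defaultFilterChain(HttpSecurity http) throws Exception {
        http
            .authenticationProvider(customAuthenticationProvider)
            .authorizeRequests(authz -> authz
                .antMatchers("/admin/**").hasAuthority(AUTHORITY_ADMIN)
                .anyRequest().authenticated())
            .formLogin(form -> form.loginPage("/login").failureUrl("/login?error=true"))
            .logout(logout -> logout.logoutUrl("/logout").logoutSuccessUrl("/"));
        return http.build();
    }
}
```

Because the actuator chain is matched first and is scoped with antMatcher(), a request to /actuator/health that arrives without Basic credentials gets a 401 from that chain and is never redirected to the form login page.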
