
How to disable actuator security without disabling it totally with Spring Boot 2

I'm using Spring Boot Security with OAuth2. I want to disable security for the health endpoint.

I can totally disable security, or write my own implementation of WebSecurityConfigurerAdapter and disable the autoconfigured one.

But how can I modify the existing implementation of WebSecurityConfigurerAdapter (OAuth2SsoDefaultConfiguration)?

I tried to create my own configuration without disabling the autoconfigured one, but it is impossible due to Order conflicts.

Here is the error message:

Caused by: java.lang.IllegalStateException: @Order on WebSecurityConfigurers must be unique. 
Order of 100 was already used on SecurityConfiguration$$EnhancerBySpringCGLIB$$9505fc58@13f182b9,
 so it cannot be used on 
org.springframework.boot.autoconfigure.security.oauth2.client.OAuth2SsoDefaultConfiguration$$EnhancerBySpringCGLIB$$dc290e2b@5ee0cf64 too.

Also, I tried to explicitly set a higher order for my own security configuration, but it looks like the autoconfigured one overrides mine.

So how can I override specific security rules without reimplementing the whole configuration?

solomkinmv asked Sep 02 '18 15:09



2 Answers

You need to implement the following method in your @SpringBootApplication class:

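import java.io.IOException;

import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.context.ConfigurableApplicationContext;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;

@SpringBootApplication
@EnableResourceServer
@EnableGlobalMethodSecurity(prePostEnabled = true)
@Configuration
public class BusinessLogicServiceApplication extends ResourceServerConfigurerAdapter {

    public static void main(String[] args) throws IOException {
        ConfigurableApplicationContext context =
                SpringApplication.run(BusinessLogicServiceApplication.class, args);
    }

    // Permit unauthenticated access to the health endpoint;
    // every other request must be authenticated.
    @Override
    public void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                .antMatchers("/health").permitAll()
                .anyRequest().authenticated();
    }
}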
Alexander Petrov answered Nov 15 '22 08:11



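import org.springframework.boot.autoconfigure.security.oauth2.client.EnableOAuth2Sso;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableOAuth2Sso
class MyConfiguration extends WebSecurityConfigurerAdapter {

    // Permit unauthenticated access to the health endpoint;
    // every other request must be authenticated.
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                .antMatchers("/actuator/health")
                .permitAll()
            .anyRequest()
                .authenticated();
    }

}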

Make sure you are using @EnableOAuth2Sso over a WebSecurityConfigurerAdapter class. It's important because it will include OAuth2SsoCustomConfiguration which basically copies the functionality of OAuth2SsoDefaultConfiguration#configure.

You might also want to show full health details:

management:
  endpoint:
    health:
      show-details: always
Andrew Tobilko answered Nov 15 '22 07:11

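
Added example, not part of either answer above: both answers hard-code the health path (/health in one, /actuator/health in the other), while Spring Boot 2's actuator also ships EndpointRequest, a request matcher that resolves an endpoint's actual path. The class name is hypothetical, and the code assumes Spring Boot 2.x with spring-boot-starter-actuator and spring-security-oauth2-autoconfigure on the classpath.

```java
import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest;
import org.springframework.boot.actuate.health.HealthEndpoint;
import org.springframework.boot.autoconfigure.security.oauth2.client.EnableOAuth2Sso;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

// Hypothetical class name (assumption, not from the page).
// @EnableOAuth2Sso on the adapter keeps the SSO setup, as the second answer describes.
@Configuration
@EnableOAuth2Sso
public class ActuatorHealthSecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                // Matches the health endpoint wherever it is mapped, so the rule
                // still applies if management.endpoints.web.base-path is changed.
                .requestMatchers(EndpointRequest.to(HealthEndpoint.class)).permitAll()
                // Stated explicitly: every other actuator endpoint requires
                // authentication, including any that are exposed later.
                .requestMatchers(EndpointRequest.toAnyEndpoint()).authenticated()
                // Application routes keep the SSO default: login required.
                .anyRequest().authenticated();
    }
}
```

Because the health endpoint is open to anonymous callers in this configuration, `management.endpoint.health.show-details: always` returns component details to them as well; `when-authorized` limits the details to authenticated users.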