How to get all actuator endpoints programatically using spring boot 2?

Question

In spring boot 1.x it was possible to resolve all actuator endpoints programatically. I have a bean that exposes all actuator endpoints paths

@Component
public class MyProjectActuatorEndpoints {

    @Autowired
    private MvcEndpoints endpoints;

    public String[] getActuatorEndpointPaths() {
        return endpoints.getEndpoints().stream()
            .map(MvcEndpoint::getPath)
            .map(path -> path + "/**")
            .toArray(String[]::new);
    }
}

Unfortunately in spring boot actuator 2.0.5.RELEASE there is no such class MvcEndpoints. Is there any replacement for this class in the new spring version?

Answer 1

Everything you need is in the org.springframework.boot.actuate.endpoint.web.PathMappedEndpoints bean. This should set you on the right path, if you'll pardon the pun:

@Slf4j
@Component
public class ActuatorLogger {

  public ActuatorLogger(@Autowired PathMappedEndpoints pme) {
    log.info("Actuator base path: {}", pme.getBasePath());
    pme.getAllPaths().forEach(p -> log.info("Path: {}", p));
  }
}

org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest is available to help you set spring security rules for actuator endpoints when you need to do it from code. For example, in your WebSecurityConfigurerAdapter implementation, this fragment could be merged in to your existing rules:

http.authorizeRequests()
      .requestMatchers(EndpointRequest.to(ShutdownEndpoint.class))
      .hasAnyAuthority("ROLE_ADMIN", "ROLE_SUPPORT")

Answer 2

@Autowired
private HealthEndpoint healthEndpoint;

public Health getAlive() {
    return healthEndpoint.health();
}

Answer 3

Spring Boot Actuator 2.x exposes /actuator endpoints as configurable environment variables.

Enabling Acutator Endpoints

You can enable these actuator endpoints in your application.properties

management.endpoints.web.exposure.include=info, health

or (with extreme caution) enable them all. Keep in mind that many of these are sensitive in nature.

management.endpoints.web.exposure.include=*

Securing Actuator Endpoints (reference)

The documentation specifies this as a strategy to secure all endpoints. The EndpointRequest itself would be the closest alternative to what you were looking for (MvcEndpoints)

@Configuration
public class ActuatorSecurity extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.requestMatcher(EndpointRequest.toAnyEndpoint()).authorizeRequests()
            .anyRequest().hasRole("ENDPOINT_ADMIN")
            .and()
            .httpBasic();
    }

}

You may also set up a particular antmatcher in case you have a different strategy or role that you would like to assign just to these endpoints

httpRequest.authorizeRequests().antMatcher("/actuator/*").hasRole("ENDPOINT_ADMIN")