Can you help me secure actuator endpoints in Spring Boot 2? I checked the migration guide but it doesn't help me.
Here is my security config:
import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class SecConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                // every actuator endpoint (whatever the management base path) requires ROLE_ADMIN
                .requestMatchers(EndpointRequest.toAnyEndpoint()).hasRole("ADMIN")
                // everything else just needs an authenticated user
                .anyRequest().authenticated();
    }
}
but when I go to http://localhost:8080/actuator/health
it loads without login. Other endpoints under the /actuator prefix
don't require login either. What did I do wrong?
I also added OAuth with this configuration:
import org.springframework.context.annotation.Configuration;
import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;

@Configuration
@EnableAuthorizationServer
public class AuthorizationServerConfig extends AuthorizationServerConfigurerAdapter {

    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        // a single in-memory client using the resource-owner password grant
        clients
            .inMemory()
            .withClient("client-id")
            .scopes("read", "write")
            .authorizedGrantTypes("password")
            .secret("xxxxxx")
            .accessTokenValiditySeconds(6000);
    }
}
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;

@Configuration
@EnableResourceServer
public class ResourceServerConfig extends ResourceServerConfigurerAdapter {

    @Override
    public void configure(HttpSecurity http) throws Exception {
        http
            .sessionManagement()
                // bearer-token resource server: never create an HTTP session
                .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                .and()
            .authorizeRequests()
                // only /ajax/** is protected here; no rule covers /actuator/**
                .antMatchers("/ajax/**").authenticated()
                .and()
            .csrf()
                .disable();
    }
}
If your application is a resource server you don't need the SecConfig class.
So if you remove it, you can secure the actuators in your ResourceServerConfig
class and just let admin through:
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;

@Configuration
@EnableResourceServer
public class ResourceServerConfig extends ResourceServerConfigurerAdapter {

    @Override
    public void configure(HttpSecurity http) throws Exception {
        http
            .sessionManagement()
                .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                .and()
            .authorizeRequests()
                .antMatchers("/ajax/**").authenticated()
                // actuator endpoints require ROLE_ADMIN on the bearer token's user
                .antMatchers("/actuator/**").hasRole("ADMIN")
                // everything else still needs a valid token
                .anyRequest().authenticated()
                .and()
            .csrf()
                .disable();
    }
}
I added .anyRequest().authenticated()
to secure the rest of the application's endpoints.