 

Overriding Spring Security Actuator configuration without losing configurable endpoints

I'm trying to secure the Actuator endpoints inside a Spring Boot project. However, instead of using the ready-to-run Spring Security configuration for the Actuators:

management:
  security:
    enabled: true
    role: ADMINISTRATOR

That is too easy: I need to plug the Actuators into our custom security (here CAS SSO).

My first try was to add a context-path for the Actuators:

management:
  security:
    enabled: true
    role: ADMINISTRATOR
  context-path: /management

And update my WebSecurityConfigurerAdapter configuration:

@Override
protected void configure(HttpSecurity http) throws Exception {
    ...
    // Hardcoded: must be kept in sync with management.context-path
    http.authorizeRequests().antMatchers("/management/**").hasRole(Role.ADMINISTRATOR.toString());
    ...
}

It works, but I must hardcode the Actuators' context-path, so whenever I want to change management.context-path I also have to update my security configuration.

I know it's possible to retrieve the value of management.context-path, but how do I handle it when the value equals ""?

You could tell me to @Autowired EndpointHandlerMapping and retrieve the list of Actuator endpoints... but in the end I would be copy-pasting the same logic as ManagementSecurityAutoConfiguration.ManagementWebSecurityConfigurerAdapter.

Furthermore, the @ConditionalOnMissingBean on ManagementSecurityAutoConfiguration.ManagementWebSecurityConfigurerAdapter points to itself, but ManagementSecurityAutoConfiguration.ManagementWebSecurityConfigurerAdapter is an inner static protected class, so it is not possible to disable it without passing management.security.enabled=false. That is strange, because your configuration then says management.security.enabled=false while in reality the endpoints are secured...


Conclusion

  1. Is there a way to properly override (just a part of) the Actuators' security?
  2. Or am I missing something and totally wrong?
Kakawait asked Nov 04 '15 14:11 (630 likes)


1 Answer

There is already a pending issue on GitHub. For the moment Dave Syer proposes:

I think copy-paste of all the code in there is actually the best solution for now (and set management.security.enabled=false to let Boot know you want to do it yourself).

I have not tested whether a runtime exception will be thrown, but I think that you can reuse ManagementWebSecurityConfigurerAdapter and save a lot of copy-paste work. At least the compiler doesn't complain.

Put your configuration class under the package org.springframework.boot.actuate.autoconfigure in your project and extend ManagementWebSecurityAutoConfiguration.ManagementWebSecurityConfigurerAdapter. Don't forget all the annotations from ManagementWebSecurityConfigurerAdapter; that is the only copy-paste action here, because class annotations cannot be inherited by a subclass.

// Same package as Boot's auto-configuration: ManagementWebSecurityConfigurerAdapter
// is protected, so it can only be subclassed from here.
package org.springframework.boot.actuate.autoconfigure;

import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;

// The three annotations below are copied from the parent class: Java does not
// inherit class-level annotations, so the subclass must declare them itself.
@Configuration
// Active unless management.security.enabled=false is set explicitly
@ConditionalOnProperty(prefix = "management.security", name = "enabled", matchIfMissing = true)
// Same filter-chain order as Boot's own management security
@Order(ManagementServerProperties.BASIC_AUTH_ORDER)
public class SsoManagementWebSecurityConfigurerAdapter extends ManagementWebSecurityAutoConfiguration.ManagementWebSecurityConfigurerAdapter {

    //TODO your SSO configuration (override configure(HttpSecurity) and call super.configure(http))

}

Don't forget to @Import your configuration in your @SpringBootApplication.

ksokol answered Oct 14 '22 06:10 (152 likes)
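The question's own alternative, resolving the Actuator endpoints from EndpointHandlerMapping and handling the empty management.context-path case, without placing a class in Spring Boot's package. This is an added example, not code from the question, the answer or Spring Boot; it assumes Spring Boot 1.3-era Actuator classes on the same port as the application, management.security.enabled=false (so Boot's own management chain backs off, as the answer advises), a hypothetical package com.example.actuatorsecurity, and the role name ADMINISTRATOR from the question. The CAS filter wiring is left as a marked hook because it depends on the reader's SSO setup.

```java
package com.example.actuatorsecurity; // hypothetical package; anything under your component scan works

import java.util.ArrayList;
import java.util.List;

import javax.servlet.http.HttpServletRequest;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.actuate.autoconfigure.ManagementServerProperties;
import org.springframework.boot.actuate.endpoint.mvc.EndpointHandlerMapping;
import org.springframework.boot.actuate.endpoint.mvc.MvcEndpoint;
import org.springframework.context.ApplicationContext;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.OrRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;

/**
 * Dedicated filter chain for the Actuator endpoints. Requires management.security.enabled=false.
 * ACCESS_OVERRIDE_ORDER sorts before Boot's auto-configured chains, but an application adapter
 * left at the default @Order(100) still sorts first: the first chain whose matcher accepts the
 * request wins, so give a catch-all application adapter a higher value than this one.
 */
@Configuration
@Order(ManagementServerProperties.ACCESS_OVERRIDE_ORDER)
public class ActuatorSecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Autowired
    private ApplicationContext applicationContext;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // Only requests for Actuator endpoints enter this chain; everything else falls through.
            .requestMatcher(new ActuatorRequestMatcher(this.applicationContext))
            .authorizeRequests()
                .anyRequest().hasRole("ADMINISTRATOR") // role name taken from the question (assumed)
                .and()
            // Management calls come from tools, not browser forms: no CSRF token to present.
            .csrf().disable();
        // Hook for the custom authentication (CAS SSO in the question): register the CAS
        // filter and entry point on `http` here; omitted because it depends on your setup.
    }

    /**
     * Matches every Actuator endpoint URL whatever management.context-path is set to. The
     * endpoint list is looked up on the first request instead of at construction time, so
     * building the security chain does not force early initialisation of Spring MVC.
     */
    static class ActuatorRequestMatcher implements RequestMatcher {
        private final ApplicationContext context;
        private volatile RequestMatcher delegate;

        ActuatorRequestMatcher(ApplicationContext context) {
            this.context = context;
        }

        @Override
        public boolean matches(HttpServletRequest request) {
            RequestMatcher matcher = this.delegate;
            if (matcher == null) {
                matcher = createDelegate();
                this.delegate = matcher;
            }
            return matcher.matches(request);
        }

        private RequestMatcher createDelegate() {
            String contextPath = this.context.getBean(ManagementServerProperties.class).getContextPath();
            if (contextPath != null && !contextPath.isEmpty()) {
                // Non-empty management.context-path: one pattern covers every endpoint.
                return new AntPathRequestMatcher(contextPath + "/**");
            }
            // Empty context path (the case the question asks about): "/**" would capture the
            // whole application, so enumerate the registered endpoints instead
            // (/health, /health/**, /metrics, /metrics/**, ...).
            EndpointHandlerMapping mapping = this.context.getBean(EndpointHandlerMapping.class);
            List<RequestMatcher> matchers = new ArrayList<RequestMatcher>();
            for (MvcEndpoint endpoint : mapping.getEndpoints()) {
                String path = endpoint.getPath();
                if (path == null || !path.startsWith("/")) {
                    continue; // endpoint without a servlet path: nothing to protect
                }
                matchers.add(new AntPathRequestMatcher(mapping.getPrefix() + path));
                matchers.add(new AntPathRequestMatcher(mapping.getPrefix() + path + "/**"));
            }
            if (matchers.isEmpty()) {
                return new RequestMatcher() { // no endpoints registered: match nothing
                    @Override
                    public boolean matches(HttpServletRequest request) {
                        return false;
                    }
                };
            }
            return new OrRequestMatcher(matchers);
        }
    }
}
```

Because the class lives in the application's own package it is picked up by component scanning, so no @Import is needed. Changing management.context-path later needs no code change: the matcher reads the property and the endpoint prefix at runtime. If the management endpoints are moved to a separate port, they run in a child context and this matcher no longer applies.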