I have a Spring Boot 2 project with client and server authentication, and I'm trying to expose only the /actuator/health
endpoint so it won't need any authentication.
My initial WebSecurityConfigurerAdapter
was:
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
...
private void configureWithSsl(@NotNull HttpSecurity http) throws Exception {
LOG.info("configuring access with ssl");
http
.csrf().disable()
.authorizeRequests()
.anyRequest().authenticated()
.and().x509()
.and().userDetailsService(userDetailsService());
}
...
}
and application.yaml
server:
port: 8443
ssl:
enabled: true
key-store: 'paht/to/kestore/keystore.jks'
key-store-password: 123456
key-store-type: JKS
client-auth: need
trust-store: 'paht/to/truststore/truststore.jks'
trust-store-type: JKS
trust-store-password: 123456
protocol: TLS
enabled-protocols: TLSv1.2
I've tried: 1. Configuring 'channel' as insecure for the endpoint
private void configureWithSsl(HttpSecurity http) throws Exception {
http
.csrf().disable()
.requiresChannel().requestMatchers(EndpointRequest.to("health")).requiresInsecure()
.and()
.authorizeRequests()
.anyRequest().authenticated()
.and().x509()
.and().userDetailsService(userDetailsService());
}
private void configureWithSsl(HttpSecurity http) throws Exception {
http
.csrf().disable()
.authorizeRequests()
.requestMatchers(EndpointRequest.to("health")).permitAll()
.anyRequest().authenticated()
.and().x509()
.and().userDetailsService(userDetailsService());
}
@Override
public void configure(WebSecurity web) throws Exception {
web.ignoring().requestMatchers(EndpointRequest.to("health"));
}
I've tried all these combinations, and still I get
curl -k https://localhost:8443/actuator/health
curl: (35) error:1401E412:SSL routines:CONNECT_CR_FINISHED:sslv3 alert bad certificate
curl http://localhost:8443/actuator/health
Bad Request
This combination of host and port requires TLS.
I want just the health endpoint to be not secured, the rest of the actuator endpoints I do need secured, so configuring management.server.ssl.enabled=false
won't solve the problem...
EDIT:
As per @Aritra Paul answer, I've also tried:
http
.csrf().disable()
.authorizeRequests()
.antMatchers( "/actuator/health/**").permitAll()
.antMatchers( "/**").authenticated()
.and().x509()
.and().userDetailsService(userDetailsService());
But I still get the same result.
I had a very similar case where we added X.509
authentication to our endpoints but wanted to keep the Spring actuator endpoints authentication-free.
With Spring 2.2.3 it is possible to configure your server
with ssl as you have done, but disable ssl in your management
config (which is used to configure the actuator endpoints) like this:
management:
server:
port: 8080
ssl:
enabled: false
This simple combination allowed us to hit the actuator endpoints with no auth on port 8080, while we hit the other endpoints with ssl on port 8443.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With