Spring boot 2 enabling a non-secure /health endpoint

Question

I have a Spring Boot 2 project with client and server authentication, and I'm trying to expose only the /actuator/health endpoint so it won't need any authentication.

My initial WebSecurityConfigurerAdapter was:

@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
...
    private void configureWithSsl(@NotNull HttpSecurity http) throws Exception {
        LOG.info("configuring access with ssl");
        http
                .csrf().disable()
                .authorizeRequests()
                .anyRequest().authenticated()
                .and().x509()
                .and().userDetailsService(userDetailsService());
    }
...
}

and application.yaml

server:
  port: 8443
  ssl:
    enabled: true
    key-store: 'paht/to/kestore/keystore.jks'
    key-store-password: 123456
    key-store-type: JKS
    client-auth: need
    trust-store: 'paht/to/truststore/truststore.jks'
    trust-store-type: JKS
    trust-store-password: 123456
    protocol: TLS
    enabled-protocols: TLSv1.2

I've tried: 1. Configuring 'channel' as insecure for the endpoint

    private void configureWithSsl(HttpSecurity http) throws Exception {
        http
                .csrf().disable()
                .requiresChannel().requestMatchers(EndpointRequest.to("health")).requiresInsecure()
                .and()
                .authorizeRequests()
                .anyRequest().authenticated()
                .and().x509()
                .and().userDetailsService(userDetailsService());
    }

1. add matchers to the endpoint:

    private void configureWithSsl(HttpSecurity http) throws Exception {
        http
                .csrf().disable()
                .authorizeRequests()
                .requestMatchers(EndpointRequest.to("health")).permitAll()
                .anyRequest().authenticated()
                .and().x509()
                .and().userDetailsService(userDetailsService());
    }

1. Add ignore to the endpoint:

@Override
public void configure(WebSecurity web) throws Exception {
    web.ignoring().requestMatchers(EndpointRequest.to("health"));
}

I've tried all these combinations, and still I get

curl -k  https://localhost:8443/actuator/health
curl: (35) error:1401E412:SSL routines:CONNECT_CR_FINISHED:sslv3 alert bad certificate

curl http://localhost:8443/actuator/health
Bad Request
This combination of host and port requires TLS.

I want just the health endpoint to be not secured, the rest of the actuator endpoints I do need secured, so configuring management.server.ssl.enabled=false won't solve the problem...

EDIT:

As per @Aritra Paul answer, I've also tried:

http
        .csrf().disable()
        .authorizeRequests()
        .antMatchers( "/actuator/health/**").permitAll()
        .antMatchers( "/**").authenticated()
        .and().x509()
        .and().userDetailsService(userDetailsService());

But I still get the same result.

Answer 1

I had a very similar case where we added X.509 authentication to our endpoints but wanted to keep the Spring actuator endpoints authentication-free.

With Spring 2.2.3 it is possible to configure your server with ssl as you have done, but disable ssl in your management config (which is used to configure the actuator endpoints) like this:

management:
  server:
    port: 8080
    ssl:
      enabled: false

This simple combination allowed us to hit the actuator endpoints with no auth on port 8080, while we hit the other endpoints with ssl on port 8443.