How do I make use of Spring Security for securing the actuator endpoints but not interfere with any of the other application URLs? The security mechanism in our application is handled by a different framework, so I would like to disable Spring Security by default and only enable it for /actuator/ endpoints.
To achieve this, I've added the following to the initialization class.
@SpringBootApplication(exclude = { SecurityAutoConfiguration.class })
With that, the Spring Security default configuration is disabled. After this, what changes do I need to make to configure security for the actuator endpoints?
You can enable or disable an actuator endpoint by setting the property management.endpoint.<id>.enabled to true or false (where <id> is the identifier for the endpoint).
When we add the Spring Actuator dependencies to our Spring Boot project, it automatically enables the actuator endpoints. Add the dependencies below to your Spring application to enable the Spring Boot actuator endpoints. Now when you run the application, you will see the actuator endpoints being mapped in the logs.
To create a custom actuator endpoint, use the @Endpoint annotation on a class. Then use the @ReadOperation / @WriteOperation / @DeleteOperation annotations on its methods to expose them as an actuator endpoint bean as needed.
You can use the code and configuration below.
application.properties
spring.security.user.name=user
spring.security.user.password=password
spring.security.user.roles=ENDPOINT_ADMIN
Securing Actuator endpoints
import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

/**
 * @author dpoddar
 *
 */
@Configuration
@EnableWebSecurity
public class ActuatorSecurity extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .csrf().disable()
            .authorizeRequests()
                // health, flyway and info stay open to anonymous callers
                .requestMatchers(EndpointRequest.to("health", "flyway", "info")).permitAll()
                // every other actuator endpoint requires the ENDPOINT_ADMIN role
                .requestMatchers(EndpointRequest.toAnyEndpoint()).hasRole("ENDPOINT_ADMIN")
            .and()
            // credentials come from spring.security.user.* in application.properties
            .httpBasic();
    }
}
There isn't a separate context for the actuator anymore.
The assumption is that, as long as the non-actuator endpoints need no security restrictions, the following configuration would work.
import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
public class WebSecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                // any actuator endpoint requires an authenticated user
                .requestMatchers(EndpointRequest.toAnyEndpoint()).authenticated()
                // everything else is left open
                .anyRequest().permitAll()
            .and().formLogin();
    }
}
The EndpointRequest handles matching any Actuator endpoint, giving a form login for the sake of testing. Note that even /info and /health are secured. The EndpointRequest has more options for granularity; additionally, in Spring Boot 2 only info and health are enabled by default.
Or you could just secure the paths behind whatever security mechanism you are using for your other APIs.
I pushed an example app here,
https://github.com/DarrenForsythe/secure-spring-actuator-only
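Both answers above put the whole application through a Spring Security filter chain and then permit everything that is not an actuator path; the following added example (not code from the question, the answers, or the linked repository) instead scopes the filter chain itself to the actuator endpoints, so non-actuator URLs never enter Spring Security at all and stay with the other framework the question mentions. It assumes Spring Boot 2.x with WebSecurityConfigurerAdapter, SecurityAutoConfiguration excluded as in the question, and the in-memory user with role ENDPOINT_ADMIN from the application.properties shown above.

```java
import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;

/**
 * Added example: a filter chain scoped to the actuator endpoints only.
 * Requests that do not match EndpointRequest.toAnyEndpoint() never enter
 * this chain, so the rest of the application is untouched by Spring Security.
 * Assumes the in-memory user from application.properties
 * (spring.security.user.roles=ENDPOINT_ADMIN).
 */
@Configuration
@EnableWebSecurity
@Order(Ordered.HIGHEST_PRECEDENCE) // consult this chain before any other
public class ActuatorOnlySecurity extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // Restrict the entire chain to the actuator base path
            // (management.endpoints.web.base-path, /actuator by default).
            .requestMatcher(EndpointRequest.toAnyEndpoint())
            .authorizeRequests()
                // Probes used by load balancers / orchestrators stay anonymous.
                .requestMatchers(EndpointRequest.to("health", "info")).permitAll()
                // Every other actuator endpoint (env, loggers, heapdump, ...)
                // requires the admin role; anyRequest() here only covers
                // requests already matched by the chain above.
                .anyRequest().hasRole("ENDPOINT_ADMIN")
            .and()
            // HTTP Basic for tooling and operators.
            .httpBasic()
            .and()
            // No HTTP session for actuator calls: each request carries credentials.
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
            .and()
            // Affects only this actuator-scoped chain, not the rest of the app.
            .csrf().disable();
    }
}
```

With this in place an unauthenticated GET /actuator/env gets a 401 from this chain, while a request to any non-actuator path is handled without Spring Security being involved.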