SpringBoot 2 Actuator with Spring Security

How do I make use of Spring Security for securing the actuator endpoints but not interfere with any of the other application URLs? The security mechanism in our application is handled by a different framework, so I would like to disable Spring Security by default and only enable it for /actuator/ endpoints.

To achieve this, I've added the following to the initialization class.

@SpringBootApplication(exclude = { SecurityAutoConfiguration.class })

With that, the Spring Security default configuration is disabled. After this, what changes do I need to make to configure security for actuator endpoints?

RKodakandla asked Nov 13 '18 20:11




2 Answers

You can use the code and configuration below.

application.properties

spring.security.user.name=user
spring.security.user.password=password
spring.security.user.roles=ENDPOINT_ADMIN

Securing Actuator endpoints

import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

/**
 * @author dpoddar
 *
 */
@Configuration
@EnableWebSecurity
public class ActuatorSecurity extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // HTTP Basic clients send credentials on every request, so CSRF tokens add nothing here
            .csrf().disable()
            .authorizeRequests()
                // health, flyway and info stay anonymous
                .requestMatchers(EndpointRequest.to("health", "flyway", "info")).permitAll()
                // every other actuator endpoint needs ROLE_ENDPOINT_ADMIN (the role given in application.properties)
                .requestMatchers(EndpointRequest.toAnyEndpoint()).hasRole("ENDPOINT_ADMIN")
            .and()
            .httpBasic();
    }

}
Debopam answered Oct 18 '22 22:10
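A check a practitioner would want before trusting this configuration is a test that pins down all three behaviours: health and info are anonymous, a sensitive endpoint demands Basic credentials (a 401 challenge, not a redirect), and a non-actuator URL is not intercepted. The following JUnit 5 test is an added example, not part of the answer above or of the project it describes. It assumes the ActuatorSecurity class and application.properties from this answer are on the classpath under a @SpringBootApplication class, Spring Boot 2.2 or later with spring-boot-starter-test and spring-security-test, that the env endpoint is exposed over HTTP (set via the standard management.endpoints.web.exposure.include property), and that /api/orders is a hypothetical path with no controller behind it.

```java
import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.httpBasic;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.header;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.test.web.servlet.MockMvc;

@SpringBootTest(properties = {
    // Expose a sensitive endpoint so there is something worth protecting (assumption: env is wanted).
    "management.endpoints.web.exposure.include=health,info,env",
    // Same credentials and role as the answer's application.properties.
    "spring.security.user.name=user",
    "spring.security.user.password=password",
    "spring.security.user.roles=ENDPOINT_ADMIN"
})
@AutoConfigureMockMvc
class ActuatorSecurityTests {

    @Autowired
    private MockMvc mvc;

    @Test
    void healthAndInfoAreAnonymous() throws Exception {
        mvc.perform(get("/actuator/health")).andExpect(status().isOk());
        mvc.perform(get("/actuator/info")).andExpect(status().isOk());
    }

    @Test
    void envRequiresBasicCredentials() throws Exception {
        // No credentials: the Basic entry point must answer 401 with a challenge header,
        // never a 302 to a login page (which would mean form login crept in).
        mvc.perform(get("/actuator/env"))
            .andExpect(status().isUnauthorized())
            .andExpect(header().exists("WWW-Authenticate"));

        // Wrong password is rejected the same way.
        mvc.perform(get("/actuator/env").with(httpBasic("user", "wrong")))
            .andExpect(status().isUnauthorized());

        // Correct credentials with ROLE_ENDPOINT_ADMIN get through.
        mvc.perform(get("/actuator/env").with(httpBasic("user", "password")))
            .andExpect(status().isOk());
    }

    @Test
    void applicationUrlsAreNotIntercepted() throws Exception {
        // /api/orders (hypothetical) has no controller: a 404 from MVC, rather than 401 or 403
        // from Spring Security, shows the filter chain let the request through untouched.
        mvc.perform(get("/api/orders")).andExpect(status().isNotFound());
    }
}
```

The last test is the one that guards the question's real requirement: if someone later adds an anyRequest().authenticated() rule, it turns into a 401 and fails.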


There isn't a separate context for the actuator anymore.

The assumption is that, as long as the non-actuator endpoints need no security restrictions, the following configuration would work.

import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
// If SecurityAutoConfiguration is excluded as in the question, @EnableWebSecurity must be added here as well.
public class WebSecurityConfiguration extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                // every actuator endpoint, /health and /info included, needs an authenticated user
                .requestMatchers(EndpointRequest.toAnyEndpoint()).authenticated()
                // all other application URLs pass through untouched
                .anyRequest().permitAll()
                .and().formLogin();
    }
}

The EndpointRequest handles matching any Actuator endpoint, giving a form login for the sake of testing. Note that even /info and /health are secured. The EndpointRequest has more options for granularity; additionally, in Spring Boot 2 only info and health are enabled by default.

Or you could just secure the paths behind whatever security mechanism you are using for your other APIs.

I pushed an example app here:

https://github.com/DarrenForsythe/secure-spring-actuator-only

Darren Forsythe answered Oct 18 '22 20:10
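Both answers keep Spring Security's filter chain in front of every URL and rely on the absence of a rule (or on anyRequest().permitAll()) to let application traffic through. The variant below, an added example that is not part of either answer or of the linked repository, instead scopes the chain itself to actuator URLs with HttpSecurity.requestMatcher, so non-actuator requests never enter Spring Security at all and the application's own framework is genuinely left alone. It also replaces the plaintext password property with a BCrypt-hashed in-memory user read from an environment variable. Assumptions: Spring Boot 2.x with WebSecurityConfigurerAdapter (deprecated from Spring Security 5.7 and removed in 6, where a SecurityFilterChain bean replaces it), the environment variable name ACTUATOR_PASSWORD, the user name ops and the role name ACTUATOR are all chosen here.

```java
import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest;
import org.springframework.boot.actuate.health.HealthEndpoint;
import org.springframework.boot.actuate.info.InfoEndpoint;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;

@Configuration
@EnableWebSecurity   // needed explicitly because SecurityAutoConfiguration is excluded in the question
public class ActuatorOnlySecurity extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // Restrict this whole filter chain to actuator URLs. Any other request never enters
            // Spring Security, so the application's own framework keeps handling it and no
            // anyRequest().permitAll() escape hatch is needed.
            .requestMatcher(EndpointRequest.toAnyEndpoint())
            .authorizeRequests()
                // Probes and build info stay anonymous; matching by endpoint class rather than
                // by id string means a renamed id cannot silently open the wrong endpoint.
                .requestMatchers(EndpointRequest.to(HealthEndpoint.class, InfoEndpoint.class)).permitAll()
                // Everything else under the actuator base path needs ROLE_ACTUATOR (name chosen here).
                .anyRequest().hasRole("ACTUATOR")
            .and()
            // Monitoring clients send credentials on every request: stateless Basic auth, no
            // session cookie and no form login, so there is nothing for CSRF protection to guard.
            .httpBasic()
            .and()
            .csrf().disable()
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
    }

    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    // A single operator account. The secret comes from the environment instead of
    // application.properties, so it is never committed next to the code.
    @Bean
    public UserDetailsService actuatorUsers(PasswordEncoder encoder) {
        String password = System.getenv("ACTUATOR_PASSWORD"); // hypothetical variable name
        if (password == null || password.isEmpty()) {
            // Refuse to start rather than fall back to an empty or default password.
            throw new IllegalStateException("ACTUATOR_PASSWORD must be set");
        }
        return new InMemoryUserDetailsManager(
            User.withUsername("ops")
                .password(encoder.encode(password))
                .roles("ACTUATOR")
                .build());
    }
}
```

Because the chain is scoped with requestMatcher, a request to an application URL is not merely permitted, it is never seen by these filters; the only behavioural difference from the answers above is therefore that Spring Security's own defaults (security headers, session fixation handling) also stop applying to non-actuator URLs, which is exactly what the question asks for when another framework owns them.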