Unable to secure Spring boot management actuator endpoints

Question

I am trying to secure the Spring Boot actuactor endpoints. I have working security on my /api REST interface, but trying to add security on the built-in endpoints does not seem to work.

I have set up grouping of the endpoints in my application.properties:

management.context-path=/management

I have this in my Java Config

@Override
protected void configure( HttpSecurity http ) throws Exception
{
    http.csrf().disable();
    http.sessionManagement().sessionCreationPolicy( SessionCreationPolicy.STATELESS );

    http.authorizeRequests()
        .antMatchers( "/api/**" ).hasRole( "READONLY" )
        .antMatchers( "/management/**" ).hasRole( "ADMIN" );


    SecurityConfigurer<DefaultSecurityFilterChain, HttpSecurity> securityConfigurer = new XAuthTokenConfigurer( userDetailsServiceBean() );
    http.apply( securityConfigurer );
}

When I use my browser to go to anything below /api, I get a 403 back as expected. When going to /management/info for example, I see the JSON being returned where I would also expect a 403.

I also tried adding this to my application.properties file:

management.security.role=ADMIN

But that did not help either.

The DEBUG output shows:

2014-05-02 10:15:30 DEBUG [localhost-startStop-1] ExpressionBasedFilterInvocationSecurityMetadataSource - 
Adding web access control expression 'hasRole('ROLE_READONLY')', for Ant [pattern='/api/**']

2014-05-02 10:15:30 DEBUG [localhost-startStop-1] ExpressionBasedFilterInvocationSecurityMetadataSource - 
Adding web access control expression 'hasRole('ROLE_ADMIN')', for Ant [pattern='/management/**']

And then why I try the HTTP GET:

2014-05-02 10:16:39 DEBUG [http-nio-8443-exec-4] AntPathRequestMatcher - Checking match of request : '/management/info'; against '/css/**'
2014-05-02 10:16:39 DEBUG [http-nio-8443-exec-4] AntPathRequestMatcher - Checking match of request : '/management/info'; against '/js/**'
2014-05-02 10:16:39 DEBUG [http-nio-8443-exec-4] AntPathRequestMatcher - Checking match of request : '/management/info'; against '/images/**'
2014-05-02 10:16:39 DEBUG [http-nio-8443-exec-4] AntPathRequestMatcher - Checking match of request : '/management/info'; against '/**/favicon.ico'
2014-05-02 10:16:39 DEBUG [http-nio-8443-exec-4] AntPathRequestMatcher - Checking match of request : '/management/info'; against '/management/info'
2014-05-02 10:16:39 DEBUG [http-nio-8443-exec-4] FilterChainProxy - /management/info has an empty filter list

Answer 1

The log that tells the story is: "/management/info has an empty filter list" because it is explicitly marked as ignored (/info is always supposed to be available). Try one of the other actuator endpoints and see if those behave as you expect. If you really need to secure the info endpoint you can set endpoints.info.sensitive=true (I think).