Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

WhyI am Getting 403 Forbidden error for actuator /refresh endpoint on Spring Boot 2 on Cloud Foundry{using Cloud Config Server service}

Within my project, I have the following bootstrap.properties file:

spring.application.name=vault-demo
management.endpoints.web.exposure.include=*

Additionally to that, I defined the following dependency:

<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-actuator</artifactId>
</dependency>

The config server is able to access the property but when I update that property in GitHub and POST to /refresh I get a 403: Forbidden. Do I need to make any change in my application or bootstrap.properties?

like image 893
Shivi Sharma Avatar asked Sep 12 '18 15:09

Shivi Sharma


People also ask

How does Spring Security handle 403 Forbidden error?

Simply disabling CSRF on your configure method with http. csrf(). disable(); is all that needed to be done for my put requests to stop receiving 403. Save this answer.

How do you turn on actuator endpoints in spring boot?

To enable Spring Boot actuator endpoints to your Spring Boot application, we need to add the Spring Boot Starter actuator dependency in our build configuration file. Maven users can add the below dependency in your pom. xml file. Gradle users can add the below dependency in your build.

How do you turn off actuator endpoint security in spring boot?

You can enable or disable an actuator endpoint by setting the property management. endpoint. <id>. enabled to true or false (where id is the identifier for the endpoint).

Which endpoint is disabled by default in spring boot actuator?

In order to access the actuator endpoints using HTTP, we need to both enable and expose them. By default, all endpoints but /shutdown are enabled. Only the /health and /info endpoints are exposed by default.


1 Answers

I got the solution, I needed to add a security configuration, for example:

@Configuration
@EnableWebSecurity
public class SecurityConfiguration extends WebSecurityConfigurerAdapter{

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.csrf().disable();
    }
}

Additionally, I had to add the following dependency:

<dependency> 
    <groupId>org.springframework.security</groupId> 
    <artifactId>spring-security-rsa</artifactId> 
    <version>1.0.5.RELEASE</version> 
</dependency>

I found this solution within the following GitHub issue: https://github.com/spring-cloud/spring-cloud-config/issues/950

like image 131
Shivi Sharma Avatar answered Sep 19 '22 16:09

Shivi Sharma