This post is about adding spring security to spring boot actuators endpoints. We will be discusing about securing actuator endpoints by using properties file configurations as well as AuthenticationManagerBuilder. Apart from this we will also take a loook into how can we disable restrictions to certain endpoints that are by default restricted as per spring boot actuators.
By default, there are 2 actuator endpoints, /health and /info, which are non restrictive and by default all other endpoints are secured such that only users that have an ACTUATOR role have access to them. Of course, you can override this default behaviour. You can define your custom role that have access to sensitive endpoints. All the actuator endpoints are by default exposed to context path but this again can be overriden and we will be doing that right in this post. So let us start by defining the project structure first.
You can check in the pom file that we are not including
spring-boot-starter-security artifact now. Actually, to access restricted actuator endpoints with default role configuration, it is not required to have spring-boot-starter-security artifact. You can manage security with the properties configurations.
We will see how can we use this artifact to override actuator default behaviour later in this post.
spring-boot-starter-parent: provides useful Maven defaults. It also provides a dependency-management section so that you can omit version tags for existing dependencies.
spring-boot-starter-web: includes all the dependencies required to create a web app. This will avoid lining up different spring common project versions.
spring-boot-starter-tomcat: enable an embedded Apache Tomcat 7 instance, by default. We have overriden this by defining our version. This can be also marked as provided if you wish to deploy the war to any other standalone tomcat.
spring-boot-starter-actuator: Enables spring boot actuator features in spring boot.
@SpringBootApplication enables many defaults. It also enables @EnableWebMvc that activates web endpoints.Application.java
Now let us start our Application.java as a java application and check the actuator behaviour.
You should be able to access the actuator endpoint
/info at this moment at localhost:8080/health and localhost:8080/health. But once you try to access
/beans or any other restricted endpoints you should ideally get an error message as Unauthorized access as below. This is because restricted endpoints require user to have ACTUATOR role by default to have access.
Now let us define our security parameters via properties.
Let us make below entries in
application.properties to enable the managaement security and override the default role from ACTUATOR to ACTRADMIN to access the management endpoints. Also, we are configuring username/password for ACTRADMIN role as act/act.
Also, add following maven dependencies to pom.xml to use default login feature of spring boot during unauthorised access.
Now let us try accessing the restricted endpoints at localhost:8080/manage/beans Remember, we got unauthorised exception while accessing restricted endpoints before. This time, you will be prompted for username/password. Enter the username and password as configured in application.properties as act/act and you can see all the beans listed similar to below screenshot.
Now if you do not want to hard code these security configurations in properties file then you need to extend
WebSecurityConfigurerAdapter and provide your custom authentication mechanism. Here we will be using
inMemoryAuthentication to provide authentication. To configure in hibernate with DB authentication check Spring Boot Security Hibernate Example. We have management user/password as admin/admin this time.
Now, remove or comment the properties configuration
security.user.password defined in application.prperties and hit th url localhost:8080/manage/beans. Again, you will be prompted for user/password and enter admin/admin this time and again you can see the same result.
By default, endpoints /health and /info are non-restricted but once you have enabled the security, you will have still access to /health endpoint but you can only see the status. To have full access to /health endpoint without actuator admin role, you need to configure it as below in
Also, you can make other restricted endpoints public. For example following configuration will make /beans endpoint as public.
I hope this article served you that you were looking for. If you have anything that you want to add or share then please share it below in the comment section.
5. Spring Boot Mvc Example