Spring Boot actuator health endpoint not accessible after upgrading to Boot 1.2

I'm having trouble upgrading Spring Boot from 1.1.12 to 1.2.5 but have the same issue in all versions of 1.2.x. The /health endpoint provided by Actuator is now returning 401 Unauthorized to an integration test that used to work. No code has changed while upgrading the dependency.

Here's the test case:

public void testNoUserForStatusEndpoint() throws Exception {
    HttpEntity<String> entity = new HttpEntity<>(null, headers);
    ResponseEntity<String> response = template
            .exchange(base + "/health", HttpMethod.GET, entity, String.class);
    assertEquals(HttpStatus.OK, response.getStatusCode());
    assertEquals("{\"status\":\"UP\"}", response.getBody());
}

I expect to see the basic "UP" status but no further details as the user is anonymous and not authenticated.

Setting in causes the endpoint to return the complete health information. This is not desirable.

Setting does nothing.

The security configuration has not changed. It is based on Apache termination and a certificate whitelist, which also hasn't changed.

public void configure(HttpSecurity http) throws Exception {
    http.addFilterBefore(new CustomAuthenticationFilter(authenticationManager(), Environment.getUserWhitelist()), BasicAuthenticationFilter.class);
}

How can I make the test pass?


Originally the only relevant setting in that was defined is

Adding,DOWN,OUT_OF_SERVICE,UNKNOWN to makes no difference.

Using all three properties results in a 401 (doesn't work):,DOWN,OUT_OF_SERVICE,UNKNOWN

The main class is just a stripped down Spring Boot application launcher:

public class Application {
    public static void main(String[] args) {, args);

I have tried adding http.authorizeRequests().antMatchers("/health**").permitAll(); to the first line of the security configuration method detailed above. It did not make a difference.

According to Spring Boot issue 2120, the property is ignored when using custom security. I found no mention of this in the documentation.


  • I have found a solution.

    Adding @Order(SecurityProperties.ACCESS_OVERRIDE_ORDER) to my custom authentication filter (referred to as CustomAuthenticationFilter in the question) changes the semantics of defining a security filter bean.

    Without the annotation, Spring Boot assumes I want to override all the filters and just use my custom filter in isolation.

    With the annotation, Spring Boot adds my filter to the list of predefined filters. This allows the /health endpoint to work again.

    See Spring Boot issue 2120 on GitHub for details.