
SpringBoot 2 Actuator with Spring Security


How do I make use of Spring Security for securing the actuator endpoints without interfering with any of the other application URLs? The security mechanism in our application is handled by a different framework, so I would like to disable Spring Security by default and only enable it for the /actuator/ endpoints.

To achieve this, I've added the following to the initialization class.

@SpringBootApplication(exclude = { SecurityAutoConfiguration.class })

With that, the Spring Security default configuration is disabled. After this, what changes do I need to make to configure security for the actuator endpoints?


Solution

  • You can use the code and configuration below.

    application.properties

    spring.security.user.name=user
    spring.security.user.password=password
    spring.security.user.roles=ENDPOINT_ADMIN
    

    Securing Actuator endpoints

    import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
    
    /**
     * @author dpoddar
     *
     */
    @Configuration
    @EnableWebSecurity
    public class ActuatorSecurity extends WebSecurityConfigurerAdapter {
    
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .csrf().disable()
                .authorizeRequests()
                    .requestMatchers(EndpointRequest.to("health", "flyway", "info")).permitAll()
                    .requestMatchers(EndpointRequest.toAnyEndpoint()).hasRole("ENDPOINT_ADMIN")
                .and()
                .httpBasic();
        }
    
    }
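Added example, not code from the original answer: the same rules, but the filter chain itself is scoped with http.requestMatcher(EndpointRequest.toAnyEndpoint()), so non-actuator URLs never pass through Spring Security at all, which is what the question asks for. The class name, the "ops" user and the {noop} password are constructed placeholders; the in-memory user replaces the spring.security.user.* properties so the class does not depend on auto-configuration that the question excludes.

```java
import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class ActuatorOnlySecurity extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // Restrict this entire filter chain to /actuator/**. Any other URL
            // never enters Spring Security and stays with the application's own
            // security framework.
            .requestMatcher(EndpointRequest.toAnyEndpoint())
            .authorizeRequests()
                // Unauthenticated liveness and info probes, as in the answer above.
                .requestMatchers(EndpointRequest.to("health", "info")).permitAll()
                // Everything else under /actuator/** requires ROLE_ENDPOINT_ADMIN.
                .anyRequest().hasRole("ENDPOINT_ADMIN")
            .and()
            .httpBasic()
            .and()
            // Actuator is called by tooling with basic auth, not by browser forms,
            // so a CSRF token adds nothing on this chain.
            .csrf().disable();
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        // Constructed placeholder credentials. Spring Security 5's default
        // DelegatingPasswordEncoder treats the {noop} prefix as plain text; a
        // deployment would use an encoded password loaded from its secret store.
        auth.inMemoryAuthentication()
            .withUser("ops")
            .password("{noop}CHANGE_ME")
            .roles("ENDPOINT_ADMIN");
    }
}
```

With this chain in place, a request to /actuator/env without credentials gets 401 from httpBasic(), while a request to any non-actuator path is untouched by Spring Security.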