I am trying to configure my application to always expose actuator endpoints and, if config is set to say security is required, then apply it to my endpoints for websocket connectivity.
As it stands, I was under the impression that ant matchers matched in order - meaning that
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests().antMatchers("/health", "/actuator", "actuator/health").permitAll();
        if (authenticationRequired) {
            http.authorizeRequests().antMatchers("/**").authenticated().and().httpBasic();
        }
    }
the above code should permit the actuator endpoints ALWAYS.
It seems, however, that this is not the case. Please can someone help describe what is wrong with my approach here.
/health and /actuator to me should be governed by permitAll()
I fixed this using the following matchers:
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests().antMatchers("/health", "/actuator/**").permitAll();
        if (authenticationRequired) {
            http.authorizeRequests().antMatchers("/**").authenticated().and().httpBasic();
        }
    }
I was missing a leading /
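
To see which rule governs each path under the two matcher lists above, here is an added example (not part of the original post) that replays them in declaration order with Spring's `org.springframework.util.AntPathMatcher`, first match wins, for the `authenticationRequired == true` case. It assumes spring-core on the classpath and Java 9+; the class `MatcherOrderDemo`, its helpers `decide` and `rules`, and the sample path `/ws/connect` are hypothetical, and calling `AntPathMatcher` directly only approximates how Spring Security applies the patterns to the request path.

```java
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import org.springframework.util.AntPathMatcher;

public class MatcherOrderDemo {
    private static final AntPathMatcher ANT = new AntPathMatcher();

    // Rules are checked in declaration order; the first matching pattern decides.
    static String decide(Map<String, String> rules, String path) {
        for (Map.Entry<String, String> rule : rules.entrySet()) {
            if (ANT.match(rule.getKey(), path)) {
                return rule.getValue() + " (via " + rule.getKey() + ")";
            }
        }
        return "no rule matched";
    }

    // Builds the ordered rule list: permitAll patterns first, then the catch-all.
    static Map<String, String> rules(List<String> open) {
        Map<String, String> ordered = new LinkedHashMap<>();
        for (String pattern : open) {
            ordered.put(pattern, "permitAll");
        }
        ordered.put("/**", "authenticated"); // authenticationRequired == true
        return ordered;
    }

    public static void main(String[] args) {
        // Matcher list from the question (third pattern lacks the leading slash).
        Map<String, String> before = rules(List.of("/health", "/actuator", "actuator/health"));
        // Matcher list from the fix.
        Map<String, String> after = rules(List.of("/health", "/actuator/**"));

        // Constructed sample request paths.
        List<String> paths = List.of("/health", "/actuator", "/actuator/health",
                "/actuator/info", "/ws/connect");
        for (String path : paths) {
            System.out.printf("%-18s before: %-34s after: %s%n",
                    path, decide(before, path), decide(after, path));
        }
    }
}
```

A pattern without a leading `/` never matches a path that starts with `/`, and `/actuator` matches only that exact path, so with the first list the actuator sub-paths fall through to the `/**` rule.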