The Spring Boot Actuator Endpoints are by default protected by basic http security.
Can this be changed to use Spring Security?
I've setup Spring Security successfully and use this to protect my other pages.
I tried security.basic.enabled: false
and adding .antMatchers("/manage/**").hasRole("ADMIN")
in my authorize requests (note I'm using a different url as root for the endpoints) but this didn't help.
I keep getting a basic http auth log, which does not users configured in the AuthenticationManager.
Any idea?
EDIT - providing more details -
My Application.java looks like:
@Configuration
@ComponentScan
@EnableAutoConfiguration
public class Application extends WebMvcConfigurerAdapter {
public static void main(String[] args) {
SpringApplication.run(Application.class, args);
}
@Override
public void addViewControllers(ViewControllerRegistry registry) {
registry.addViewController("/app").setViewName("app/index");
registry.addViewController("/app/login").setViewName("app/login");
}
@Bean
public ApplicationSecurity applicationSecurity() {
return new ApplicationSecurity();
}
@Order(Ordered.LOWEST_PRECEDENCE - 8)
protected static class ApplicationSecurity extends WebSecurityConfigurerAdapter {
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
// @formatter:off
auth.inMemoryAuthentication()
.withUser("test1")
.password("test1pw")
.roles("USER", "ADMIN")
.and()
.withUser("test2")
.password("test2pw")
.roles("USER");
// @formatter:on
}
@Override
protected void configure(HttpSecurity http) throws Exception {
// @formatter:off
http
.csrf()
.disable()
.authorizeRequests()
.antMatchers("/app/login").permitAll()
.antMatchers("/app/**").hasRole("USER")
.antMatchers("/manage/**").hasRole("ADMIN")
.and()
.formLogin()
.loginPage("/app/login")
.failureUrl("/app/login?error")
.defaultSuccessUrl("/app")
.permitAll()
.and()
.logout()
.logoutUrl("/app/logout")
.logoutSuccessUrl("/app/login?logout");
// @formatter:on
}
@Override
public void configure(WebSecurity web) throws Exception {
// @formatter:off
web
.ignoring()
.antMatchers("/assets/**");
// @formatter:on
}
}
}
In my application.yml
I also have:
management:
context-path: /management
Note that is setup is the same as you the guide you mentioned.
Now what I would expect - or like to configure - is that the /manage endpoints like health, mappings etc would be protected with users from the customized AuthenticationManager.
I also tried to add management.security.enabled=false
and this indeed switches off authentication for e.g. /manage/mappings.
The problematic thing however is that I explicitly told Spring Security to protect these urls's via:
@Override
protected void configure(HttpSecurity http) throws Exception {
// @formatter:off
http
.authorizeRequests()
.antMatchers("/app/login").permitAll()
.antMatchers("/app/**").hasRole("USER")
.antMatchers("/manage/**").hasRole("ADMIN")
but this does not work. Note other authorize matchers do work.
I wonder if has something to do within timing/order. I copied @Order(Ordered.LOWEST_PRECEDENCE - 8)
from the sample but I don't know why - 8 is used.
To delve a little bit deeper I've also run the sample (https://github.com/spring-projects/spring-boot/blob/master/spring-boot-samples/spring-boot-sample-web-method-security) myself and I see the same behaviour in the sample application.
The management security is seems completely independent of the user
and admin
users configured in the sample's in memory authentication.