Spring Boot actuator health endpoint not accessible after upgrading to Boot 1.2

Question

I'm having trouble upgrading Spring Boot from 1.1.12 to 1.2.5 but have the same issue in all versions of 1.2.x. The /health endpoint provided by Actuator is now returning 401 Unauthorized to an integration test that used to work. No code has changed while upgrading the dependency.

Here's the test case:

@Test
public void testNoUserForStatusEndpoint() throws Exception {
    HttpEntity<String> entity = new HttpEntity<>(null, headers);
    ResponseEntity<String> response = template
            .exchange(base + "/health", HttpMethod.GET, entity, String.class);
    assertEquals(HttpStatus.OK, response.getStatusCode());
    assertEquals("{\"status\":\"UP\"}", response.getBody());
}

I expect to see the basic "UP" status but no further details as the user is anonymous and not authenticated.

Setting management.security.enabled=false in application.properties causes the endpoint to return the complete health information. This is not desirable.

Setting endpoints.health.sensitive=false does nothing.

The security configuration has not changed. It is based on Apache termination and a certificate whitelist, which also hasn't changed.

@Override
public void configure(HttpSecurity http) throws Exception {
    http.csrf().disable();
    http.addFilterBefore(new CustomAuthenticationFilter(authenticationManager(), Environment.getUserWhitelist()), BasicAuthenticationFilter.class);
}

How can I make the test pass?

Updates:

Originally the only relevant setting in application.properties that was defined is endpoints.health.enabled=true.

Adding management.health.status.order=UP,DOWN,OUT_OF_SERVICE,UNKNOWN to application.properties makes no difference.

Using all three properties results in a 401 (doesn't work):

endpoints.health.enabled=true
endpoints.health.sensitive=false
management.health.status.order=UP,DOWN,OUT_OF_SERVICE,UNKNOWN

The main class is just a stripped down Spring Boot application launcher:

@Configuration
@EnableAutoConfiguration
@ComponentScan
public class Application {
    public static void main(String[] args) {
        SpringApplication.run(Application.class, args);
    }
}

I have tried adding http.authorizeRequests().antMatchers("/health**").permitAll(); to the first line of the security configuration method detailed above. It did not make a difference.

According to Spring Boot issue 2120, The endpoints.health.sensitive property is ignored when using custom security. I found no mention of this in the documentation.

Similar to [this question](http://stackoverflow.com/questions/32121635/how-to-re-enable-anonymous-access-to-spring-boot-health-endpoint) but the security details are different. — Ian Gilham, Sep 17 '15 at 11:27

score 4 · Answer 1 · answered Jun 25 '17 at 17:50

4

Or add management.security.enabled=false to the application.properties

answered Jun 25 '17 at 17:50

IKo

4,998
8
34
54

score 2 · Accepted Answer · answered Sep 23 '15 at 13:52

2

I have found a solution.

Adding @Order(SecurityProperties.ACCESS_OVERRIDE_ORDER) to my custom authentication filter (referred to as CustomAuthenticationFilter in the question) changes the semantics of defining a security filter bean.

Without the annotation, Spring Boot assumes I want to override all the filters and just use my custom filter in isolation.

With the annotation, Spring Boot adds my filter to the list of predefined filters. This allows the /health endpoint to work again.

See Spring Boot issue 2120 on GitHub for details.

answered Sep 23 '15 at 13:52

Ian Gilham

1,916
3
20
31

what do you mean "to the custom authentication filter". Which object? I have the same issue. See hier: http://stackoverflow.com/questions/32957553/spring-boot-request-endpoints-return-404?noredirect=1#comment53757469_32957553 – emoleumassi Oct 06 '15 at 19:14
@emoleumassi It means a `javax.servlet.Filter` instance used for authentication. I am using a custom class for this. – Ian Gilham Oct 06 '15 at 19:22
hummm. could you should some inputs for my problem :-(. Thanks for help – emoleumassi Oct 06 '15 at 19:38

score 1 · Answer 3 · answered Sep 27 '18 at 00:31

1

I was getting 404 error with /health url. However its worked with /actuator/health url instead of /health.

answered Sep 27 '18 at 00:31

Happy

11
1

Avis · Answer 4 · 2015-09-17T11:39:58.410

0

Pls try this on the application.properties or application.yml :-

management.health.status.order=UP,DOWN,OUT_OF_SERVICE,UNKNOWN

edited Sep 17 '15 at 11:39

answered Sep 17 '15 at 11:34

Avis

2,197
18
28

Thanks. This makes no difference. – Ian Gilham Sep 17 '15 at 12:25
Pls try these as well :- endpoints.health.enabled=true & endpoints.health.sensitive=false – Avis Sep 17 '15 at 14:34
I already did that. I'm still getting a 401 response in my test case. – Ian Gilham Sep 17 '15 at 14:57
Can you share application properties used by the app along with main class details. – Avis Sep 17 '15 at 15:03
Sry i missed main point. Its 401 so problem is with WebSesurity config. Can you try this as your first line in **configure** method:- http.authorizeRequests().antMatchers("/health**").permitAll(); – Avis Sep 17 '15 at 16:04
Unfortunately that doesn't work either. Unfortunately there is no documentation to suggest why this behaviour has changed between Spring Boot 1.1.x and 1.2.x. – Ian Gilham Sep 17 '15 at 16:33
Yes, I have spring boot (with security enabled) project on 1.2.x as well and my health & info endpoints are working good. I suspect its some jar mismatch issue on your app which comes very often on any upgradation task. I suggest check logs on DEBUG mode to see any error trace. – Avis Sep 21 '15 at 11:21

Spring Boot actuator health endpoint not accessible after upgrading to Boot 1.2

4 Answers4