I have two Spring Boot server applications (Spring Boot 1.5.2): the first one is the resource server and the second is the authorisation server (OAuth2). I have added Spring Boot Actuator to both servers and configured both with the following properties:

management.security.roles=ROLE_MYADMINROLE
management.context-path=/myactuator

In the resource server, I can access the actuator endpoints using a token obtained from the authorisation server for a user who holds the role ROLE_MYADMINROLE.

But in the authorisation server itself, I could not get the token working in the first place (HTTP Basic was working). To use the tokens, I added a resource server configuration to it and set the filter order to 3 after reading the Spring Boot documentation:

security.oauth2.resource.filter-order=3

OAuth2 resources are protected by a filter chain with order security.oauth2.resource.filter-order and the default is after the filter protecting the actuator endpoints by default (so actuator endpoints will stay on HTTP Basic unless you change the order).

In the Spring Boot release notes we have this regarding the filter order:

OAuth 2 Resource Filter

The default order of the OAuth2 resource filter has changed from 3 to SecurityProperties.ACCESS_OVERRIDE_ORDER - 1. This places it after the actuator endpoints but before the basic authentication filter chain. The default can be restored by setting security.oauth2.resource.filter-order = 3

Now my actuator endpoint in the authorisation server accepts tokens issued by the same server. The question is: why is the default HTTP Basic for the actuator endpoints? I assume OAuth2 is more secure than HTTP Basic? Why did I have to change the filter order in the authorisation server but not in the resource server? Here I am looking for an explanation for this rather than a solution, as I have already got this working as I want.

Hasson
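The resource-server configuration the question describes adding to the authorisation server, as an added example that is not code from the original post: a ResourceServerConfigurerAdapter whose filter chain covers only the management endpoints and requires a bearer token carrying the admin role. It assumes Spring Boot 1.5.x with spring-security-oauth2 on the classpath and the properties from the question (management.context-path=/myactuator, management.security.roles=ROLE_MYADMINROLE and security.oauth2.resource.filter-order=3, from which Spring Boot takes the order of this chain so that it sits in front of the actuator's HTTP Basic chain). The class name and the exact matcher paths are assumptions.

```java
// Added example, not from the original question. Assumes Spring Boot 1.5.x
// with spring-security-oauth2, and these application.properties entries from
// the question:
//   management.context-path=/myactuator
//   management.security.roles=ROLE_MYADMINROLE
//   security.oauth2.resource.filter-order=3   (orders this chain before the
//                                              actuator's HTTP Basic chain)
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;

@Configuration
@EnableResourceServer
public class ActuatorTokenSecurityConfig extends ResourceServerConfigurerAdapter {

    @Override
    public void configure(HttpSecurity http) throws Exception {
        http
            // Restrict this token-protected chain to the management context path
            // (hypothetical matcher; it mirrors management.context-path above).
            // Requests outside it fall through to the server's other chains.
            .antMatcher("/myactuator/**")
            .authorizeRequests()
                // Keep health and info reachable without a token, matching the
                // actuator's own treatment of its non-sensitive endpoints.
                .antMatchers("/myactuator/health", "/myactuator/info").permitAll()
                // Every other management endpoint requires a bearer token whose
                // authorities include ROLE_MYADMINROLE (hasRole adds the prefix).
                .anyRequest().hasRole("MYADMINROLE");
    }
}
```

With the order property left at its default, this chain would be consulted only after the actuator's Basic-authentication chain had already claimed /myactuator/**, which is the behaviour the release-notes excerpt above describes; the property is what moves the token check in front of it. Whether health and info should stay open is a deployment decision, so adjust the permitAll matchers to the endpoints actually exposed.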

0 Answers