First, I'm new to the Spring Boot framework. I have been working on Actuator for a few days now and was able to set up endpoints to monitor the system. However, when I integrated JWT for security, all my actuator endpoints broke.

How can I disable JWT security for actuator endpoints which is on top of spring boot security? Following is my application.yml file properties.

```yaml
management:
  endpoint:
    metrics:
      enabled: true
  endpoints:
    web:
      exposure:
        include: health, metrics
```
Chrishan
  • Do you use the same port for Actuator and your main application? If you simply want to disable security for Actuator `management.security.enabled=false` should do. – Boris the Spider Apr 02 '18 at 12:09
  • @dur this property was removed in Spring Boot 2 - the equivalent now is `management.endpoints.web.exposure.include=*` – hovanessyan Apr 02 '18 at 17:11

2 Answers

If you do have a dependency on Spring Security you have to configure (disable) it specifically for the /actuator endpoints.

You have to extend WebSecurityConfigurerAdapter as described in the official documentation and permit all access to the desired endpoints. Check out this Spring Boot 2 Security example Disabling actuator security but not user-defined endpoints.

This is how you can disable the security to the actuator endpoints:

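```java
import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
public class ActuatorSecurity extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Apply this chain only to actuator endpoints and allow them without authentication
        http.requestMatcher(EndpointRequest.toAnyEndpoint()).authorizeRequests()
            .anyRequest().permitAll();
    }

}
```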

The custom security example is also useful.

hovanessyan
Complementing hovanessyan's answer, if you are using @EnableResourceServer on your configuration, you will also need to add the @Order(-1) annotation to your "ActuatorSecurity" class.

See more here: https://stackoverflow.com/a/50048440/9697259

Petter
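
A narrower variant of the configuration in the first answer, as an added example that is not part of either answer: it keeps actuator traffic out of the JWT chain but leaves only `health` open and puts the other exposed endpoints (`metrics` in the question) behind a role. It assumes Spring Boot 2.x with Spring Security 5; the class name, the `ACTUATOR` role, the `@Order` value and the use of HTTP Basic are all assumptions.

```java
import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

// Hypothetical class: used instead of the permit-all ActuatorSecurity class, not alongside it.
@Configuration
@Order(1) // constructed value; it must sort before the JWT chain (the second answer uses -1 with @EnableResourceServer)
public class ScopedActuatorSecurity extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // This chain matches actuator endpoints only; all other requests
            // fall through to the application's JWT-protected chain.
            .requestMatcher(EndpointRequest.toAnyEndpoint())
            .authorizeRequests()
                // Probes and load balancers can read the health endpoint without credentials.
                .requestMatchers(EndpointRequest.to("health")).permitAll()
                // Every other exposed endpoint (metrics in the question's application.yml)
                // requires the hypothetical ACTUATOR role.
                .anyRequest().hasRole("ACTUATOR")
            .and()
            // Assumption: monitoring clients authenticate with HTTP Basic against the
            // application's existing user store instead of presenting a JWT.
            .httpBasic();
    }
}
```

With the question's `application.yml`, an unauthenticated request to the health endpoint succeeds, while the metrics endpoint returns 401 until the caller supplies credentials for a user holding the `ACTUATOR` role.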