Introduction
Here we will see an example of securing the Actuator HTTP endpoints in a Spring Boot application. Like any other sensitive URL, Actuator endpoints expose internal state (health details, environment properties, thread dumps, and so on) and must be protected. If Spring Security is on the classpath, the endpoints are secured by default using Spring Security's content-negotiation strategy, and only a small subset (health, plus info in older Boot 2.x releases) is exposed over HTTP at all unless you opt in with management.endpoints.web.exposure.include.
If you wish to configure custom security for the HTTP endpoints, for example to allow only users with a certain role to access them, Spring Boot provides some convenient RequestMatcher objects (EndpointRequest) that can be used in combination with Spring Security.
You may also like to read Spring Boot Actuator – Accessing Endpoints via JMX.
Prerequisites
First go through the example Spring Boot Actuator – Production Ready Features, which sets up the web and actuator starters this example builds on.
Add Spring Security Starter
Add the Spring Security starter dependency to the build.gradle script, in addition to the other dependencies (the web and actuator starters), to enable Spring Security in the Spring Boot application:
implementation("org.springframework.boot:spring-boot-starter-security:${springBootVersion}")
For a Maven based build, use the below dependency in the pom.xml file:
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
</dependency>
Spring Security Configuration
Create the below Spring Security configuration class to configure Spring Security for the Actuator endpoints of the Spring Boot application:
package com.roytuts.springboot.actuator.config;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
@Configuration
public class ActuatorSecurity extends WebSecurityConfigurerAdapter {
    // BCrypt hash of the plaintext password "roy" (cost factor 10).
    // Hardcoded here for the demo only; in a real application load credentials
    // from a user store or secret manager, never from source code.
    private static final String PASSWORD_ENCODED = "$2a$10$B18wGZhRjNau6ZBcI/NBQO6EEdJ7GyVvjjWfAK20ODz4B6LmXicRa";
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // This filter chain applies only to requests that hit an Actuator endpoint
        // (EndpointRequest.toAnyEndpoint() matches /actuator and /actuator/**).
        // Every such request must carry the ADMIN role, presented via HTTP Basic.
        http.requestMatcher(EndpointRequest.toAnyEndpoint()).authorizeRequests().anyRequest().hasRole("ADMIN").and()
            .httpBasic();
    }
    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        // In-memory user "roy" with the BCrypt-hashed password above and role ADMIN
        // (stored internally as the authority ROLE_ADMIN, which hasRole("ADMIN") checks).
        auth.inMemoryAuthentication().passwordEncoder(passwordEncoder()).withUser("roy").password(PASSWORD_ENCODED)
            .roles("ADMIN");
    }
    @Bean
    public PasswordEncoder passwordEncoder() {
        // BCrypt is a slow, salted hash; the same encoder verifies the stored hash at login.
        return new BCryptPasswordEncoder();
    }
}
In the above class we authenticate a user with username "roy" and password "roy" using the in-memory authentication mechanism. We use the BCrypt password encoder, so the password is stored only as a salted hash and compared with the same encoder at login time.
Two caveats are worth knowing before copying this into a real project. First, http.requestMatcher(EndpointRequest.toAnyEndpoint()) restricts this filter chain to the Actuator endpoints only; because declaring your own WebSecurityConfigurerAdapter makes Spring Boot's default security auto-configuration back off, every other URL in the application is then left without a filter chain at all. If the rest of the application also needs protection, either drop the requestMatcher or add a second configuration for the non-Actuator URLs. Second, WebSecurityConfigurerAdapter is deprecated since Spring Security 5.7 and was removed in Spring Security 6 (Spring Boot 3), where the same configuration is expressed as a SecurityFilterChain bean.
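The following is an added example (not code from the original article) showing the same Actuator protection written in the component-based style that Spring Security 5.7+ and Spring Boot 3 require, with two filter chains so that the non-Actuator part of the application is not accidentally left open. It goes slightly beyond the article's configuration: the health and info endpoints are left reachable without credentials (as Spring Boot's own default does, so that load balancers and liveness probes keep working), while every other Actuator endpoint requires the ADMIN role. The class name ActuatorSecurityFilterChainConfig is an assumption; the user "roy"/"roy" is the article's demo account and is encoded at startup purely for illustration.

```java
package com.roytuts.springboot.actuator.config;

import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest;
import org.springframework.boot.actuate.health.HealthEndpoint;
import org.springframework.boot.actuate.info.InfoEndpoint;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.SecurityFilterChain;

// Added example (hypothetical class name), not part of the original article.
@Configuration
public class ActuatorSecurityFilterChainConfig {

    // Chain 1: evaluated first and applies only to Actuator endpoints.
    // securityMatcher(...) narrows the chain exactly as requestMatcher(...) did
    // in the WebSecurityConfigurerAdapter version.
    @Bean
    @Order(1)
    public SecurityFilterChain actuatorChain(HttpSecurity http) throws Exception {
        http
            .securityMatcher(EndpointRequest.toAnyEndpoint())
            .authorizeHttpRequests(auth -> auth
                // Health and info carry little sensitive data and are what probes poll;
                // leave them open, as Spring Boot's default configuration does.
                .requestMatchers(EndpointRequest.to(HealthEndpoint.class, InfoEndpoint.class)).permitAll()
                // env, beans, threaddump, heapdump, loggers, ... require the ADMIN role.
                .anyRequest().hasRole("ADMIN"))
            .httpBasic(Customizer.withDefaults());
        return http.build();
    }

    // Chain 2: catches every request that chain 1 did not claim, so the rest of
    // the application is never left without a filter chain.
    @Bean
    @Order(2)
    public SecurityFilterChain applicationChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            .httpBasic(Customizer.withDefaults());
        return http.build();
    }

    // Demo-only in-memory user; a real deployment reads users from a store.
    // Encoding at startup avoids pasting a hash into source, but the plaintext
    // is still in the code, so this is strictly for local experiments.
    @Bean
    public UserDetailsService userDetailsService(PasswordEncoder encoder) {
        UserDetails admin = User.withUsername("roy")
            .password(encoder.encode("roy"))
            .roles("ADMIN")
            .build();
        return new InMemoryUserDetailsManager(admin);
    }

    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }
}
```

With this configuration in place, GET /actuator/health answers 200 without credentials, GET /actuator/env answers 401 until valid ADMIN credentials are supplied, and any non-Actuator URL also answers 401 unauthenticated. Keep the @Order values distinct: if the broader chain were ordered first it would claim the Actuator requests too and the role check in chain 1 would never run.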
Updating Main Class
The main class lives in the com.roytuts.springboot.actuator.main package, so component scanning must be widened to the parent package for the security configuration class in the config package to be picked up:
package com.roytuts.springboot.actuator.main;
import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
// Scan the parent package so that ActuatorSecurity in ...actuator.config is registered.
@SpringBootApplication(scanBasePackages = "com.roytuts.springboot.actuator")
public class ActuatorApplication {
public static void main(String[] args) {
SpringApplication.run(ActuatorApplication.class, args);
}
}
Testing the Application
Now when you hit the URL http://localhost:8080/actuator/health, the server responds with 401 and a WWW-Authenticate: Basic header, so the browser asks you to enter a username and password. The security form is shown below in the image:

Once you enter "roy/roy" as the username and password, the browser sends them as a Basic Authorization header and you will see the output of /actuator/health. Wrong credentials return 401 again, and a valid user without the ADMIN role would receive 403. Remember that HTTP Basic sends the credentials base64-encoded, not encrypted, so this setup belongs behind TLS in any non-local deployment.
Thanks for reading.