Spring Boot Actuator – Securing HTTP Endpoints

Introduction

This post shows an example of securing the Actuator HTTP endpoints in a Spring Boot application. Like any other sensitive URL, HTTP endpoints should be secured. If Spring Security is on the classpath, the endpoints are secured by default using Spring Security’s content-negotiation strategy.

If you wish to configure custom security for the HTTP endpoints, for example to allow only users with a certain role to access them, Spring Boot provides convenient RequestMatcher objects that can be used in combination with Spring Security.

You may also like to read Spring Boot Actuator – Accessing Endpoints via JMX.

Prerequisites

First go through the example Spring Boot Actuator – Production Ready Features

Add Spring Security Starter

Add the Spring Security starter dependency to the build.gradle script, alongside the other dependencies such as the web and actuator starters, to use Spring Security in the Spring Boot application.

implementation("org.springframework.boot:spring-boot-starter-security:${springBootVersion}")

For a Maven based build, add the following dependency to the pom.xml file:

<dependency>
	<groupId>org.springframework.boot</groupId>
	<artifactId>spring-boot-starter-security</artifactId>
</dependency>

Spring Security Configuration

Create the following Spring Security configuration class to add Spring Security to the Spring Boot application:

package com.roytuts.springboot.actuator.config;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

@Configuration
public class ActuatorSecurity extends WebSecurityConfigurerAdapter {
	// BCrypt hash of the plaintext password "roy"
	private static final String PASSWORD_ENCODED = "$2a$10$B18wGZhRjNau6ZBcI/NBQO6EEdJ7GyVvjjWfAK20ODz4B6LmXicRa";

	// This filter chain applies only to the actuator endpoints; every request to them
	// must come from a user with the ADMIN role, authenticated over HTTP Basic.
	@Override
	protected void configure(HttpSecurity http) throws Exception {
		http.requestMatcher(EndpointRequest.toAnyEndpoint()).authorizeRequests().anyRequest().hasRole("ADMIN").and()
				.httpBasic();
	}

	// In-memory user store with a single ADMIN user; the stored password is the BCrypt hash above.
	@Autowired
	public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
		auth.inMemoryAuthentication().passwordEncoder(passwordEncoder()).withUser("roy").password(PASSWORD_ENCODED)
				.roles("ADMIN");
	}

	@Bean
	public PasswordEncoder passwordEncoder() {
		return new BCryptPasswordEncoder();
	}
}

In the above class we authenticate a user with username “roy” and password “roy” using the in-memory authentication mechanism.

We use the BCrypt password encoder to encode the password.
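As an added example (not the post's own code), the same WebSecurityConfigurerAdapter approach extended the way a deployment usually needs it: health and info stay reachable for probes, every other actuator endpoint requires the ADMIN role, and the credentials come from configuration rather than a hash in source. The property names actuator.admin.user and actuator.admin.password are assumptions. Because the chain is limited to EndpointRequest.toAnyEndpoint(), the application's other URLs need their own security configuration: Spring Boot's default chain backs off once a WebSecurityConfigurerAdapter is defined.

```java
package com.roytuts.springboot.actuator.config;

import org.springframework.beans.factory.annotation.Value;
import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;

@Configuration
public class ActuatorEndpointSecurity extends WebSecurityConfigurerAdapter {

	@Override
	protected void configure(HttpSecurity http) throws Exception {
		http.requestMatcher(EndpointRequest.toAnyEndpoint()) // this chain covers /actuator/** only
				.authorizeRequests()
				// liveness probes may read health and info without credentials
				.requestMatchers(EndpointRequest.to("health", "info")).permitAll()
				// everything else under /actuator (env, beans, threaddump, ...) requires ADMIN
				.anyRequest().hasRole("ADMIN")
				.and().httpBasic()
				// monitoring clients send credentials on every request; do not hand out session cookies
				.and().sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
	}

	@Bean
	public PasswordEncoder passwordEncoder() {
		// produces {bcrypt}-prefixed hashes, so the algorithm can be upgraded later without code changes
		return PasswordEncoderFactories.createDelegatingPasswordEncoder();
	}

	// Assumed property names: the operator supplies them through the environment or a secret store,
	// so no credential or hash lives in the repository.
	@Bean
	public UserDetailsService actuatorUsers(@Value("${actuator.admin.user}") String user,
			@Value("${actuator.admin.password}") String rawPassword, PasswordEncoder encoder) {
		InMemoryUserDetailsManager users = new InMemoryUserDetailsManager();
		users.createUser(User.withUsername(user).password(encoder.encode(rawPassword)).roles("ADMIN").build());
		return users;
	}
}
```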

Updating Main Class

Scan the package containing the above security configuration class:

package com.roytuts.springboot.actuator.main;

import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;

@SpringBootApplication(scanBasePackages = "com.roytuts.springboot.actuator")
public class ActuatorApplication {

	public static void main(String[] args) {
		SpringApplication.run(ActuatorApplication.class, args);
	}

}

Testing the Application

Now when you hit the URL http://localhost:8080/actuator/health you will be prompted for a username and password to authenticate; the browser shows its HTTP Basic authentication dialog.

Once you enter “roy/roy” as the username and password, you will see the output of /actuator/health in the browser.



Thanks for reading.
