- Mastering Spring Boot 2.0
- Dinesh Rajput
- 2021-06-25 21:29:21
Securing the Actuator endpoints
The Actuator's endpoints give callers many insights into your Spring application, but some of that information is unsafe to expose to an arbitrary caller. For example, the /shutdown endpoint can kill your application in production, so exposing it publicly is very dangerous. Similarly, many other Actuator endpoints expose information that can be very sensitive. You therefore have to secure those Actuator endpoints and make them available only to authorized callers. You can use Spring Security to secure the Actuator endpoints.
Although Spring Boot will not apply any security on your behalf, it does provide some convenient RequestMatchers that can be used in combination with Spring Security. In a Spring Boot application, this means adding the Security Starter as a build dependency and letting security auto-configuration take care of locking down the application, including the Actuator endpoints.
Let's add the following Starter dependency for Spring Security:
<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-security</artifactId>
</dependency>
It will secure all Actuator endpoints, but you can disable basic security as follows:
In the application.properties file:
security.basic.enabled=false
In the application.yml file, it looks like this:
security:
  basic:
    enabled: false
The preceding configuration change leaves only the sensitive Actuator endpoints secured and leaves the rest open for access.
Now you can secure the sensitive endpoints by defining the default security properties, such as the username, password, and role, in the application.properties file:
security.user.name=admin
security.user.password=secret
management.security.role=SUPERUSER
The preceding configuration will secure the Actuator endpoints. Any call that reaches these endpoints is asked for a username and password, so no one can access the Actuator endpoints without authentication.
This Spring Security configuration is provided by Spring Boot's auto-configuration. You can also customize the Spring Security configuration yourself to lock down some of the more dangerous Actuator endpoints, such as /shutdown, or to make such an endpoint available only to a very specific role.
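The following configuration class is an added example, not code from the book, showing one way to do that customization with the Spring Boot 2.0 request matchers mentioned above: it applies a dedicated filter chain to the Actuator endpoints, leaves /health and /info open for load balancers, restricts /shutdown to the SUPERUSER role, and requires an ACTUATOR role for everything else. The package name, the class name, the in-memory users and the ACTUATOR role are assumptions made for the example; the endpoint classes and the EndpointRequest helper are real Spring Boot 2.0 types.

```java
package com.example.actuatorsecurity; // assumed package name for the example

import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest;
import org.springframework.boot.actuate.context.ShutdownEndpoint;
import org.springframework.boot.actuate.health.HealthEndpoint;
import org.springframework.boot.actuate.info.InfoEndpoint;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

/**
 * Example Actuator security configuration (not the book's code).
 * Replaces the auto-configured management security with explicit,
 * per-endpoint rules so that the most dangerous endpoint gets the
 * narrowest audience.
 */
@Configuration
@EnableWebSecurity
public class ActuatorSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // This filter chain applies only to Actuator endpoints; the
            // application's own URLs are governed by other security config.
            .requestMatcher(EndpointRequest.toAnyEndpoint())
            .authorizeRequests()
                // /actuator/shutdown can stop the JVM: SUPERUSER only.
                .requestMatchers(EndpointRequest.to(ShutdownEndpoint.class)).hasRole("SUPERUSER")
                // /actuator/health and /actuator/info are low-risk and are
                // typically polled by load balancers without credentials.
                .requestMatchers(EndpointRequest.to(HealthEndpoint.class, InfoEndpoint.class)).permitAll()
                // Every remaining endpoint (env, beans, mappings, ...) leaks
                // internals and needs an authenticated operator.
                .anyRequest().hasRole("ACTUATOR")
            .and()
            // HTTP Basic is appropriate for tooling that calls the Actuator.
            .httpBasic()
            .and()
            // /shutdown is a POST; tooling using Basic auth carries no CSRF
            // token, so exempt only that endpoint rather than disabling CSRF
            // for the whole application.
            .csrf().ignoringRequestMatchers(EndpointRequest.to(ShutdownEndpoint.class));
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        // Constructed in-memory users for the example; a real deployment
        // would use an external identity store. "{noop}" tells Spring
        // Security 5's DelegatingPasswordEncoder the value is not hashed.
        auth.inMemoryAuthentication()
            .withUser("ops").password("{noop}CHANGE-ME-ops").roles("ACTUATOR")
            .and()
            .withUser("admin").password("{noop}CHANGE-ME-admin").roles("ACTUATOR", "SUPERUSER");
    }
}
```

With this in place, an unauthenticated GET on /actuator/health succeeds, an authenticated ops user can read /actuator/env but receives 403 on POST /actuator/shutdown, and only admin can trigger shutdown. Note that in Spring Boot 2.0 the shutdown endpoint is additionally disabled and unexposed by default; it only becomes reachable when both management.endpoint.shutdown.enabled=true and management.endpoints.web.exposure.include list it, so the role check above is a second layer on top of that, not a replacement for it.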
Let's see what changes are introduced with Spring Boot 2.0.