Spring Boot Actuator - Cannot disable /info endpoint

java spring-boot spring-boot-actuator
Saša picture Saša · Dec 21, 2015 · Viewed 11.4k times · Source

I tried disabling all actuator endpoints for production environment in application.yml configuration file:

endpoints.enabled: false

It works for all endpoints except for /info. How can I turn off all endpoints for given environment?

UPDATE:

Project I am working on is also acting as Eureka client. In documentation for Spring Cloud Netflix in section Status Page and Health Indicator (http://cloud.spring.io/spring-cloud-netflix/spring-cloud-netflix.html) it says that "Eureka instance default to "/info" and "/health" respectively".

Is there any solution to disable those endpoints?

I was able to disable /health endpoint with endpoints.enabled: false, but not the /info endpoint.

Answer

Saša picture Saša · Dec 24, 2015

Finally I managed to solve my problem. I enabled only /info and /health endpoints in actuator. And to allow access to /info endpoint only to users with role ADMIN I needed to mix actuator management security and spring security configuration.

So my application.yml looks like this:

endpoints.enabled: false

endpoints:
    info.enabled: true
    health.enabled: true

management.security.role: ADMIN

And spring security configuration like this (where I needed to change order of ManagementSecurityConfig to have higher priority):

@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class SecurityConfiguration {


    @Configuration
    protected static class AuthenticationSecurity extends GlobalAuthenticationConfigurerAdapter {

        @Autowired
        private AuthenticationProvider authenticationProvider;

        public AuthenticationSecurity() {
            super();
        }

        @Override
        public void init(AuthenticationManagerBuilder auth) throws Exception {
             auth.inMemoryAuthentication().withUser("admin").password("secret").roles("ADMIN");
        }
    }

    @Configuration
    @Order(Ordered.HIGHEST_PRECEDENCE + 2)
    public static class ManagementSecurityConfig extends WebSecurityConfigurerAdapter {


        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.csrf().disable()
                    .requestMatchers()
                    .antMatchers("/info/**")
                    .and()
                    .authorizeRequests()
                    .anyRequest().hasRole("ADMIN")
                    .and()
                    .httpBasic();
        }
    }

    @Configuration
    public static class ApiWebSecurityConfigurationAdapter extends WebSecurityConfigurerAdapter {

        protected void configure(HttpSecurity http) throws Exception {
            // API security configuration
        }

    }
}

Related questions

How to enable all endpoints in actuator (Spring Boot 2.0.0 RC1)

I moved to Spring Boot 2.0.0 RC1 from 1.5.10 and I am stuck with actuator in the latest version. How can I enable expose and enable all actuator endpoints? The only endpoints that get exposed are: { "_links": { "self": { "href": "http://127.0.0.1:8080/actuator", "templated": …

Read More
How to measure service methods using spring boot 2 and micrometer

I started my first project on Spring Boot 2 (RC1). Thanks to the already good documentation this has not been to hard coming from Spring Boot 1.x. However now that I want to integrate metrics I'm stumbeling. As far as I …

Read More
Spring Boot Actuator Endpoints security doesn't work with custom Spring Security Configuration

This is my Spring Boot 1.5.1 Actuator application.properties: #Spring Boot Actuator management.contextPath: /actuator management.security.roles=R_0 This is my WebSecurityConfig: @Configuration @EnableWebSecurity public class WebSecurityConfig extends WebSecurityConfigurerAdapter { @Autowired private UserDetailsService userDetailsService; @Value("${logout.success.url}") private String logoutSuccessUrl; @…

Read More