How to Secure Spring Boot Actuator Endpoints

A Quick Guide to Spring Boot Actuator Security. Learn how to secure actuator endpoints with the help of examples.

Why Secure Spring Boot Actuator Endpoints?

Spring Boot Actuator provides several endpoints that help diagnose and monitor a Spring Boot application. These endpoints, however, reveal critical details about the application, such as its configuration, its beans, and so on. Therefore, it is essential to put access restrictions on these Spring Boot actuator endpoints.

Disable Unwanted Actuator Endpoints

Spring Boot treats all endpoints except /health and /info as sensitive. Thus, Spring Boot disables all those endpoints by default. We can enable all or specific endpoints using Properties or YAML configuration as and when required.

How to enable all Spring Boot Actuator Endpoints

management:  
  endpoints:
    web:
      exposure:
        include: '*'

How to allow specific Spring Boot Actuator Endpoints

management:  
  endpoints:
    web:
      exposure:
        include: ["beans", "metrics"]

Keeping the unwanted endpoints disabled is a good practice. However, the Spring Boot actuator endpoints that are allowed are unprotected. That means anyone with access to the application can access the enabled endpoints.

Thankfully, Spring Boot allows us to password-protect Spring Boot actuator endpoints, as described in the following section.

Password Protected Actuator Endpoints

The best way to secure the Spring Boot actuator endpoints is to set an access barrier so only a user with a valid username and password can invoke the endpoints. Thanks to Spring Boot’s Auto Configuration, securing the actuator endpoints is only a two-step process.

Firstly, add the Spring Security starter dependency in our Gradle or Maven files.
Gradle

implementation 'org.springframework.boot:spring-boot-starter-security'

Maven

<dependency>
  <groupId>org.springframework.boot</groupId>
  <artifactId>spring-boot-starter-security</artifactId>
</dependency>

With that dependency in place, Spring Boot automatically initializes all the Spring Security beans with their default configuration. However, we still need to specify the username and password.

Configure username and password for Spring Boot actuator security.

spring:
  security:
    user:
      name: monitor
      password: monitor123
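The two steps above rely entirely on Spring Boot's auto-configuration, which requires authentication for the actuator endpoints but draws no distinction between a monitoring user and any other authenticated user. The following security configuration is an added example, not code from the article or its repository: it keeps /actuator/health and /actuator/info open for load balancers and uptime probes, and requires HTTP Basic authentication plus an ACTUATOR role for every other actuator endpoint. It assumes Spring Boot 3 with Spring Security 6 (the `SecurityFilterChain` style), a hypothetical package name, and a role name of ACTUATOR that the reader assigns to the monitor user with the `spring.security.user.roles` property.

```java
package com.example.monitoring; // hypothetical package name, not from the article

import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest;
import org.springframework.boot.actuate.health.HealthEndpoint;
import org.springframework.boot.actuate.info.InfoEndpoint;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;

/**
 * Security rules that apply only to Actuator endpoints (Spring Boot 3 / Spring Security 6).
 *
 * - /actuator/health and /actuator/info stay open so probes and dashboards can
 *   poll them without credentials (they expose no configuration details).
 * - Every other actuator endpoint (beans, env, metrics, ...) requires HTTP Basic
 *   authentication AND the ACTUATOR role, so an ordinary application user who
 *   happens to be logged in still cannot read the application's internals.
 *
 * The role is assigned in configuration, alongside the article's user settings:
 *   spring.security.user.roles: ACTUATOR
 */
@Configuration
public class ActuatorSecurityConfig {

    @Bean
    @Order(1) // evaluated before any catch-all filter chain the application defines
    SecurityFilterChain actuatorSecurityFilterChain(HttpSecurity http) throws Exception {
        http
            // This chain only handles requests to actuator endpoints; application
            // URLs keep whatever rules the rest of the security configuration defines.
            .securityMatcher(EndpointRequest.toAnyEndpoint())
            .authorizeHttpRequests(auth -> auth
                .requestMatchers(EndpointRequest.to(HealthEndpoint.class, InfoEndpoint.class)).permitAll()
                .anyRequest().hasRole("ACTUATOR"))
            // HTTP Basic is what the curl and browser examples in this article use.
            .httpBasic(Customizer.withDefaults());
        return http.build();
    }
}
```

`EndpointRequest` matches endpoints by their IDs rather than by literal paths, so the rules keep working if `management.endpoints.web.base-path` is changed or the actuator is served on a separate management port. Because the chain is limited with `securityMatcher`, adding it does not loosen or tighten the rules for the application's own URLs.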

Accessing Secured Spring Boot Actuator Endpoints

Now that we have enabled Spring Security on the Spring Boot actuator endpoints, we can test it by starting the application and invoking an actuator endpoint.

~ curl -X GET http://localhost:8081/actuator/beans 
----
{
 "timestamp":"2019-02-25T20:44:35.388+0000",
 "status":401,
 "error":"Unauthorized",
 "message":"Unauthorized",
 "path":"/actuator/beans"
}

As expected, without providing any username or password, the request failed with a “401 Unauthorized” response.

Let’s add the username and password using the Authorization header.
One way to generate the Basic Auth token is to use Postman. Alternatively, we can access an actuator endpoint through a web browser, which displays a pop-up prompt for the credentials.

➜  ~ curl -X GET \
  http://localhost:8081/actuator/beans \
  -H 'Authorization: Basic bW9uaXRvcjptb25pdG9yMTIz' 

---
{
  "contexts":{
    "Songs Service":{
      "beans":{
        "endpointCachingOperationInvokerAdvisor":{
          "ali 
//...Skipped

With a valid Auth token, our request returned successfully.
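Checking the protection by hand with curl, as above, is easy to forget after the next refactoring of the security configuration. The test below is an added example, not part of the article or its repository: it encodes the same three observations (anonymous request rejected, valid credentials accepted, health endpoint still open) as a Spring Boot test that runs against the application without a real server. It assumes `spring-boot-starter-test` and `spring-security-test` are on the test classpath, uses the article's credentials via test properties so that it does not depend on application.yml, and uses a hypothetical package name. The health assertion relies on Spring Boot's default management security rules, which permit /actuator/health without credentials.

```java
package com.example.monitoring; // hypothetical package name, not from the article

import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.httpBasic;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.test.web.servlet.MockMvc;

/**
 * Regression test that the actuator protection described above actually holds.
 * The properties mirror the article's configuration (sample credentials from the
 * article; the ACTUATOR role is an assumption for configurations that require one).
 */
@SpringBootTest(properties = {
        "management.endpoints.web.exposure.include=beans,health",
        "spring.security.user.name=monitor",
        "spring.security.user.password=monitor123",
        "spring.security.user.roles=ACTUATOR"
})
@AutoConfigureMockMvc
class ActuatorSecurityTest {

    @Autowired
    private MockMvc mockMvc;

    @Test
    void beansEndpointRejectsAnonymousRequests() throws Exception {
        // Same outcome as the first curl call in the article: 401 Unauthorized.
        mockMvc.perform(get("/actuator/beans"))
               .andExpect(status().isUnauthorized());
    }

    @Test
    void beansEndpointRejectsWrongPassword() throws Exception {
        mockMvc.perform(get("/actuator/beans").with(httpBasic("monitor", "wrong-password")))
               .andExpect(status().isUnauthorized());
    }

    @Test
    void beansEndpointAcceptsValidCredentials() throws Exception {
        // httpBasic() builds the same "Authorization: Basic <base64(user:password)>"
        // header that the second curl example sends by hand.
        mockMvc.perform(get("/actuator/beans").with(httpBasic("monitor", "monitor123")))
               .andExpect(status().isOk());
    }

    @Test
    void healthEndpointStaysOpenForProbes() throws Exception {
        mockMvc.perform(get("/actuator/health"))
               .andExpect(status().isOk());
    }
}
```

Run it with the project's usual `gradle test` or `mvn test`. If a later change accidentally exposes /actuator/beans without authentication, the first test fails, which is the kind of silent regression a manual curl check tends to miss.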

Summary

This Spring Boot Actuator Security tutorial covered ways to restrict access to various actuator endpoints. Most of the endpoints, which reveal sensitive information about the application, are disabled by Spring Boot by default. We should enable only the endpoints we need.

We then learned how to password-protect Spring Boot Actuator endpoints so that only a user with a valid username and password combination can access them.

The complete source code of the examples used in this tutorial is available at our Github Repository.