
How to Secure Spring Boot Actuator Endpoints

A quick and short guide to Spring Boot Actuator security. Learn how to secure actuator endpoints with the help of an example.

This tutorial is an extension to the Spring Boot Actuators tutorial and is limited to securing the actuator endpoints.

Why Security?

The Actuator endpoints reveal sensitive information about the application. Anyone who can reach an actuator endpoint can learn things like the registered beans, the property configuration and other metrics about the application. Therefore, it is really important to put some access restriction on those endpoints.

Sensitive Endpoints

Spring Boot treats all endpoints except “/health” and “/info” as sensitive. Hence, Spring Boot does not expose those endpoints by default. However, you can enable them using the properties configuration.

management:
  endpoints:
    web:
      exposure:
        include: '*'                           # Expose all endpoints


management:
  endpoints:
    web:
      exposure:
        include: ["beans", "metrics"]         # Expose only the given endpoints

However, the endpoints are still not secured: now everyone can see the enabled endpoints. Hence we need a password-protection mechanism to secure them.

Password Protected Actuator Endpoints

To password protect the endpoints, you need to add the Spring Security starter dependency.

Gradle

implementation 'org.springframework.boot:spring-boot-starter-security'

Maven

<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-security</artifactId>
</dependency>

Thanks to Spring Boot auto-configuration, all the security-related components are initialised automatically. You only need to define a username and password. See the configuration below.

spring:
  security:
    user:
      name: monitor
      password: monitor123

This is all you need to do to secure the Spring Boot Actuator endpoints.
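The auto-configured setup above puts every URL of the application behind the same user. As an added example (not from the original tutorial), the following Spring Security configuration narrows that to the actuator: health and info stay anonymous for load-balancer probes, while every other actuator endpoint requires the ACTUATOR role over HTTP Basic. It assumes Spring Boot 3.x with Spring Security 6.x; the package name is hypothetical.

```java
package com.example.actuatorsecurity; // hypothetical package

import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest;
import org.springframework.boot.actuate.health.HealthEndpoint;
import org.springframework.boot.actuate.info.InfoEndpoint;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
public class ActuatorSecurityConfig {

    // This chain applies only to requests under the actuator base path
    // (/actuator/** by default). @Order(1) makes it take precedence over any
    // application-wide SecurityFilterChain defined elsewhere.
    @Bean
    @Order(1)
    SecurityFilterChain actuatorFilterChain(HttpSecurity http) throws Exception {
        http
            .securityMatcher(EndpointRequest.toAnyEndpoint())
            .authorizeHttpRequests(auth -> auth
                // /actuator/health and /actuator/info are the two endpoints Spring Boot
                // treats as non-sensitive; keep them reachable without credentials.
                .requestMatchers(EndpointRequest.to(HealthEndpoint.class, InfoEndpoint.class))
                    .permitAll()
                // Every other actuator endpoint (beans, env, metrics, ...) needs an
                // authenticated user that carries ROLE_ACTUATOR.
                .anyRequest().hasRole("ACTUATOR"))
            // Same HTTP Basic challenge the auto-configuration uses, so the curl
            // requests from the tutorial keep working for the monitor user.
            .httpBasic(Customizer.withDefaults());
        return http.build();
    }
}
```

Grant the role to the property-defined user by adding `spring.security.user.roles: ACTUATOR` next to the username and password shown above; without the role, the monitor user is authenticated but still gets 403 Forbidden on the sensitive endpoints.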

Access Secured Endpoints

First, start the application and try accessing any sensitive endpoint; you should get a “401 Unauthorized” response.

  ~ curl -X GET \
  http://localhost:8081/actuator/beans \
  -H 'Postman-Token: 08ac9b11-af5d-404e-83a9-e86c56bc9975' \
  -H 'cache-control: no-cache'

----
{
   "timestamp":"2019-02-25T20:44:35.388+0000",
   "status":401,
   "error":"Unauthorized",
   "message":"Unauthorized",
   "path":"/actuator/beans"
}

Then add an Authorization header with Basic Auth.
You can generate the Basic Auth token in Postman. Alternatively, simply open the actuator endpoint in a browser and it will prompt for the username/password.

➜  ~ curl -X GET \
  http://localhost:8081/actuator/beans \
  -H 'Authorization: Basic bW9uaXRvcjptb25pdG9yMTIz' \
  -H 'Postman-Token: ddad59a5-315e-483e-81a9-510b6fad4ce8' \
  -H 'cache-control: no-cache'

---
{
   "contexts":{
      "Songs Service":{
         "beans":{
            "endpointCachingOperationInvokerAdvisor":{
               "ali 
...... //Skipped

Summary

To sum up, in this Spring Boot Actuator security tutorial you learnt how to secure actuator endpoints. You also learnt that the sensitive Spring Boot Actuator endpoints are disabled by default and can be enabled using the properties configuration. Moreover, you can password protect the endpoints using the Spring Security module.

Also, Spring Boot auto-configures the Spring Security module, and you only need to define a username and password for the endpoints. Finally, unauthenticated access to the endpoints results in a “401 Unauthorized” response.