SpringBoot - Securing HTTP Endpoints

Securing HTTP Endpoints

You should take care to secure HTTP endpoints in the same way that you would any other sensitive
URL. If Spring Security is present, endpoints are secured by default using Spring Security’s contentnegotiation
strategy. If you wish to configure custom security for HTTP endpoints, for example, only
allow users with a certain role to access them, Spring Boot provides some convenient
RequestMatcher objects that can be used in combination with Spring Security.

A typical Spring Security configuration might look something like the following example:

@Configuration(proxyBeanMethods = false)
public class ActuatorSecurity extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http.requestMatcher(EndpointRequest.toAnyEndpoint()).authorizeRequests((requests) ->
requests.anyRequest().hasRole("ENDPOINT_ADMIN"));
http.httpBasic();
}
}

The preceding example uses EndpointRequest.toAnyEndpoint() to match a request to any endpoint
and then ensures that all have the ENDPOINT_ADMIN role. Several other matcher methods are also
available on EndpointRequest.

If you deploy applications behind a firewall, you may prefer that all your actuator endpoints can be
accessed without requiring authentication. You can do so by changing the
configprop:management.endpoints.web.exposure.include[] property, as follows:

application.properties
management.endpoints.web.exposure.include=*

Additionally, if Spring Security is present, you would need to add custom security configuration that
allows unauthenticated access to the endpoints as shown in the following example:

@Configuration(proxyBeanMethods = false)
public class ActuatorSecurity extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http.requestMatcher(EndpointRequest.toAnyEndpoint()).authorizeRequests((requests) ->
requests.anyRequest().permitAll());
}
}




Comments

Popular posts from this blog

Today Walkin 14th-Sept

Hibernate Search - Elasticsearch with JSON manipulation

Spring Elasticsearch Operations