2020-02-16

SpringBoot - Securing HTTP Endpoints

Securing HTTP Endpoints

You should take care to secure HTTP endpoints in the same way that you would any other sensitive
URL. If Spring Security is present, endpoints are secured by default using Spring Security’s content-negotiation
strategy. If you wish to configure custom security for HTTP endpoints, for example, only
allow users with a certain role to access them, Spring Boot provides some convenient
RequestMatcher objects that can be used in combination with Spring Security.

A typical Spring Security configuration might look something like the following example:

import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration(proxyBeanMethods = false)
public class ActuatorSecurity extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // This filter chain only handles actuator endpoints; every one of them requires the role.
        http.requestMatcher(EndpointRequest.toAnyEndpoint())
            .authorizeRequests((requests) -> requests.anyRequest().hasRole("ENDPOINT_ADMIN"));
        http.httpBasic();
    }
}

The preceding example uses EndpointRequest.toAnyEndpoint() to match a request to any endpoint
and then ensures that all have the ENDPOINT_ADMIN role. Several other matcher methods are also
available on EndpointRequest.

If you deploy applications behind a firewall, you may prefer that all your actuator endpoints can be
accessed without requiring authentication. You can do so by changing the
management.endpoints.web.exposure.include property, as follows:

application.properties
management.endpoints.web.exposure.include=*

Additionally, if Spring Security is present, you would need to add custom security configuration that
allows unauthenticated access to the endpoints as shown in the following example:

import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration(proxyBeanMethods = false)
public class ActuatorSecurity extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Every actuator endpoint is reachable without credentials; only the firewall protects them.
        http.requestMatcher(EndpointRequest.toAnyEndpoint())
            .authorizeRequests((requests) -> requests.anyRequest().permitAll());
    }
}
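As an added example that is not part of the Spring Boot reference text above: a single configuration that keeps only the health and info endpoints reachable for unauthenticated probes, while every other actuator endpoint still requires the ENDPOINT_ADMIN role over HTTP Basic. This sits between the two configurations above (all-or-nothing) and uses the EndpointRequest.to(...) matcher the text alludes to; it assumes the same Spring Boot 2.x / Spring Security 5 APIs as the snippets above, and the ENDPOINT_ADMIN role name is taken from the page.

```java
import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest;
import org.springframework.boot.actuate.health.HealthEndpoint;
import org.springframework.boot.actuate.info.InfoEndpoint;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

// Added example (not from the Spring Boot docs): split actuator access by endpoint
// instead of permitting or protecting all of them at once.
@Configuration(proxyBeanMethods = false)
public class ActuatorSecurity extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Scope this filter chain to actuator endpoints only, as in the page's examples.
        http.requestMatcher(EndpointRequest.toAnyEndpoint())
            .authorizeRequests((requests) -> requests
                // Health and info are what load balancers and probes poll; they carry
                // no sensitive state, so they stay open without credentials.
                .requestMatchers(EndpointRequest.to(HealthEndpoint.class, InfoEndpoint.class))
                    .permitAll()
                // Anything else under the actuator base path needs the admin role,
                // regardless of which endpoints management.endpoints.web.exposure.include lists.
                .anyRequest().hasRole("ENDPOINT_ADMIN"));
        http.httpBasic();
    }
}
```

Remember that exposure and security are separate controls: an endpoint not listed in management.endpoints.web.exposure.include is never served, and one that is listed is still subject to the rules above.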
