I have Spring Security on my classpath (and verified working for my own REST controllers), yet my Actuator endpoints are all publicly available by default (except for /shutdown).
I can disable endpoints as I please (after reading through this question), but enabled ones are always available without authentication and without the role required by management.security.role in my properties.
Even when I explicitly set endpoints.beans.sensitive=true, for instance, it's still accessible without authentication.
My Security configuration which uses LDAP for authentication:
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.ldap.core.support.LdapContextSource;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    private LdapContextSource contextSource;

    // Authentication: users and their group-derived roles come from LDAP.
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth
            .ldapAuthentication()
            .contextSource(contextSource)
            .groupRoleAttribute("<hidden>")
            .groupSearchBase("<hidden>")
            .groupSearchFilter("<hidden>")
            .userDnPatterns("<hidden>");
    }

    // HTTP security: only HTTP Basic is enabled here; no access rules are declared.
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.httpBasic();
    }
}
My application.properties during this test:
# Log4J properties
logging.file=${user.home}/nubis-log.log
logging.level.org.springframework.web=INFO
logging.level.org.hibernate=INFO
logging.register-shutdown-hook=true
# SSL configuration
server.ssl.key-store=<hidden>
server.ssl.key-store-password=<hidden>
server.ssl.keyStoreType=<hidden>
server.ssl.key-password=<hidden>
# Spring actuator
endpoints.enabled=false
endpoints.info.enabled=true
endpoints.health.enabled=true
endpoints.beans.enabled=true
endpoints.beans.sensitive=true
management.security.role=ADMIN
My console output:
[2016-04-15 12:30:05.742] boot - 2754 INFO [localhost-startStop-1] --- DelegatingFilterProxyRegistrationBean: Mapping filter: 'springSecurityFilterChain' to: [/*]
[2016-04-15 12:30:05.742] boot - 2754 INFO [localhost-startStop-1] --- FilterRegistrationBean: Mapping filter: 'webRequestLoggingFilter' to: [/*]
[2016-04-15 12:30:05.743] boot - 2754 INFO [localhost-startStop-1] --- FilterRegistrationBean: Mapping filter: 'CORSFilter' to: [/*]
[2016-04-15 12:30:05.743] boot - 2754 INFO [localhost-startStop-1] --- FilterRegistrationBean: Mapping filter: 'applicationContextIdFilter' to: [/*]
[2016-04-15 12:30:05.743] boot - 2754 INFO [localhost-startStop-1] --- ServletRegistrationBean: Mapping servlet: 'dispatcherServlet' to [/]
[2016-04-15 12:30:05.800] boot - 2754 DEBUG [localhost-startStop-1] --- DelegatingFilterProxy: Initializing filter 'springSecurityFilterChain'
[2016-04-15 12:30:07.059] boot - 2754 INFO [localhost-startStop-1] --- EndpointHandlerMapping: Mapped "{[/info || /info.json],methods=[GET],produces=[application/json]}" onto public java.lang.Object org.springframework.boot.actuate.endpoint.mvc.EndpointMvcAdapter.invoke()
[2016-04-15 12:30:07.061] boot - 2754 INFO [localhost-startStop-1] --- EndpointHandlerMapping: Mapped "{[/beans || /beans.json],methods=[GET],produces=[application/json]}" onto public java.lang.Object org.springframework.boot.actuate.endpoint.mvc.EndpointMvcAdapter.invoke()
[2016-04-15 12:30:07.063] boot - 2754 INFO [localhost-startStop-1] --- EndpointHandlerMapping: Mapped "{[/health || /health.json],produces=[application/json]}" onto public java.lang.Object org.springframework.boot.actuate.endpoint.mvc.HealthMvcEndpoint.invoke(java.security.Principal)
Could there be a configuration/property blocking Spring Security somewhere? Do I need to configure something extra to make it work with LDAP?
Best Answer
All the endpoints have a sensitive property that needs to be set to true. Look at Appendix A https://docs.spring.io/spring-boot/docs/current/reference/html/common-application-properties.html and search for ACTUATOR PROPERTIES on that page.
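As an added example (not the asker's or the answerer's code): in Spring Boot 1.x a user-defined WebSecurityConfigurerAdapter is ordered ahead of the auto-configured management security chain, and the question's configure(HttpSecurity) declares no authorizeRequests() rules, so the chain that handles every request grants every request. Declaring the access rules for the actuator paths explicitly makes the protection independent of the endpoints.*.sensitive and management.security.* auto-configuration; the class name and the list of protected paths below are assumptions, and the LDAP configure(AuthenticationManagerBuilder) from the question is meant to stay as it is.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

// Hypothetical class name; assumes Spring Boot 1.x / Spring Security 4 as in the question.
@Configuration
@EnableWebSecurity
public class ActuatorSecurityConfig extends WebSecurityConfigurerAdapter {

    // Probe endpoints that may stay anonymous (health checks, version info).
    private static final String[] PUBLIC_ACTUATOR = {
        "/info", "/info.json", "/health", "/health.json"
    };

    // Boot 1.x endpoints that expose internals; constructed list, adjust to what is enabled.
    private static final String[] SENSITIVE_ACTUATOR = {
        "/beans", "/beans.json", "/env/**", "/metrics/**", "/dump", "/trace",
        "/configprops", "/mappings", "/autoconfig", "/shutdown"
    };

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .antMatchers(PUBLIC_ACTUATOR).permitAll()
                // hasRole("ADMIN") expects the authority ROLE_ADMIN, which is what the
                // default LDAP authorities populator produces from a group named "admin"
                // (prefix ROLE_, upper-cased). Same role as management.security.role=ADMIN.
                .antMatchers(SENSITIVE_ACTUATOR).hasRole("ADMIN")
                // The application's own REST controllers still need a login.
                .anyRequest().authenticated()
                .and()
            .httpBasic();
    }
}
```

To check the result, request /beans without credentials (expect 401), as an authenticated user without ROLE_ADMIN (expect 403), and as an ADMIN user (expect 200); the same three requests against /health should all return 200.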