How to Secure Spring Boot Actuator Endpoints with Basic Authentication

In this tutorial, I will explain in detail how to secure sensitive Spring Boot Actuator Endpoints using Spring Boot version 3. This tutorial is intended for beginners who want to learn how to monitor and manage their Spring Boot applications using Actuator.

Spring Boot Actuator is a sub-module of Spring Boot that provides production-ready features such as health checks, metrics, environment information, and more. Actuator exposes these features through HTTP endpoints or JMX beans that we can interact with.

However, exposing these endpoints without any security can be risky, as they may reveal sensitive information about our application or allow unauthorized access to modify its behaviour. Therefore, we need to secure our Actuator endpoints using Spring Security.

In this tutorial, I will show you how to:

  • Add the spring-boot-starter-actuator dependency to your project
  • Configure which Actuator endpoints are enabled and exposed over HTTP
  • Secure the Actuator endpoints with basic authentication
  • Test the secured endpoints using curl commands

Let’s get started!

Step 1: Add the spring-boot-starter-actuator Dependency

To enable Spring Boot Actuator in our project, we need to add the spring-boot-starter-actuator dependency to our pom.xml file:

<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-actuator</artifactId>
</dependency>

This dependency will also bring in the spring-boot-starter-web dependency, which is required for exposing the Actuator endpoints over HTTP.

Step 2: Configure the Actuator Endpoints

By default, Spring Boot Actuator provides a number of built-in endpoints that we can use to monitor and manage our application. Some of the useful endpoints are:

  • /actuator/health: Shows application health information
  • /actuator/info: Displays arbitrary application information
  • /actuator/metrics: Shows metrics information for the current application
  • /actuator/env: Exposes properties from Spring’s ConfigurableEnvironment
  • /actuator/loggers: Shows and modifies the configuration of loggers in the application

We can configure which endpoints are enabled and exposed over HTTP by using properties in our application.properties file. For example, we can enable all endpoints but only expose health and info over HTTP by adding these properties:

management.endpoints.web.exposure.include=health,info
management.endpoints.enabled-by-default=true

2.1 Customize Actuator’s Base Path

We can also customize the base path for the Actuator endpoints by using the management.endpoints.web.base-path property. For example, we can change it from /actuator to /admin by adding this property:

management.endpoints.web.base-path=/admin

Now, if we run our application and visit http://localhost:8080/admin/health or http://localhost:8080/admin/info in our browser, we should see some JSON output with information about our application.

However, if we try to access any other endpoint such as http://localhost:8080/admin/metrics or http://localhost:8080/admin/env , we should get a 404 Not Found error, as they are not exposed over HTTP. To expose them, simply include them in the management.endpoints.web.exposure.include= property.

Step 3: Secure Spring Boot Actuator Endpoints

As we have seen, exposing some of the Actuator endpoints over HTTP can be useful for monitoring and managing our application. However, without any security mechanism in place, anyone who knows the URL can access them and potentially compromise our application.

Therefore, we need to secure our Actuator endpoints with some form of authentication and authorization. One of the simplest ways to do that is to use basic authentication with Spring Security.

3.1 Add Spring Security Dependency

To enable Spring Security in our project, we need to add the spring-boot-starter-security dependency to our pom.xml file:

<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
</dependency>

This dependency will automatically apply some default security configuration to our application. By default, it will secure all URLs with basic authentication and generate a random password at startup that we can use to log in.

3.2 Customize Username and Password

We can also customize the username and password by using properties in our application.properties file. For example, we can set them to admin and admin123 by adding these properties:

spring.security.user.name=admin
spring.security.user.password=admin123
spring.security.user.roles=ADMIN

3.3 Configure HttpSecurity

In order to configure Spring Security for Actuator endpoints, we need to create a SecurityConfiguration class that defines the authentication and authorization rules for the Actuator endpoints. This allows us to control access to these endpoints and ensure that they are only accessible to authorized users.

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class WebSecurity {

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http.authorizeHttpRequests()
            .requestMatchers("/actuator/**").hasRole("ADMIN")
            .anyRequest().authenticated()
            .and()
            .httpBasic();

        return http.build();
    }

}

The above code defines a configuration class that is annotated with @Configuration and @EnableWebSecurity. The @Configuration annotation tells Spring that this class provides configuration information that should be processed when the application starts up. The @EnableWebSecurity annotation tells Spring to enable web security for the application.

The WebSecurity class has a method annotated with @Bean called securityFilterChain. This method creates and returns a SecurityFilterChain object that defines how requests to the web application should be secured.

The securityFilterChain method takes an HttpSecurity object as a parameter. This object is used to configure the security settings for your application. The HttpSecurity object allows you to define which requests are allowed and which requests require authentication.

The first method call on the HttpSecurity object is authorizeHttpRequests(), which is used to configure authorization rules for incoming requests.

The next method call on the HttpSecurity object is requestMatchers("/actuator/**").hasRole("ADMIN"). This method call specifies that requests to the path “/actuator/**” require the “ADMIN” role to be authorized.

The next method call on the HttpSecurity object is anyRequest().authenticated(). This method call specifies that any request that does not match the previous rule should be authenticated.

The last method call on the HttpSecurity object is httpBasic(), which specifies that HTTP Basic authentication should be used for authentication.

Finally, the http.build() method is called to build the SecurityFilterChain object and return it.

Final words

In conclusion, securing Spring Boot Actuator endpoints is crucial for protecting sensitive information from unauthorized access. By implementing security measures such as role-based access control and HTTPS, you can ensure that your application is secure and your users’ data is protected. With the step-by-step guide provided in this tutorial, you should now have a better understanding of how to configure and secure Actuator endpoints in your Spring Boot application. Remember to always prioritize security in your development process and stay up-to-date with the latest security best practices.

To learn more, check out other Spring Boot and Spring Security tutorials.