Secure Eureka Dashboard with Spring Security

In this tutorial, I will show you how to secure the Spring Cloud Eureka dashboard with Spring Security.

Add Spring Security to Eureka

To secure Eureka with Spring Security, we need to add the Spring Security dependency to the pom.xml file of our Eureka Discovery Server Spring Boot project. Open the pom.xml file of your Eureka Discovery Server project and add the following dependency.


Eureka Discovery Server Application Properties File

Once you have added the Spring Security dependency to the pom.xml file, as shown above, open the application properties file of your Eureka Discovery Server and add the following configuration properties:

Configure HttpSecurity

The next step is to configure the HttpSecurity object in Eureka Discovery Server. To do that, create a new Java class and make it extend WebSecurityConfigurerAdapter, as shown in the example below. Override the configure() method and configure the HttpSecurity object.

Note: WebSecurityConfigurerAdapter is deprecated. Read the following tutorial to learn how to migrate from the deprecated WebSecurityConfigurerAdapter.

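import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;
@Configuration
@EnableWebSecurity
public class WebSecurity {
    @Bean
    public SecurityFilterChain configure(HttpSecurity http) throws Exception {
        http.authorizeHttpRequests().anyRequest().authenticated().and().httpBasic();
        return http.build();
    }
}
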
In the code above we configure authorization rules for incoming HTTP requests to our application.

  • The method authorizeHttpRequests() returns an instance of ExpressionInterceptUrlRegistry that provides methods for defining authorization rules for URL patterns. I am not going to configure any specific URL patterns here and this will mean that the configuration will apply to all request URLs.
  • The method anyRequest() specifies that the authorization rule should apply to any incoming HTTP request that matches the previously defined URL pattern.
  • The method authenticated() specifies that the authenticated user is required to access the requested URL. If the user is not authenticated, the request will be denied and the user will be redirected to the login page. Therefore, the combination of authorizeHttpRequests() with anyRequest().authenticated() configures Spring Security to require authentication for any incoming HTTP request, regardless of its URL pattern.
  • .httpBasic() is a method in Spring Security that configures HTTP Basic authentication for the application. When .httpBasic() is called in the Spring Security configuration, it sets up the application to use HTTP Basic authentication. If a client application does not provide a username and password to access Eureka, the request will be denied with the HTTP response code “401 Unauthorized”.

Overall, this configuration is a common way to ensure that only authenticated users are allowed to access protected resources of our application.

Do not forget to annotate this class with @EnableWebSecurity and @Configuration annotations.
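
The following is an added example, not code from the original tutorial. It shows the same rules written in the lambda style of Spring Security 6.x (an assumption, as is the hypothetical class name EurekaSecurityConfig), plus the CSRF exemption for /eureka/** that the Spring Cloud Netflix documentation describes for a secured Eureka server, because Eureka clients do not send a CSRF token when they register.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;

// Added example, not the tutorial's code. Assumes Spring Security 6.x;
// the class name EurekaSecurityConfig is hypothetical.
@Configuration
@EnableWebSecurity
public class EurekaSecurityConfig {

    @Bean
    public SecurityFilterChain eurekaFilterChain(HttpSecurity http) throws Exception {
        http
            // Same rule as the tutorial: every request must be authenticated.
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            // HTTP Basic; requests without valid credentials get 401 Unauthorized.
            .httpBasic(Customizer.withDefaults())
            // Eureka clients register, renew and cancel with POST/PUT/DELETE
            // calls under /eureka/** and carry no CSRF token, so exempt only
            // that path. The dashboard and everything else keep CSRF protection.
            .csrf(csrf -> csrf.ignoringRequestMatchers("/eureka/**"));
        return http.build();
    }
}
```

With CSRF protection left on for /eureka/**, client registration requests are rejected with 403 Forbidden even when the username and password are correct.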

Eureka Discovery Server is now protected with Spring Security and is ready to be used.

If you attempt to open the Eureka dashboard in the browser window now, you should be prompted to provide a username and a password first.

Eureka Client Configuration

To enable your microservices and other Eureka clients to authenticate with Eureka and register with it, add the following configuration properties to the application properties file of your Eureka Client:


Notice that the Eureka Default Zone URL now has the username and password added. If the username and the password match the ones you have configured in the application properties file of your Discovery Server, then your Eureka Client should be able to successfully authenticate and register.

I hope this tutorial was helpful to you.

