Remove management.security.enabled from documentation

Fixes gh-11383
pull/11510/merge
Madhura Bhave 7 years ago
parent fc3b43e832
commit 7c5cf903fc

@ -181,8 +181,9 @@ register an `EndpointFilter` bean.
[[production-ready-endpoints-security]]
=== Securing HTTP Endpoints
You should take care to secure HTTP endpoints in the same way that you would any other
sensitive URL. Spring Boot does not apply any security on your behalf. However, it does
provide some convenient RequestMatcher` objects that can be used in combination with
sensitive URL. If Spring Security is present, endpoints are secured by default using Spring Securitys
content-negotiation strategy. If you wish to configure custom security for HTTP endpoints, for example, only allow users
with a certain role to access them, Spring Boot provides some convenient `RequestMatcher` objects that can be used in combination with
Spring Security.
A typical Spring Security configuration might look something like the following example:
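Review bot: `Spring Securitys` in the added sentence should be `Spring Security's`, and the two new lines run well past the column width used by the rest of this .adoc file (the lines being removed were wrapped; `If Spring Security is present, ...` and `with a certain role to access them, ...` are not). `for example, only allow users with a certain role to access them` also reads better as `for example, to allow only users with a certain role to access them`. Suggested rewrap of the added text:
`If Spring Security is present, endpoints are secured by default using Spring Security's`
`content-negotiation strategy. If you wish to configure custom security for HTTP endpoints,`
`for example, to allow only users with a certain role to access them, Spring Boot provides`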
@ -219,6 +220,23 @@ endpoints can be accessed without requiring authentication. You can do so by cha
management.endpoints.web.expose=*
----
Additionally, if Spring Security is present, you would need to add custom security configuration
that allows unauthenticated access to the endpoints. For example,
[source,java,indent=0]
----
@Configuration
public class ActuatorSecurity extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http.requestMatcher(EndpointRequest.toAnyEndpoint()).authorizeRequests()
.anyRequest().permitAll()
}
}
----
[[production-ready-customizing-endpoints]]
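Review bot: the Java example in this hunk does not compile: `.anyRequest().permitAll()` is missing its terminating semicolon and should read `.anyRequest().permitAll();`. Since this block is the replacement users will copy now that `management.security.enabled=false` is gone, it needs to compile as written. Second point: the combination this hunk documents, `management.endpoints.web.expose=*` followed by a `WebSecurityConfigurerAdapter` that applies `permitAll()` to everything matched by `EndpointRequest.toAnyEndpoint()`, grants anonymous access to every exposed actuator. The NOTE added in the last hunk of this change (check that exposed actuators do not contain sensitive information) belongs right next to this example as a CAUTION, not only in the Spring Security section much further down, and the surrounding text should say this opt-out is intended for a management port that is not reachable from untrusted networks.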
@ -715,20 +733,6 @@ the following example:
management.server.port=8081
----
Since your management port is often protected by a firewall and not exposed to the
public, you might not need security on the management endpoints, even if your main
application is secure. In that case, you should have Spring Security on the classpath,
and you can disable management security, as follows:
[source,properties,indent=0]
----
management.security.enabled=false
----
CAUTION: If you do not have Spring Security on the classpath, there is no need to
explicitly disable the management security in this way. Doing so might even break the
application.
[[production-ready-management-specific-ssl]]
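Review bot: deleting the `management.security.enabled=false` paragraph and its CAUTION leaves the `management.server.port=8081` example with no replacement guidance for the scenario the removed text introduced (a management port behind a firewall where the user wants unauthenticated actuator access), and readers upgrading from 1.x who search this section for `management.security.enabled` will find nothing. Suggest replacing the removed paragraph with a sentence or two stating that the property no longer exists and pointing at the `EndpointRequest.toAnyEndpoint()` / `permitAll()` configuration added earlier in this change under `Securing HTTP Endpoints`, while keeping the removed text's qualifier that this is only appropriate when the management port is not exposed to the public; a separate port on its own is not an access control.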

@ -2997,19 +2997,15 @@ In other words, the two configurations in the following example use the Google p
[[boot-features-security-actuator]]
=== Actuator Security
If the Actuator is also in use:
* The management endpoints are secure even if the application endpoints are insecure.
* Security events are transformed into `AuditEvent` instances and published to the
`AuditEventRepository`.
* The default user has the `ACTUATOR` role as well as the `USER` role.
The Actuator security features can be modified by using external properties
(`+management.security.*+`). To override the application access rules but not the
actuator access rules, add a `@Bean` of type `WebSecurityConfigurerAdapter` and use
`@Order(SecurityProperties.ACCESS_OVERRIDE_ORDER)`. Use
`@Order(ManagementServerProperties.ACCESS_OVERRIDE_ORDER)` if you _do_ want to override
the application access rules and the actuator access rules.
For security purposes, all actuators other than `/health` and `/info` are disabled by default.
The `management.endpoints.web.expose` flag can be used to enable the actuators.
If Spring Security is on the classpath and no other WebSecurityConfigurerAdapter is present,
the actuators are secured by Spring Boot auto-config. If you define a custom `WebSecurityConfigurerAdapter`,
Spring Boot auto-config will back off and you will be in full control of actuator access rules.
NOTE: Before setting the `management.endpoints.web.expose`, ensure that the exposed actuators
do not contain sensitive information and/or are secured by placing them behind a firewall or by
something like Spring Security.
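Review bot: `all actuators other than /health and /info are disabled by default` contradicts the property named on the next line: `management.endpoints.web.expose` controls web exposure, not whether an endpoint is enabled, and it is a list of endpoint ids rather than a `flag`. Suggest `all actuators other than /health and /info are not exposed over HTTP by default` and `The management.endpoints.web.expose property can be used to expose additional actuators`. In the following paragraph, `no other WebSecurityConfigurerAdapter` should be `no user-provided WebSecurityConfigurerAdapter` (there is no `other` to refer to) and should be in backticks like the occurrence on the next line. The NOTE is vague (`and/or`, `something like Spring Security`); suggest `NOTE: Before exposing additional actuators via management.endpoints.web.expose, ensure that they do not expose sensitive information and that they are secured (for example, with Spring Security) or reachable only from a trusted network.` Finally, the removed bullet about security events being published as `AuditEvent` instances to the `AuditEventRepository` is dropped without being replaced; if that behaviour is unchanged, keep the bullet.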
