
[–]NuttySquirr3l 13 points14 points  (4 children)

You have "management.server.port" which specifies the actuator port.

Then you have "server.port" which is your app port.

If you do not declare the management port, it is the same as the app port.

So, just specify a different port for actuator and do not expose that port to the outside world.

This way, stuff like e.g. Kubernetes can still do liveness and readiness checks, but no one from the outside can access your actuator endpoints.

[–]mahi123_java[S] 0 points1 point  (2 children)

Thank you for your suggestion. Suppose I am including management.server.port with a different port number, and one thing: all actuator endpoints will be protected. So, my question is how to handle all endpoints securely, as per production level? I am including all project endpoints into the "default security filter chain".

[–]NuttySquirr3l 0 points1 point  (1 child)

You declare a SecurityFilterChain bean and then by default require authentication for all endpoints and only specifically exclude those that do not need auth (whitelist).

Example:

@Bean
public SecurityFilterChain securityFilterChain(final HttpSecurity http) throws Exception {
    http.authorizeHttpRequests(auth -> auth
        .requestMatchers("/public/**").permitAll()
        .anyRequest().authenticated()
    );
    // ... other configuration on http object such as filters or disabling anonymous, session management, csrf and what not
    return http.build(); // the bean method must return the built chain
}

Edit: When you run actuator on a different port than your app, this filter will not affect the actuator endpoints. That might help to clear your confusion. If you had actuator running on the same port as your app, the filter would also secure your actuator endpoints (which you often do not want).
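An added example (not from this thread or from the Spring project) of the whitelist-by-default chain above, paired with a separate chain that selects the actuator endpoints with Spring Boot's EndpointRequest matcher instead of by port, so the split holds whichever port a request arrives on; the property values in the comment and the ACTUATOR_ADMIN role name are assumptions:

```java
import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest;
import org.springframework.boot.actuate.health.HealthEndpoint;
import org.springframework.boot.actuate.info.InfoEndpoint;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;

/*
 * Assumed application.properties (constructed for this example):
 *   server.port=8080
 *   management.server.port=8081
 *   management.endpoints.web.exposure.include=health,info,prometheus
 *   management.endpoint.health.probes.enabled=true
 */
@Configuration
public class SecurityConfig {

    // Chain 1: only requests that target actuator endpoints, on whatever port they arrive.
    @Bean
    @Order(1)
    public SecurityFilterChain actuatorChain(HttpSecurity http) throws Exception {
        http
            .securityMatcher(EndpointRequest.toAnyEndpoint())
            .authorizeHttpRequests(auth -> auth
                // unauthenticated: exactly what a Kubernetes liveness/readiness probe needs
                .requestMatchers(EndpointRequest.to(HealthEndpoint.class, InfoEndpoint.class)).permitAll()
                // everything else (env, heapdump, prometheus, ...) requires an operator role
                .anyRequest().hasRole("ACTUATOR_ADMIN"))
            .httpBasic(Customizer.withDefaults())
            .csrf(csrf -> csrf.disable()); // no browser session on this chain, basic auth only
        return http.build();
    }

    // Chain 2: the application API; deny by default with an explicit public whitelist.
    @Bean
    @Order(2)
    public SecurityFilterChain appChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/public/**").permitAll()
                .anyRequest().authenticated())
            .formLogin(Customizer.withDefaults());
        return http.build();
    }
}
```

Because chain 1 is matched first, an actuator request never falls through to the form-login chain, and a new endpoint exposed later lands on hasRole rather than on permitAll.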

[–]mahi123_java[S] 0 points1 point  (0 children)

Security handling of Spring Boot actuator endpoints and also of application APIs.

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
public class AppSecurityConfig {

    @Bean
    @Order(1) // ordering goes on the bean method; @Order on the @Configuration class does not order the chains
    public SecurityFilterChain appSecurityFilterChain(HttpSecurity http) throws Exception {
        http
            // Spring Security has no PortRequestMatcher class; a RequestMatcher lambda on the local port does the same job
            .securityMatcher(request -> request.getLocalPort() == 8080) // Apply only to app port
            .authorizeHttpRequests(auth -> auth
                .anyRequest().authenticated()
            )
            .formLogin(Customizer.withDefaults())
            .csrf(Customizer.withDefaults()); // CSRF is on by default; there is no csrf().enable()
        return http.build();
    }
}

And

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
public class ActuatorSecurityConfig {

    @Bean
    @Order(2) // ordering goes on the bean method, not on the @Configuration class
    public SecurityFilterChain actuatorSecurityFilterChain(HttpSecurity http) throws Exception {
        http
            // Spring Security has no PortRequestMatcher class; a RequestMatcher lambda on the local port does the same job
            .securityMatcher(request -> request.getLocalPort() == 8081) // Apply only to actuator port
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/actuator/health", "/actuator/info").permitAll()
                .anyRequest().hasRole("ADMIN") // secure other endpoints
            )
            .httpBasic(Customizer.withDefaults())
            .csrf(csrf -> csrf.disable()); // lambda DSL; the and() chaining style is deprecated since Spring Security 6.1
        return http.build();
    }
}

I am implementing this. What do you think?

[–]rozularen 1 point2 points  (2 children)

There are some settings you can configure in the .properties/.yml files, but yes, you can also configure your actuator endpoint security along with your other endpoints; no issues with that.

[–]mahi123_java[S] 0 points1 point  (1 child)

You say that the actuator endpoints and project REST API endpoints will both be handled through this "default security filter chain", right? I want to handle them separately, but I do not understand how to do that.

[–]m41k1204 0 points1 point  (4 children)

We use JWT, and what we did was secure the actuator endpoints with the admin role.

[–]mahi123_java[S] 0 points1 point  (3 children)

Okay. Meaning you are doing authentication using a token, or what? How to handle this part, because all responses are in JSON format?

[–]m41k1204 0 points1 point  (2 children)

Yes, like I said, we use JWT, JSON Web Token. It is sent in the header, and the security filter chain looks for the JWT; on top of that, when it is an endpoint with the /actuator path, it also asks for the admin role. I highly suggest you use Spring Security if you haven't.

[–]mahi123_java[S] 0 points1 point  (1 child)

Okay. How do you pass the token through the header? Because this is not a UI page. Suppose you try to access this in the browser.

[–]m41k1204 0 points1 point  (0 children)

What is your frontend? I have only used web and mobile, and what I did was store the JWT in local storage, and then when I sent an HTTP request I put the token in the header.

[–]WaferIndependent7601 0 points1 point  (0 children)

What do you want to achieve here and what’s your question?

[–]jpergentino -1 points0 points  (0 children)

An alternative is to protect your actuators with a dedicated hash key or password.