Tried with a simple spring boot application with actuator dependency, but not able to access http://localhost:8080/actuator/beans
I am able to access http://localhost:8080/actuator with the following output :
{"_links":{"self":{"href":"http://localhost:8080/actuator","templated":false},"health-component-instance":{"href":"http://localhost:8080/actuator/health/{component}/{instance}","templated":true},"health-component":{"href":"http://localhost:8080/actuator/health/{component}","templated":true},"health":{"href":"http://localhost:8080/actuator/health","templated":false},"info":{"href":"http://localhost:8080/actuator/info","templated":false}}}
ALso majorly the following url's are not accessible listed from here
/auditevents – lists security audit-related events such as user login/logout. Also, we can filter by principal or type among others fields
/beans – returns all available beans in our BeanFactory. Unlike
/auditevents, it doesn’t support filtering
/conditions – formerly known as /autoconfig, builds a report of conditions around auto-configuration
/configprops – allows us to fetch all #ConfigurationProperties beans
/env – returns the current environment properties. Additionally, we can retrieve single properties
/flyway – provides details about our Flyway database migrations
/health – summarises the health status of our application
/heapdump – builds and returns a heap dump from the JVM used by our application
/info – returns general information. It might be custom data, build information or details about the latest commit
/liquibase – behaves like /flyway but for Liquibase
/logfile – returns ordinary application logs
/loggers – enables us to query and modify the logging level of our application
/metrics – details metrics of our application. This might include generic metrics as well as custom ones
/prometheus – returns metrics like the previous one, but formatted to work with a Prometheus server
/scheduledtasks – provides details about every scheduled task within our application
/sessions – lists HTTP sessions given we are using Spring Session
/shutdown – performs a graceful shutdown of the application
/threaddump – dumps the thread information of the underlying JVM
Default management.endpoints.web.exposure.include, info, health
As actuator/health and actuator/info are provided by default . so that you will get the information
management.endpoints.web.exposure.include = * //will allow all endpoints
to be exposed
management.endpoints.web.exposure.include=health,info # Endpoint IDs that should be included or '*' for all.
management.endpoints.web.exposure.exclude= # Endpoint IDs that should be excluded or '*' for all.
management.endpoints.web.base-path=/actuator # Base path for Web endpoints. Relative to server.servlet.context-path or management.server.servlet.context-path if management.server.port is configured.
management.endpoints.web.path-mapping= # Mapping between endpoint IDs and the path that should expose them.
Securing Endpoint
management.endpoint.health.roles= # Roles used to determine whether or not a user is authorized to be shown details. When empty, all authenticated users are authorized. //for health
management.endpoint.health.show-details=always,never # When to show full health details.
Enable/Disable endpoints
management.endpoint.(endpointName).enabled=true # Whether to enable the health endpoint.
e.g. management.endpoint.health.enabled=true
Refer This for Manual Configurations
Refer This for More Details
Related
To give you some context, we have various microservices and a config server where we store store all the application.yml files.
The problem is when some issue happens, we have to temporarily enable logs for every application so that we can trace the activities done by the user. But this creates a hassle as we have to change the log configs.
So we want to enable logging for only certain users (say, when some issue happens and we want to debug) via changing the yml files so we don't have to touch the code or redeploy the application. Basically we are thinking of creating a application-logging.yml file for all the microservices and in this when we mention
logging:
users:
id: 123
level: warn
all the microservices will pick it up and start generating logs only for this user.
How can I implement this in Spring Boot, if its possible?
Put user ID into the thread context then use a MutableThreadContextMapFilter.
You can specify values via a JSON file, which log4j polls periodically to pick up changes.
We have a Spring boot application that caters to 2 different organisations. Depending on some user-info in the database, the correct datasource is returned in a class that extends AbstractRoutingDataSource. An anonymous user gets access to a limited datasource that only provides some info needed to create an account. We also have a class that extends AbstractJwtWebSecurityConfig where our HttpSecurity rules are defined.
This all works perfectly fine.
The 2 organisations also get a new ‘view’ privilege to some of their information. This is a new feature, and I am not sure how to implement this correctly.
We have an nginx server that screens incoming requests and it allows most traffic. But if the view-url of organisation 1 is accessed nginx checks the ip-address to check if it’s the ip-address of organisation 1 and they are allowed, requests from other ip-addresses are denied. The same for organisation 2 but with a different view-url. They are anonymous users and can not login.
What would be the way to have Spring boot give requests from organisation 1 access to datasource 1 and organisation 2 access to Datasource 2? We have full control of the nginx server, so we could for instance add a header to the request and I was thinking along those lines but I am stumped as to how this could be correctly done and was hoping that Spring boot has a solution for this situation.
So my question is: What would be the way to have Spring boot give access to a specific Datasource if a certain url is accessed by an anonymous user?
I've developed a solution based on Spring Boot. It's like 10 projects with many endpoints, and I'm using Eureka and Zuul too.
Now I'm dealing with the security issues I have to solve. Authentication and Authorization will be done using spring-security in the Zuul server plus annotations to the endpoints.
But one thing I don't know is how to filter the results based on who's logged in. In my case, I need to associate each user* to an entity called Enterprise. Then I have the entity FooBar that have a FK_ID column that associates to an Enterprise. When this user logs in and call the listAllFooBars endpoint it should answer only those associated to the Enterprise object associated to the user.
The same validation should happen during POST and PUT calls...
How to implement that??
'* by user I mean the pair name+password
This is exactly the use case of #PostFilter annotation from spring security. You can have expression that filters the collection based on current authentication object.
We have recently upgraded out Spring-Boot version to 2.1.2 in one of our applications.
I noticed a change in JSON format when I hit this URL:
http://localhost:xxxx/health.
The changed structure is:
{
Health: {
status: "UP"
}
}
Earlier it was:
{
status: "UP"
}
My question is;
1. Why has it been modified?
2. Is there any config to keep the structure as it was before?
With the release of Spring Boot 2, Actuator has been redesigned, and new exciting endpoints were added.
The /actuator/health endpoint is used to check the health or state of the running application. It’s usually exercised by monitoring software to alert us if the running instance goes down or gets unhealthy for other reasons. E.g. Connectivity issues with our DB, lack of disk space…
http://localhost:8080/actuator/health
{
status: "UP"
}
Monitoring and Management over HTTP
If you are developing a web application, Spring Boot Actuator auto-configures all enabled endpoints to be exposed over HTTP. The default convention is to use the id of the endpoint with a prefix of /actuator as the URL path. For example, health is exposed as /actuator/health. TIP: Actuator is supported natively with Spring MVC, Spring WebFlux, and Jersey.
Actuator Security
For security purposes, all actuators other than /health and /info are disabled by default. The management.endpoints.web.exposure.include property can be used to enable the actuators.
If Spring Security is on the classpath and no other WebSecurityConfigurerAdapter is present, all actuators other than /health and /info are secured by Spring Boot auto-configuration. If you define a custom WebSecurityConfigurerAdapter, Spring Boot auto-configuration will back off and you will be in full control of actuator access rules.
Endpoints
Actuator endpoints let you monitor and interact with your application. Spring Boot includes a number of built-in endpoints and lets you add your own. For example, the health endpoint provides basic application health information.
Each individual endpoint can be enabled or disabled. This controls whether or not the endpoint is created and its bean exists in the application context. To be remotely accessible an endpoint also has to be exposed via JMX or HTTP. Most applications choose HTTP, where the ID of the endpoint along with a prefix of /actuator is mapped to a URL. For example, by default, the health endpoint is mapped to /actuator/health.
Actuator JSON
The JSON payloads returned from many endpoints have been improved with Spring Boot 2.0.
Many endpoints now have JSON that more accurately reflects the underlying data. For example, the /actuator/conditions endpoint (/autoconfig in Spring Boot 1.5) now has a top level contexts key to group results by ApplicationContext.
8. Health (health)
To retrieve the health of the application, make a GET request to /actuator/health, as shown in the following curl-based example:
$ curl 'http://localhost:8080/actuator/health' -i -X GET
Useful Information : Baeldung
I am very much new to multi-tenancy. We have an application based on Java, Spring, Hibernate/JPA etc. which doesn't support multi-tenancy.
Now, we want to convert that application into multi-tenant one. I have read about multi-tenancy and even wrote one standalone application using hibernate with separate schema approach. Link referred is here.
I think about the logging part which is bound to be changed now as log files will be maintained per tenant(client) now. So, for each tenant a separate log file will be there.Also, log file for a particular tenant shouldn't be accessed by another tenant.
Is there any logging API specific to support multi-tenancy? If not, how should i go ahead with implementing logging in multi-tenant application? What should be taken care of while implementing logging in multi-tenant application.
you can use MDC (mapped diagnostic context) support to route logging for each tenant into a separate file/dir/whatever.
you can read up on the concept here. it exists in slf4/logback and log4j
simply put, you set some property like tenantName in the MDC at the beginning of every request processing according to the specific tenant making the request and then use this property in your logging configuration to determine the log file into which log messages are written.